Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752808AbcDUOT1 (ORCPT <rfc822;w@1wt.eu>);
	Thu, 21 Apr 2016 10:19:27 -0400
Received: from wtarreau.pck.nerim.net ([62.212.114.60]:24480 "EHLO 1wt.eu"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1752094AbcDUOTZ (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
	Thu, 21 Apr 2016 10:19:25 -0400
Date: Thu, 21 Apr 2016 16:19:06 +0200
From: Willy Tarreau <w@1wt.eu>
To: Jiri Slaby <jslaby@suse.cz>
Cc: Sasha Levin <sasha.levin@oracle.com>, Greg KH <greg@kroah.com>,
        LKML <linux-kernel@vger.kernel.org>, stable <stable@vger.kernel.org>,
        lwn@lwn.net
Subject: Re: stable-security kernel updates
Message-ID: <20160421141906.GB9930@1wt.eu>
References: <5717DD8A.4000707@oracle.com>
 <571876AB.2060106@suse.cz>
 <5718B57D.4000504@oracle.com>
 <5718C0B8.8010609@suse.cz>
 <5718C215.7060703@suse.cz>
 <20160421123918.GA2294@kroah.com>
 <5718DB7F.2010701@oracle.com>
 <5718DFF3.8020306@suse.cz>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <5718DFF3.8020306@suse.cz>
User-Agent: Mutt/1.5.24 (2015-08-30)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1673
Lines: 35

On Thu, Apr 21, 2016 at 04:13:07PM +0200, Jiri Slaby wrote:
> On 04/21/2016, 03:54 PM, Sasha Levin wrote:
> > On 04/21/2016 08:39 AM, Greg KH wrote:
> >> On Thu, Apr 21, 2016 at 02:05:41PM +0200, Jiri Slaby wrote:
> >>>> On 04/21/2016, 01:59 PM, Jiri Slaby wrote:
> >>>>>>>> (CVE-2016-2085) 613317b EVM: Use crypto_memneq() for digest comparisons
> >>>>>>
> >>>>>> Does not exist in the CVE database/is not confirmed yet AFAICS.
> >>>>
> >>>> And now I am looking at the patch and I remember why I threw it away.
> >>>> crypto_memneq is not in 3.12 yet and I was not keen enough to backport  it.
> >> Which brings up the question, Sasha, why did you think these CVEs were
> >> relevant for 3.12?  What were you basing that list on?
> > 
> > The EVM one? Because there exists a vulnerability in the 3.12 EVM code which
> > allows an attacker to essentially circumvent integrity checks, and the reason
> > it wasn't fixed was because a memory comparison helper function wasn't backported?
> 
> Because sometimes the breakage risk is much higher than fixing a bug.
> This one was evaluated for 3.12.55 and not included at that time for
> that very reason.
> 
> Now, given it it upstream for much longer, I reevaluated that and put
> that into the 3.12 tree.
> 
> > For the other CVEs I've listed? I looked at what went in to 3.14 but not 3.12,
> > and audited the resulting list to confirm that the vulnerability existed on 3.12.
> 
> Where exactly is 0185604 and 096fe9e contained in 3.14? I actually don't
> see them in any of Greg's stable tree.

Indeed, the first one was brought into 3.2 and 3.18 (so it's missing from
3.4 to 3.14), and the second one is in 3.18.

Willy