Gentoo Archives: gentoo-dev

From: Mike Pagano <mpagano@g.o>
To: gentoo-dev@l.g.o
Cc: gentoo-dev-announce@l.g.o
Subject: Re: [gentoo-dev] qa last rites multiple packages
Date: Wed, 07 Jan 2015 16:22:04
Message-Id: 20150107162156.GA29563@woodpecker.gentoo.org
In Reply to: [gentoo-dev] qa last rites multiple packages by William Hubbs
On Tue, Jan 06, 2015 at 05:47:10PM -0600, William Hubbs wrote:
> All,
>
> these packages have been masked in the tree for months - years with no
> signs of fixes.
>
> I am particularly concerned about packages with known security
> vulnerabilities staying in the main tree masked. If people want to keep
> using those packages, I don't want to stop them, but packages like this
> should not be in the main tree.
>
> # Mask gentoo-sources ebuilds that are affected with security bug CVE-2014-3153.
> #
> # Pinkie Pie discovered an issue in the futex subsystem that allows a
> # local user to gain ring 0 control via the futex syscall. An
> # unprivileged user could use this flaw to crash the kernel (resulting
> # in denial of service) or for privilege escalation.
> #
> # https://bugs.gentoo.org/show_bug.cgi?id=CVE-2014-3153
> =sys-kernel/gentoo-sources-3.2.58-r2
> ~sys-kernel/gentoo-sources-3.4.90
> =sys-kernel/gentoo-sources-3.4.91
> ~sys-kernel/gentoo-sources-3.10.40
> =sys-kernel/gentoo-sources-3.10.41
> ~sys-kernel/gentoo-sources-3.12.20
> =sys-kernel/gentoo-sources-3.12.21
> ~sys-kernel/gentoo-sources-3.14.4
> =sys-kernel/gentoo-sources-3.14.5

Hello,

What's the feeling for how long a package.mask entry should stay in the
file in the event that a package can cause physical damage to a user's
system?

For certain types of hardware, kernel 3.17.0 could cause some
filesystem corruption. Of course, 3.17.0 is out of the tree, but when is
it appropriate to say that a user has had enough time to upgrade their
systems and we can remove this entry?

Mike


--
Mike Pagano
Gentoo Developer - Kernel Project
Gentoo Sources - Lead
E-Mail : mpagano@g.o
GnuPG FP : EEE2 601D 0763 B60F 848C 9E14 3C33 C650 B576 E4E3
Public Key : http://pgp.mit.edu:11371/pks/lookup?search=0xB576E4E3&op=index
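As an added example (not part of the thread, and not portage's own code), the following Python checker parses the package.mask block quoted above and reports whether a given gentoo-sources version is caught by it, distinguishing `=` (exact version and revision) from `~` (any revision of that version). It assumes the mask text is embedded inline as constructed sample input and handles only `=` and `~` atoms with plain dotted versions, which is all that block uses.

```python
import re
from dataclasses import dataclass

# Sample input constructed from the package.mask block quoted in the mail
# (explanatory comments dropped, atoms kept verbatim).
MASK_TEXT = """\
# Mask gentoo-sources ebuilds that are affected with security bug CVE-2014-3153.
=sys-kernel/gentoo-sources-3.2.58-r2
~sys-kernel/gentoo-sources-3.4.90
=sys-kernel/gentoo-sources-3.4.91
~sys-kernel/gentoo-sources-3.10.40
=sys-kernel/gentoo-sources-3.10.41
~sys-kernel/gentoo-sources-3.12.20
=sys-kernel/gentoo-sources-3.12.21
~sys-kernel/gentoo-sources-3.14.4
=sys-kernel/gentoo-sources-3.14.5
"""

# operator, category/package, dotted version, optional -rN revision
ATOM_RE = re.compile(r"^([=~])([a-z0-9-]+/[a-z0-9-]+?)-(\d+(?:\.\d+)*)(?:-r(\d+))?$")
CPV_RE = re.compile(r"^(.+?)-(\d+(?:\.\d+)*)(?:-r(\d+))?$")

@dataclass(frozen=True)
class MaskAtom:
    op: str        # '=' exact version+revision, '~' any revision of the version
    cp: str        # category/package
    version: str
    revision: int  # absent -rN means revision 0

def parse_mask(text):
    """Return the list of atoms in a package.mask fragment, skipping comments."""
    atoms = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ATOM_RE.match(line)
        if not m:
            raise ValueError(f"unsupported atom: {line}")
        op, cp, ver, rev = m.groups()
        atoms.append(MaskAtom(op, cp, ver, int(rev or 0)))
    return atoms

def is_masked(atoms, cpv):
    """cpv is e.g. 'sys-kernel/gentoo-sources-3.4.90-r1'."""
    m = CPV_RE.match(cpv)
    cp, ver, rev = m.group(1), m.group(2), int(m.group(3) or 0)
    for a in atoms:
        if a.cp == cp and a.version == ver and (a.op == "~" or a.revision == rev):
            return True
    return False
```

Running `is_masked(parse_mask(MASK_TEXT), "sys-kernel/gentoo-sources-3.14.5-r1")` returns False because the `=` atom names revision 0 only, while any revision of 3.4.90 matches its `~` atom.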
