[meta-freescale] upgrade kernel version from 3.12.37 -> 3.12.72 to address CVE-2017-2636 and some other CVEs in

Zhenhua Luo zhenhua.luo at nxp.com
Thu Mar 23 08:01:54 PDT 2017


Hi Sona,

To fix bugs in a released version, my suggestion is to backport the corresponding patches instead of doing an upgrade.


Best Regards,

Zhenhua

From: Sona Sarmadi [mailto:sona.sarmadi at enea.com]
Sent: Tuesday, March 21, 2017 5:55 PM
To: meta-freescale at yoctoproject.org; Zhenhua Luo <zhenhua.luo at nxp.com>
Subject: upgrade kernel version from 3.12.37 -> 3.12.72 to address CVE-2017-2636 and some other CVEs in

Hi all,

I would like to know what your opinion is about upgrading the Linux kernel used in "git://git.freescale.com/ppc/sdk/linux.git;branch=sdk-v1.9.x" to address the new Linux kernel vulnerability CVE-2017-2636 (see below for more info) and some other CVEs?

CVE-2017-2636 Linux kernel flaw was spotted after seven years and quickly fixed

http://securityaffairs.co/wordpress/57194/hacking/cve-2017-2636-linux-kernel-flaw.html

Those who want the latest security fixes (plus other fixes) can add this patch to the "meta-fsl-ppc/recipes-kernel/linux/linux-qoriq_3.12.bb" and upgrade the kernel version:

diff -Nurp b/Makefile a/Makefile
--- b/Makefile  2017-03-21 09:03:21.268339298 +0100
+++ a/Makefile  2017-03-21 09:03:53.258969199 +0100
@@ -1,6 +1,6 @@
VERSION = 3
PATCHLEVEL = 12
-SUBLEVEL = 37
+SUBLEVEL = 72
EXTRAVERSION =
NAME = One Giant Leap for Frogkind
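Review bot: this hunk only bumps SUBLEVEL from 37 to 72 in the Makefile, which changes the version string that `uname -r` reports but does not by itself pull in the v3.12.72 sources; if it is added to linux-qoriq_3.12.bb without also moving the recipe's source revision to a tree that contains the n_hdlc fix, the kernel will claim to be 3.12.72 while still lacking the CVE-2017-2636 fix, so the two changes should land together. Also, the header order (`diff -Nurp b/Makefile a/Makefile`, `--- b/Makefile`, `+++ a/Makefile`) reverses the usual a/ (old) and b/ (new) convention; regenerating it as `diff -Nurp a/Makefile b/Makefile` avoids confusion for anyone applying it with `patch -p1`.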

We could just fetch the patch, but it fails to apply on our version and some modification is needed. I think it is less risky to upgrade the kernel version than to modify the patch and backport it to the 3.12.37 version.
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/log/?id=refs%2Ftags%2Fv3.12.72&qt=grep&q=tty%3A+n_hdlc%3A+get+rid+of+racy+n_hdlc.tbuf

I have run some basic tests and everything seems to work after the upgrade:
root@p2041rdb:~# uname -a
Linux p2041rdb 3.12.72-rt51 #4 SMP PREEMPT Tue Mar 21 09:42:59 CET 2017 ppc GNU/Linux
root@p2041rdb:~#

Do you have any suggestion on more tests just to be sure that the upgrade will not cause an issue?

Thanks
//Sona

---------------------------------------
Sona Sarmadi
Security Responsible for Enea Linux/

GPG Fingerprint: 444F A5E9 CDC6 4620 85C7  2CA9 60FF AF33 15BD 5928

Enea Software AB
Jan Stenbecks Torg 17
P.O Box 1033
SE-164 26 Kista, Sweden
Phone  +46 70 971 4475

www.enea.com

This message, including attachments, is CONFIDENTIAL. It may also be privileged or otherwise protected by law. If you received this email by mistake
please let us know by reply and then delete it from your system; you should not copy it or disclose its contents to anyone. All messages sent to and from
Enea may be monitored to ensure compliance with internal policies and to protect our business. Emails are not secure and cannot be guaranteed to be
error free as they can be intercepted, amended, lost or destroyed, or contain viruses. The sender therefore does not accept liability for any errors or
omissions in the contents of this message, which arise as a result of email transmission. Anyone who communicates with us by email accepts these risks.


