#1 2020-09-07 12:20:00

schard
Forum Moderator

[SOLVED] Is the current Arch Kernel vulnerable to CVE-2020-14386?

I just read about CVE-2020-14386 [1][2].
It's not listed under https://security.archlinux.org/issues/all.
Are the current kernels linux 5.8.7.arch1-1 and linux-lts 5.4.63-1 vulnerable to this issue, or has the patch by Or Cohen already been backported?

[1] German news article: https://www.golem.de/news/linux-keine-e … 50712.html
[2] Original announcement: https://seclists.org/oss-sec/2020/q3/146

Last edited by schard (2020-09-08 13:41:50)



#2 2020-09-07 13:02:00

progandy
Member

Doesn't look like the patch has been backported.
https://git.archlinux.org/linux.git/log/?h=v5.8.7-arch1

As a mitigation you can disable user namespaces (set the sysctl kernel.unprivileged_userns_clone to 0)

Last edited by progandy (2020-09-07 13:08:25)



#3 2020-09-07 14:00:30

WorMzy
Forum Moderator

Mod note: Moving to Kernel Issues.



#4 2020-09-07 14:17:47

loqs
Member


#5 2020-09-07 16:14:35

eschwartz
Fellow

progandy wrote:

> Doesn't look like the patch has been backported.
> https://git.archlinux.org/linux.git/log/?h=v5.8.7-arch1
>
> As a mitigation you can disable user namespaces (set the sysctl kernel.unprivileged_userns_clone to 0)

e.g. the linux-hardened kernel.



#6 2020-09-07 17:48:12

Head_on_a_Stick
Member

Debian's security tracker says that kernel 5.8.7 in sid is fixed[0] so I think that would also apply to Arch's linux package in [core].


#7 2020-09-07 17:55:41

eschwartz
Fellow

Head_on_a_Stick wrote:

> Debian's security tracker says that kernel 5.8.7 in sid is fixed[0] so I think that would also apply to Arch's linux package in [core].

Huh? Where did you get that from? You've already been told it is available upstream as a pending 5.8.8 update, which by definition means that if Debian has it in 5.8.7, they have manually backported it.

And indeed they did: https://salsa.debian.org/kernel-team/li … 8698bf4f8e

This does not in any way "also apply" to Arch's linux package in [core]. It could, possibly, coincide due to coincidence with an independent backport by Arch's linux package in [core].

It does coincide with an independent backport in the linux-hardened package, which was never vulnerable to begin with due to disabling userns by default.

Last edited by eschwartz (2020-09-07 17:59:13)



#8 2020-09-07 17:57:58

Head_on_a_Stick
Member

Yes, sorry eschwartz, I've had a long day and I'm clearly too tired to think straight. Sorry for the noise.
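
The two checks discussed in posts #2 and #7 (is the user-namespace mitigation active, and does the running release carry the upstream fix), as an added example that is not part of the thread. Function names are hypothetical; `user.max_user_namespaces` is the upstream sysctl and is not mentioned in the thread; only the 5.8 series is judged because 5.8.8 is the only fixed release the thread names, and a release string cannot reveal a distro backport.

```shell
#!/bin/sh
# Added example, not from the thread. Verdicts are strings so they can be tested.

# has_upstream_fix RELEASE -> yes | no | unknown
# Only the 5.8 series is judged: the thread says the fix is queued for 5.8.8.
has_upstream_fix() {
    ver=${1%%[-+]*}                    # "5.8.7-arch1-1" -> "5.8.7"
    maj=${ver%%.*}; rest=${ver#*.}; min=${rest%%.*}
    case $rest in *.*) patch=${rest#*.} ;; *) patch=0 ;; esac
    patch=${patch%%[!0-9]*}            # "7.arch1" -> "7" (pacman-style version)
    for v in "$maj" "$min" "$patch"; do
        case $v in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    done
    if [ "$maj" -ne 5 ] || [ "$min" -ne 8 ]; then echo unknown
    elif [ "$patch" -ge 8 ]; then echo yes
    else echo no
    fi
}

# userns_state CLONE MAXNS -> disabled | enabled | unknown
# CLONE: kernel.unprivileged_userns_clone (distro patch; empty if knob absent)
# MAXNS: user.max_user_namespaces (upstream knob; 0 forbids new user namespaces)
userns_state() {
    if [ "$1" = 0 ] || [ "$2" = 0 ]; then echo disabled
    elif [ -z "$1" ] && [ -z "$2" ]; then echo unknown
    else echo enabled
    fi
}

# assess RELEASE CLONE MAXNS -> one-word verdict
assess() {
    case "$(has_upstream_fix "$1"):$(userns_state "$2" "$3")" in
        yes:*)      echo patched-upstream ;;
        *:disabled) echo mitigated ;;
        no:*)       echo exposed-unless-backported ;;
        *)          echo check-distro-changelog ;;
    esac
}

# Read the live values; a missing /proc file yields an empty string.
audit_host() {
    clone=$(cat /proc/sys/kernel/unprivileged_userns_clone 2>/dev/null || true)
    maxns=$(cat /proc/sys/user/max_user_namespaces 2>/dev/null || true)
    rel=$(uname -r)
    echo "$rel: $(assess "$rel" "$clone" "$maxns")"
}

audit_host
```

To apply the mitigation from post #2 at runtime, run `sysctl -w kernel.unprivileged_userns_clone=0` as root; a file under /etc/sysctl.d/ with the same setting makes it persistent.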
