kernel-packages team mailing list archive
-
kernel-packages team
-
Mailing list archive
-
Message #44538
[Bug 1259570] Re: kexec should get a disabling sysctl
This bug was fixed in the package linux - 3.13.0-8.28
---------------
linux (3.13.0-8.28) trusty; urgency=low
[ Tim Gardner ]
* Release Tracking Bug
- LP: #1278963
[ Paolo Pisati ]
* [Config] armhf: RTC_DRV_PL031=y
[ Serge Hallyn ]
* SAUCE: Overlayfs: allow unprivileged mounts
[ Upstream Kernel Changes ]
* kexec: add sysctl to disable kexec_load
- LP: #1259570
* SELinux: Fix kernel BUG on empty security contexts.
- CVE-2014-1874
-- Tim Gardner <tim.gardner@xxxxxxxxxxxxx> Tue, 11 Feb 2014 08:35:39 -0500
** Changed in: linux (Ubuntu Trusty)
Status: Fix Committed => Fix Released
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2014-1874
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1259570
Title:
kexec should get a disabling sysctl
Status in “linux” package in Ubuntu:
Fix Released
Status in “linux-lts-saucy” package in Ubuntu:
Invalid
Status in “linux” source package in Precise:
Won't Fix
Status in “linux-lts-saucy” source package in Precise:
Fix Committed
Status in “linux” source package in Quantal:
Won't Fix
Status in “linux-lts-saucy” source package in Quantal:
Invalid
Status in “linux” source package in Raring:
Invalid
Status in “linux-lts-saucy” source package in Raring:
Invalid
Status in “linux” source package in Saucy:
Fix Committed
Status in “linux-lts-saucy” source package in Saucy:
Invalid
Status in “linux” source package in Trusty:
Fix Released
Status in “linux-lts-saucy” source package in Trusty:
Invalid
Bug description:
To enable kexec makes sense for a generic distro kernel. But if your
users have root in their virtual machines, and you want to make it
hard for them to run code in ring 0, you commonly disable further
module loading and you also want to disable kexec[1]. Kees Cook wrote
up a patch[2] that we'd like to see applied to the Ubuntu kernel to
avoid recompilation of the distro kernel.
I'm marking this as a security issue on the ground that it's quite
surprising that setting kernel.modules_disabled=1 as a hardening
feature can be subverted by using kexec.
[1] http://mjg59.dreamwidth.org/28746.html
[2] https://lkml.org/lkml/2013/12/9/765
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1259570/+subscriptions
References