[rsbac] Bugfixing the kernel uselib vulnerability

[Andrea Pasquinucci]

On Mon, Jan 10, 2005 at 05:01:52PM +0100, Amon Ott wrote:
* Several new vulnerabilities have been found for kernel 2.4.28, the 
* most important one got known as uselib bug.
* 
* The more or less official bugfix, which also made its way into 
* 2.4.29-rc1, does not apply cleanly to an RSBAC patched kernel. The 
* attached patch is a modified version, which does apply without 
* rejects. The fix should be correct, but please recheck yourself.
* 
* Please note that there have also been several vulnerabilities found in 
* kernel 2.6.10 (as in almost any kernel in the 2.6 series so far). I 
* strongly recommend to at least follow the -ac patches by Alan Cox, if 
* you happen to use 2.6 kernels for production use.
* 
* The pre-patched RSBAC kernels do not contain third party fixes, it is 
* impossible to maintain all these patches here!

I perfectly understand your point, but this creates sometimes a problem
for people like me. Little explanation, I do not have the time right now
to try to patch the kernel (2.6.10 or 2.4.28) with the security fixes,
then try to patch it with rsbac and if succesfull try to compile and if
succesful try it on a machine just to discover that it crashes (kernel
panic on boot). Obviously I did something wrong... But I do not have the
time right now to do anything else, so I have to decide if to keep a
buggy kernel with rsbac or to use a patched vendor kernel without rsbac.
Today I decided for the vendor kernel and to wait until there will be a
patched rsbac kernel (hopefully with 2.6.11).

I suspect that there are many in my situation. So I have a suggestion,
can we try to produce pre-patched RSBAC kernel with the main security
fix ? If we are in at least a few in my situation is also silly that all
of us do the same thing (try to apply the security fix) whereas by
sharing the result we would help each other out.

Andrea