NixOS / security

Roundup: [oss-security] Linux: packet: fix races in fanout_add() (CVE-2017-6346) #121

Closed grahamc closed 7 years ago

grahamc commented 7 years ago

Here is a report from the oss-security mailing list for Vulnerability Roundup 27.

Instructions:

Identification

Identify if we have the software, in 16.09, 17.03, and unstable. Then determine if we are vulnerable, and make a comment with your findings. It can also be helpful to specify if you think there is a patch, or if it can be fixed via a general update.

Example:

unstable: we are not vulnerable (link to the package)
17.03: we are vulnerable (link to the package)
16.09: we don't have it packaged

IMPORTANT: If you believe there are possibly related issues, bring them up on the parent issue!

Patching

Start by commenting on this issue saying you're working on a patch. This way, we don't duplicate work.

If you open a pull request, tag this issue and the master issue for the roundup.

If you commit the patch directly to a branch, please leave a comment on this issue with the branch and the commit hash, example:

fixed:

release-16.09: abc123

Upon Completion ...

Info

Triage Indicator:

-needs-triage +roundup27 thread:0000000000003f11

Should the search term be changed from linux-kernel? Suggest a new package search by commenting:

-suggested:linux-kernel +suggested:correctPackageName thread:0000000000003f11

Known CVEs: CVE-2017-6346


Tue, 28 Feb 2017 17:25:24 +0100 Salvatore Bonaccorso, 20170228162524.47jesr3zopycriir@eldamar.local
Hi

CVE-2017-6346 was assigned by MITRE to the following (via
https://cveform.mitre.org/):

https://git.kernel.org/linus/d199fab63c11998a602205f7ee7ff7c05c97164b

> packet: fix races in fanout_add()
> 
> Multiple threads can call fanout_add() at the same time.
> 
> We need to grab fanout_mutex earlier to avoid races that could
> lead to one thread freeing po->rollover that was set by another thread.
> 
> Do the same in fanout_release(), for peace of mind, and to help us
> finding lockdep issues earlier.

Since 4.2 the races can lead to a use-after-free.

The fix was backported to 4.9.13 as well.

Regards,
Salvatore


fpletz commented 7 years ago

Fixed by a stable kernel update.