From mboxrd@z Thu Jan 1 00:00:00 1970 
From: Peter Müller
To: development@lists.ipfire.org
Subject: Re: [PATCH] kernel: update to 4.14.229
Date: Sat, 10 Apr 2021 15:19:55 +0200
Message-ID: <1ca883ad-af36-240e-8005-0f67b522259f@ipfire.org>

Hello Michael,

thanks for your reply.

> Hello,
>
>> On 10 Apr 2021, at 13:52, Peter Müller wrote:
>>
>> Hello Arne,
>>
>> thank you for this patch.
>>
>> Skimming through it, I stumbled across one small oddity - please see below.
>>
>> Looking at https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.230, I regret to
>> notice Linux 4.14.230 has been released meanwhile, fixing CVE-2021-29154 - for x86_64 only.
>> (Once more, we see 32bit architectures dying away...)
>>
>> Do we consider CVE-2021-29154 critical enough to undergo an update to 4.14.230 in Core Update 157?
>
> Sorry to phrase this in really strong words, but no.
>
> There is *always* another kernel release. And yes, they fix bugs in them. Many, but often generally quite unimportant ones. There is always a corner case when you have a 16PB volume and you write a lot of data on it, that ext4 might lose a byte or something similar. Those bugs do not affect us and we should not assume that most of them would.
>
> If we would treat every bug as a critical one, we would never get a release out. We simply would be busy watching the builders compile one kernel after the other and never have a chance to even boot them and let them run for longer than a day before the next release is out there. We need to draw lines on things.
>
> I agree that that isn’t easy and there will always be something that could be used to form an argument for another update. But this makes testing an absolute waste of time.

ACK.

> If we now take .229 and test it for a while, we would have to start again from zero with .230 and so on. I do not see why that is a price worth paying for a corner-case bug that does not affect anyone.
>
> Ultimately I would like to rebase IPFire on a more recent kernel than 4.14 and keeping ourselves busy with updating 4.14 once another time is moving that further and further away.

Full ACK.

> Regarding CVE-2021-29154: This can be used to gain privileges as an unprivileged user. We do not have any unprivileged users running unknown software on the system. If that is a concern, we could still disable BPF entirely.

Okay, I am fine with this then.

Thanks, and best regards,
Peter Müller

>
> Best,
> -Michael
>
>> Anyway:
>>
>> Reviewed-by: Peter Müller
>>
>> Thanks, and best regards,
>> Peter Müller
>>
>>> Signed-off-by: Arne Fitzenreiter
>>> ---
>>> config/kernel/kernel.config.aarch64-ipfire | 3 +--
>>> config/kernel/kernel.config.armv5tel-ipfire-multi | 3 +--
>>> config/kernel/kernel.config.i586-ipfire | 3 +--
>>> config/kernel/kernel.config.x86_64-ipfire | 3 +--
>>> lfs/linux | 8 ++++----
>>> 5 files changed, 8 insertions(+), 12 deletions(-)
>>>
>>> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/k= ernel.config.aarch64-ipfire >>> index b794cbcf2..9e8563cbd 100644 >>> --- a/config/kernel/kernel.config.aarch64-ipfire >>> +++ b/config/kernel/kernel.config.aarch64-ipfire >>> @@ -1,6 +1,6 @@ >>> # >>> # Automatically generated file; DO NOT EDIT. >>> -# Linux/arm64 4.14.206-ipfire Kernel Configuration >>> +# Linux/arm64 4.14.229 Kernel Configuration >> >> Just a very minor comment: Is this intentional? >> >>> # >>> CONFIG_ARM64=3Dy >>> CONFIG_64BIT=3Dy 
>>> @@ -5050,7 +5050,6 @@ CONFIG_USB_LCD=3Dm >>> CONFIG_USB_FTDI_ELAN=3Dm >>> # CONFIG_USB_APPLEDISPLAY is not set >>> CONFIG_USB_SISUSBVGA=3Dm >>> -CONFIG_USB_SISUSBVGA_CON=3Dy >>> # CONFIG_USB_LD is not set >>> # CONFIG_USB_TRANCEVIBRATOR is not set >>> CONFIG_USB_IOWARRIOR=3Dm >>> diff --git a/config/kernel/kernel.config.armv5tel-ipfire-multi b/config/k= ernel/kernel.config.armv5tel-ipfire-multi >>> index 3c26a3ce2..c40eb9f55 100644 >>> --- a/config/kernel/kernel.config.armv5tel-ipfire-multi >>> +++ b/config/kernel/kernel.config.armv5tel-ipfire-multi >>> @@ -1,6 +1,6 @@ >>> # >>> # Automatically generated file; DO NOT EDIT. >>> -# Linux/arm 4.14.206-ipfire-multi Kernel Configuration >>> +# Linux/arm 4.14.229-ipfire-multi Kernel Configuration >>> # >>> CONFIG_ARM=3Dy >>> CONFIG_ARM_HAS_SG_CHAIN=3Dy >>> @@ -5457,7 +5457,6 @@ CONFIG_USB_LCD=3Dm >>> CONFIG_USB_FTDI_ELAN=3Dm >>> # CONFIG_USB_APPLEDISPLAY is not set >>> CONFIG_USB_SISUSBVGA=3Dm >>> -CONFIG_USB_SISUSBVGA_CON=3Dy >>> # CONFIG_USB_LD is not set >>> # CONFIG_USB_TRANCEVIBRATOR is not set >>> CONFIG_USB_IOWARRIOR=3Dm >>> diff --git a/config/kernel/kernel.config.i586-ipfire b/config/kernel/kern= el.config.i586-ipfire >>> index 8cac7cd45..448b8a84b 100644 >>> --- a/config/kernel/kernel.config.i586-ipfire >>> +++ b/config/kernel/kernel.config.i586-ipfire >>> @@ -1,6 +1,6 @@ >>> # >>> # Automatically generated file; DO NOT EDIT. >>> -# Linux/x86 4.14.206-ipfire Kernel Configuration >>> +# Linux/x86 4.14.229 Kernel Configuration >>> # >>> # CONFIG_64BIT is not set >>> CONFIG_X86_32=3Dy >>> @@ -5179,7 +5179,6 @@ CONFIG_USB_LCD=3Dm >>> CONFIG_USB_FTDI_ELAN=3Dm >>> # CONFIG_USB_APPLEDISPLAY is not set >>> CONFIG_USB_SISUSBVGA=3Dm >>> -CONFIG_USB_SISUSBVGA_CON=3Dy >>> # CONFIG_USB_LD is not set >>> # CONFIG_USB_TRANCEVIBRATOR is not set >>> CONFIG_USB_IOWARRIOR=3Dm >>> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/ke= rnel.config.x86_64-ipfire >>> index 4dec50605..65c365c1b 100644 
>>> --- a/config/kernel/kernel.config.x86_64-ipfire >>> +++ b/config/kernel/kernel.config.x86_64-ipfire >>> @@ -1,6 +1,6 @@ >>> # >>> # Automatically generated file; DO NOT EDIT. >>> -# Linux/x86 4.14.206-ipfire Kernel Configuration >>> +# Linux/x86 4.14.229 Kernel Configuration >>> # >>> CONFIG_64BIT=3Dy >>> CONFIG_X86_64=3Dy >>> @@ -5021,7 +5021,6 @@ CONFIG_USB_LCD=3Dm >>> CONFIG_USB_FTDI_ELAN=3Dm >>> # CONFIG_USB_APPLEDISPLAY is not set >>> CONFIG_USB_SISUSBVGA=3Dm >>> -CONFIG_USB_SISUSBVGA_CON=3Dy >>> # CONFIG_USB_LD is not set >>> # CONFIG_USB_TRANCEVIBRATOR is not set >>> CONFIG_USB_IOWARRIOR=3Dm >>> diff --git a/lfs/linux b/lfs/linux >>> index 5abc6f93a..86acc14f7 100644 >>> --- a/lfs/linux >>> +++ b/lfs/linux >>> @@ -24,8 +24,8 @@ >>> >>> include Config >>> >>> -VER =3D 4.14.212 >>> -ARM_PATCHES =3D 4.14.212-ipfire0 >>> +VER =3D 4.14.229 >>> +ARM_PATCHES =3D 4.14.229-ipfire0 >>> >>> THISAPP =3D linux-$(VER) >>> DL_FILE =3D linux-$(VER).tar.xz >>> @@ -79,8 +79,8 @@ objects =3D$(DL_FILE) \ >>> $(DL_FILE) =3D $(URL_IPFIRE)/$(DL_FILE) >>> arm-multi-patches-$(ARM_PATCHES).patch.xz =3D $(URL_IPFIRE)/arm-multi-pat= ches-$(ARM_PATCHES).patch.xz >>> >>> -$(DL_FILE)_MD5 =3D 645d5256adf72569e14edcf80c3757dc >>> -arm-multi-patches-$(ARM_PATCHES).patch.xz_MD5 =3D 2b0e8e3ebe9827b2bfed73= 97b043dbc5 >>> +$(DL_FILE)_MD5 =3D 9d4cf6e9ffff893d8a2ecea6a8c5a15b >>> +arm-multi-patches-$(ARM_PATCHES).patch.xz_MD5 =3D a04b842733999abb818cab= b0388572b8 >>> >>> install : $(TARGET) >=20 --===============4330233977145365457==--
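
Review bot: The regenerated header comment in the aarch64, i586 and x86_64 configs loses the "-ipfire" suffix ("4.14.206-ipfire" becomes "4.14.229"), while the armv5tel-ipfire-multi config keeps "-ipfire-multi". Please confirm that the local version string is still applied on those three architectures, because the kernel release string determines the module directory name and nothing else in the visible hunks shows where the suffix is set. If the difference only comes from how the configs were regenerated, regenerating all four the same way would keep the headers consistent.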
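
Review bot: "CONFIG_USB_SISUSBVGA_CON=y" is removed from all four configs, but the commit message visible here says only "update to 4.14.229". Please add a line to the commit message stating whether the option disappeared when the configs were regenerated against the new source or was switched off deliberately, so that a later reader of the history does not have to guess.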
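
Review bot: In the second lfs/linux hunk the kernel tarball and the ARM patch set fetched from $(URL_IPFIRE) are pinned only by their "_MD5" values. MD5 is no longer collision resistant and is a weak basis for pinning a kernel source tarball. Suggest recording a SHA-256 or stronger digest alongside or instead of MD5 if the lfs framework supports one, and checking the new tarball against the signed checksums kernel.org publishes before updating the value.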