From mboxrd@z Thu Jan  1 00:00:00 1970
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] kernel: update to 4.14.229
Date: Sat, 10 Apr 2021 14:11:47 +0100
Message-ID: <CF81AD76-1770-4E42-BB08-092866D075F5@ipfire.org>
In-Reply-To: <0c7cc06a-6cba-f212-338b-dfedc4b13cb4@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============3433377070300024724=="
List-Id: <development.lists.ipfire.org>

--===============3433377070300024724==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hello,

> On 10 Apr 2021, at 13:52, Peter M=C3=BCller <peter.mueller(a)ipfire.org> wr=
ote:
>=20
> Hello Arne,
>=20
> thank you for this patch.
>=20
> Skimming through it, I stumbled across one small oddity - please see below.
>=20
> Looking at https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.230,=
 I regret to
> notice Linux 4.14.230 has been released meanwhile, fixing CVE-2021-29154 - =
for x86_64 only.
> (Once more, we see 32bit architectures dying away...)
>=20
> Do we consider CVE-2021-29154 critical enough to undergo an update to 4.14.=
230 in Core Update 157?

Sorry to phrase this in really strong words, but no.

There is *always* another kernel release. Any yes, they fix bugs in them. Man=
y, but often generally quite unimportant ones. There is always a corner case =
when you have a 16PB volume and you write a lot of data on it, that ext4 migh=
t lose a byte or something similar. Those bugs do not affect us and we should=
 not assume that most of them would.

If we would treat every bug as a critical one, we would never get a release o=
ut. We simply would be busy watching the builders compile one kernel after th=
e other and never have a chance to even boot them and let them run for longer=
 than a day before the next release is out there. We need to draw lines on th=
ings.

I agree that that isn=E2=80=99t easy and there will always be something that =
could be used to form an argument for another update. But this makes testing =
an absolute waste of time.

If we now take .229 and test it for a while, we would have to start again fro=
m zero with .230 and so on. I do not see why that is a price worth paying for=
 a corner-case bug that does not affect anyone.

Ultimately I would like to rebase IPFire on a more recent kernel than 4.14 an=
d keeping ourselves busy with updating 4.14 once another time is moving that =
further and further away.

Regarding CVE-2021-29154: This can be used to gain privileges as an unprivile=
ged user. We do not have any unprivileged users running unkwown software on t=
he system. If that is a concern, we could still disable BPF entirely.

Best,
-Michael

> Anyway:
>=20
> Reviewed-by: Peter M=C3=BCller <peter.mueller(a)ipfire.org>
>=20
> Thanks, and best regards,
> Peter M=C3=BCller
>=20
>> Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>
>> ---
>> config/kernel/kernel.config.aarch64-ipfire        | 3 +--
>> config/kernel/kernel.config.armv5tel-ipfire-multi | 3 +--
>> config/kernel/kernel.config.i586-ipfire           | 3 +--
>> config/kernel/kernel.config.x86_64-ipfire         | 3 +--
>> lfs/linux                                         | 8 ++++----
>> 5 files changed, 8 insertions(+), 12 deletions(-)
>>=20
>> diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/ke=
rnel.config.aarch64-ipfire
>> index b794cbcf2..9e8563cbd 100644
>> --- a/config/kernel/kernel.config.aarch64-ipfire
>> +++ b/config/kernel/kernel.config.aarch64-ipfire
>> @@ -1,6 +1,6 @@
>> #
>> # Automatically generated file; DO NOT EDIT.
>> -# Linux/arm64 4.14.206-ipfire Kernel Configuration
>> +# Linux/arm64 4.14.229 Kernel Configuration
>=20
> Just a very minor comment: Is this intentional?
>=20
>> #
>> CONFIG_ARM64=3Dy
>> CONFIG_64BIT=3Dy
>> @@ -5050,7 +5050,6 @@ CONFIG_USB_LCD=3Dm
>> CONFIG_USB_FTDI_ELAN=3Dm
>> # CONFIG_USB_APPLEDISPLAY is not set
>> CONFIG_USB_SISUSBVGA=3Dm
>> -CONFIG_USB_SISUSBVGA_CON=3Dy
>> # CONFIG_USB_LD is not set
>> # CONFIG_USB_TRANCEVIBRATOR is not set
>> CONFIG_USB_IOWARRIOR=3Dm
>> diff --git a/config/kernel/kernel.config.armv5tel-ipfire-multi b/config/ke=
rnel/kernel.config.armv5tel-ipfire-multi
>> index 3c26a3ce2..c40eb9f55 100644
>> --- a/config/kernel/kernel.config.armv5tel-ipfire-multi
>> +++ b/config/kernel/kernel.config.armv5tel-ipfire-multi
>> @@ -1,6 +1,6 @@
>> #
>> # Automatically generated file; DO NOT EDIT.
>> -# Linux/arm 4.14.206-ipfire-multi Kernel Configuration
>> +# Linux/arm 4.14.229-ipfire-multi Kernel Configuration
>> #
>> CONFIG_ARM=3Dy
>> CONFIG_ARM_HAS_SG_CHAIN=3Dy
>> @@ -5457,7 +5457,6 @@ CONFIG_USB_LCD=3Dm
>> CONFIG_USB_FTDI_ELAN=3Dm
>> # CONFIG_USB_APPLEDISPLAY is not set
>> CONFIG_USB_SISUSBVGA=3Dm
>> -CONFIG_USB_SISUSBVGA_CON=3Dy
>> # CONFIG_USB_LD is not set
>> # CONFIG_USB_TRANCEVIBRATOR is not set
>> CONFIG_USB_IOWARRIOR=3Dm
>> diff --git a/config/kernel/kernel.config.i586-ipfire b/config/kernel/kerne=
l.config.i586-ipfire
>> index 8cac7cd45..448b8a84b 100644
>> --- a/config/kernel/kernel.config.i586-ipfire
>> +++ b/config/kernel/kernel.config.i586-ipfire
>> @@ -1,6 +1,6 @@
>> #
>> # Automatically generated file; DO NOT EDIT.
>> -# Linux/x86 4.14.206-ipfire Kernel Configuration
>> +# Linux/x86 4.14.229 Kernel Configuration
>> #
>> # CONFIG_64BIT is not set
>> CONFIG_X86_32=3Dy
>> @@ -5179,7 +5179,6 @@ CONFIG_USB_LCD=3Dm
>> CONFIG_USB_FTDI_ELAN=3Dm
>> # CONFIG_USB_APPLEDISPLAY is not set
>> CONFIG_USB_SISUSBVGA=3Dm
>> -CONFIG_USB_SISUSBVGA_CON=3Dy
>> # CONFIG_USB_LD is not set
>> # CONFIG_USB_TRANCEVIBRATOR is not set
>> CONFIG_USB_IOWARRIOR=3Dm
>> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/ker=
nel.config.x86_64-ipfire
>> index 4dec50605..65c365c1b 100644
>> --- a/config/kernel/kernel.config.x86_64-ipfire
>> +++ b/config/kernel/kernel.config.x86_64-ipfire
>> @@ -1,6 +1,6 @@
>> #
>> # Automatically generated file; DO NOT EDIT.
>> -# Linux/x86 4.14.206-ipfire Kernel Configuration
>> +# Linux/x86 4.14.229 Kernel Configuration
>> #
>> CONFIG_64BIT=3Dy
>> CONFIG_X86_64=3Dy
>> @@ -5021,7 +5021,6 @@ CONFIG_USB_LCD=3Dm
>> CONFIG_USB_FTDI_ELAN=3Dm
>> # CONFIG_USB_APPLEDISPLAY is not set
>> CONFIG_USB_SISUSBVGA=3Dm
>> -CONFIG_USB_SISUSBVGA_CON=3Dy
>> # CONFIG_USB_LD is not set
>> # CONFIG_USB_TRANCEVIBRATOR is not set
>> CONFIG_USB_IOWARRIOR=3Dm
>> diff --git a/lfs/linux b/lfs/linux
>> index 5abc6f93a..86acc14f7 100644
>> --- a/lfs/linux
>> +++ b/lfs/linux
>> @@ -24,8 +24,8 @@
>>=20
>> include Config
>>=20
>> -VER         =3D 4.14.212
>> -ARM_PATCHES =3D 4.14.212-ipfire0
>> +VER         =3D 4.14.229
>> +ARM_PATCHES =3D 4.14.229-ipfire0
>>=20
>> THISAPP    =3D linux-$(VER)
>> DL_FILE    =3D linux-$(VER).tar.xz
>> @@ -79,8 +79,8 @@ objects =3D$(DL_FILE) \
>> $(DL_FILE)					=3D $(URL_IPFIRE)/$(DL_FILE)
>> arm-multi-patches-$(ARM_PATCHES).patch.xz	=3D $(URL_IPFIRE)/arm-multi-patc=
hes-$(ARM_PATCHES).patch.xz
>>=20
>> -$(DL_FILE)_MD5					=3D 645d5256adf72569e14edcf80c3757dc
>> -arm-multi-patches-$(ARM_PATCHES).patch.xz_MD5	=3D 2b0e8e3ebe9827b2bfed739=
7b043dbc5
>> +$(DL_FILE)_MD5					=3D 9d4cf6e9ffff893d8a2ecea6a8c5a15b
>> +arm-multi-patches-$(ARM_PATCHES).patch.xz_MD5	=3D a04b842733999abb818cabb=
0388572b8
>>=20
>> install : $(TARGET)


--===============3433377070300024724==--