Deepin Kernel needs Updates
nhoya
deepin
2016-10-22 12:38
Author
Edited by nhoya at 2016-10-24 22:57

I tried to compile the kernel from sources and, to my big surprise, I saw this:

  fakeroot make -f debian/rules orig
  mkdir -p ../orig
  wget -c https://www.kernel.org/pub/linux/kernel/v4.x/testing/linux-4.4-rc6.tar.xz -O ../orig/linux-4.4-rc6.tar.xz || (echo "removing ../orig/linux-4.4-rc6.tar.xz"; rm -fr ../orig/linux-4.4-rc6.tar.xz; exit 1)
  --2016-10-21 21:53:56--  https://www.kernel.org/pub/linux/kernel/v4.x/testing/linux-4.4-rc6.tar.xz
  Risoluzione di www.kernel.org (www.kernel.org)... 149.20.4.69, 198.145.20.140, 199.204.44.194, ...
  Connessione a www.kernel.org (www.kernel.org)|149.20.4.69|:443... connesso.
  Richiesta HTTP inviata, in attesa di risposta... 200 OK
  Lunghezza: 87271788 (83M) [application/x-xz]
  Salvataggio in: "../orig/linux-4.4-rc6.tar.xz"

  ../orig/linux-4.4-rc6.tar.xz               100%[=======================================================================================>]  83,23M  1,13MB/s   in 75s

  2016-10-21 21:55:12 (1,11 MB/s) - "../orig/linux-4.4-rc6.tar.xz" salvato [87271788/87271788]

WTF is going on? Why is the Deepin kernel based on 4.4-rc6, which was dropped a long, long time ago? The kernel needs instant updates and security fixes ASAP.



***UPDATE 23/10/2016***: I found the kernel is vulnerable to really old, already patched exploits like the one related to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4557, patched 5 months ago.
Read here: https://www.reddit.com/r/linux/c ... _de_but_0_security/


***UPDATE 23/10/2016***
Actually they have a wrong master branch, old and outdated; the new one is 4.4-02, now based on 4.4.26. The PoCs were tested on the current 4.4.0-2-deepin-amd64 #1 SMP Deepin 4.4.6-4 (2016-07-01) x86_64 GNU/Linux. The fix has been released and will be pushed soon. Thank you all for sharing.
All Replies
doorsoft
deepin
2016-10-22 17:10
#1
uname -a

4.4.0-2-deepin-amd64 #1 SMP Deepin 4.4.6-4 (2016-07-01) x86_64 GNU/Linux

uname -mrs

Linux 4.4.0-2-deepin-amd64 x86_64

menny
deepin
2016-10-22 17:56
#2
nhoya
deepin
2016-10-23 01:58
#3
Edited by nhoya at 2016-10-22 18:14

In the blog article I see this:
...
    Follow CVE announcements, fix kernel security issues in real-time -> not real time; the kernel is still vulnerable to Dirty Cow (patch released in mainline 4 days ago --- edit: fixed today after a bug report on Bugzilla, but still not committed)
    Keep the major version of kernel in line with Debian official version -> the kernel of Debian sid isn't 4.4-rc6 anymore
    ...
nhoya
deepin
2016-10-23 02:31
#4
Edited by nhoya at 2016-10-24 04:21
https://bbs.deepin.org/post/31654
uname -a

4.4.0-2-deepin-amd64 #1 SMP Deepin 4.4.6-4 (2016-07-01) x86_64 GNU/Linux

uname is not a guarantee; I'm talking about what the build from source does. And btw, you can change the kernel name.


Oh, and btw, last update: 2016-07-01, and today is 2016-10-22; the last security update was released in Debian on 2016-10-19. So yes, the kernel is outdated.
com_bvv
deepin
2016-10-23 03:30
#5
Last kernel may appear in Deepin 16.
nhoya
deepin
2016-10-23 03:37
#6
https://bbs.deepin.org/post/31654
Last kernel may appear in Deepin 16.

Again, the point is not the version of the kernel but the security patches related to it. rc6 is dropped, rc8 too; 4.4 is now LTS.
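Posts #4 and #6 above make two defender-side points explicit: the kernel name reported by uname can be set to anything at build time, so it proves nothing about which fixes are in the binary, and a release-candidate tag such as 4.4-rc6 sits below the final 4.4 and every 4.4.x stable release. The Python below is an added example (not code from this thread or from the Deepin project) of checking both properly: it orders upstream version strings with rc tags, pulls the package version and build date out of `uname -v` as quoted in this thread, and parses a Debian-format package changelog to see which CVEs the installed package actually claims to fix. It assumes the Debian package layout (changelog at /usr/share/doc/linux-image-<uname -r>/changelog.Debian.gz) for the installed kernel; the changelog texts in the block are constructed samples. The identifiers are CVE-2016-4557 from the first post and CVE-2016-5195, which is Dirty COW.

```python
import gzip
import re
from pathlib import Path
from typing import Iterable, Set

# CVE identifiers as they appear in Debian changelog entries.
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# Debian changelog entry header, e.g. "linux (4.4.6-4) unstable; urgency=high".
ENTRY_RE = re.compile(r"^(\S+) \(([^)]+)\) \S+; urgency=\S+", re.MULTILINE)
# Package version and build date embedded in `uname -v`,
# e.g. "#1 SMP Deepin 4.4.6-4 (2016-07-01)" as quoted in this thread.
UNAME_V_RE = re.compile(
    r"(?P<pkgver>\d+\.\d+(?:\.\d+)?(?:-\S+)?) \((?P<date>\d{4}-\d{2}-\d{2})\)")

# CVEs discussed in the thread: CVE-2016-4557 (first post) and Dirty COW (CVE-2016-5195).
THREAD_CVES = ("CVE-2016-4557", "CVE-2016-5195")


def kernel_version_key(version: str) -> tuple:
    """Sort key for upstream kernel versions ('4.4-rc6', '4.4', '4.4.26').

    A release candidate sorts before the final release it precedes, and
    stable point releases sort after the .0 release.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised kernel version: {version!r}")
    major, minor, patch, rc = m.groups()
    # The 0/1 flag puts rcN of a version before that version's final release.
    return (int(major), int(minor), int(patch or 0), 0 if rc else 1, int(rc or 0))


def parse_uname_v(uname_v: str) -> dict:
    """Pull the distro package version and build date out of `uname -v`."""
    m = UNAME_V_RE.search(uname_v)
    if not m:
        raise ValueError(f"no package version/date in: {uname_v!r}")
    return {"package_version": m["pkgver"], "build_date": m["date"]}


def changelog_entries(text: str) -> list:
    """Split a Debian changelog into entries with the CVE ids each one mentions."""
    headers = list(ENTRY_RE.finditer(text))
    entries = []
    for i, h in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        body = text[h.end():end]
        entries.append({"source": h.group(1), "version": h.group(2),
                        "cves": set(CVE_RE.findall(body))})
    return entries


def missing_cves(changelog: str, required: Iterable[str]) -> Set[str]:
    """Return the required CVE ids that no changelog entry claims to address."""
    mentioned = set()
    for entry in changelog_entries(changelog):
        mentioned |= entry["cves"]
    return set(required) - mentioned


def installed_changelog(uname_r: str) -> str:
    """Read the installed kernel package's changelog (Debian layout, assumed for Deepin)."""
    path = Path(f"/usr/share/doc/linux-image-{uname_r}/changelog.Debian.gz")
    with gzip.open(path, "rt", encoding="utf-8", errors="replace") as fh:
        return fh.read()


# Constructed sample changelogs (not real Deepin changelog text).
UNPATCHED_CHANGELOG = """\
linux (4.4.6-4) unstable; urgency=high

  * Rebuild for the 15.3 release (constructed sample entry).

 -- Example Maintainer <maintainer@example.invalid>  Fri, 01 Jul 2016 12:00:00 +0800

linux (4.4.6-3) unstable; urgency=medium

  * Import upstream stable release 4.4.6 (constructed sample entry).

 -- Example Maintainer <maintainer@example.invalid>  Mon, 21 Mar 2016 12:00:00 +0800
"""

PATCHED_CHANGELOG = """\
linux (4.4.26-1) unstable; urgency=high

  * Import upstream stable release 4.4.26 (constructed sample entry).
  * Fix CVE-2016-5195 (Dirty COW).
  * Fix CVE-2016-4557.

 -- Example Maintainer <maintainer@example.invalid>  Mon, 24 Oct 2016 12:00:00 +0800
""" + UNPATCHED_CHANGELOG


if __name__ == "__main__":
    build = parse_uname_v("#1 SMP Deepin 4.4.6-4 (2016-07-01)")
    print("package", build["package_version"], "built", build["build_date"])
    for label, log in (("unpatched", UNPATCHED_CHANGELOG), ("patched", PATCHED_CHANGELOG)):
        print(label, "still missing:", sorted(missing_cves(log, THREAD_CVES)) or "nothing")
    print(sorted(["4.4.26", "4.4-rc6", "4.4", "4.4-rc8"], key=kernel_version_key))
```

On a live machine, replace the constructed text with `installed_changelog(uname_r)` where `uname_r` is the output of `uname -r`; a CVE the changelog never names is a reason to go and look, not proof of exposure, since a stable import (such as "4.4.26") can carry a fix without listing its identifier.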
horvan
deepin
2016-10-24 02:47
#7
Have you used the GitHub repo to compile the kernel? I dropped an issue there and have linked to your post here, so the developers should get a mail about this!
nhoya
deepin
2016-10-24 06:39
#8
Edited by nhoya at 2016-10-23 22:49
https://bbs.deepin.org/post/31654
have you used the github repo to compile the kernel? I dropped an issue there and have linked to you ...

Yes I did, and the result is what you see in the first post.

Developers actually know about that: https://bugzilla.deepin.io/show_bug.cgi?id=10457 but no answers or patches have been released.
horvan
deepin
2016-10-24 08:57
#9
Well, on 2016-07-01 they deployed deepin 15.3 to deepin.com. Maybe there will be an incremental patch when they have time to do it. They know about it. So I see your point: security first. They should and must fix this ASAP.
nhoya
deepin
2016-10-24 10:19
#10
Thread updated
makkon
deepin
2016-10-24 10:57
#11
Edited by makkon at 2016-10-24 19:44

Deepin kernel 4.4.9
Linux kernel 4.4.26
"- Can be updated in the next release .."
When can we expect it?
m***[email protected]
deepin
2016-10-24 23:46
#12
I hope the Deepin Team will base their kernel on the latest Linux version.
As we can see on Linux.org, the current stable Linux version is 4.8.4, and the LTS is 4.4.27.

Fingers crossed for Deepin 15.4.
doorsoft
deepin
2016-10-25 08:37
#13
I think you are worried for nothing. The security updates are "updated"; you can follow them from the blog:

http://blog.deepin.org/2016/10/s ... 30-1-dsa-3631-1-ds/
makkon
deepin
2016-10-25 08:46
#14
Sorry, thanks for the reply.
Respect to you team DEEPIN!
nhoya
deepin
2016-10-25 08:53
#15
Edited by nhoya at 2016-10-25 02:36
https://bbs.deepin.org/post/31654
i think you are worried for nothing.. the security updates are "updated"... you can follow it from t ...

https://www.exploit-db.com/exploits/39772/ this is still valid. Please test it.

Oh, and you are linking security patches relating to other software, not the kernel. Please take a look at what you link before actually linking it.
nhoya
deepin
2016-10-26 12:23
#16
Hope a new version will be released soon; I added a little PoC:
https://www.youtube.com/watch?v=9hpAp3sVnHE
HualetWang
deepin
2016-10-27 19:44
#17
We've got a plan, see https://bbs.deepin.org/post/31499