switching to leap | Kernel Issue

Bongi · March 13, 2022, 10:59am

Hi folks,
can someone tell me which kernel actually version is coming with leap?
Would like to avoid “dirty pipe” and tumbleweed is susceptible unfortunately.

cheers

hcvv · March 13, 2022, 12:00pm

henk@boven:~> cat /etc/os-release 
NAME="openSUSE Leap"
VERSION="15.3"
ID="opensuse-leap"
ID_LIKE="suse opensuse"
VERSION_ID="15.3"
PRETTY_NAME="openSUSE Leap 15.3"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:opensuse:leap:15.3"
BUG_REPORT_URL="https://bugs.opensuse.org"
HOME_URL="https://www.opensuse.org/"
henk@boven:~>

henk@boven:~> uname -r
5.3.18-150300.59.49-default
henk@boven:~>

arvidjaar · March 13, 2022, 12:59pm

AFAIK it is fixed in kernel 5.6.11 which is in Tumbleweed as of this posting.

hcvv · March 13, 2022, 1:02pm

The above is not complete up-to-date because I only update once a week. In the update repo there is: 5.3.18-150300.59.54-default (with 5 security patches and a few non-security ones)…

r0ckhopper · March 13, 2022, 1:19pm

The Dirty Pipe Vulnerability was publicly disclosed on 7th March - https://dirtypipe.cm4all.com/

The vulnerability was fixed in Linux Kernel 5.16.11, which was published in the 20220226 Tumbleweed snapshot on 27th February - https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/VNAE5YA22EGNX45POA336HVHDDDDK3I5/
To claim in your post on 13th March that “tumbleweed is susceptible unfortunately” is FUD - https://en.wikipedia.org/wiki/Fear,_uncertainty,_and_doubt

Sauerland · March 13, 2022, 1:28pm

Maybe 5.16.11:

* Di Mär 08 2022 jslaby@suse.cz
- Update
  patches.kernel.org/5.16.11-207-lib-iov_iter-initialize-flags-in-new-pipe_buf.patch
  (bsc#1012628 bsc#1196584 CVE-2022-0847).

Or for Leap 15.3:

rpm -ql --changelog http://download.opensuse.org/update/leap/15.3/sle/x86_64/kernel-default-5.3.18-150300.59.54.1.x86_64.rpm | grep -iB 50 'CVE-2022-0847'
* Fr Mär 04 2022 tiwai@suse.de
- Revert PCI MSI-X patch that caused a regression on network devices (bsc#1196403)
  Deleted:
  patches.suse/PCI-MSI-Mask-MSI-X-vectors-only-on-success.patch
- commit 0c68bb9

* Fr Mär 04 2022 tiwai@suse.de
- Update patch reference for iov security fix (CVE-2022-0847 bsc#1196584)

So CVE-2022-0847 should be fixed in actual openSUSE kernel.

Bongi · March 13, 2022, 2:57pm

@hcvv
thanks! exactly what I was looking for!

@all
I see…seems like i missed something :shame:

Bongi · March 13, 2022, 2:59pm

Sauerland:

Maybe 5.16.11:

* Di Mär 08 2022 jslaby@suse.cz
- Update
  patches.kernel.org/5.16.11-207-lib-iov_iter-initialize-flags-in-new-pipe_buf.patch
  (bsc#1012628 bsc#1196584 CVE-2022-0847).

May I ask how did you get/retrieve this info?
which command is to run ?

Sauerland · March 13, 2022, 3:48pm

rpm -ql --changelog kernel-default | grep -iB 50 'CVE-2022-0847'

-b 50 = show also 50 lines before the term because the log has often many changes in one kernel-version.

Bongi · March 13, 2022, 3:56pm

thanks a lot !