
Kernel Security Guide

Contents:

1. Public vulnerability bug management

Status whiteboard rules 

The status whiteboard in Bugzilla lets us keep track of the category the bug falls into and its status. It should follow this pattern: "[kernelline] vulntype: keywords", where:

| Element | Content | Example |
|---|---|---|
| kernelline | Affected kernel lines (empty means unknown) | [2.6] |
| vulntype | The vulnerability type and configuration modifier (empty means unknown) | LocalRoot- |
| keywords | Optional extra keyword(s), as defined below | needPatch |

Example kernellines:

| Kernel line | Description |
|---|---|
| [2.6] | Only 2.6 kernels are affected |
| [2.6 < 2.6.10] | Only 2.6 kernels before 2.6.10 are affected |
| [2.4 2.6] | 2.4 and 2.6 kernels are affected |
| (no value) | Affected kernel lines are still unknown |

The following vulnerability types are accepted:

| Type | Description |
|---|---|
| RemoteRoot | Remote root compromise |
| RemoteDoS | Remote denial of service |
| LocalRoot | Flaw allowing privilege escalation for local unprivileged processes |
| RemoteOther | Other remote flaws, including memory leaks |
| LocalDoS | Local user can crash the machine or otherwise deny service to other users |
| LocalOther | Other local flaws, including local information leaks |

The following configuration modifiers are allowed:

| Configuration modifier | Description |
|---|---|
| + | All configurations (or default configurations) are affected |
| - | Only specific configurations are affected |
| (no value) | Affected configurations are still unknown |

The following extra keywords are allowed:

| Keyword | Description |
|---|---|
| inKiss | The bug has been entered into the KISS system |
| needPatch | The bug still needs patches |
| patching | Maintainers have been called to patch their kernels |

Bug severity depending on vulnerability type 

| Severity | Vulnerability types |
|---|---|
| Blocker | RemoteRoot+ RemoteRoot- |
| Critical | RemoteDoS+ LocalRoot+ |
| Major | RemoteDoS- LocalRoot- RemoteOther+ |
| Normal | LocalDoS+ RemoteOther- |
| Minor | LocalDoS- LocalOther+ |
| Trivial | LocalOther- |

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
Updated March 29, 2005
Author: Thierry Carrez

Summary: This document contains procedures, tips and tricks applying to the Kernel security maintainer job.

Copyright 2001-2003 Gentoo Technologies, Inc. Questions, Comments, Corrections? Email www@gentoo.org.