This past week there has been a lot of hype about CVE-2016-10229 which seems to have been one of those "just a bug" bugs that later turned out to be exploitable. The description:
udp.c in the Linux kernel before 4.5 allows remote attackers to
execute arbitrary code via UDP traffic that triggers an unsafe
second checksum calculation during execution of a recv system call
with the MSG_PEEK flag.
implies that Linux versions before Linux 4.5 are vulnerable, which seems to have led to misleading things like Security Focus listing dozens of Linux versions as vulnerable.
But according to the author of the patch, "Whoever said that linux [before] 4.5 was vulnerable made a mistake", and only kernels which had Linux kernel git commit 89c22d8c3b278212eef6a8cc66b570bc840a6f5a backported need the fix, which is in Linux kernel git commit 197c949e7798fbf28cfadc69d9ca0c2abbf93191. The fix was created in late 2015, and applied to the main Linux git repository in early 2016.
Debian patched CVE-2016-10229 before there was any CVE assigned, as a result of Debian Bug #808293 where UDP in IPv6 did not always work correctly. The fix was released in, eg, Debian Linux kernel 3.2.73-2+deb7u2 (for Debian Squeeze):
ewen@debian-squeeze:~$ zgrep -A 18 3.2.73-2+deb7u2 /usr/share/doc/linux-image-3.2.0-4-686-pae/changelog.Debian.gz | egrep "udp|808293|-- |^ *$"
* udp: properly support MSG_PEEK with truncated buffers
(Closes: #808293, regression in 3.2.72)
-- Ben Hutchings [...email omitted...] Sat, 02 Jan 2016 03:31:22 +0000
ewen@debian-squeeze:~$
in January 2016, which means that Debian Squeeze has not been vulnerable since very early 2016.
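One way to automate the changelog check above, as an added example that is not part of the original post: a small Python parser for Debian changelog stanzas that reports the first release closing a given bug number (here #808293). Since the installed changelog.Debian.gz only lists releases up to the installed package version, the fix entry being present means the installed kernel carries the fix. The changelog text below is constructed from the entry quoted above plus invented neighbouring entries; maintainer names, addresses and the extra entries are placeholders.

```python
import re

# Constructed sample in Debian changelog format (newest entry first), standing in
# for /usr/share/doc/linux-image-*/changelog.Debian.gz. Maintainer lines are placeholders.
SAMPLE_CHANGELOG = """\
linux (3.2.73-2+deb7u3) stable-security; urgency=medium

  * Unrelated later fix (constructed entry)

 -- Example Maintainer <maint@example.invalid>  Tue, 02 Feb 2016 12:00:00 +0000

linux (3.2.73-2+deb7u2) stable-security; urgency=medium

  * udp: properly support MSG_PEEK with truncated buffers
    (Closes: #808293, regression in 3.2.72)

 -- Ben Hutchings <email-omitted@example.invalid>  Sat, 02 Jan 2016 03:31:22 +0000

linux (3.2.73-2+deb7u1) stable-security; urgency=medium

  * Unrelated earlier fix (constructed entry)

 -- Example Maintainer <maint@example.invalid>  Thu, 10 Dec 2015 09:00:00 +0000
"""

# Stanza header: "package (version) distribution; urgency=..."
HEADER_RE = re.compile(r"^(?P<pkg>\S+) \((?P<version>[^)]+)\) (?P<dist>\S+); ")
# Stanza trailer: " -- Name <email>  date" (two spaces before the date)
TRAILER_RE = re.compile(r"^ -- .*?  (?P<date>.+)$")


def parse_changelog(text):
    """Return a list of (version, body_lines, date) stanzas, newest first."""
    entries, version, body = [], None, []
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            version, body = header.group("version"), []
        elif version is not None:
            trailer = TRAILER_RE.match(line)
            if trailer:
                entries.append((version, body, trailer.group("date")))
                version = None
            else:
                body.append(line)
    return entries


def find_fix(text, bug_id):
    """Return (version, date) of the oldest stanza whose 'Closes:' lists bug_id, else None."""
    pattern = re.compile(r"Closes:[^)]*#%d\b" % bug_id)
    for version, body, date in reversed(parse_changelog(text)):
        if pattern.search("\n".join(body)):
            return version, date
    return None
```

Run against a real file with `gzip.open(path, "rt").read()` in place of SAMPLE_CHANGELOG; a result of None means the fix entry is not in the installed package's history.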
Ubuntu patched CVE-2016-10229 before there was any CVE assigned, as a result of Ubuntu Bug #1527902, which reported different symptoms but referenced the Debian Bug and the net-next patch that got committed above. For Ubuntu 14.04 the patch was released in 3.13.0-79.123; which is so long ago that the installed changelogs do not even include that release in the installed changelog.Debian.gz.
The full Linux Trusty kernel changelog does not have a date for 3.13.0-79.123, but it must have been released at least by Monday 2016-02-22 when 3.13.0-80.124 was released (the next release). So Ubuntu has also been fixed since early 2016.
Red Hat Linux never included CVE-2016-10229, due to not backporting the vulnerable code, so they have never been vulnerable. And it appears that Debian and Ubuntu were vulnerable for only a few Linux kernel releases before realising they had a regression and fixing it.
At this point it would be difficult to be running a modern server Linux distribution that has not already been patched against CVE-2016-10229 for over a year, assuming you ever install patches. Which means no rush-patching is required. (Rather like last month's Microsoft MS17-010 SMB fixes, which turned out to patch the bugs in the Shadow Brokers Release that were not already patched, and were released weeks before the Shadow Brokers Release. Pro Tip: Stop using SMB1!)
So why the hype now? As best I can tell it is because Android only just patched CVE-2016-10229 this month, and called it out as a security issue whereas no one else had. That plus the imprecise CVE-2016-10229 description "udp.c in the Linux kernel before 4.5 allows remote attackers to execute arbitrary code via UDP" seems to have caused all the noise.
It probably did not help that the Register, Reddit, and Hacker News describe it as patched "earlier this year", or "in Jan/Feb 2017" or "a while ago", without pointing out that it has been patched for around 14-15 months (early 2016, weeks after being introduced) in most non-Android locations. Plus of course the brokenness of the Android security update ecosystem (most handsets are patched via a chain of Google, phone manufacturer and/or telco, and many fixes do not make it through that chain to devices in real world use, which leads to a lot of non-patchable devices).
Sometimes Linus Torvalds's "So I personally consider security bugs to be just "normal bugs"" does pay off; this bug was mostly fixed as a regression (except by Android who were a year late to the party). But it seems like the lack of CVE identifiers being back-tagged onto older bugs that were fixed, combined with a lack of research by journalists, leads to more hype when the security risks (rather than just regressions) are later realised.
At least CVE-2016-10229 did not have a vanity website.