From efa451524c9f99c6abb5cc5ed8bbe8efff0efba6 Mon Sep 17 00:00:00 2001
From: Ben Hutchings <ben@decadent.org.uk>
Date: Mon, 27 Jun 2022 02:56:51 +0200
Subject: Reactivate CVE-2018-1108 as it can now be fixed for stretch

4.9.320 includes a backport of the random driver, and this avoids the
regression that led to our reverting the fix for this issue.
---
 active/CVE-2018-1108  | 24 ++++++++++++++++++++++++
 retired/CVE-2018-1108 | 21 ---------------------
 2 files changed, 24 insertions(+), 21 deletions(-)
 create mode 100644 active/CVE-2018-1108
 delete mode 100644 retired/CVE-2018-1108

diff --git a/active/CVE-2018-1108 b/active/CVE-2018-1108
new file mode 100644
index 00000000..5d52bb5a
--- /dev/null
+++ b/active/CVE-2018-1108
@@ -0,0 +1,24 @@
+Description: random: fix crng_ready() test
+References:
+ https://bugs.chromium.org/p/project-zero/issues/detail?id=1559
+Notes:
+ carnil> Commit message mentions as fixing commit for CVE-2018-1108
+ carnil> 43838a23a05fbd13e47d750d3dfd77001536dd33, and related commits
+ carnil> dc12baacb95f205948f64dc936a47d89ee110117 (needed for 4.13+)
+ carnil> and 8ef35c866f8862df074a49a93b0309725812dea8 (needed for 4.8+)
+ carnil> CVE-2018-1108 itself has "Cc: stable@kernel.org # 4.8+"
+ carnil> 4.9.88-1+deb9u1 reverts the fix due to various reported regressions.
+ bwh> This is finally being fixed for 4.9 through a backport of the
+ bwh> random driver that includes improvements to entropy gathering and
+ bwh> so avoids the regression.
+Bugs:
+upstream: released (4.17-rc2) [43838a23a05fbd13e47d750d3dfd77001536dd33]
+4.19-upstream-stable: N/A "Fixed before branch point"
+4.9-upstream-stable: released (4.9.96) [4dfb3442bb7e1fb80515df4a199ca5a7a8edf900]
+3.16-upstream-stable: N/A "Vulnerable code not present"
+3.2-upstream-stable: N/A "Vulnerable code not present"
+sid: released (4.16.5-1)
+4.19-buster-security: N/A "Fixed before branching point"
+4.9-stretch-security: needed
+3.16-jessie-security: N/A "Vulnerable code not present"
+3.2-wheezy-security: N/A "Vulnerable code not present"
diff --git a/retired/CVE-2018-1108 b/retired/CVE-2018-1108
deleted file mode 100644
index dbe962e9..00000000
--- a/retired/CVE-2018-1108
+++ /dev/null
@@ -1,21 +0,0 @@
-Description: random: fix crng_ready() test
-References:
- https://bugs.chromium.org/p/project-zero/issues/detail?id=1559
-Notes:
- carnil> Commit message mentions as fixing commit for CVE-2018-1108
- carnil> 43838a23a05fbd13e47d750d3dfd77001536dd33, and related commits
- carnil> dc12baacb95f205948f64dc936a47d89ee110117 (needed for 4.13+)
- carnil> and 8ef35c866f8862df074a49a93b0309725812dea8 (needed for 4.8+)
- carnil> CVE-2018-1108 itself has "Cc: stable@kernel.org # 4.8+"
- carnil> 4.9.88-1+deb9u1 reverts the fix due to various reported regressions.
-Bugs:
-upstream: released (4.17-rc2) [43838a23a05fbd13e47d750d3dfd77001536dd33]
-4.19-upstream-stable: N/A "Fixed before branch point"
-4.9-upstream-stable: released (4.9.96) [4dfb3442bb7e1fb80515df4a199ca5a7a8edf900]
-3.16-upstream-stable: N/A "Vulnerable code not present"
-3.2-upstream-stable: N/A "Vulnerable code not present"
-sid: released (4.16.5-1)
-4.19-buster-security: N/A "Fixed before branching point"
-4.9-stretch-security: ignored "Can't be fixed without many user-space changes"
-3.16-jessie-security: N/A "Vulnerable code not present"
-3.2-wheezy-security: N/A "Vulnerable code not present"
-- 
cgit v1.2.3