CopyFail was not disclosed to Gentoo developer
Message-ID: 87se8dgicq.fsf@gentoo.org
Date: Thu, 30 Apr 2026 05:52:37 +0100
From: Sam James sam@gentoo.org
Subject: Re: CVE-2026-31431: CopyFail: linux local privilege escalation
Eddie Chapman wrote:
> So this is one of the worst make-me-root vulnerabilities in the kernel in recent times. I see that on the 11th of April 6.19.12 & 6.18.22 were released with the fix backported.
> Longterm 6.12, 6.6, 6.1, 5.15, 5.10 have not received the fix and I don’t see anything in the upstream stable queues yet as I write. My guess is backporting that far back is not as straightforward. As this was introduced in 2017 all those older kernels are affected, right? Or am I missing something?
It does not apply cleanly, no. Attached is the workaround we’re going to use. I’m not an expert on IPSec but I think this is the lesser evil. I attempted a backport but ran into a few API changes and wasn’t confident enough to muck around with it, especially for something to deploy immediately.
> What went wrong, has the embargo been broken early today? Not looking to point any fingers, those who make things happen in our communities work damn hard and deserve respect and support, especially with the extra burden of AI slop now.
Note that for Linux kernel vulnerabilities, unless the reporter chooses to bring it to the linux-distros ML, there is no heads-up to distributions. It did not happen here.