Author: dannf
Date: Thu Feb 14 04:48:54 2008
New Revision: 10541

Log:
* random-bound-check-ordering.dpatch
  [SECURITY] Fix stack-based buffer overflow in the random number
  generator
  See CVE-2007-3105

Added:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/random-bound-check-ordering.dpatch
Modified:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1

Modified: 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog   
    (original)
+++ 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog   
    Thu Feb 14 04:48:54 2008
@@ -65,8 +65,12 @@
     [SECURITY][powerpc] Fix NULL pointer dereference if get_property
     fails on the subarchitecture
     See CVE-2007-6694
+  * random-bound-check-ordering.dpatch
+    [SECURITY] Fix stack-based buffer overflow in the random number
+    generator
+    See CVE-2007-3105
 
- -- dann frazier <[EMAIL PROTECTED]>  Wed, 13 Feb 2008 21:18:45 -0700
+ -- dann frazier <[EMAIL PROTECTED]>  Wed, 13 Feb 2008 21:46:22 -0700
 
 kernel-source-2.6.8 (2.6.8-17) oldstable; urgency=high
 

Added: 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/random-bound-check-ordering.dpatch
==============================================================================
--- (empty file)
+++ 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/random-bound-check-ordering.dpatch
      Thu Feb 14 04:48:54 2008
@@ -0,0 +1,42 @@
+From: Matt Mackall <[EMAIL PROTECTED]>
+Date: Thu, 19 Jul 2007 18:30:14 +0000 (-0700)
+Subject: random: fix bound check ordering (CVE-2007-3105)
+X-Git-Tag: v2.6.23-rc1~259
+X-Git-Url: 
http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=5a021e9ffd56c22700133ebc37d607f95be8f7bd
+
+random: fix bound check ordering (CVE-2007-3105)
+
+If root raised the default wakeup threshold over the size of the
+output pool, the pool transfer function could overflow the stack with
+RNG bytes, causing a DoS or potential privilege escalation.
+
+(Bug reported by the PaX Team <[EMAIL PROTECTED]>)
+
+Cc: Theodore Tso <[EMAIL PROTECTED]>
+Cc: Willy Tarreau <[EMAIL PROTECTED]>
+Signed-off-by: Matt Mackall <[EMAIL PROTECTED]>
+Signed-off-by: Chris Wright <[EMAIL PROTECTED]>
+Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]>
+---
+
+Backported to Debian's 2.6.8 by dann frazier <[EMAIL PROTECTED]>
+
+diff -urpN kernel-source-2.6.8.orig/drivers/char/random.c 
kernel-source-2.6.8/drivers/char/random.c
+--- kernel-source-2.6.8.orig/drivers/char/random.c     2007-05-26 
02:54:38.000000000 -0600
++++ kernel-source-2.6.8/drivers/char/random.c  2008-02-11 21:15:53.000000000 
-0700
+@@ -1321,8 +1321,13 @@ static inline void xfer_secondary_pool(s
+ {
+       if (r->entropy_count < nbytes * 8 &&
+           r->entropy_count < r->poolinfo.POOLBITS) {
+-              int bytes = max_t(int, random_read_wakeup_thresh / 8,
+-                              min_t(int, nbytes, TMP_BUF_SIZE));
++              /* If we're limited, always leave two wakeup worth's BITS */
++              int bytes = nbytes;
++
++              /* pull at least as many as BYTES as wakeup BITS */
++              bytes = max_t(int, bytes, random_read_wakeup_thresh / 8);
++              /* but never more than the buffer size */
++              bytes = min_t(int, bytes, TMP_BUF_SIZE);
+ 
+               DEBUG_ENT("%04d %04d : going to reseed %s with %d bits "
+                         "(%d of %d requested)\n",
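
Review bot: The first added comment in the xfer_secondary_pool() hunk, "If we're limited, always leave two wakeup worth's BITS", does not describe the line under it (`int bytes = nbytes;`), and nothing in the visible lines reserves any bits. Drop it or reword it for this backport so a later reader does not look for a reservation that is not there. The second comment ("pull at least as many as BYTES as wakeup BITS") is also hard to parse; wording such as "pull at least random_read_wakeup_thresh / 8 bytes" would say what the max_t() does. The ordering itself is the substance of the fix: `bytes = min_t(int, bytes, TMP_BUF_SIZE);` now runs last, so a raised random_read_wakeup_thresh can no longer push bytes past the cap, as it could when max_t() was the outer call. The buffer declaration is outside the hunk context, so it is worth confirming in the 2.6.8 tree that TMP_BUF_SIZE is expressed in the same unit as the destination buffer's size, since the cap is only as good as that constant.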

Modified: 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1
==============================================================================
--- 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1
   (original)
+++ 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1
   Thu Feb 14 04:48:54 2008
@@ -17,3 +17,4 @@
 + amd64-zero-extend-32bit-ptrace.dpatch
 + usb-pwc-disconnect-block.dpatch
 + powerpc-chrp-null-deref.dpatch
++ random-bound-check-ordering.dpatch

_______________________________________________
Kernel-svn-changes mailing list
Kernel-svn-changes@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes
