On 05/07/12 07:00, Yves-Alexis Perez wrote: > Can you show us a debdiff for the package you intend to upload to > stable-security?
Hi, Please find debdiff attached. Thank you! Regards, -- Steven Chamberlain ste...@pyro.eu.org
diff -u kfreebsd-8-8.1+dfsg/debian/changelog kfreebsd-8-8.1+dfsg/debian/changelog
--- kfreebsd-8-8.1+dfsg/debian/changelog
+++ kfreebsd-8-8.1+dfsg/debian/changelog
@@ -1,3 +1,12 @@
+kfreebsd-8 (8.1+dfsg-8+squeeze3) stable-security; urgency=medium
+
+ [ Steven Chamberlain ]
+ * Apply upstream SA-12:04.sysret patch (CVE-2012-0217) (Closes: #677297)
+ - Include correction from upstream (r237241)
+ * Apply upstream EN-12:02.ipv6refcount patch (Closes: #677738)
+
+ -- GNU/kFreeBSD Maintainers <debian-bsd@lists.debian.org> Tue, 19 Jun 2012 13:18:39 +0100
+
 kfreebsd-8 (8.1+dfsg-8+squeeze2) stable-security; urgency=low
 
 * Add 000_unix_socket_overflow.diff and 918_unix_socket_overflow.diff:
diff -u kfreebsd-8-8.1+dfsg/debian/patches/series kfreebsd-8-8.1+dfsg/debian/patches/series
--- kfreebsd-8-8.1+dfsg/debian/patches/series
+++ kfreebsd-8-8.1+dfsg/debian/patches/series
@@ -1,3 +1,5 @@
+SA-12_04.sysret.patch
+EN-12_02.ipv6refcount.patch
 000_adaptive_machine_arch.diff
 000_ata.diff
 000_coda.diff
only in patch2:
unchanged:
--- kfreebsd-8-8.1+dfsg.orig/debian/patches/SA-12_04.sysret.patch
+++ kfreebsd-8-8.1+dfsg/debian/patches/SA-12_04.sysret.patch
@@ -0,0 +1,37 @@
+Description:
+ Correct a privilege escalation when returning from kernel if
+ running FreeBSD/amd64 on non-AMD processors. [12:04]
+ .
+ Includes a corrected patch from upstream, as the original commit to
+ RELENG_8_1 accidentally applied it to the wrong location.
+Origin: vendor, http://security.freebsd.org/patches/SA-12:04/sysret.patch
+Bug: http://security.freebsd.org/advisories/FreeBSD-SA-12:04.sysret.asc
+Bug-Debian: http://bugs.debian.org/677297
+Applied-Upstream: http://svnweb.freebsd.org/base?view=revision&revision=237241
+
+Index: kfreebsd-8-8.1+dfsg/sys/amd64/amd64/trap.c
+===================================================================
+--- kfreebsd-8-8.1+dfsg.orig/sys/amd64/amd64/trap.c 2012-06-17 13:55:31.000000000 +0100
++++ kfreebsd-8-8.1+dfsg/sys/amd64/amd64/trap.c 2012-06-19 12:44:37.299956401 +0100
+@@ -1010,4 +1010,21 @@
+ STOPEVENT(p, S_SCX, sa.code);
+
+ PTRACESTOP_SC(p, td, S_PT_SCX);
++
++ /*
++ * If the user-supplied value of %rip is not a canonical
++ * address, then some CPUs will trigger a ring 0 #GP during
++ * the sysret instruction. However, the fault handler would
++ * execute with the user's %gs and %rsp in ring 0 which would
++ * not be safe. Instead, preemptively kill the thread with a
++ * SIGBUS.
++ */
++ if (td->td_frame->tf_rip >= VM_MAXUSER_ADDRESS) {
++ ksiginfo_init_trap(&ksi);
++ ksi.ksi_signo = SIGBUS;
++ ksi.ksi_code = BUS_OBJERR;
++ ksi.ksi_trapno = T_PROTFLT;
++ ksi.ksi_addr = (void *)td->td_frame->tf_rip;
++ trapsignal(td, &ksi);
++ }
+ }
only in patch2:
unchanged:
--- kfreebsd-8-8.1+dfsg.orig/debian/patches/EN-12_02.ipv6refcount.patch
+++ kfreebsd-8-8.1+dfsg/debian/patches/EN-12_02.ipv6refcount.patch
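Review bot: The trap.c hunk anchors on only two context lines plus a closing brace, and its `@@ -1010,4 +1010,21 @@` header carries no function name, which is thin given that the Description says the upstream RELENG_8_1 commit already put this check in the wrong location once. Regenerating the patch with function names in the hunk headers (for example `diff -p`) and a few more lines of context would let a reviewer confirm from the debdiff alone that the `tf_rip >= VM_MAXUSER_ADDRESS` test sits at the end of the system-call return path. The enclosing function starts outside the hunk, so the declaration of `ksi` is not visible here and should be checked once the patch is applied.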
@@ -0,0 +1,134 @@
+Description:
+ Fix reference count errors in IPv6 code. [EN-12:02]
+Origin: vendor, http://security.freebsd.org/patches/EN-12:02/ipv6refcount.patch
+Bug: http://security.freebsd.org/advisories/FreeBSD-EN-12:02.ipv6refcount.asc
+Applied-Upstream: http://svnweb.freebsd.org/base?view=revision&revision=236953
+
+Index: kfreebsd-8-8.1+dfsg/sys/netinet6/in6.c
+===================================================================
+--- kfreebsd-8-8.1+dfsg.orig/sys/netinet6/in6.c 2012-06-16 19:00:59.000000000 +0100
++++ kfreebsd-8-8.1+dfsg/sys/netinet6/in6.c 2012-06-16 19:03:42.829835350 +0100
+@@ -1370,6 +1370,8 @@
+ }
+
+ cleanup:
++ if (ifa0 != NULL)
++ ifa_free(ifa0);
+
+ plen = in6_mask2len(&ia->ia_prefixmask.sin6_addr, NULL); /* XXX */
+ if ((ia->ia_flags & IFA_ROUTE) && plen == 128) {
+@@ -1394,8 +1396,6 @@
+ return;
+ ia->ia_flags &= ~IFA_ROUTE;
+ }
+- if (ifa0 != NULL)
+- ifa_free(ifa0);
+
+ in6_unlink_ifa(ia, ifp);
+ }
+@@ -1549,14 +1549,19 @@
+ hostid = IFA_IN6(ifa);
+
+ /* prefixlen must be <= 64. */
+- if (64 < iflr->prefixlen)
++ if (64 < iflr->prefixlen) {
++ if (ifa != NULL)
++ ifa_free(ifa);
+ return EINVAL;
++ }
+ prefixlen = iflr->prefixlen;
+
+ /* hostid part must be zero. */
+ sin6 = (struct sockaddr_in6 *)&iflr->addr;
+ if (sin6->sin6_addr.s6_addr32[2] != 0 ||
+ sin6->sin6_addr.s6_addr32[3] != 0) {
++ if (ifa != NULL)
++ ifa_free(ifa);
+ return EINVAL;
+ }
+ } else
+@@ -2144,14 +2149,20 @@
+ IN6_IFADDR_RUNLOCK();
+ return (struct in6_ifaddr *)ifa;
+ }
+- IN6_IFADDR_RUNLOCK();
+
+ /* use the last-resort values, that are, deprecated addresses */
+- if (dep[0])
++ if (dep[0]) {
++ ifa_ref((struct ifaddr *)dep[0]);
++ IN6_IFADDR_RUNLOCK();
+ return dep[0];
+- if (dep[1])
++ }
++ if (dep[1]) {
++ ifa_ref((struct ifaddr *)dep[1]);
++ IN6_IFADDR_RUNLOCK();
+ return dep[1];
++ }
+
++ IN6_IFADDR_RUNLOCK();
+ return NULL;
+ }
+
+Index: kfreebsd-8-8.1+dfsg/sys/netinet6/ip6_input.c
+===================================================================
+--- kfreebsd-8-8.1+dfsg.orig/sys/netinet6/ip6_input.c 2012-06-16 19:00:59.000000000 +0100
++++ kfreebsd-8-8.1+dfsg/sys/netinet6/ip6_input.c 2012-06-16 19:03:42.838808064 +0100
+@@ -632,19 +632,23 @@
+ * as our interface address (e.g. multicast addresses, addresses
+ * within FAITH prefixes and such).
+ */
+- if (deliverifp && !ip6_getdstifaddr(m)) {
++ if (deliverifp) {
+ struct in6_ifaddr *ia6;
+
+- ia6 = in6_ifawithifp(deliverifp, &ip6->ip6_dst);
+- if (ia6) {
+- if (!ip6_setdstifaddr(m, ia6)) {
+- /*
+- * XXX maybe we should drop the packet here,
+- * as we could not provide enough information
+- * to the upper layers.
+- */
+- }
++ if ((ia6 = ip6_getdstifaddr(m)) != NULL) {
+ ifa_free(&ia6->ia_ifa);
++ } else {
++ ia6 = in6_ifawithifp(deliverifp, &ip6->ip6_dst);
++ if (ia6) {
++ if (!ip6_setdstifaddr(m, ia6)) {
++ /*
++ * XXX maybe we should drop the packet here,
++ * as we could not provide enough information
++ * to the upper layers.
++ */
++ }
++ ifa_free(&ia6->ia_ifa);
++ }
+ }
+ }
+
+Index: kfreebsd-8-8.1+dfsg/sys/netinet/tcp_input.c
+===================================================================
+--- kfreebsd-8-8.1+dfsg.orig/sys/netinet/tcp_input.c 2012-06-16 19:00:59.000000000 +0100
++++ kfreebsd-8-8.1+dfsg/sys/netinet/tcp_input.c 2012-06-16 19:03:42.849828260 +0100
+@@ -293,6 +293,8 @@
+ (caddr_t)&ip6->ip6_dst - (caddr_t)ip6);
+ return IPPROTO_DONE;
+ }
++ if (ia6)
++ ifa_free(&ia6->ia_ifa);
+
+ tcp_input(m, *offp);
+ return IPPROTO_DONE;
+@@ -941,7 +943,8 @@
+ rstreason = BANDLIM_RST_OPENPORT;
+ goto dropwithreset;
+ }
+- ifa_free(&ia6->ia_ifa);
++ if (ia6)
++ ifa_free(&ia6->ia_ifa);
+ }
+ #endif
+ /*
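Review bot: The in6.c hunk at `@@ -2144,14 +2149,20 @@` changes the ownership contract of the lookup without documenting it: the deprecated-address fallbacks `dep[0]` and `dep[1]` are now returned with a reference taken under the read lock, but nothing tells the caller to release it. A one-line comment above the function, e.g. `/* Returns a referenced address or NULL; the caller must ifa_free() it. */`, would make the pairing with the `ifa_free(&ia6->ia_ifa)` calls in ip6_input.c and tcp_input.c explicit. The first `return (struct in6_ifaddr *)ifa;` in that hunk is presumably already referenced, but the code taking that reference, the function header and any other callers are outside the hunk and should be checked against the same rule. In tcp_input.c at `@@ -293,6 +293,8 @@` the early `return IPPROTO_DONE;` just above the added release is only partly visible, so confirm that path also drops `ia6`.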