-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 10 Mar 2005 18:25:39 -0500
Source: kernel-source-2.6.10
Binary: kernel-doc-2.6.10 kernel-tree-2.6.10 kernel-patch-debian-2.6.10 kernel-source-2.6.10
Architecture: source all
Version: 2.6.10-6
Distribution: unstable
Urgency: low
Maintainer: Debian kernel team <debian-kernel@lists.debian.org>
Changed-By: Andres Salomon <[EMAIL PROTECTED]>
Description:
 kernel-doc-2.6.10 - Linux kernel specific documentation for version 2.6.10
 kernel-patch-debian-2.6.10 - Debian patches to Linux 2.6.10
 kernel-source-2.6.10 - Linux kernel source for version 2.6.10 with Debian patches
 kernel-tree-2.6.10 - Linux kernel source tree for building Debian kernel images
Closes: 295488 295628
Changes:
 kernel-source-2.6.10 (2.6.10-6) unstable; urgency=low
 .
   * Updated kernel-tree description from Martin F Krafft (Simon Horman)
 .
   * Updated apply script so it can handle point versions (Simon Horman)
 .
   * atyfb-sparc.dpatch: Fix post-2.6.10 atyfb breakage on SPARC32/64.
     closes: #295488 (Joshua Kwan)
 .
   * skb-reset-ip_summed.dpatch: resolve checksumming exploit in
     fragmented packet forwarding (Joshua Kwan)
 .
   * sparc64-nis-killer.dpatch: patch that fixes some compatibility functions
     that (as a side effect) caused NIS to flatten a sparc64 machine.
     closes: #295628 (Joshua Kwan)
 .
   * sparc32-hypersparc-srmmu.dpatch: unbreak hypersparc by reverting a
     srmmu "fix", which should not have made it to 2.6.10 (Jurij Smakov)
 .
   * nls-table-overflow.dpatch: [CAN-2005-0177] NLS ASCII table should be
     256 entries, not 128! (Joshua Kwan)
 .
   * setsid-race.dpatch, setsid-race-2.dpatch: [CAN-2005-0178] fix setsid()
     race that could lead to a denial of service. (Joshua Kwan, Simon Horman)
 .
   * ipv4-fragment-queues.dpatch, ipv4-fragment-queues-2.dpatch:
     fix potential information leak by making fragment queues private.
     (Joshua Kwan, Simon Horman)
 .
   * amd64-noexec32-backport.dpatch: enable executable stack and executable
     heap for all 32bit programs on amd64, except if noexec32=on is specified.
     (Frederik Schüler)
 .
   * outs.dpatch: [CAN-2005-0204]: AMD64, allows local users to write to
     privileged IO ports via OUTS instruction. (Simon Horman)
 .
   * un-apply 083-x86_64_switch_mm_context_race.dpatch, it breaks amd64 SMP
     systems. Thanks to Stephen Frost who helped fixing this.
     (Frederik Schüler)
 .
   * sparc64-sb1500-clock-2.6.dpatch by David Miller: enable recognition of
     the clock chip on SunBlade 1500, it won't boot otherwise.
     (Jurij Smakov).
 .
   * 088-ibmvscsi_event_struct_use_after_free.dpatch
     The ibmvscsi driver has paths that free evt_struct, and then proceed
     to use it. That's clearly a no-no in SMP/threaded contexts; once an
     evt_struct is free, something else may grab it. So, this patch:
      - moves the free_event_struct() to after usage of the evt_struct
      - creates a single path for cleanup
      - calls evt_struct->done during cleanup, which is something that
        should've been happening.
     (Andres Salomon)
 .
   * 089-i386_acpi_backwards_ifdef.dpatch
     [I386] An ACPI related printk is wrapped in an #ifdef that should be
     an #ifndef. Correct that (Andres Salomon).
 .
   * 090-alsa_midi_emulation_chorus_reverb_swap.dpatch
     [ALSA] seq_midi_emul.c had CHORUS_MODE and REVERB_MODE swapped in
     sysex(). This patch fixes that (Andres Salomon).
 .
   * 091-alsa_emu8000_load_fx_skip_header.patch
     [ALSA] emu8000's load_fx() loads a userspace blob, and should be
     skipping over the header (Andres Salomon).
 .
   * 092-net_sched_police_locate_sanity_check_input.dpatch
     [NET] Some sanity checks are needed to ensure payloads are the same
     size as the structures they're being copied into. AFAICT, there's no
     way for a malicious user to inject a payload in here (it looks like
     police_locate stuff is called during routing changes by root); however,
     I can't say that I'm too familiar w/ tcf stuff (Andres Salomon).
 .
   * 093-e1000_eeprom_read_off_by_one.dpatch
     The e1000 driver's read_eeprom and write_eeprom functions allowed a bit
     too much data to be read/written; an extra word. Fix that
     (Andres Salomon).
 .
   * 094-scsi_device_set_state_missing_oldstate.dpatch
     [SCSI] scsi_device_set_state() might be setting a device offline, w/ an
     oldstate of BLOCK; that shouldn't be considered an error. Add the
     missing state transition (Andres Salomon).
 .
   * 095-jffs2_build_filesystem_memory_leak.dpatch
     [JFFS2] Fix memory leak in jffs2_build_filesystem(), if
     jffs2_scan_medium fails (Andres Salomon).
 .
   * 096-mtd_formatblock_zero_before_assignment.dpatch
     [MTD] Inside NFTL_formatblock and INFTL_formatblock, the code was
     previously assigning values to instr, then zero'ing out the values.
     Instead, move the assignment to after the memset (Andres Salomon).
 .
   * 097-mtd_s3c2410_nand_inithw_calc_rate_fix.dpatch
     [MTD] s3c2410_nand_inithw() was pulling timing information from the
     wrong place, making the timing incorrect. This patch makes it pull the
     info from the right place (Andres Salomon).
 .
   * 098-jffs2_do_mount_fs_init_bad_count.dpatch
     [JFFS2] Initialize each eraseblock's bad_count to 0 in
     jffs2_do_mount_fs(). Uninitialized memory sure is fun, eh?
     (Andres Salomon)
 .
   * 099-jfs_commit_inode_commit_race.dpatch
     [JFS] Fix race in jfs_commit_inode(); before actually doing the commit,
     retest to ensure that the inode is both dirty and linked
     (Andres Salomon).
 .
   * 101-ppc64_hugetlb_mm_free_pgd_unlock.dpatch
     [PPC64] In hugetlb_mm_free_pgd(), mm->page_table_lock is locked, but
     never unlocked in the event of an error. This patch fixes that
     (Andres Salomon).
 .
   * 102-cosa_sppp_channel_init_delay_attach.dpatch
     Fix buglet in cosa's sppp_channel_init(); do not call sppp_attach()
     until the netdev contains info that sppp_attach needs (Andres Salomon).
 .
   * 104-wan_sdla_firmware_cap_sys_rawio_addition.dpatch
     [SECURITY] The SDLA driver only checked CAP_NET_ADMIN when doing
     firmware uploads.
     This patch adds an additional check for CAP_SYS_RAWIO, as well
     (Andres Salomon).
 .
   * 107-xfs_finish_reclaim_always_inode.dpatch
     [XFS] In xfs_finish_reclaim(), xfs_ireclaim() should always be called
     (unless there's some sort of locking problem) before returning
     (Andres Salomon).
 .
   * 108-xfs_attrmulti_by_handle_limit_mem_alloc.dpatch
     [SECURITY] xfs_ioctl(XFS_IOC_ATTRMULTI_BY_HANDLE) calls
     xfs_attrmulti_by_handle, which allocates memory based on user input.
     This patch adds a check for a max size of memory to alloc; otherwise,
     a user can potentially DoS the system by exhausting memory. Not sure
     whether root is required to open the vnode device, but to be on the
     safe side... (Andres Salomon)
 .
   * 109-binfmt_elf_loader_solar_designer_fixes.dpatch
     [SECURITY] Fix from Solar Designer; the binfmt_elf load routines are
     returning incorrect values, and are not strict enough in checking the
     number of program headers (Andres Salomon).
 .
   * 110-load_module_arg_checking.dpatch
     If the parsing of module args failed, the module could still be loaded
     successfully. Fix that (Andres Salomon).
 .
   * 111-security_seclvl_kconfig_dep.dpatch
     Add a Kconfig dependency on CRYPTO for SECURITY_SECLVL
     (Andres Salomon).
 .
   * 112-audit_receive_skb_double_negative_return_val.dpatch
     audit_receive_skb negates the err it receives from audit_receive_msg.
     It shouldn't do that (Andres Salomon).
 .
   * 114-netfilter_private_queues.dpatch
     [NETFILTER] Amongst netfilter users, skb frag queues were shared. This
     could cause problems. See
     http://oss.sgi.com/archives/netdev/2005-01/threads.html#01036
     for more details (Andres Salomon).
 .
   * 115-proc_file_read_nbytes_signedness_fix.dpatch
     [SECURITY] Heap overflow fix in /proc; WDYBTGT3-1 on
     http://www.guninski.com/where_do_you_want_billg_to_go_today_3.html
     No CAN# assigned yet, afaik (Andres Salomon).
 .
   * 116-n_tty_copy_from_read_buf_signedness_fixes.dpatch
     [SECURITY] copy_from_read_buf() fix; WDYBTGT3-2 on
     http://www.guninski.com/where_do_you_want_billg_to_go_today_3.html
     No CAN#, yet (Andres Salomon).
 .
   * 117-reiserfs_file_64bit_size_t_fixes.dpatch
     [SECURITY] reiserfs integer fixes; WDYBTGT3-4 on
     http://www.guninski.com/where_do_you_want_billg_to_go_today_3.html
     (Andres Salomon).
 .
   * 118-i2c_sis5595_setup_pci_config_return_checks.dpatch
     [I2C] The i2c-sis5595 was forward ported from 2.4, but the calls to
     read the pci config registers were never updated for 2.6. As such,
     they are incorrectly handling the results of the function calls
     (Andres Salomon).
 .
   * 119-i2c_viapro_i2cdump_overflow.dpatch
     [SECURITY] Fix a very hard to exploit buffer overflow in the i2c-viapro
     driver (Andres Salomon).
 .
   * 120-openpromfs_property_read_fix.dpatch
     Fix an oopsable condition in Openpromfs's property_read()
     (Andres Salomon).
 .
   * 121-cpufreq_resume_readd.dpatch
     [CPUFREQ] Somewhere around 2.6.6, a call to cpufreq_driver->resume()
     was accidentally dropped. Readd it (Andres Salomon).
 .
   * 122-cpufreq_resume_readd_2.dpatch
     [CPUFREQ] Fix a problem w/ 121-cpufreq_resume_readd.patch, where a
     return value was not being checked correctly (Andres Salomon).
 .
   * 123-atm_get_addr_signedness_fix.dpatch
     [SECURITY] Fix atm_get_addr()'s usage of its size arg, by making it
     unsigned. WDYBTGT3-3 on
     http://www.guninski.com/where_do_you_want_billg_to_go_today_3.html
     (Andres Salomon).
 .
   * 125-netfilter_private_queues_2.dpatch
     [SECURITY] Add missing bits needed to make
     114-netfilter_private_queues.patch compile. Patch stolen from ubuntu
     (mainly to keep the same ABI) (Andres Salomon).
 .
   * 126-ftdi_sio_set_serial_info_baud_base_check.dpatch
     [USB] Change ftdi_sio's set_serial_info() to do a correct check for
     baud_base; it should be checking if baud_base<9600 if the baud_base
     has changed (Andres Salomon).
 .
   * 129-video_cg3_screen_blanking.dpatch
     [SPARC] Fix cg3 blanking; the driver was setting _ENABLE_VIDEO on
     POWERDOWN, instead of unsetting it (Andres Salomon).
 .
   * 130-sparc_prom_nodematch_check_getproperty.dpatch
     [SPARC] In prom_nodematch, check whether prom_getproperty() actually
     succeeds before using the string it sets (Andres Salomon).
 .
   * 131-sparc_check_prom_getproperty.dpatch
     [SPARC] Check return value from prom_getproperty() in various places
     where it wasn't being checked (Andres Salomon).
 .
   * 132-sparc32_get_tv32_use_correct_variable.dpatch
     [SPARC] get_tv32() uses a non-existent variable 'tv32'. Fix that
     (Andres Salomon).
 .
   * 133-scsi_advansys_build_with_non_pci.dpatch
     [SCSI] Allow advansys driver to compile if CONFIG_PCI isn't set
     (Andres Salomon).
 .
   * 134-cciss_scsi_detect_put_host_on_error.dpatch
     [SCSI] cciss_scsi_detect() calls scsi_add_host(), which bumps the
     refcount (even in the event of an error). Thus, if scsi_add_host
     fails, the scsi host refcount needs to be decremented; so, call
     scsi_host_put upon error (Andres Salomon).
 .
   * 135-64bit_sys_shmget_compat_size_t_overflow.dpatch
     64bit archs that offer 32bit compat wrappers for sys_shmget were mostly
     passing the second arg as a 32bit signed int; what would happen then
     is, it would be cast to a size_t (64bit unsigned), and the sign would
     cause it to overflow. Instead, we need to cast to a 32bit unsigned
     value first, and then cast to 64bit unsigned (Andres Salomon).
 .
   * 136-64bit_sys_compat_overflows.dpatch
     More of the same as 135*.dpatch, except for stuff like sys_ipc,
     sys_semget, sys_msgsnd, etc (Andres Salomon).
 .
   * 137-ppc64_prom_initialize_tce_table_typo.dpatch
     [PPC64] prom_initialize_tce_table() refers to 'vbase', which doesn't
     actually exist; instead, 'base' was what was meant (Andres Salomon).
 .
   * 138-tulip_de_init_one_irq_init.dpatch
     The tulip driver's de_init_one() was using pdev->irq before it had been
     initialized. Move its usage until after it has been initted
     (Andres Salomon).
 .
   * 139-pci_dma_free_coherent.dpatch
     [I386] dma_free_coherent() was calling kmalloc with its args reversed;
     clearly incorrect (Andres Salomon).
 .
   * 140-s390_memset_arg_order_fixes.dpatch
     [S390] Fix various drivers that call memset() with args in the wrong
     order (Andres Salomon).
 .
   * 141-pci_devices_dont_disable_dev_if_busy.dpatch
     For various pci devices, if pci_request_regions fails (because
     resources are already in use), don't disable the pci device (someone
     else is using it) (Andres Salomon).
 .
   * 142-r8169_dev_alloc_skb_alignment_fix.dpatch
     The r8169 driver wasn't alloc'ing enough memory for skbs; the size
     should be padded by NET_IP_ALIGN (Andres Salomon).
 .
   * 143-sysfs_write_file_signedness_problem.dpatch
     [SYSFS] sysfs_write_file assigns the result of fill_write_buffer (which
     is signed and returns negative upon error) to an unsigned int.
     Clearly, bad and wrong.. (Andres Salomon)
 .
   * 144-sys_epoll_wait_int_overflow.dpatch
     [SECURITY] sys_epoll_wait contains an integer overflow; see
     http://seclists.org/lists/fulldisclosure/2005/Mar/0293.html for
     additional details (Andres Salomon).
 .
   * ipv4-fragment-queues.dpatch, ipv4-fragment-queues-2.dpatch:
     Drop netfilter frag queue stuff, as a) it's an ABI change, b) it's
     fixed in 2.6.11, and c) it's not that critical. It's more important
     to get other 2.6.10 fixes out to people (Andres Salomon).
Files:
 5c04548740a4fb769b25e9c3b2d44237 997 devel optional kernel-source-2.6.10_2.6.10-6.dsc
 1dea9fad378d1ab8b30a89bbbe26ecc5 340839 devel optional kernel-source-2.6.10_2.6.10-6.diff.gz
 24b33f480a14a6304ecad6de5ea8a655 405330 devel optional kernel-patch-debian-2.6.10_2.6.10-6_all.deb
 5eaa4b751e72298732cdb561040ef3fa 35853606 devel optional kernel-source-2.6.10_2.6.10-6_all.deb
 dd7dfc7bcf372613d4f4074da879eeb9 36324 devel optional kernel-tree-2.6.10_2.6.10-6_all.deb
 307bbad2e8f754c36742e5d5e7e0bb2a 6735044 doc optional kernel-doc-2.6.10_2.6.10-6_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCMTSn78o9R9NraMQRAjJeAJ9QPxnZxheNPfziSZ+tKEIpld3LmQCfTRfs
cHVjVExs/NcUG+72xqfLaNM=
=n1d0
-----END PGP SIGNATURE-----

Accepted:
kernel-doc-2.6.10_2.6.10-6_all.deb
  to pool/main/k/kernel-source-2.6.10/kernel-doc-2.6.10_2.6.10-6_all.deb
kernel-patch-debian-2.6.10_2.6.10-6_all.deb
  to pool/main/k/kernel-source-2.6.10/kernel-patch-debian-2.6.10_2.6.10-6_all.deb
kernel-source-2.6.10_2.6.10-6.diff.gz
  to pool/main/k/kernel-source-2.6.10/kernel-source-2.6.10_2.6.10-6.diff.gz
kernel-source-2.6.10_2.6.10-6.dsc
  to pool/main/k/kernel-source-2.6.10/kernel-source-2.6.10_2.6.10-6.dsc
kernel-source-2.6.10_2.6.10-6_all.deb
  to pool/main/k/kernel-source-2.6.10/kernel-source-2.6.10_2.6.10-6_all.deb
kernel-tree-2.6.10_2.6.10-6_all.deb
  to pool/main/k/kernel-source-2.6.10/kernel-tree-2.6.10_2.6.10-6_all.deb
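
The widening problem described in the 135-64bit_sys_shmget_compat_size_t_overflow.dpatch entry (and repeated for other calls in 136), shown as an added C example that is not part of this upload or of the Debian patches. All demo_* names, the DEMO_SHMMAX limit and the range check standing in for the native syscall are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed limit standing in for a kernel-side segment size check. */
#define DEMO_SHMMAX UINT64_C(0x100000000) /* 4 GiB, hypothetical */
#define DEMO_EINVAL 22

/* Stand-in for the native 64-bit call: size arrives as 64-bit unsigned. */
static int demo_native_shmget(uint64_t size)
{
    return (size == 0 || size > DEMO_SHMMAX) ? -DEMO_EINVAL : 0;
}

/* Pre-fix widening: signed 32-bit straight to unsigned 64-bit.
 * A value with bit 31 set is negative, so the upper 32 bits become ones. */
static uint64_t demo_widen_buggy(int32_t size32)
{
    return (uint64_t)size32;
}

/* Widening as the changelog describes the fix: 32-bit unsigned first,
 * then 64-bit unsigned, so the upper 32 bits stay zero. */
static uint64_t demo_widen_fixed(int32_t size32)
{
    return (uint64_t)(uint32_t)size32;
}

static int demo_compat_shmget_buggy(int32_t size32)
{
    return demo_native_shmget(demo_widen_buggy(size32));
}

static int demo_compat_shmget_fixed(int32_t size32)
{
    return demo_native_shmget(demo_widen_fixed(size32));
}

int main(void)
{
    /* Constructed inputs: a 32-bit task asking for 4 KiB and for 2 GiB. */
    const int32_t requests[] = { 4096, INT32_MIN /* bits 0x80000000 */ };
    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        int32_t r = requests[i];
        printf("arg=0x%08x buggy=0x%016llx (%d) fixed=0x%016llx (%d)\n",
               (unsigned)r,
               (unsigned long long)demo_widen_buggy(r), demo_compat_shmget_buggy(r),
               (unsigned long long)demo_widen_fixed(r), demo_compat_shmget_fixed(r));
    }
    return 0;
}
```
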