[kernel] r10916 - in dists/etch/linux-2.6/debian: . patches/bugfix patches/series
Author: dannf Date: Tue Mar 18 06:04:32 2008 New Revision: 10916 Log: * Fix potential nfs write corruption (closes: #470719) Added: dists/etch/linux-2.6/debian/patches/bugfix/nfs-write-corruption.patch Modified: dists/etch/linux-2.6/debian/changelog dists/etch/linux-2.6/debian/patches/series/19 Modified: dists/etch/linux-2.6/debian/changelog == --- dists/etch/linux-2.6/debian/changelog (original) +++ dists/etch/linux-2.6/debian/changelog Tue Mar 18 06:04:32 2008 @@ -5,8 +5,9 @@ [ dann frazier ] * e1000: Add PCI-IDs for 82571EB 4-port cards (closes: #466401). + * Fix potential nfs write corruption (closes: #470719) - -- dann frazier [EMAIL PROTECTED] Thu, 28 Feb 2008 17:26:31 -0700 + -- dann frazier [EMAIL PROTECTED] Sun, 16 Mar 2008 20:57:06 -0600 linux-2.6 (2.6.18.dfsg.1-18) stable; urgency=high Added: dists/etch/linux-2.6/debian/patches/bugfix/nfs-write-corruption.patch == --- (empty file) +++ dists/etch/linux-2.6/debian/patches/bugfix/nfs-write-corruption.patch Tue Mar 18 06:04:32 2008 
@@ -0,0 +1,76 @@ +From: Trond Myklebust [EMAIL PROTECTED] +Date: Thu, 7 Feb 2008 22:24:07 + (-0500) +Subject: NFS: Fix a potential file corruption issue when writing +X-Git-Tag: v2.6.25-rc1~286^2~1 +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=5d47a35600270e7115061cb1320ee60ae9bcb6b8 + +NFS: Fix a potential file corruption issue when writing + +If the inode is flagged as having an invalid mapping, then we can't rely on +the PageUptodate() flag. Ensure that we don't use the anti-fragmentation +write optimisation in nfs_updatepage(), since that will cause NFS to write +out areas of the page that are no longer guaranteed to be up to date. + +A potential corruption could occur in the following scenario: + +client 1 client 2 +====== + fd=open(f,O_CREAT|O_WRONLY,0644); + write(fd,fubar\n,6); // cache last page + close(fd); +fd=open(f,O_WRONLY|O_APPEND); +write(fd,foo\n,4); +close(fd); + + fd=open(f,O_WRONLY|O_APPEND); + write(fd,bar\n,4); + close(fd); +- +The bug may lead to the file f reading 'fubar\n\0\0\0\nbar\n' because +client 2 does not update the cached page after re-opening the file for +write. Instead it keeps it marked as PageUptodate() until someone calls +invaldate_inode_pages2() (typically by calling read()). + +Signed-off-by: Trond Myklebust [EMAIL PROTECTED] +--- + +Backported to Debian's 2.6.18 by dann frazier [EMAIL PROTECTED] + +diff -urpN linux-source-2.6.18.orig/fs/nfs/write.c linux-source-2.6.18/fs/nfs/write.c +--- linux-source-2.6.18.orig/fs/nfs/write.c2006-09-19 21:42:06.0 -0600 linux-source-2.6.18/fs/nfs/write.c 2008-03-13 01:16:30.0 -0600 +@@ -805,6 +805,17 @@ int nfs_flush_incompatible(struct file * + } + + /* ++ * If the page cache is marked as unsafe or invalid, then we can't rely on ++ * the PageUptodate() flag. In this case, we will need to turn off ++ * write optimisations that depend on the page contents being correct. 
++ */ ++static int nfs_write_pageuptodate(struct page *page, struct inode *inode) ++{ ++ return PageUptodate(page) ++ !(NFS_I(inode)-cache_validity (NFS_INO_REVAL_PAGECACHE|NFS_INO_INVALID_DATA)); ++} ++ ++/* + * Update and possibly write a cached page of an NFS file. + * + * XXX: Keep an eye on generic_file_read to make sure it doesn't do bad +@@ -836,10 +847,13 @@ int nfs_updatepage(struct file *file, st + } + + /* If we're not using byte range locks, and we know the page +- * is entirely in cache, it may be more efficient to avoid +- * fragmenting write requests. ++ * is up to date, it may be more efficient to extend the write ++ * to cover the entire page in order to avoid fragmentation ++ * inefficiencies. +*/ +- if (PageUptodate(page) inode-i_flock == NULL !(file-f_mode O_SYNC)) { ++ if (nfs_write_pageuptodate(page, inode) ++ inode-i_flock == NULL ++ !(file-f_flags O_SYNC)) { + loff_t end_offs = i_size_read(inode) - 1; + unsigned long end_index = end_offs PAGE_CACHE_SHIFT; + Modified: dists/etch/linux-2.6/debian/patches/series/19 == --- dists/etch/linux-2.6/debian/patches/series/19 (original) +++ dists/etch/linux-2.6/debian/patches/series/19 Tue Mar 18 06:04:32 2008 @@ -1,2 +1,3 @@ + bugfix/mips/cobalt-raq1-uart.patch + features/e1000-quad-82571EB-ids.patch ++ bugfix/nfs-write
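Review bot: in the nfs_updatepage() hunk the O_SYNC test moves from file->f_mode to file->f_flags, and neither the upstream description nor the "Backported to Debian's 2.6.18" line mentions it. O_SYNC is an open flag and is kept in f_flags, so the new test is the right one and the old one would not have seen the flag, but it is a behaviour change separate from the cache_validity check added by nfs_write_pageuptodate(). Please record it in the backport note so that anyone comparing this patch with upstream commit 5d47a35600270e7115061cb1320ee60ae9bcb6b8 can see the extra change.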
[kernel] r10803 - in dists/sid/linux-2.6/debian: . patches/bugfix patches/series
Author: dannf Date: Tue Mar 11 16:29:32 2008 New Revision: 10803 Log: * Fix missing multicast addresses (closes: #466719) Added: dists/sid/linux-2.6/debian/patches/bugfix/net-mcast-zero-addr-list.patch Modified: dists/sid/linux-2.6/debian/changelog dists/sid/linux-2.6/debian/patches/series/5 Modified: dists/sid/linux-2.6/debian/changelog == --- dists/sid/linux-2.6/debian/changelog(original) +++ dists/sid/linux-2.6/debian/changelogTue Mar 11 16:29:32 2008 @@ -44,7 +44,10 @@ - NETFILTER: nf_conntrack_tcp: conntrack reopening fix - SPARC/SPARC64: Fix usage of .section .sched.text in assembler code. - -- Gordon Farquharson [EMAIL PROTECTED] Thu, 21 Feb 2008 21:00:48 -0700 + [ dann frazier ] + * Fix missing multicast addresses (closes: #466719) + + -- dann frazier [EMAIL PROTECTED] Mon, 10 Mar 2008 14:03:59 -0600 linux-2.6 (2.6.24-4) unstable; urgency=low Added: dists/sid/linux-2.6/debian/patches/bugfix/net-mcast-zero-addr-list.patch == --- (empty file) +++ dists/sid/linux-2.6/debian/patches/bugfix/net-mcast-zero-addr-list.patch Tue Mar 11 16:29:32 2008 
@@ -0,0 +1,35 @@ +From: Jorge Boncompte [DTI2] [EMAIL PROTECTED] +Date: Tue, 19 Feb 2008 22:17:04 + (-0800) +Subject: [NET]: Messed multicast lists after dev_mc_sync/unsync +X-Git-Tag: v2.6.25-rc3~9^2~36 +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fdavem%2Fnet-2.6.git;a=commitdiff_plain;h=12aa343add3eced38a44bdb612b35fdf634d918c + +[NET]: Messed multicast lists after dev_mc_sync/unsync + +Commit a0a400d79e3dd7843e7e81baa3ef2957bdc292d0 ([NET]: dev_mcast: +add multicast list synchronization helpers) from you introduced a new +field da_synced to struct dev_addr_list that is not properly +initialized to 0. So when any of the current users (8021q, macvlan, +mac80211) calls dev_mc_sync/unsync they mess the address list for both +devices. + +The attached patch fixed it for me and avoid future problems. + +Signed-off-by: Jorge Boncompte [DTI2] [EMAIL PROTECTED] +Signed-off-by: Patrick McHardy [EMAIL PROTECTED] +Signed-off-by: David S. Miller [EMAIL PROTECTED] +--- + +diff --git a/net/core/dev.c b/net/core/dev.c +index 6cfc123..9516105 100644 +--- a/net/core/dev.c b/net/core/dev.c +@@ -2900,7 +2900,7 @@ int __dev_addr_add(struct dev_addr_list **list, int *count, + } + } + +- da = kmalloc(sizeof(*da), GFP_ATOMIC); ++ da = kzalloc(sizeof(*da), GFP_ATOMIC); + if (da == NULL) + return -ENOMEM; + memcpy(da-da_addr, addr, alen); Modified: dists/sid/linux-2.6/debian/patches/series/5 == --- dists/sid/linux-2.6/debian/patches/series/5 (original) +++ dists/sid/linux-2.6/debian/patches/series/5 Tue Mar 11 16:29:32 2008 @@ -1,2 +1,3 @@ + bugfix/all/stable/2.6.24.3.patch + bugfix/all/stable/2.6.24.3-fix1.patch ++ bugfix/net-mcast-zero-addr-list.patch ___ Kernel-svn-changes mailing list Kernel-svn-changes@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes
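Review bot: the __dev_addr_add() hunk fixes da_synced only implicitly, by zeroing the whole allocation, and nothing at the allocation site says that the zeroing is required. A short comment above the kzalloc() line naming da_synced and its use by dev_mc_sync/unsync would stop a later cleanup from switching back to kmalloc() and reintroducing the uninitialised field.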
[kernel] r10739 - in dists/sid/linux-2.6/debian: . config
Author: dannf Date: Fri Mar 7 17:15:46 2008 New Revision: 10739 Log: * Disable CONFIG_SECURITY_FILE_CAPABILITIES - it causes SUID signaling issues that haven't been resolved upstream (breaks submission of at jobs, for example), and is still marked EXPERIMENTAL. (closes: #463669) Modified: dists/sid/linux-2.6/debian/changelog dists/sid/linux-2.6/debian/config/config Modified: dists/sid/linux-2.6/debian/changelog == --- dists/sid/linux-2.6/debian/changelog(original) +++ dists/sid/linux-2.6/debian/changelogFri Mar 7 17:15:46 2008 @@ -44,7 +44,12 @@ - NETFILTER: nf_conntrack_tcp: conntrack reopening fix - SPARC/SPARC64: Fix usage of .section .sched.text in assembler code. - -- Gordon Farquharson [EMAIL PROTECTED] Thu, 21 Feb 2008 21:00:48 -0700 + [ dann frazier ] + * Disable CONFIG_SECURITY_FILE_CAPABILITIES - it causes SUID signaling +issues that haven't been resolved upstream (breaks submission of at +jobs, for example), and is still marked EXPERIMENTAL. (closes: #463669) + + -- dann frazier [EMAIL PROTECTED] Fri, 07 Mar 2008 10:08:54 -0700 linux-2.6 (2.6.24-4) unstable; urgency=low Modified: dists/sid/linux-2.6/debian/config/config == --- dists/sid/linux-2.6/debian/config/config(original) +++ dists/sid/linux-2.6/debian/config/configFri Mar 7 17:15:46 2008 @@ -1766,7 +1766,7 @@ # CONFIG_KEYS_DEBUG_PROC_KEYS is not set CONFIG_SECURITY=y CONFIG_SECURITY_CAPABILITIES=y -CONFIG_SECURITY_FILE_CAPABILITIES=y +# CONFIG_SECURITY_FILE_CAPABILITIES is not set # CONFIG_SECURITY_ROOTPLUG is not set CONFIG_SECURITY_SELINUX=y CONFIG_SECURITY_SELINUX_BOOTPARAM=y ___ Kernel-svn-changes mailing list Kernel-svn-changes@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes
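Review bot: the debian/config/config hunk turns CONFIG_SECURITY_FILE_CAPABILITIES off in the shared config, with the reason recorded only in the changelog. A comment line next to "# CONFIG_SECURITY_FILE_CAPABILITIES is not set" pointing at #463669 would tell whoever next refreshes the config why the option has to stay off until the SUID signaling issue is resolved upstream.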
[kernel] r10740 - in dists/sid/linux-2.6/debian: . config
Author: dannf Date: Fri Mar 7 17:33:26 2008 New Revision: 10740 Log: revert r10739, pending discussion Modified: dists/sid/linux-2.6/debian/changelog dists/sid/linux-2.6/debian/config/config Modified: dists/sid/linux-2.6/debian/changelog == --- dists/sid/linux-2.6/debian/changelog(original) +++ dists/sid/linux-2.6/debian/changelogFri Mar 7 17:33:26 2008 @@ -44,12 +44,7 @@ - NETFILTER: nf_conntrack_tcp: conntrack reopening fix - SPARC/SPARC64: Fix usage of .section .sched.text in assembler code. - [ dann frazier ] - * Disable CONFIG_SECURITY_FILE_CAPABILITIES - it causes SUID signaling -issues that haven't been resolved upstream (breaks submission of at -jobs, for example), and is still marked EXPERIMENTAL. (closes: #463669) - - -- dann frazier [EMAIL PROTECTED] Fri, 07 Mar 2008 10:08:54 -0700 + -- Gordon Farquharson [EMAIL PROTECTED] Thu, 21 Feb 2008 21:00:48 -0700 linux-2.6 (2.6.24-4) unstable; urgency=low Modified: dists/sid/linux-2.6/debian/config/config == --- dists/sid/linux-2.6/debian/config/config(original) +++ dists/sid/linux-2.6/debian/config/configFri Mar 7 17:33:26 2008 @@ -1766,7 +1766,7 @@ # CONFIG_KEYS_DEBUG_PROC_KEYS is not set CONFIG_SECURITY=y CONFIG_SECURITY_CAPABILITIES=y -# CONFIG_SECURITY_FILE_CAPABILITIES is not set +CONFIG_SECURITY_FILE_CAPABILITIES=y # CONFIG_SECURITY_ROOTPLUG is not set CONFIG_SECURITY_SELINUX=y CONFIG_SECURITY_SELINUX_BOOTPARAM=y ___ Kernel-svn-changes mailing list Kernel-svn-changes@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes
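Review bot: the changelog hunk drops the whole entry, including "closes: #463669", while the log message says only "pending discussion". With CONFIG_SECURITY_FILE_CAPABILITIES back at =y the breakage described in r10739 (submission of at jobs) applies again, so the log should say where the discussion is taking place, by bug number or list thread, so the revert can be traced to a decision.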
[kernel] r10694 - releases/kernel-2.4/arm/kernel-image-2.4.27-arm-2.4.27/2.4.27-2sarge7
Author: dannf Date: Wed Mar 5 03:20:06 2008 New Revision: 10694 Log: Tagging kernel-image-2.4.27-arm-2.4.27 2.4.27-2sarge7 Added: releases/kernel-2.4/arm/kernel-image-2.4.27-arm-2.4.27/2.4.27-2sarge7/ - copied from r10693, /dists/sarge-security/kernel-2.4/arm/kernel-image-2.4.27-arm-2.4.27/
[kernel] r10695 - releases/kernel-2.4/i386/kernel-image-2.4.27-i386-2.4.27/2.4.27-10sarge7
Author: dannf Date: Wed Mar 5 03:20:20 2008 New Revision: 10695 Log: Tagging kernel-image-2.4.27-i386-2.4.27 2.4.27-10sarge7 Added: releases/kernel-2.4/i386/kernel-image-2.4.27-i386-2.4.27/2.4.27-10sarge7/ - copied from r10694, /dists/sarge-security/kernel-2.4/i386/kernel-image-2.4.27-i386-2.4.27/
[kernel] r10696 - releases/kernel-2.4/i386/kernel-image-speakup-i386-2.4.27/2.4.27-1.1sarge6
Author: dannf Date: Wed Mar 5 03:20:33 2008 New Revision: 10696 Log: Tagging kernel-image-speakup-i386-2.4.27 2.4.27-1.1sarge6 Added: releases/kernel-2.4/i386/kernel-image-speakup-i386-2.4.27/2.4.27-1.1sarge6/ - copied from r10695, /dists/sarge-security/kernel-2.4/i386/kernel-image-speakup-i386-2.4.27/
[kernel] r10697 - releases/kernel-2.4/ia64/kernel-image-2.4.27-ia64-2.4.27/2.4.27-10sarge7
Author: dannf Date: Wed Mar 5 03:20:42 2008 New Revision: 10697 Log: Tagging kernel-image-2.4.27-ia64-2.4.27 2.4.27-10sarge7 Added: releases/kernel-2.4/ia64/kernel-image-2.4.27-ia64-2.4.27/2.4.27-10sarge7/ - copied from r10696, /dists/sarge-security/kernel-2.4/ia64/kernel-image-2.4.27-ia64-2.4.27/
[kernel] r10698 - releases/kernel-2.4/mips/kernel-patch-2.4.27-mips/2.4.27-10.sarge4.040815-4
Author: dannf Date: Wed Mar 5 03:20:51 2008 New Revision: 10698 Log: Tagging kernel-patch-2.4.27-mips 2.4.27-10.sarge4.040815-4 Added: releases/kernel-2.4/mips/kernel-patch-2.4.27-mips/2.4.27-10.sarge4.040815-4/ - copied from r10697, /dists/sarge-security/kernel-2.4/mips/kernel-patch-2.4.27-mips/
[kernel] r10699 - releases/kernel-2.4/powerpc/kernel-patch-powerpc-2.4.27-2.4.27/2.4.27-10sarge7
Author: dannf Date: Wed Mar 5 03:21:04 2008 New Revision: 10699 Log: Tagging kernel-patch-powerpc-2.4.27-2.4.27 2.4.27-10sarge7 Added: releases/kernel-2.4/powerpc/kernel-patch-powerpc-2.4.27-2.4.27/2.4.27-10sarge7/ - copied from r10698, /dists/sarge-security/kernel-2.4/powerpc/kernel-patch-powerpc-2.4.27-2.4.27/
[kernel] r10700 - releases/kernel-2.4/s390/kernel-image-2.4.27-s390/2.4.27-2sarge7
Author: dannf Date: Wed Mar 5 03:21:13 2008 New Revision: 10700 Log: Tagging kernel-image-2.4.27-s390 2.4.27-2sarge7 Added: releases/kernel-2.4/s390/kernel-image-2.4.27-s390/2.4.27-2sarge7/ - copied from r10699, /dists/sarge-security/kernel-2.4/s390/kernel-image-2.4.27-s390/
[kernel] r10702 - releases/kernel-2.4/sparc/kernel-image-2.4.27-sparc-2.4.27/2.4.27-9sarge7
Author: dannf Date: Wed Mar 5 03:21:42 2008 New Revision: 10702 Log: Tagging kernel-image-2.4.27-sparc-2.4.27 2.4.27-9sarge7 Added: releases/kernel-2.4/sparc/kernel-image-2.4.27-sparc-2.4.27/2.4.27-9sarge7/ - copied from r10701, /dists/sarge-security/kernel-2.4/sparc/kernel-image-2.4.27-sparc-2.4.27/
[kernel] r10703 - releases/kernel-2.4/m68k/kernel-image-2.4.27-m68k-2.4.27/2.4.27-3sarge7
Author: dannf Date: Wed Mar 5 03:21:55 2008 New Revision: 10703 Log: Tagging kernel-image-2.4.27-m68k-2.4.27 2.4.27-3sarge7 Added: releases/kernel-2.4/m68k/kernel-image-2.4.27-m68k-2.4.27/2.4.27-3sarge7/ - copied from r10702, /dists/sarge-security/kernel-2.4/m68k/kernel-image-2.4.27-m68k-2.4.27/
[kernel] r10673 - in dists/trunk/firmware-nonfree/debian: . templates
Author: dannf Date: Thu Feb 28 10:11:39 2008 New Revision: 10673 Log: * Correct path to initramfs.conf file in postinst. (closes: #432042) Modified: dists/trunk/firmware-nonfree/debian/changelog dists/trunk/firmware-nonfree/debian/templates/postinst.initramfs-tools.in Modified: dists/trunk/firmware-nonfree/debian/changelog == --- dists/trunk/firmware-nonfree/debian/changelog (original) +++ dists/trunk/firmware-nonfree/debian/changelog Thu Feb 28 10:11:39 2008 @@ -1,3 +1,9 @@ +firmware-nonfree (0.11) UNRELEASED; urgency=low + + * Correct path to initramfs.conf file in postinst. (closes: #432042) + + -- dann frazier [EMAIL PROTECTED] Thu, 28 Feb 2008 03:09:13 -0700 + firmware-nonfree (0.10) unstable; urgency=low [ Daniel Baumann ] Modified: dists/trunk/firmware-nonfree/debian/templates/postinst.initramfs-tools.in == --- dists/trunk/firmware-nonfree/debian/templates/postinst.initramfs-tools.in (original) +++ dists/trunk/firmware-nonfree/debian/templates/postinst.initramfs-tools.in Thu Feb 28 10:11:39 2008 @@ -4,7 +4,7 @@ case $1 in configure) - if [ -x /usr/sbin/update-initramfs -a -e /etc/mkinitramfs/initramfs.conf ] ; then + if [ -x /usr/sbin/update-initramfs -a -e /etc/initramfs-tools/initramfs.conf ] ; then update-initramfs -u fi ;; ___ Kernel-svn-changes mailing list Kernel-svn-changes@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes
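Review bot: the corrected test in postinst.initramfs-tools.in still joins its two conditions with -a inside a single [ ], a form POSIX marks as obsolescent. Since the line is being changed anyway, writing it as [ -x /usr/sbin/update-initramfs ] && [ -e /etc/initramfs-tools/initramfs.conf ] is the more robust form.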
[kernel] r10675 - in dists/etch/linux-2.6/debian: . patches/features patches/series
Author: dannf Date: Fri Feb 29 00:28:41 2008 New Revision: 10675 Log: * e1000: Add PCI-IDs for 82571EB 4-port cards (closes: #466401). Added: dists/etch/linux-2.6/debian/patches/features/e1000-quad-82571EB-ids.patch Modified: dists/etch/linux-2.6/debian/changelog dists/etch/linux-2.6/debian/patches/series/19 Modified: dists/etch/linux-2.6/debian/changelog == --- dists/etch/linux-2.6/debian/changelog (original) +++ dists/etch/linux-2.6/debian/changelog Fri Feb 29 00:28:41 2008 @@ -3,7 +3,10 @@ [ Martin Michlmayr ] * [mips] Enable UART on RaQ1. - -- Martin Michlmayr [EMAIL PROTECTED] Mon, 25 Feb 2008 23:20:20 +0100 + [ dann frazier ] + * e1000: Add PCI-IDs for 82571EB 4-port cards (closes: #466401). + + -- dann frazier [EMAIL PROTECTED] Thu, 28 Feb 2008 17:26:31 -0700 linux-2.6 (2.6.18.dfsg.1-18) stable; urgency=high Added: dists/etch/linux-2.6/debian/patches/features/e1000-quad-82571EB-ids.patch == --- (empty file) +++ dists/etch/linux-2.6/debian/patches/features/e1000-quad-82571EB-ids.patch Fri Feb 29 00:28:41 2008 
@@ -0,0 +1,110 @@ +commit 5881cde8a38cab3b228a63516ab64f8d79acc4f5 +Author: Jesse Brandeburg [EMAIL PROTECTED] +Date: Thu Aug 31 14:27:47 2006 -0700 + +e1000: Add PCI ID 0x10a4 for our new 4-port PCI-Express device + +Device 0x10a4 is a double 82571 on a single PCI-Express card and +has 4 gigabit capable ports. + +Signed-off-by: Jesse Brandeburg [EMAIL PROTECTED] +Signed-off-by: Auke Kok [EMAIL PROTECTED] + +commit fc2307d00c15385fbdbb5928a8517e5f63c3d068 +Author: Auke Kok [EMAIL PROTECTED] +Date: Wed Nov 1 08:47:56 2006 -0800 + +e1000: New hardware support + +Add support for a Low Profile quad-port PCI-E adapter and 2 variants +of the ICH8 systems' onboard NIC's. + +Signed-off-by: Auke Kok [EMAIL PROTECTED] + +Backported to Debian's 2.6.18 by dann frazier [EMAIL PROTECTED] + +diff -urpN linux-source-2.6.18.orig/drivers/net/e1000/e1000_ethtool.c linux-source-2.6.18/drivers/net/e1000/e1000_ethtool.c +--- linux-source-2.6.18.orig/drivers/net/e1000/e1000_ethtool.c 2006-09-19 21:42:06.0 -0600 linux-source-2.6.18/drivers/net/e1000/e1000_ethtool.c 2008-02-28 08:41:17.0 -0700 +@@ -1676,6 +1676,8 @@ e1000_get_wol(struct net_device *netdev, + wol-wolopts = 0; + return; + ++ case E1000_DEV_ID_82571EB_QUAD_COPPER: ++ case E1000_DEV_ID_82571EB_QUAD_COPPER_LOWPROFILE: + case E1000_DEV_ID_82546GB_QUAD_COPPER_KSP3: + /* device id 10B5 port-A supports wol */ + if (!adapter-ksp3_port_a) { +diff -urpN linux-source-2.6.18.orig/drivers/net/e1000/e1000_hw.c linux-source-2.6.18/drivers/net/e1000/e1000_hw.c +--- linux-source-2.6.18.orig/drivers/net/e1000/e1000_hw.c 2006-09-19 21:42:06.0 -0600 linux-source-2.6.18/drivers/net/e1000/e1000_hw.c 2008-02-28 08:41:17.0 -0700 +@@ -387,6 +387,8 @@ e1000_set_mac_type(struct e1000_hw *hw) + case E1000_DEV_ID_82571EB_COPPER: + case E1000_DEV_ID_82571EB_FIBER: + case E1000_DEV_ID_82571EB_SERDES: ++case E1000_DEV_ID_82571EB_QUAD_COPPER: ++case E1000_DEV_ID_82571EB_QUAD_COPPER_LOWPROFILE: + hw-mac_type = e1000_82571; + break; + case 
E1000_DEV_ID_82572EI_COPPER: +@@ -410,6 +412,8 @@ e1000_set_mac_type(struct e1000_hw *hw) + case E1000_DEV_ID_ICH8_IGP_AMT: + case E1000_DEV_ID_ICH8_IGP_C: + case E1000_DEV_ID_ICH8_IFE: ++case E1000_DEV_ID_ICH8_IFE_GT: ++case E1000_DEV_ID_ICH8_IFE_G: + case E1000_DEV_ID_ICH8_IGP_M: + hw-mac_type = e1000_ich8lan; + break; +diff -urpN linux-source-2.6.18.orig/drivers/net/e1000/e1000_hw.h linux-source-2.6.18/drivers/net/e1000/e1000_hw.h +--- linux-source-2.6.18.orig/drivers/net/e1000/e1000_hw.h 2006-09-19 21:42:06.0 -0600 linux-source-2.6.18/drivers/net/e1000/e1000_hw.h 2008-02-28 08:41:17.0 -0700 +@@ -470,6 +470,8 @@ int32_t e1000_check_phy_reset_block(stru + #define E1000_DEV_ID_82571EB_COPPER 0x105E + #define E1000_DEV_ID_82571EB_FIBER 0x105F + #define E1000_DEV_ID_82571EB_SERDES 0x1060 ++#define E1000_DEV_ID_82571EB_QUAD_COPPER 0x10A4 ++#define E1000_DEV_ID_82571EB_QUAD_COPPER_LOWPROFILE 0x10BC + #define E1000_DEV_ID_82572EI_COPPER 0x107D + #define E1000_DEV_ID_82572EI_FIBER 0x107E + #define E1000_DEV_ID_82572EI_SERDES 0x107F +@@ -487,6 +489,8 @@ int32_t e1000_check_phy_reset_block(stru + #define E1000_DEV_ID_ICH8_IGP_AMT0x104A + #define E1000_DEV_ID_ICH8_IGP_C 0x104B + #define E1000_DEV_ID_ICH8_IFE0x104C ++#define E1000_DEV_ID_ICH8_IFE_GT 0x10C4 ++#define E1000_DEV_ID_ICH8_IFE_G 0x10C5 + #define E1000_DEV_ID_ICH8_IGP_M 0x104D + + +diff -urpN linux-source-2.6.18.orig
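Review bot: in the e1000_get_wol() hunk the two new 82571EB quad-port IDs are stacked on the E1000_DEV_ID_82546GB_QUAD_COPPER_KSP3 case, so they now share the adapter->ksp3_port_a test, while the comment underneath still reads "device id 10B5 port-A supports wol". The comment should cover 0x10A4 and 0x10BC as well. The part of the patch that would set ksp3_port_a for the new IDs is not visible here, because the message is cut off after the e1000_hw.h hunks; please confirm the flag is set for them, since otherwise the port-A test fails on every port of these cards.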
[kernel] r10669 - releases/firmware-nonfree/0.4
Author: dannf Date: Wed Feb 27 18:48:44 2008 New Revision: 10669 Log: retroactively tag 0.4 release Added: releases/firmware-nonfree/0.4/ - copied from r8357, /dists/trunk/firmware-nonfree/
[kernel] r10670 - dists/etch/firmware-nonfree
Author: dannf Date: Wed Feb 27 18:54:02 2008 New Revision: 10670 Log: create an etch branch of firmware-nonfree since the build-deps need to change w/ the ABI Added: dists/etch/firmware-nonfree/ - copied from r10669, /releases/firmware-nonfree/0.4/
[kernel] r10671 - dists/etch/firmware-nonfree/debian
Author: dannf Date: Wed Feb 27 19:07:54 2008 New Revision: 10671 Log: * Build-depend on linux-support-2.6.18-6; closes: #468215. Modified: dists/etch/firmware-nonfree/debian/changelog dists/etch/firmware-nonfree/debian/rules.defs Modified: dists/etch/firmware-nonfree/debian/changelog == --- dists/etch/firmware-nonfree/debian/changelog(original) +++ dists/etch/firmware-nonfree/debian/changelogWed Feb 27 19:07:54 2008 @@ -1,3 +1,9 @@ +firmware-nonfree (0.4etch1) stable; urgency=high + + * Build-depend on linux-support-2.6.18-6; closes: #468215. + + -- dann frazier [EMAIL PROTECTED] Wed, 27 Feb 2008 11:54:52 -0700 + firmware-nonfree (0.4) unstable; urgency=low * Build-depend on linux-support-2.6.18-4; closes: #414773. Modified: dists/etch/firmware-nonfree/debian/rules.defs == --- dists/etch/firmware-nonfree/debian/rules.defs (original) +++ dists/etch/firmware-nonfree/debian/rules.defs Wed Feb 27 19:07:54 2008 @@ -1 +1 @@ -KERNELVERSION := 2.6.18-4 +KERNELVERSION := 2.6.18-6 ___ Kernel-svn-changes mailing list Kernel-svn-changes@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes
[kernel] r10672 - releases/firmware-nonfree/0.4etch1
Author: dannf Date: Wed Feb 27 20:32:14 2008 New Revision: 10672 Log: tag 0.4etch1 Added: releases/firmware-nonfree/0.4etch1/ - copied from r10671, /dists/etch/firmware-nonfree/
[kernel] r10627 - releases/kernel-2.4/alpha/kernel-image-2.4.27-alpha-2.4.27/2.4.27-10sarge6
Author: dannf Date: Fri Feb 22 22:24:59 2008 New Revision: 10627 Log: Tagging kernel-image-2.4.27-alpha-2.4.27 2.4.27-10sarge6 Added: releases/kernel-2.4/alpha/kernel-image-2.4.27-alpha-2.4.27/2.4.27-10sarge6/ - copied from r10626, /dists/sarge-security/kernel-2.4/alpha/kernel-image-2.4.27-alpha-2.4.27/
[kernel] r10628 - releases/kernel-2.4/alpha/kernel-latest-2.4-alpha/101sarge3
Author: dannf Date: Fri Feb 22 22:25:08 2008 New Revision: 10628 Log: Tagging kernel-latest-2.4-alpha 101sarge3 Added: releases/kernel-2.4/alpha/kernel-latest-2.4-alpha/101sarge3/ - copied from r10627, /dists/sarge-security/kernel-2.4/alpha/kernel-latest-2.4-alpha/
[kernel] r10629 - releases/kernel-2.4/arm/kernel-image-2.4.27-arm-2.4.27/2.4.27-2sarge6
Author: dannf Date: Fri Feb 22 22:25:16 2008 New Revision: 10629 Log: Tagging kernel-image-2.4.27-arm-2.4.27 2.4.27-2sarge6 Added: releases/kernel-2.4/arm/kernel-image-2.4.27-arm-2.4.27/2.4.27-2sarge6/ - copied from r10628, /dists/sarge-security/kernel-2.4/arm/kernel-image-2.4.27-arm-2.4.27/
[kernel] r10630 - releases/kernel-2.4/i386/kernel-image-2.4.27-i386-2.4.27/2.4.27-10sarge6
Author: dannf Date: Fri Feb 22 22:25:34 2008 New Revision: 10630 Log: Tagging kernel-image-2.4.27-i386-2.4.27 2.4.27-10sarge6 Added: releases/kernel-2.4/i386/kernel-image-2.4.27-i386-2.4.27/2.4.27-10sarge6/ - copied from r10629, /dists/sarge-security/kernel-2.4/i386/kernel-image-2.4.27-i386-2.4.27/
[kernel] r10631 - releases/kernel-2.4/i386/kernel-latest-2.4-i386/101sarge2
Author: dannf Date: Fri Feb 22 22:25:42 2008 New Revision: 10631 Log: Tagging kernel-latest-2.4-i386 101sarge2 Added: releases/kernel-2.4/i386/kernel-latest-2.4-i386/101sarge2/ - copied from r10630, /dists/sarge-security/kernel-2.4/i386/kernel-latest-2.4-i386/
[kernel] r10632 - releases/kernel-2.4/i386/kernel-image-speakup-i386-2.4.27/2.4.27-1.1sarge5
Author: dannf Date: Fri Feb 22 22:25:51 2008 New Revision: 10632 Log: Tagging kernel-image-speakup-i386-2.4.27 2.4.27-1.1sarge5 Added: releases/kernel-2.4/i386/kernel-image-speakup-i386-2.4.27/2.4.27-1.1sarge5/ - copied from r10631, /dists/sarge-security/kernel-2.4/i386/kernel-image-speakup-i386-2.4.27/
[kernel] r10633 - releases/kernel-2.4/ia64/kernel-image-2.4.27-ia64-2.4.27/2.4.27-10sarge6
Author: dannf Date: Fri Feb 22 22:25:59 2008 New Revision: 10633 Log: Tagging kernel-image-2.4.27-ia64-2.4.27 2.4.27-10sarge6 Added: releases/kernel-2.4/ia64/kernel-image-2.4.27-ia64-2.4.27/2.4.27-10sarge6/ - copied from r10632, /dists/sarge-security/kernel-2.4/ia64/kernel-image-2.4.27-ia64-2.4.27/
[kernel] r10634 - releases/kernel-2.4/mips/kernel-patch-2.4.27-mips/2.4.27-10.sarge4.040815-3
Author: dannf Date: Fri Feb 22 22:26:07 2008 New Revision: 10634 Log: Tagging kernel-patch-2.4.27-mips 2.4.27-10.sarge4.040815-3 Added: releases/kernel-2.4/mips/kernel-patch-2.4.27-mips/2.4.27-10.sarge4.040815-3/ - copied from r10633, /dists/sarge-security/kernel-2.4/mips/kernel-patch-2.4.27-mips/
[kernel] r10635 - releases/kernel-2.4/powerpc/kernel-patch-powerpc-2.4.27-2.4.27/2.4.27-10sarge6
Author: dannf Date: Fri Feb 22 22:26:16 2008 New Revision: 10635 Log: Tagging kernel-patch-powerpc-2.4.27-2.4.27 2.4.27-10sarge6 Added: releases/kernel-2.4/powerpc/kernel-patch-powerpc-2.4.27-2.4.27/2.4.27-10sarge6/ - copied from r10634, /dists/sarge-security/kernel-2.4/powerpc/kernel-patch-powerpc-2.4.27-2.4.27/
[kernel] r10642 - releases/kernel/alpha/kernel-image-2.6.8-alpha-2.6.8/2.6.8-17sarge1
Author: dannf Date: Fri Feb 22 22:27:33 2008 New Revision: 10642 Log: Tagging kernel-image-2.6.8-alpha-2.6.8 2.6.8-17sarge1 Added: releases/kernel/alpha/kernel-image-2.6.8-alpha-2.6.8/2.6.8-17sarge1/ - copied from r10641, /dists/sarge-security/kernel/alpha/kernel-image-2.6.8-alpha-2.6.8/
[kernel] r10643 - releases/kernel/amd64/kernel-image-2.6.8-amd64-2.6.8/2.6.8-17sarge1
Author: dannf Date: Fri Feb 22 22:27:45 2008 New Revision: 10643 Log: Tagging kernel-image-2.6.8-amd64-2.6.8 2.6.8-17sarge1 Added: releases/kernel/amd64/kernel-image-2.6.8-amd64-2.6.8/2.6.8-17sarge1/ - copied from r10642, /dists/sarge-security/kernel/amd64/kernel-image-2.6.8-amd64-2.6.8/
[kernel] r10644 - releases/kernel/hppa/kernel-image-2.6.8-hppa-2.6.8/2.6.8-7sarge1
Author: dannf Date: Fri Feb 22 22:27:57 2008 New Revision: 10644 Log: Tagging kernel-image-2.6.8-hppa-2.6.8 2.6.8-7sarge1 Added: releases/kernel/hppa/kernel-image-2.6.8-hppa-2.6.8/2.6.8-7sarge1/ - copied from r10643, /dists/sarge-security/kernel/hppa/kernel-image-2.6.8-hppa-2.6.8/
[kernel] r10645 - releases/kernel/i386/kernel-image-2.6.8-i386-2.6.8/2.6.8-17sarge1
Author: dannf Date: Fri Feb 22 22:28:13 2008 New Revision: 10645 Log: Tagging kernel-image-2.6.8-i386-2.6.8 2.6.8-17sarge1 Added: releases/kernel/i386/kernel-image-2.6.8-i386-2.6.8/2.6.8-17sarge1/ - copied from r10644, /dists/sarge-security/kernel/i386/kernel-image-2.6.8-i386-2.6.8/
[kernel] r10646 - releases/kernel/ia64/kernel-image-2.6.8-ia64-2.6.8/2.6.8-15sarge1
Author: dannf Date: Fri Feb 22 22:28:25 2008 New Revision: 10646 Log: Tagging kernel-image-2.6.8-ia64-2.6.8 2.6.8-15sarge1 Added: releases/kernel/ia64/kernel-image-2.6.8-ia64-2.6.8/2.6.8-15sarge1/ - copied from r10645, /dists/sarge-security/kernel/ia64/kernel-image-2.6.8-ia64-2.6.8/
[kernel] r10647 - releases/kernel/powerpc/kernel-patch-powerpc-2.6.8-2.6.8/2.6.8-13sarge1
Author: dannf Date: Fri Feb 22 22:28:37 2008 New Revision: 10647 Log: Tagging kernel-patch-powerpc-2.6.8-2.6.8 2.6.8-13sarge1 Added: releases/kernel/powerpc/kernel-patch-powerpc-2.6.8-2.6.8/2.6.8-13sarge1/ - copied from r10646, /dists/sarge-security/kernel/powerpc/kernel-patch-powerpc-2.6.8-2.6.8/
[kernel] r10648 - releases/kernel/s390/kernel-image-2.6.8-s390-2.6.8/2.6.8-6sarge1
Author: dannf Date: Fri Feb 22 22:28:45 2008 New Revision: 10648 Log: Tagging kernel-image-2.6.8-s390-2.6.8 2.6.8-6sarge1 Added: releases/kernel/s390/kernel-image-2.6.8-s390-2.6.8/2.6.8-6sarge1/ - copied from r10647, /dists/sarge-security/kernel/s390/kernel-image-2.6.8-s390-2.6.8/
[kernel] r10649 - releases/kernel/source/kernel-source-2.6.8-2.6.8/2.6.8-17sarge1
Author: dannf Date: Fri Feb 22 22:28:54 2008 New Revision: 10649 Log: Tagging kernel-source-2.6.8-2.6.8 2.6.8-17sarge1 Added: releases/kernel/source/kernel-source-2.6.8-2.6.8/2.6.8-17sarge1/ - copied from r10648, /dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/
[kernel] r10650 - releases/kernel/sparc/kernel-image-2.6.8-sparc-2.6.8/2.6.8-16sarge1
Author: dannf Date: Fri Feb 22 22:29:02 2008 New Revision: 10650 Log: Tagging kernel-image-2.6.8-sparc-2.6.8 2.6.8-16sarge1 Added: releases/kernel/sparc/kernel-image-2.6.8-sparc-2.6.8/2.6.8-16sarge1/ - copied from r10649, /dists/sarge-security/kernel/sparc/kernel-image-2.6.8-sparc-2.6.8/
[kernel] r10636 - releases/kernel-2.4/s390/kernel-image-2.4.27-s390/2.4.27-2sarge6
Author: dannf Date: Fri Feb 22 22:26:24 2008 New Revision: 10636 Log: Tagging kernel-image-2.4.27-s390 2.4.27-2sarge6 Added: releases/kernel-2.4/s390/kernel-image-2.4.27-s390/2.4.27-2sarge6/ - copied from r10635, /dists/sarge-security/kernel-2.4/s390/kernel-image-2.4.27-s390/
[kernel] r10638 - releases/kernel-2.4/source/kernel-source-2.4.27-2.4.27/2.4.27-10sarge6
Author: dannf Date: Fri Feb 22 22:26:44 2008 New Revision: 10638 Log: Tagging kernel-source-2.4.27-2.4.27 2.4.27-10sarge6 Added: releases/kernel-2.4/source/kernel-source-2.4.27-2.4.27/2.4.27-10sarge6/ - copied from r10637, /dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/
[kernel] r10639 - releases/kernel-2.4/sparc/kernel-image-2.4.27-sparc-2.4.27/2.4.27-9sarge6
Author: dannf Date: Fri Feb 22 22:26:52 2008 New Revision: 10639 Log: Tagging kernel-image-2.4.27-sparc-2.4.27 2.4.27-9sarge6 Added: releases/kernel-2.4/sparc/kernel-image-2.4.27-sparc-2.4.27/2.4.27-9sarge6/ - copied from r10638, /dists/sarge-security/kernel-2.4/sparc/kernel-image-2.4.27-sparc-2.4.27/
[kernel] r10637 - releases/kernel-2.4/s390/kernel-latest-2.4-s390/2.4.27-1sarge2
Author: dannf Date: Fri Feb 22 22:26:32 2008 New Revision: 10637 Log: Tagging kernel-latest-2.4-s390 2.4.27-1sarge2 Added: releases/kernel-2.4/s390/kernel-latest-2.4-s390/2.4.27-1sarge2/ - copied from r10636, /dists/sarge-security/kernel-2.4/s390/kernel-latest-2.4-s390/
[kernel] r10580 - dists/sarge-security/kernel/ia64/kernel-image-2.6.8-ia64-2.6.8
Author: dannf Date: Tue Feb 19 08:30:30 2008 New Revision: 10580 Log: rebasing from sarge branch Removed: dists/sarge-security/kernel/ia64/kernel-image-2.6.8-ia64-2.6.8/
[kernel] r10583 - in dists/sarge-security/kernel/ia64/kernel-image-2.6.8-ia64-2.6.8: . debian
Author: dannf Date: Tue Feb 19 08:37:18 2008 New Revision: 10583 Log: rebasing from sarge branch Added: dists/sarge-security/kernel/ia64/kernel-image-2.6.8-ia64-2.6.8/ - copied from r10578, /dists/sarge/kernel/ia64/kernel-image-2.6.8-ia64-2.6.8/ dists/sarge-security/kernel/ia64/kernel-image-2.6.8-ia64-2.6.8/debian/changelog - copied unchanged from r10581, /dists/sarge/kernel/ia64/kernel-image-2.6.8-ia64-2.6.8/debian/changelog dists/sarge-security/kernel/ia64/kernel-image-2.6.8-ia64-2.6.8/debian/control - copied unchanged from r10581, /dists/sarge/kernel/ia64/kernel-image-2.6.8-ia64-2.6.8/debian/control
[kernel] r10581 - dists/sarge/kernel/ia64/kernel-image-2.6.8-ia64-2.6.8/debian
after writing something to disk. + +* mm-rmap-out-of-bounds-pte.dpatch + Stop try_to_unmap_cluster() passing out-of-bounds pte to pte_unmap() + +* net-ipv4-netfilter-ip_queue-deadlock.dpatch + Fix deadlock with ip_queue and tcp local input path. + +* asm-i386-mem-clobber.dpatch: + Make sure gcc doesn't reorder memory accesses in strncmp and friends on + i386. + +* drivers-acpi-pci_irq-elcr.dpatch: + Make sure we call acpi_register_gsi() even for default PCI interrupt + assignment. That's the part that keeps track of the ELCR register, and we + want to make sure that the PCI interrupts are properly marked level/low. + +[ dann frazier ] +* Merge in applicable fixes from 2.6.12.4 + - netfilter-deadlock-ip6_queue.dpatch + - rocket_c-fix-ldisc-ref-count.dpatch + - early-vlan-fix.dpatch + +[ Simon Horman ] +* drivers-sata-promise-sataii_tx2_tx4.dpatch + Add SATAII TX2 and TX2/TX4 support to sata promise driver + (Closes: #317286) + +* module-per-cpu-alignment-fix.dpatch + Module per-cpu alignment cannot always be met + From 2.6.12.5 + +* genelink-usbnet-skb-typo.dpatch + fix gl_skb/skb type error in genelink driver in usbnet + Backported From 2.6.12.6 + +* drivers-ide-ppp-pmac-build.dpatch + Make sure BLK_DEV_IDEDMA_PCI is defined for pmac ide driver builds + (closes: #321442) + +* fs-ext3-nfs-parent-fix.dpatch + ext3 file systems mounted over nfs may lookup .. in dx directories + causing an oops. + (closes: #323557) + +* sparc-request_irq-in-RTC-fix.dpatch + Use SA_SHIRQ in sparc specific code. 
+ From 2.6.13.1 + +* forcedeth-init-link-settings-in-nv_open.patch + forcedeth: Initialize link settings in every nv_open() + From 2.6.13.2 + +* fix-MPOL_F_VERIFY.patch + Fix MPOL_F_VERIFY + From 2.6.13.2 + +* fix-more-byte-to-dword-writes-to-PCI_ROM_ADDRESS-config-word.patch + Fix up more strange byte writes to the PCI_ROM_ADDRESS config word + From 2.6.13.2 + +* yenta-oops-fix.patch + yenta oops fix + From 2.6.13.3 + +* fix-de_thread-BUG_ON.patch + Fix fs/exec.c:788 (de_thread()) BUG_ON + From 2.6.13.3 + +* ipv6-fix-per-socket-multicast-filtering.patch + fix IPv6 per-socket multicast filtering in exact-match case + From 2.6.13.3 + +* ipvs-ip_vs_ftp-breaks-connections.patch + ipvs: ip_vs_ftp breaks connections using persistence + From 2.6.13.3 + +* ieee1394-sbp2-fixes-for-hot-unplug-and-module-unloading.dpatch + ieee1394/sbp2: fixes for hot-unplug and module unloading + From 2.6.13.4 + +* fix-sparc64-fpu-register-corruption.dpatch + [SPARC64]: Fix userland FPU state corruption. + From 2.6.13.4 + +[ dann frazier ] +* drivers-block-raw-ioctl2.dpatch, drivers-block-ioctl-enotty.dpatch: + Fix a bug in the block layer that causes a bootloader installation + error under certain conditions - breaks installation on cciss devices. 
+ (closes: #354493) +* Fix data corruption with dm-crypt over RAID5 (closes: #336153) +* Fix VLAN support for 3c59x/90x series hardware (closes: #349774) +* Fix erroneous calculation of 'len' parameter to NLMSG_PUT resulting in + bogus 'error during NLMSG_PUT' messages (closes: #372621) +* hp-diva-rmp3.dpatch, hp-diva-hurricane.dpatch: + Add PCI IDs for newer Diva console ports + + -- dann frazier [EMAIL PROTECTED] Sat, 26 May 2007 04:04:02 -0600 + kernel-image-2.6.8-ia64 (2.6.8-14sarge7) oldstable-security; urgency=high * Rebuild against kernel-tree-2.6.8-16sarge7 which requires Modified: dists/sarge/kernel/ia64/kernel-image-2.6.8-ia64-2.6.8/debian/control == --- dists/sarge/kernel/ia64/kernel-image-2.6.8-ia64-2.6.8/debian/control (original) +++ dists/sarge/kernel/ia64/kernel-image-2.6.8-ia64-2.6.8/debian/control Tue Feb 19 08:33:32 2008 @@ -4,7 +4,7 @@ Maintainer: Debian Kernel Team [EMAIL PROTECTED] Uploaders: dann frazier [EMAIL PROTECTED] Standards-Version: 3.6.1 -Build-Depends: debhelper (= 2), kernel-package (= 8.054), kernel-tree-2.6.8-16sarge7, module-init-tools +Build-Depends: debhelper (= 2), kernel-package (= 8.054), kernel-tree-2.6.8-17, module-init-tools Package: kernel-headers-2.6.8-4 Architecture: ia64 ___ Kernel-svn-changes mailing list Kernel-svn-changes@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes
[kernel] r10590 - releases/kernel/i386/kernel-image-2.6.8-i386-2.6.8/2.6.8-17
Author: dannf Date: Tue Feb 19 08:58:42 2008 New Revision: 10590 Log: Tagging kernel-image-2.6.8-i386-2.6.8 2.6.8-17 Added: releases/kernel/i386/kernel-image-2.6.8-i386-2.6.8/2.6.8-17/ - copied from r10589, /dists/sarge/kernel/i386/kernel-image-2.6.8-i386-2.6.8/
[kernel] r10588 - releases/kernel/m68k/kernel-image-2.6.8-m68k-2.6.8/2.6.8-5
Author: dannf Date: Tue Feb 19 08:58:01 2008 New Revision: 10588 Log: Tagging kernel-image-2.6.8-m68k-2.6.8 2.6.8-5 Added: releases/kernel/m68k/kernel-image-2.6.8-m68k-2.6.8/2.6.8-5/ - copied from r10587, /dists/sarge/kernel/m68k/kernel-image-2.6.8-m68k-2.6.8/
[kernel] r10592 - releases/kernel/s390/kernel-image-2.6.8-s390-2.6.8/2.6.8-6
Author: dannf Date: Tue Feb 19 08:59:08 2008 New Revision: 10592 Log: Tagging kernel-image-2.6.8-s390-2.6.8 2.6.8-6 Added: releases/kernel/s390/kernel-image-2.6.8-s390-2.6.8/2.6.8-6/ - copied from r10591, /dists/sarge/kernel/s390/kernel-image-2.6.8-s390-2.6.8/
[kernel] r10589 - releases/kernel/hppa/kernel-image-2.6.8-hppa-2.6.8/2.6.8-7
Author: dannf Date: Tue Feb 19 08:58:19 2008 New Revision: 10589 Log: Tagging kernel-image-2.6.8-hppa-2.6.8 2.6.8-7 Added: releases/kernel/hppa/kernel-image-2.6.8-hppa-2.6.8/2.6.8-7/ - copied from r10588, /dists/sarge/kernel/hppa/kernel-image-2.6.8-hppa-2.6.8/
[kernel] r10585 - dists/sarge
Author: dannf Date: Tue Feb 19 08:56:32 2008 New Revision: 10585 Log: set dist to sarge on sarge branch Modified: dists/sarge/tagall Modified: dists/sarge/tagall == --- dists/sarge/tagall (original) +++ dists/sarge/tagall Tue Feb 19 08:56:32 2008 @@ -4,7 +4,7 @@ svnbase=svn+ssh://svn.debian.org/svn/kernel tagdir=releases -dist=sarge-security +dist=sarge for c in $(find . -name changelog); do pdir=$(echo $c | sed 's,/debian/changelog$,,' | sed 's,^\./,,') ___ Kernel-svn-changes mailing list Kernel-svn-changes@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes
[kernel] r10586 - releases/kernel/powerpc/kernel-patch-powerpc-2.6.8-2.6.8/2.6.8-13
Author: dannf Date: Tue Feb 19 08:57:33 2008 New Revision: 10586 Log: Tagging kernel-patch-powerpc-2.6.8-2.6.8 2.6.8-13 Added: releases/kernel/powerpc/kernel-patch-powerpc-2.6.8-2.6.8/2.6.8-13/ - copied from r10585, /dists/sarge/kernel/powerpc/kernel-patch-powerpc-2.6.8-2.6.8/
[kernel] r10593 - dists/sarge-security/kernel/s390/kernel-image-2.6.8-s390-2.6.8
Author: dannf Date: Tue Feb 19 09:02:59 2008 New Revision: 10593 Log: rebasing from sarge branch Removed: dists/sarge-security/kernel/s390/kernel-image-2.6.8-s390-2.6.8/
[kernel] r10614 - dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches
Author: dannf Date: Wed Feb 20 01:20:38 2008 New Revision: 10614 Log: 2.6.8 compilation fix Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/minixfs-printk-hang.dpatch Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/minixfs-printk-hang.dpatch == --- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/minixfs-printk-hang.dpatch (original) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/minixfs-printk-hang.dpatch Wed Feb 20 01:20:38 2008 @@ -57,13 +57,13 @@ if (block 0) { - printk(minix_bmap: block0); + printk(MINIX-fs: block_to_path: block %ld 0 on dev %s\n, -+ block, bdevname(sb-s_bdev, b)); ++ block, bdevname(inode-i_sb-s_bdev, b)); } else if (block = (minix_sb(inode-i_sb)-s_max_size/BLOCK_SIZE)) { - printk(minix_bmap: blockbig); + if (printk_ratelimit()) + printk(MINIX-fs: block_to_path: + block %ld too big on dev %s\n, -+ block, bdevname(sb-s_bdev, b)); ++ block, bdevname(inode-i_sb-s_bdev, b)); } else if (block 7) { offsets[n++] = block; } else if ((block -= 7) 256) { ___ Kernel-svn-changes mailing list Kernel-svn-changes@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes
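Review bot: the first printk in this hunk (the "block %ld ... 0 on dev %s" message) is still emitted unconditionally, while the "too big" message two lines further down is wrapped in `if (printk_ratelimit())`. If the purpose of minixfs-printk-hang.dpatch is to keep a bad block number from flooding the log, the first branch wants the same guard. The switch from `sb` to `inode->i_sb` matches the `minix_sb(inode->i_sb)` call on the unchanged context line, so that part looks right for a tree where no `sb` is in scope.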
[kernel] r10615 - in dists/sarge-security/kernel: alpha/kernel-image-2.6.8-alpha-2.6.8 amd64/kernel-image-2.6.8-amd64-2.6.8 hppa/kernel-image-2.6.8-hppa-2.6.8 i386/kernel-image-2.6.8-i386-2.6.8 m68k/k
Author: dannf Date: Wed Feb 20 01:58:18 2008 New Revision: 10615 Log: rebasing from sarge branch Removed: dists/sarge-security/kernel/alpha/kernel-image-2.6.8-alpha-2.6.8/ dists/sarge-security/kernel/amd64/kernel-image-2.6.8-amd64-2.6.8/ dists/sarge-security/kernel/hppa/kernel-image-2.6.8-hppa-2.6.8/ dists/sarge-security/kernel/i386/kernel-image-2.6.8-i386-2.6.8/ dists/sarge-security/kernel/m68k/kernel-image-2.6.8-m68k-2.6.8/ dists/sarge-security/kernel/powerpc/kernel-patch-powerpc-2.6.8-2.6.8/ dists/sarge-security/kernel/sparc/kernel-image-2.6.8-sparc-2.6.8/
[kernel] r10616 - in dists/sarge-security/kernel: alpha/kernel-image-2.6.8-alpha-2.6.8 alpha/kernel-image-2.6.8-alpha-2.6.8/debian amd64/kernel-image-2.6.8-amd64-2.6.8 amd64/kernel-image-2.6.8-amd64-2
Author: dannf Date: Wed Feb 20 02:04:25 2008 New Revision: 10616 Log: rebasing from sarge branch Added: dists/sarge-security/kernel/alpha/kernel-image-2.6.8-alpha-2.6.8/ - copied from r10578, /dists/sarge/kernel/alpha/kernel-image-2.6.8-alpha-2.6.8/ dists/sarge-security/kernel/alpha/kernel-image-2.6.8-alpha-2.6.8/debian/changelog - copied unchanged from r10584, /dists/sarge/kernel/alpha/kernel-image-2.6.8-alpha-2.6.8/debian/changelog dists/sarge-security/kernel/alpha/kernel-image-2.6.8-alpha-2.6.8/debian/control - copied unchanged from r10584, /dists/sarge/kernel/alpha/kernel-image-2.6.8-alpha-2.6.8/debian/control dists/sarge-security/kernel/amd64/kernel-image-2.6.8-amd64-2.6.8/ - copied from r10578, /dists/sarge/kernel/amd64/kernel-image-2.6.8-amd64-2.6.8/ dists/sarge-security/kernel/amd64/kernel-image-2.6.8-amd64-2.6.8/debian/changelog - copied unchanged from r10584, /dists/sarge/kernel/amd64/kernel-image-2.6.8-amd64-2.6.8/debian/changelog dists/sarge-security/kernel/amd64/kernel-image-2.6.8-amd64-2.6.8/debian/control - copied unchanged from r10584, /dists/sarge/kernel/amd64/kernel-image-2.6.8-amd64-2.6.8/debian/control dists/sarge-security/kernel/hppa/kernel-image-2.6.8-hppa-2.6.8/ - copied from r10578, /dists/sarge/kernel/hppa/kernel-image-2.6.8-hppa-2.6.8/ dists/sarge-security/kernel/hppa/kernel-image-2.6.8-hppa-2.6.8/debian/changelog - copied unchanged from r10584, /dists/sarge/kernel/hppa/kernel-image-2.6.8-hppa-2.6.8/debian/changelog dists/sarge-security/kernel/hppa/kernel-image-2.6.8-hppa-2.6.8/debian/control - copied unchanged from r10584, /dists/sarge/kernel/hppa/kernel-image-2.6.8-hppa-2.6.8/debian/control dists/sarge-security/kernel/i386/kernel-image-2.6.8-i386-2.6.8/ - copied from r10578, /dists/sarge/kernel/i386/kernel-image-2.6.8-i386-2.6.8/ dists/sarge-security/kernel/i386/kernel-image-2.6.8-i386-2.6.8/debian/changelog - copied unchanged from r10584, /dists/sarge/kernel/i386/kernel-image-2.6.8-i386-2.6.8/debian/changelog 
dists/sarge-security/kernel/i386/kernel-image-2.6.8-i386-2.6.8/debian/control - copied unchanged from r10584, /dists/sarge/kernel/i386/kernel-image-2.6.8-i386-2.6.8/debian/control dists/sarge-security/kernel/m68k/kernel-image-2.6.8-m68k-2.6.8/ - copied from r10578, /dists/sarge/kernel/m68k/kernel-image-2.6.8-m68k-2.6.8/ dists/sarge-security/kernel/m68k/kernel-image-2.6.8-m68k-2.6.8/debian/changelog - copied unchanged from r10584, /dists/sarge/kernel/m68k/kernel-image-2.6.8-m68k-2.6.8/debian/changelog dists/sarge-security/kernel/m68k/kernel-image-2.6.8-m68k-2.6.8/debian/control - copied unchanged from r10584, /dists/sarge/kernel/m68k/kernel-image-2.6.8-m68k-2.6.8/debian/control dists/sarge-security/kernel/powerpc/kernel-patch-powerpc-2.6.8-2.6.8/ - copied from r10578, /dists/sarge/kernel/powerpc/kernel-patch-powerpc-2.6.8-2.6.8/ dists/sarge-security/kernel/powerpc/kernel-patch-powerpc-2.6.8-2.6.8/debian/changelog - copied unchanged from r10584, /dists/sarge/kernel/powerpc/kernel-patch-powerpc-2.6.8-2.6.8/debian/changelog dists/sarge-security/kernel/powerpc/kernel-patch-powerpc-2.6.8-2.6.8/debian/rules - copied unchanged from r10584, /dists/sarge/kernel/powerpc/kernel-patch-powerpc-2.6.8-2.6.8/debian/rules dists/sarge-security/kernel/sparc/kernel-image-2.6.8-sparc-2.6.8/ - copied from r10578, /dists/sarge/kernel/sparc/kernel-image-2.6.8-sparc-2.6.8/ dists/sarge-security/kernel/sparc/kernel-image-2.6.8-sparc-2.6.8/debian/changelog - copied unchanged from r10584, /dists/sarge/kernel/sparc/kernel-image-2.6.8-sparc-2.6.8/debian/changelog dists/sarge-security/kernel/sparc/kernel-image-2.6.8-sparc-2.6.8/debian/control - copied unchanged from r10584, /dists/sarge/kernel/sparc/kernel-image-2.6.8-sparc-2.6.8/debian/control ___ Kernel-svn-changes mailing list Kernel-svn-changes@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes
[kernel] r10576 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series
Author: dannf Date: Tue Feb 19 07:21:41 2008 New Revision: 10576 Log: * mmap-VM_DONTEXPAND.dpatch [SECURITY] Add VM_DONTEXPAND to vm_flags in drivers that register a fault handler but do not bounds check the offset argument See CVE-2008-0007 Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/mmap-VM_DONTEXPAND.dpatch Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog == --- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog (original) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog Tue Feb 19 07:21:41 2008 @@ -73,8 +73,12 @@ [SECURITY] Avoid seeding with the same values at boot time when a system has no entropy source See CVE-2007-2453 + * mmap-VM_DONTEXPAND.dpatch +[SECURITY] Add VM_DONTEXPAND to vm_flags in drivers that register +a fault handler but do not bounds check the offset argument +See CVE-2008-0007 - -- dann frazier [EMAIL PROTECTED] Thu, 14 Feb 2008 15:32:34 -0700 + -- dann frazier [EMAIL PROTECTED] Tue, 19 Feb 2008 00:18:26 -0700 kernel-source-2.6.8 (2.6.8-17) oldstable; urgency=high Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/mmap-VM_DONTEXPAND.dpatch == --- (empty file) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/mmap-VM_DONTEXPAND.dpatch Tue Feb 19 07:21:41 2008 
@@ -0,0 +1,122 @@ +From: Nick Piggin [EMAIL PROTECTED] +Date: Sat, 2 Feb 2008 02:08:53 + (+0100) +Subject: vm audit: add VM_DONTEXPAND to mmap for drivers that need it (CVE-2008-0007) +X-Git-Tag: v2.6.22.17~1 +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6.22.y.git;a=commitdiff_plain;h=83af8eda68a3f0c227d0eb05348e58ae27a62e7e + +vm audit: add VM_DONTEXPAND to mmap for drivers that need it (CVE-2008-0007) + +Drivers that register a -fault handler, but do not range-check the +offset argument, must set VM_DONTEXPAND in the vm_flags in order to +prevent an expanding mremap from overflowing the resource. + +I've audited the tree and attempted to fix these problems (usually by +adding VM_DONTEXPAND where it is not obvious). + +Signed-off-by: Nick Piggin [EMAIL PROTECTED] +Signed-off-by: Linus Torvalds [EMAIL PROTECTED] +Signed-off-by: Greg Kroah-Hartman [EMAIL PROTECTED] +--- +commit 70fc53fa115cefe9ddb33bc284f77a7b10fabbbf +Author: Willy Tarreau [EMAIL PROTECTED] +Date: Sun Feb 3 18:32:33 2008 +0100 + +security: insufficient range checks in certain fault handlers + +This is the 2.4 version of Nick Piggin's work on 2.6 fault handlers. +This deals with security vulnerability CVE-2008-0007. + +Drivers that register a -nopage handler, that does not range-check its +offset argument, must set VM_DONTEXPAND in the vm_flags to ensure the +offset is within bounds. 
+ +Signed-off-by: Willy Tarreau [EMAIL PROTECTED] + +Ported to Debian's 2.6.8 by dann frazier [EMAIL PROTECTED] + +diff --git a/drivers/char/drm-4.0/vm.c b/drivers/char/drm-4.0/vm.c +index f25aaa5..ef50f2d 100644 +--- a/drivers/char/drm-4.0/vm.c b/drivers/char/drm-4.0/vm.c +@@ -256,6 +256,7 @@ int drm_mmap_dma(struct file *filp, struct vm_area_struct *vma) + + vma-vm_ops = drm_vm_dma_ops; + vma-vm_flags |= VM_LOCKED | VM_SHM; /* Don't swap */ ++ vma-vm_flags |= VM_DONTEXPAND; + + #if LINUX_VERSION_CODE 0x020203 /* KERNEL_VERSION(2,2,3) */ + /* In Linux 2.2.3 and above, this is +@@ -358,6 +359,7 @@ int drm_mmap(struct file *filp, struct vm_area_struct *vma) + return -EINVAL; /* This should never happen. */ + } + vma-vm_flags |= VM_LOCKED | VM_SHM; /* Don't swap */ ++ vma-vm_flags |= VM_DONTEXPAND; + + #if LINUX_VERSION_CODE 0x020203 /* KERNEL_VERSION(2,2,3) */ + /* In Linux 2.2.3 and above, this is +diff --git a/drivers/char/drm/drm_vm.h b/drivers/char/drm/drm_vm.h +index 4eadbf0..337a1a8 100644 +--- a/drivers/char/drm/drm_vm.h b/drivers/char/drm/drm_vm.h +@@ -342,6 +342,7 @@ int DRM(mmap_dma)(struct file *filp, struct vm_area_struct *vma) + + vma-vm_ops = DRM(vm_dma_ops); + vma-vm_flags |= VM_RESERVED; /* Don't swap */ ++ vma-vm_flags |= VM_DONTEXPAND; + vma-vm_file = filp; /* Needed for drm_vm_open() */ + DRM(vm_open)(vma); + return 0; +@@ -475,6 +476,7 @@ int DRM(mmap)(struct file *filp, struct vm_area_struct *vma) + return -EINVAL; /* This should never happen. */ + } + vma-vm_flags
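Review bot: the drivers/char/drm-4.0/vm.c and drivers/char/drm/drm_vm.h hunks in this dpatch carry the same index lines (f25aaa5..ef50f2d and 4eadbf0..337a1a8) and the same hunk offsets (@@ -256,6 +256,7 @@, @@ -342,6 +342,7 @@) as the 2.4.27 diff added in r10562, although the header says it was ported to Debian's 2.6.8. Please confirm that these paths and offsets are taken from the 2.6.8 source tree and that the dpatch applies there without fuzz. The header also carries both the 2.6.22.y commit message and the 2.4 one; keeping only the description of the commit the port is based on, plus the "Ported to" line, would make the provenance easier to audit.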
[kernel] r10577 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series
Author: dannf Date: Tue Feb 19 07:37:39 2008 New Revision: 10577 Log: revert r10558, patch is for the wrong issue and is a duplicate of random-bound-check-ordering.dpatch Removed: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/random-fix-seeding-with-zero-entropy.dpatch Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog == --- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog (original) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog Tue Feb 19 07:37:39 2008 @@ -69,16 +69,12 @@ [SECURITY] Fix stack-based buffer overflow in the random number generator See CVE-2007-3105 - * random-fix-seeding-with-zero-entropy.dpatch -[SECURITY] Avoid seeding with the same values at boot time when a -system has no entropy source -See CVE-2007-2453 * mmap-VM_DONTEXPAND.dpatch [SECURITY] Add VM_DONTEXPAND to vm_flags in drivers that register a fault handler but do not bounds check the offset argument See CVE-2008-0007 - -- dann frazier [EMAIL PROTECTED] Tue, 19 Feb 2008 00:18:26 -0700 + -- dann frazier [EMAIL PROTECTED] Tue, 19 Feb 2008 00:34:37 -0700 kernel-source-2.6.8 (2.6.8-17) oldstable; urgency=high Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 == --- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 (original) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 Tue Feb 19 07:37:39 2008 
@@ -18,5 +18,4 @@ + usb-pwc-disconnect-block.dpatch + powerpc-chrp-null-deref.dpatch + random-bound-check-ordering.dpatch -+ random-fix-seeding-with-zero-entropy.dpatch + mmap-VM_DONTEXPAND.dpatch ___ Kernel-svn-changes mailing list Kernel-svn-changes@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes
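Review bot: once the random-fix-seeding-with-zero-entropy.dpatch entry is removed, the changelog hunk no longer says anything about CVE-2007-2453, and the log only states that the reverted patch was for the wrong issue and duplicated random-bound-check-ordering.dpatch. Please record, in the changelog or the commit log, whether CVE-2007-2453 still needs a fix in 2.6.8 or does not apply to it, so the CVE is not dropped from tracking by this revert.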
[kernel] r10562 - in dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian: . patches patches/series
Author: dannf Date: Sun Feb 17 18:30:06 2008 New Revision: 10562 Log: * 264_mmap-VM_DONTEXPAND.diff [SECURITY] Add VM_DONTEXPAND to vm_flags in drivers that register a fault handler but do not bounds check the offset argument See CVE-2008-0007 Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/264_mmap-VM_DONTEXPAND.diff Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog == --- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog (original) +++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog Sun Feb 17 18:30:06 2008 @@ -78,8 +78,12 @@ If userspace still has the device open it can result, the driver would wait for the device to close, blocking the USB subsystem. See CVE-2007-5093 + * 264_mmap-VM_DONTEXPAND.diff +[SECURITY] Add VM_DONTEXPAND to vm_flags in drivers that register +a fault handler but do not bounds check the offset argument +See CVE-2008-0007 - -- dann frazier [EMAIL PROTECTED] Thu, 14 Feb 2008 14:56:01 -0700 + -- dann frazier [EMAIL PROTECTED] Thu, 14 Feb 2008 14:59:56 -0700 kernel-source-2.4.27 (2.4.27-10sarge5) stable-security; urgency=high Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/264_mmap-VM_DONTEXPAND.diff == --- (empty file) +++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/264_mmap-VM_DONTEXPAND.diff Sun Feb 17 18:30:06 2008 
@@ -0,0 +1,101 @@ +commit 70fc53fa115cefe9ddb33bc284f77a7b10fabbbf +Author: Willy Tarreau [EMAIL PROTECTED] +Date: Sun Feb 3 18:32:33 2008 +0100 + +security: insufficient range checks in certain fault handlers + +This is the 2.4 version of Nick Piggin's work on 2.6 fault handlers. +This deals with security vulnerability CVE-2008-0007. + +Drivers that register a -nopage handler, that does not range-check its +offset argument, must set VM_DONTEXPAND in the vm_flags to ensure the +offset is within bounds. + +Signed-off-by: Willy Tarreau [EMAIL PROTECTED] + +diff --git a/drivers/char/drm-4.0/vm.c b/drivers/char/drm-4.0/vm.c +index f25aaa5..ef50f2d 100644 +--- a/drivers/char/drm-4.0/vm.c b/drivers/char/drm-4.0/vm.c +@@ -256,6 +256,7 @@ int drm_mmap_dma(struct file *filp, struct vm_area_struct *vma) + + vma-vm_ops = drm_vm_dma_ops; + vma-vm_flags |= VM_LOCKED | VM_SHM; /* Don't swap */ ++ vma-vm_flags |= VM_DONTEXPAND; + + #if LINUX_VERSION_CODE 0x020203 /* KERNEL_VERSION(2,2,3) */ + /* In Linux 2.2.3 and above, this is +@@ -358,6 +359,7 @@ int drm_mmap(struct file *filp, struct vm_area_struct *vma) + return -EINVAL; /* This should never happen. */ + } + vma-vm_flags |= VM_LOCKED | VM_SHM; /* Don't swap */ ++ vma-vm_flags |= VM_DONTEXPAND; + + #if LINUX_VERSION_CODE 0x020203 /* KERNEL_VERSION(2,2,3) */ + /* In Linux 2.2.3 and above, this is +diff --git a/drivers/char/drm/drm_vm.h b/drivers/char/drm/drm_vm.h +index 4eadbf0..337a1a8 100644 +--- a/drivers/char/drm/drm_vm.h b/drivers/char/drm/drm_vm.h +@@ -342,6 +342,7 @@ int DRM(mmap_dma)(struct file *filp, struct vm_area_struct *vma) + + vma-vm_ops = DRM(vm_dma_ops); + vma-vm_flags |= VM_RESERVED; /* Don't swap */ ++ vma-vm_flags |= VM_DONTEXPAND; + vma-vm_file = filp; /* Needed for drm_vm_open() */ + DRM(vm_open)(vma); + return 0; +@@ -475,6 +476,7 @@ int DRM(mmap)(struct file *filp, struct vm_area_struct *vma) + return -EINVAL; /* This should never happen. 
*/ + } + vma-vm_flags |= VM_RESERVED; /* Don't swap */ ++ vma-vm_flags |= VM_DONTEXPAND; + + vma-vm_file = filp; /* Needed for drm_vm_open() */ + DRM(vm_open)(vma); +diff --git a/drivers/sound/via82cxxx_audio.c b/drivers/sound/via82cxxx_audio.c +index 864f164..db5da3c 100644 +--- a/drivers/sound/via82cxxx_audio.c b/drivers/sound/via82cxxx_audio.c +@@ -2111,6 +2111,7 @@ static struct page * via_mm_nopage (struct vm_area_struct * vma, + { + struct via_info *card = vma-vm_private_data; + struct via_channel *chan = card-ch_out; ++ unsigned long max_bufs; + struct page *dmapage; + unsigned long pgoff; + int rd, wr; +@@ -2135,14 +2136,11 @@ static struct page * via_mm_nopage (struct vm_area_struct * vma, + rd = card-ch_in.is_mapped; + wr = card-ch_out.is_mapped; + +-#ifndef VIA_NDEBUG +- { +- unsigned long
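Review bot: each added `vma->vm_flags |= VM_DONTEXPAND;` in the drm hunks sits directly under a flag assignment commented `/* Don't swap */` but has no comment of its own. A short comment stating that the nopage handler does not range-check its offset, so the mapping must not be allowed to grow, would keep the flag from being removed in a later cleanup. The flag could also be folded into the existing `|=` on the line above instead of a second statement.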
[kernel] r10563 - in dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian: . patches patches/series
Author: dannf Date: Sun Feb 17 18:30:27 2008 New Revision: 10563 Log: * 265_powerpc-chrp-null-deref.diff [SECURITY][powerpc] Fix NULL pointer dereference if get_property fails on the subarchitecture See CVE-2007-6694 Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/265_powerpc-chrp-null-deref.diff Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog == --- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog (original) +++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog Sun Feb 17 18:30:27 2008 @@ -82,8 +82,12 @@ [SECURITY] Add VM_DONTEXPAND to vm_flags in drivers that register a fault handler but do not bounds check the offset argument See CVE-2008-0007 + * 265_powerpc-chrp-null-deref.diff +[SECURITY][powerpc] Fix NULL pointer dereference if get_property +fails on the subarchitecture +See CVE-2007-6694 - -- dann frazier [EMAIL PROTECTED] Thu, 14 Feb 2008 14:59:56 -0700 + -- dann frazier [EMAIL PROTECTED] Thu, 14 Feb 2008 15:12:16 -0700 kernel-source-2.4.27 (2.4.27-10sarge5) stable-security; urgency=high Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/265_powerpc-chrp-null-deref.diff == --- (empty file) +++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/265_powerpc-chrp-null-deref.diff Sun Feb 17 18:30:27 2008 
@@ -0,0 +1,53 @@ +commit 6a6e6213bcca62326b087df9df6f585ec2c5326a +Author: dann frazier [EMAIL PROTECTED] +Date: Thu Feb 14 15:10:20 2008 -0700 + +2.4: [POWERPC] CHRP: Fix possible NULL pointer dereference + +This is a 2.4 backport of a linux-2.6 change by Cyrill Gorcunov. +(commit 9ac71d00398674aaec664f30559f0a21d963862f) + +CVE-2007-6694 was assigned for this issue. +This backport has been compile-tested only. + +Commit log from 2.6 follows. + +This fixes a possible NULL pointer dereference inside of strncmp() if +of_get_property() fails. + +diff --git a/arch/ppc/platforms/chrp_setup.c b/arch/ppc/platforms/chrp_setup.c +index 0ffbbd2..28747db 100644 +--- a/arch/ppc/platforms/chrp_setup.c b/arch/ppc/platforms/chrp_setup.c +@@ -121,7 +121,7 @@ chrp_show_cpuinfo(struct seq_file *m) + seq_printf(m, machine\t\t: CHRP %s\n, model); + + /* longtrail (goldengate) stuff */ +- if (!strncmp(model, IBM,LongTrail, 13)) { ++ if (model !strncmp(model, IBM,LongTrail, 13)) { + /* VLSI VAS96011/12 `Golden Gate 2' */ + /* Memory banks */ + sdramen = (in_le32((unsigned *)(gg2_pci_config_base+ +@@ -210,14 +210,20 @@ static void __init sio_fixup_irq(const char *name, u8 device, u8 level, + static void __init sio_init(void) + { + struct device_node *root; ++ const char *model; + +- if ((root = find_path_device(/)) +- !strncmp(get_property(root, model, NULL), IBM,LongTrail, 13)) { ++ root = find_path_device(/); ++ if (!root) ++ return; ++ ++ model = get_property(root, model, NULL); ++ if (model !strncmp(model, IBM,LongTrail, 13)) { + /* logical device 0 (KBC/Keyboard) */ + sio_fixup_irq(keyboard, 0, 1, 2); + /* select logical device 1 (KBC/Mouse) */ + sio_fixup_irq(mouse, 1, 12, 2); + } ++ + } + + Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 == --- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 (original) +++ 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 Sun Feb 17 18:30:27 2008 @@ -24,3 +24,4 @@ + 262_aacraid-ioctl-perm-check.diff + 263_usb-pwc-disconnect-block.diff + 264_mmap-VM_DONTEXPAND.diff ++ 265_powerpc-chrp-null-deref.diff ___ Kernel-svn-changes mailing list Kernel-svn-changes@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes
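Review bot: in the chrp_show_cpuinfo() hunk the new NULL test on model guards only the strncmp(); the unchanged seq_printf() line directly above it still passes model for its %s conversion. If model can be NULL at this point, which is what the added test implies, either confirm that the kernel's %s handling tolerates a NULL argument or guard that line too.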
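Review bot: the sio_init() hunk adds a stray blank line just before the function's closing brace; drop it so the backport carries only the find_path_device() early return and the model NULL test. The commit message says this was compile-tested only, so the description should also say whether the early return on a missing root node was checked against the callers' expectations.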
[kernel] r10564 - in dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian: . patches patches/series
Author: dannf Date: Sun Feb 17 18:30:58 2008 New Revision: 10564 Log: 266_ipv4-fib_props-out-of-bounds.diff Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/266_ipv4-fib_props-out-of-bounds.diff Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog == --- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog (original) +++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog Sun Feb 17 18:30:58 2008 @@ -24,6 +24,7 @@ [SECURITY] Fix information leaks in setsockopt() implementations See CVE-2007-1353 * 246_dn_fib-out-of-bounds.diff +266_ipv4-fib_props-out-of-bounds.diff [SECURITY] Fix out of bounds condition in dn_fib_props[] See CVE-2007-2172 * 247_reset-pdeathsig-on-suid.diff @@ -87,7 +88,7 @@ fails on the subarchitecture See CVE-2007-6694 - -- dann frazier [EMAIL PROTECTED] Thu, 14 Feb 2008 15:12:16 -0700 + -- dann frazier [EMAIL PROTECTED] Thu, 14 Feb 2008 15:15:55 -0700 kernel-source-2.4.27 (2.4.27-10sarge5) stable-security; urgency=high Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/266_ipv4-fib_props-out-of-bounds.diff == --- (empty file) +++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/266_ipv4-fib_props-out-of-bounds.diff Sun Feb 17 18:30:58 2008 
@@ -0,0 +1,38 @@ +commit 230c62b9e7000cfb407a079a21ad0f077f164b21 +Author: Willy Tarreau [EMAIL PROTECTED] +Date: Sat Apr 14 17:44:03 2007 +0200 + +[IPv4] fib: Fix out of bound access of fib_props[] + +Backported from 2.6. Bug found and fixed by Thomas Graf : + +Fixes a typo which caused fib_props[] to have the wrong size +and makes sure the value used to index the array which is +provided by userspace via netlink is checked to avoid out of +bound access. + +diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c +index afdf4bb..b930371 100644 +--- a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c +@@ -83,7 +83,7 @@ static struct + { + int error; + u8 scope; +-} fib_props[RTA_MAX+1] = { ++} fib_props[RTN_MAX+1] = { + { 0, RT_SCOPE_NOWHERE}, /* RTN_UNSPEC */ + { 0, RT_SCOPE_UNIVERSE},/* RTN_UNICAST */ + { 0, RT_SCOPE_HOST},/* RTN_LOCAL */ +@@ -431,6 +431,11 @@ fib_create_info(const struct rtmsg *r, struct kern_rta *rta, + const int nhs = 1; + #endif + ++ if (r-rtm_type RTN_MAX) { ++ err = -EINVAL; ++ goto errout; ++ } ++ + /* Fast check to catch the most weird cases */ + if (fib_props[r-rtm_type].scope r-rtm_scope) + goto err_inval; Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 == --- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 (original) +++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 Sun Feb 17 18:30:58 2008 @@ -25,3 +25,4 @@ + 263_usb-pwc-disconnect-block.diff + 264_mmap-VM_DONTEXPAND.diff + 265_powerpc-chrp-null-deref.diff ++ 266_ipv4-fib_props-out-of-bounds.diff ___ Kernel-svn-changes mailing list Kernel-svn-changes@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes
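Review bot: the new rtm_type bounds check in fib_create_info() exits through `goto errout`, while the unchanged context just below it exits through `goto err_inval`; confirm that an errout label exists in this 2.4 function, since r10565 further down this page is logged as a build fix that changes exactly this label. Jumping to err_inval would also make the explicit `err = -EINVAL` assignment unnecessary if that label already sets it.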
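Review bot: the changelog hunk files 266_ipv4-fib_props-out-of-bounds.diff under the existing 246_dn_fib-out-of-bounds.diff entry, whose description still reads "Fix out of bounds condition in dn_fib_props[]"; the new patch changes fib_props[] in net/ipv4/fib_semantics.c, so the entry text should name both arrays. The revision's Log line is only the patch file name and would be easier to audit with the one-line description and CVE reference that the neighbouring revisions carry.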
[kernel] r10559 - in dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian: . patches patches/series
Author: dannf Date: Sun Feb 17 18:28:18 2008 New Revision: 10559 Log: * 261_listxattr-mem-corruption.diff [SECURITY] Fix userspace corruption vulnerability caused by incorrectly promoted return values in bad_inode_ops This patches changes the kernel ABI. See CVE-2006-5753 Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/261_listxattr-mem-corruption.diff Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog == --- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog (original) +++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog Sun Feb 17 18:28:18 2008 @@ -65,8 +65,13 @@ [SECURITY] Add some sanity checking for a corrupted i_size in ext2_find_entry() See CVE-2006-6054 + * 261_listxattr-mem-corruption.diff +[SECURITY] Fix userspace corruption vulnerability caused by +incorrectly promoted return values in bad_inode_ops +This patches changes the kernel ABI. +See CVE-2006-5753 - -- dann frazier [EMAIL PROTECTED] Wed, 13 Feb 2008 23:32:09 -0700 + -- dann frazier [EMAIL PROTECTED] Thu, 14 Feb 2008 14:48:39 -0700 kernel-source-2.4.27 (2.4.27-10sarge5) stable-security; urgency=high Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/261_listxattr-mem-corruption.diff == --- (empty file) +++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/261_listxattr-mem-corruption.diff Sun Feb 17 18:28:18 2008 
@@ -0,0 +1,279 @@ +commit f654703d45148071037e8b904e7a674c6d78466a +Author: dann frazier [EMAIL PROTECTED] +Date: Wed Jan 23 23:12:12 2008 -0700 + +2.4: fix memory corruption from misinterpreted bad_inode_ops return values + +This is a 2.4 backport of a linux-2.6 change by Eric Sandeen +(commit be6aab0e9fa6d3c6d75aa1e38ac972d8b4ee82b8) + +CVE-2006-5753 was assigned for this issue. + +I've built and boot-tested this, but I'm not sure how to exercise +these codepaths. + +Commit log from 2.6 follows. + + CVE-2006-5753 is for a case where an inode can be marked bad, switching + the ops to bad_inode_ops, which are all connected as: + + static int return_EIO(void) + { + return -EIO; + } + + #define EIO_ERROR ((void *) (return_EIO)) + + static struct inode_operations bad_inode_ops = + { + .create = bad_inode_create + ...etc... + + The problem here is that the void cast causes return types to not be + promoted, and for ops such as listxattr which expect more than 32 bits of + return value, the 32-bit -EIO is interpreted as a large positive 64-bit + number, i.e. 0xfffa instead of 0xfffa. + + This goes particularly badly when the return value is taken as a number of + bytes to copy into, say, a user's buffer for example... + + I originally had coded up the fix by creating a return_EIO_TYPE macro + for each return type, like this: + + static int return_EIO_int(void) + { + return -EIO; + } + #define EIO_ERROR_INT ((void *) (return_EIO_int)) + + static struct inode_operations bad_inode_ops = + { + .create = EIO_ERROR_INT, + ...etc... + + but Al felt that it was probably better to create an EIO-returner for each + actual op signature. Since so few ops share a signature, I just went ahead + created an EIO function for each individual file inode op that returns + a value. 
+ +Signed-off-by: dann frazier [EMAIL PROTECTED] + +diff --git a/fs/bad_inode.c b/fs/bad_inode.c +index 850ba5e..b6b1d7d 100644 +--- a/fs/bad_inode.c b/fs/bad_inode.c +@@ -9,6 +9,76 @@ + #include linux/fs.h + #include linux/stat.h + #include linux/sched.h ++#include linux/poll.h ++ ++static loff_t bad_file_llseek(struct file *file, loff_t offset, int origin) ++{ ++ return -EIO; ++} ++ ++static ssize_t bad_file_read(struct file *filp, char __user *buf, ++ size_t size, loff_t *ppos) ++{ ++return -EIO; ++} ++ ++static ssize_t bad_file_write(struct file *filp, const char __user *buf, ++ size_t siz, loff_t *ppos) ++{ ++return -EIO; ++} ++ ++static int bad_file_readdir(struct file *filp, void *dirent, filldir_t filldir) ++{ ++ return -EIO; ++} ++ ++static unsigned int bad_file_poll(struct file *filp, poll_table *wait) ++{ ++ return POLLERR; ++} ++ ++static int
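Review bot: the changelog line added in this revision reads "This patches changes the kernel ABI."; fix the grammar, and because the entry announces an ABI change, make sure the ABI number bump ships in the same upload (the kernel-image changelogs in r10569 and r10571 on this page do increment it to 4). In the visible part of fs/bad_inode.c, bad_file_write() names its length parameter siz where bad_file_read() uses size; use one spelling. The commit message says these paths were built and boot-tested but never exercised, so a short note on how a bad inode can be provoked for testing would be useful to the next person touching this file.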
[kernel] r10558 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series
Author: dannf Date: Sun Feb 17 18:25:35 2008 New Revision: 10558 Log: * random-fix-seeding-with-zero-entropy.dpatch [SECURITY] Avoid seeding with the same values at boot time when a system has no entropy source See CVE-2007-2453 Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/random-fix-seeding-with-zero-entropy.dpatch Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog == --- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog (original) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog Sun Feb 17 18:25:35 2008 @@ -69,8 +69,12 @@ [SECURITY] Fix stack-based buffer overflow in the random number generator See CVE-2007-3105 + * random-fix-seeding-with-zero-entropy.dpatch +[SECURITY] Avoid seeding with the same values at boot time when a +system has no entropy source +See CVE-2007-2453 - -- dann frazier [EMAIL PROTECTED] Wed, 13 Feb 2008 21:46:22 -0700 + -- dann frazier [EMAIL PROTECTED] Thu, 14 Feb 2008 15:32:34 -0700 kernel-source-2.6.8 (2.6.8-17) oldstable; urgency=high Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/random-fix-seeding-with-zero-entropy.dpatch == --- (empty file) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/random-fix-seeding-with-zero-entropy.dpatch Sun Feb 17 18:25:35 2008 
@@ -0,0 +1,42 @@ +From: Matt Mackall [EMAIL PROTECTED] +Date: Thu, 19 Jul 2007 18:30:14 + (-0700) +Subject: random: fix bound check ordering (CVE-2007-3105) +X-Git-Tag: v2.6.23-rc1~259 +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=5a021e9ffd56c22700133ebc37d607f95be8f7bd + +random: fix bound check ordering (CVE-2007-3105) + +If root raised the default wakeup threshold over the size of the +output pool, the pool transfer function could overflow the stack with +RNG bytes, causing a DoS or potential privilege escalation. + +(Bug reported by the PaX Team [EMAIL PROTECTED]) + +Cc: Theodore Tso [EMAIL PROTECTED] +Cc: Willy Tarreau [EMAIL PROTECTED] +Signed-off-by: Matt Mackall [EMAIL PROTECTED] +Signed-off-by: Chris Wright [EMAIL PROTECTED] +Signed-off-by: Linus Torvalds [EMAIL PROTECTED] +--- + +Backported to Debian's 2.6.8 by dann frazier [EMAIL PROTECTED] + +diff -urpN kernel-source-2.6.8.orig/drivers/char/random.c kernel-source-2.6.8/drivers/char/random.c +--- kernel-source-2.6.8.orig/drivers/char/random.c 2007-05-26 02:54:38.0 -0600 kernel-source-2.6.8/drivers/char/random.c 2008-02-11 21:15:53.0 -0700 +@@ -1321,8 +1321,13 @@ static inline void xfer_secondary_pool(s + { + if (r-entropy_count nbytes * 8 + r-entropy_count r-poolinfo.POOLBITS) { +- int bytes = max_t(int, random_read_wakeup_thresh / 8, +- min_t(int, nbytes, TMP_BUF_SIZE)); ++ /* If we're limited, always leave two wakeup worth's BITS */ ++ int bytes = nbytes; ++ ++ /* pull at least as many as BYTES as wakeup BITS */ ++ bytes = max_t(int, bytes, random_read_wakeup_thresh / 8); ++ /* but never more than the buffer size */ ++ bytes = min_t(int, bytes, TMP_BUF_SIZE); + + DEBUG_ENT(%04d %04d : going to reseed %s with %d bits + (%d of %d requested)\n, Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 == --- 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 (original) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 Sun Feb 17 18:25:35 2008 @@ -18,3 +18,4 @@ + usb-pwc-disconnect-block.dpatch + powerpc-chrp-null-deref.dpatch + random-bound-check-ordering.dpatch ++ random-fix-seeding-with-zero-entropy.dpatch ___ Kernel-svn-changes mailing list Kernel-svn-changes@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes
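Review bot: the file added as random-fix-seeding-with-zero-entropy.dpatch, which the changelog ties to CVE-2007-2453, carries the header and hunk of a different change: its Subject is "random: fix bound check ordering (CVE-2007-3105)" and its only hunk is the xfer_secondary_pool() clamp of bytes against TMP_BUF_SIZE. The series file already lists random-bound-check-ordering.dpatch on the line above the new entry, so this looks like the bound-check patch committed a second time under the new name; replace the content with the zero-entropy seeding change, otherwise the changelog claims a CVE-2007-2453 fix that this file does not provide.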
[kernel] r10561 - in dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian: . patches patches/series
Author: dannf Date: Sun Feb 17 18:29:42 2008 New Revision: 10561 Log: * 263_usb-pwc-disconnect-block.diff [SECURITY] Fix issue with unplugging webcams that use the pwc driver. If userspace still has the device open it can result, the driver would wait for the device to close, blocking the USB subsystem. See CVE-2007-5093 Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/263_usb-pwc-disconnect-block.diff Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog == --- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog (original) +++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog Sun Feb 17 18:29:42 2008 @@ -73,8 +73,13 @@ * 262_aacraid-ioctl-perm-check.diff [SECURITY] Require admin capabilities to issue ioctls to aacraid devices See CVE-2007-4308 + * 263_usb-pwc-disconnect-block.diff +[SECURITY] Fix issue with unplugging webcams that use the pwc driver. +If userspace still has the device open it can result, the driver would +wait for the device to close, blocking the USB subsystem. +See CVE-2007-5093 - -- dann frazier [EMAIL PROTECTED] Thu, 14 Feb 2008 14:51:41 -0700 + -- dann frazier [EMAIL PROTECTED] Thu, 14 Feb 2008 14:56:01 -0700 kernel-source-2.4.27 (2.4.27-10sarge5) stable-security; urgency=high Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/263_usb-pwc-disconnect-block.diff == --- (empty file) +++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/263_usb-pwc-disconnect-block.diff Sun Feb 17 18:29:42 2008 
@@ -0,0 +1,122 @@ +commit 1994e10c56cfb36df0e03090e5c917c973d3df69 +Author: dann frazier [EMAIL PROTECTED] +Date: Wed Feb 6 19:06:18 2008 -0700 + +2.4: USB: fix DoS in pwc USB video driver + +This is a 2.4 backport of a linux-2.6 change by Oliver Neukum. +(commit 85237f202d46d55c1bffe0c5b1aa3ddc0f1dce4d) + +CVE-2007-5093 was assigned for this issue. +This backport has been compile-tested only. + +Commit log from 2.6 follows. + + the pwc driver has a disconnect method that waits for user space to + close the device. This opens up an opportunity for a DoS attack, + blocking the USB subsystem and making khubd's task busy wait in + kernel space. This patch shifts freeing resources to close if an opened + device is disconnected. + +Signed-off-by: dann frazier [EMAIL PROTECTED] + +diff --git a/drivers/usb/pwc-if.c b/drivers/usb/pwc-if.c +index e458515..a1c3989 100644 +--- a/drivers/usb/pwc-if.c b/drivers/usb/pwc-if.c +@@ -1055,11 +1055,16 @@ static int pwc_video_open(struct video_device *vdev, int mode) + return 0; + } + ++static void pwc_cleanup(struct pwc_device *pdev) ++{ ++ video_unregister_device(pdev-vdev); ++} ++ + /* Note that all cleanup is done in the reverse order as in _open */ + static void pwc_video_close(struct video_device *vdev) + { + struct pwc_device *pdev; +- int i; ++ int i, hint; + + Trace(TRACE_OPEN, video_close called(vdev = 0x%p).\n, vdev); + +@@ -1083,8 +1088,9 @@ static void pwc_video_close(struct video_device *vdev) + pwc_isoc_cleanup(pdev); + pwc_free_buffers(pdev); + ++ lock_kernel(); + /* Turn off LEDS and power down camera, but only when not unplugged */ +- if (pdev-error_status != EPIPE) { ++ if (!pdev-unplugged) { + if (pwc_set_leds(pdev, 0, 0) 0) + Info(Failed to set LED on/off time.\n); + if (power_save) { +@@ -1092,9 +1098,18 @@ static void pwc_video_close(struct video_device *vdev) + if (i 0) + Err(Failed to power down camera (%d)\n, i); + } ++ pdev-vopen = 0; ++ Trace(TRACE_OPEN, video_close()\n); ++ } else { ++ pwc_cleanup(pdev); 
++ /* Free memory (don't set pdev to 0 just yet) */ ++ kfree(pdev); ++ /* search device_hint[] table if we occupy a slot, by any chance */ ++ for (hint = 0; hint MAX_DEV_HINTS; hint++) ++ if (device_hint[hint].pdev == pdev) ++ device_hint[hint].pdev = NULL; + } +- pdev-vopen = 0; +- Trace(TRACE_OPEN, video_close()\n); ++ unlock_kernel(); + } + + /* +@@ -1897,19 +1912,20 @@ static void usb_pwc_disconnect(struct usb_device *udev, void *ptr) + /* Alert waiting processes
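Review bot: in the unplugged branch added to pwc_video_close(), kfree(pdev) runs before the loop that compares device_hint[hint].pdev against pdev; the comparison does not dereference the pointer, but clearing the matching device_hint[] slots first and calling kfree() last would mean the table never holds a pointer to freed memory, even briefly. The changelog text for this patch ("If userspace still has the device open it can result, the driver would wait for the device to close") is not a complete sentence and should be reworded before upload.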
[kernel] r10560 - in dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian: . patches patches/series
Author: dannf Date: Sun Feb 17 18:29:22 2008 New Revision: 10560 Log: * 262_aacraid-ioctl-perm-check.diff [SECURITY] Require admin capabilities to issue ioctls to aacraid devices See CVE-2007-4308 Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/262_aacraid-ioctl-perm-check.diff Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog == --- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog (original) +++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog Sun Feb 17 18:29:22 2008 @@ -70,8 +70,11 @@ incorrectly promoted return values in bad_inode_ops This patches changes the kernel ABI. See CVE-2006-5753 + * 262_aacraid-ioctl-perm-check.diff +[SECURITY] Require admin capabilities to issue ioctls to aacraid devices +See CVE-2007-4308 - -- dann frazier [EMAIL PROTECTED] Thu, 14 Feb 2008 14:48:39 -0700 + -- dann frazier [EMAIL PROTECTED] Thu, 14 Feb 2008 14:51:41 -0700 kernel-source-2.4.27 (2.4.27-10sarge5) stable-security; urgency=high Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/262_aacraid-ioctl-perm-check.diff == --- (empty file) +++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/262_aacraid-ioctl-perm-check.diff Sun Feb 17 18:29:22 2008 
@@ -0,0 +1,32 @@ +commit c6cd2bb1a74822d28a4c2d26f169b781820168da +Author: dann frazier [EMAIL PROTECTED] +Date: Tue Feb 5 03:33:28 2008 -0700 + +2.4: [SCSI] aacraid: Fix security hole + +This is a 2.4 backport of a linux-2.6 change by Alan Cox. +(commit 60395bb60e0b5e4e0808ac8eb07a92f6c9cdea1f) + +It has been build-tested only (I don't have the hardware). +CVE-2007-4308 was assigned for this issue. + +Commit log from 2.6 follows. + + On the SCSI layer ioctl path there is no implicit permissions check for + ioctls (and indeed other drivers implement unprivileged ioctls). aacraid + however allows all sorts of very admin only things to be done so should + check. + +diff --git a/drivers/scsi/aacraid/linit.c b/drivers/scsi/aacraid/linit.c +index 57d0a40..c6d7bdf 100644 +--- a/drivers/scsi/aacraid/linit.c b/drivers/scsi/aacraid/linit.c +@@ -683,6 +683,8 @@ static int aac_cfg_release(struct inode * inode, struct file * file ) + static int aac_cfg_ioctl(struct inode * inode, struct file * file, unsigned int cmd, unsigned long arg ) + { + struct aac_dev *dev = aac_devices[MINOR(inode-i_rdev)]; ++ if (!capable(CAP_SYS_ADMIN)) ++ return -EPERM; + return aac_do_ioctl(dev, cmd, (void *)arg); + } + Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 == --- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 (original) +++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 Sun Feb 17 18:29:22 2008 @@ -21,3 +21,4 @@ + 259_ext2_readdir-infinite-loop.diff + 260_ext2-skip-pages-past-num-blocks.diff + 261_listxattr-mem-corruption.diff ++ 262_aacraid-ioctl-perm-check.diff ___ Kernel-svn-changes mailing list Kernel-svn-changes@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes
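Review bot: the single hunk adds the capable(CAP_SYS_ADMIN) test to aac_cfg_ioctl() only, while the quoted 2.6 commit log locates the problem on the SCSI layer ioctl path; if the 2.4 driver has any other entry point that passes a user-supplied cmd and arg to aac_do_ioctl(), it needs the same test, and the backport message should say whether that was checked. The message states the change is build-tested only, so the -EPERM path for an unprivileged caller has not been observed on hardware.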
[kernel] r10565 - in dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian: . patches patches/series
Author: dannf Date: Sun Feb 17 23:20:40 2008 New Revision: 10565 Log: build fix from upstream Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/267_ipv4-fib_props-out-of-bounds-2.diff Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog == --- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog (original) +++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog Sun Feb 17 23:20:40 2008 @@ -25,6 +25,7 @@ See CVE-2007-1353 * 246_dn_fib-out-of-bounds.diff 266_ipv4-fib_props-out-of-bounds.diff +267_ipv4-fib_props-out-of-bounds-2.diff [SECURITY] Fix out of bounds condition in dn_fib_props[] See CVE-2007-2172 * 247_reset-pdeathsig-on-suid.diff @@ -88,7 +89,7 @@ fails on the subarchitecture See CVE-2007-6694 - -- dann frazier [EMAIL PROTECTED] Thu, 14 Feb 2008 15:15:55 -0700 + -- dann frazier [EMAIL PROTECTED] Sun, 17 Feb 2008 16:19:46 -0700 kernel-source-2.4.27 (2.4.27-10sarge5) stable-security; urgency=high Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/267_ipv4-fib_props-out-of-bounds-2.diff == --- (empty file) +++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/267_ipv4-fib_props-out-of-bounds-2.diff Sun Feb 17 23:20:40 2008 
@@ -0,0 +1,25 @@ +commit 366592901204f1ca8422b591b7de1ffe0f78d51a +Author: Urs Thermann [EMAIL PROTECTED] +Date: Sun Apr 22 17:43:50 2007 +0200 + +[PATCH] recent patch to fib_semantics broke build + +Fix label name. + +diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c +index b930371..ef8f407 100644 +--- a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c +@@ -431,10 +431,8 @@ fib_create_info(const struct rtmsg *r, struct kern_rta *rta, + const int nhs = 1; + #endif + +- if (r-rtm_type RTN_MAX) { +- err = -EINVAL; +- goto errout; +- } ++ if (r-rtm_type RTN_MAX) ++ goto err_inval; + + /* Fast check to catch the most weird cases */ + if (fib_props[r-rtm_type].scope r-rtm_scope) Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 == --- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 (original) +++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 Sun Feb 17 23:20:40 2008 @@ -26,3 +26,4 @@ + 264_mmap-VM_DONTEXPAND.diff + 265_powerpc-chrp-null-deref.diff + 266_ipv4-fib_props-out-of-bounds.diff ++ 267_ipv4-fib_props-out-of-bounds-2.diff ___ Kernel-svn-changes mailing list Kernel-svn-changes@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes
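Review bot: this hunk removes the explicit `err = -EINVAL` together with the errout jump, so the error returned for an out-of-range rtm_type now depends on what the err_inval label assigns, which lies outside the visible context; say so in the patch description. Since the Log calls this a build fix for the previous patch, folding the label change into 266_ipv4-fib_props-out-of-bounds.diff instead of stacking a 267 on top would leave no point in the series that fails to compile.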
[kernel] r10569 - dists/sarge-security/kernel-2.4/i386/kernel-image-2.4.27-i386-2.4.27/debian
-honor-mount-opts-2.diff + Fix some regressions with respect to file types (e.g., symlinks) + introduced by the fix for CVE-2006-5871 in 2.4.27-10sarge5 +* 241_bluetooth-capi-size-checks.diff + [SECURITY] Add additional length checks to avoid potential remote + DoS attacks in the handling of CAPI messages in the bluetooth driver + See CVE-2006-6106 +* 242_ext3-fsfuzz.diff + [SECURITY] Fix a DoS vulnerability that can be triggered by a local + user with the ability to mount a corrupted ext3 filesystem + See CVE-2006-6053 +* 243_ipv6_fl_socklist-no-share.diff + [SECURITY] Fix local DoS vulnerability caused by inadvertently sharing + ipv6_fl_socklist between the listening socket and the socket created + for connection. + See CVE-2007-1592 +* 244_bluetooth-l2cap-hci-info-leaks.diff + 245_bluetooth-l2cap-hci-info-leaks-2.diff + [SECURITY] Fix information leaks in setsockopt() implementations + See CVE-2007-1353 +* 246_dn_fib-out-of-bounds.diff + 266_ipv4-fib_props-out-of-bounds.diff + 267_ipv4-fib_props-out-of-bounds-2.diff + [SECURITY] Fix out of bounds condition in dn_fib_props[] + See CVE-2007-2172 +* 247_reset-pdeathsig-on-suid.diff + [SECURITY] Fix potential privilege escalation caused by improper + clearing of the child process' pdeath signal. + Thanks to Marcel Holtmann for the patch. 
+ See CVE-2007-3848 +* 248_random-reseed-sizeof-fix.diff + [SECURITY] Fix a bug in the random driver reseeding code that reduces + entropy by reseeding a smaller buffer size than expected + See CVE-2007-4311 +* 249_openpromfs-signedness-bug.diff + 250_openpromfs-checks-1.diff + 251_openpromfs-checks-2.diff + 252_openpromfs-checks-3.diff + [SECURITY] Fix a number of data checks in openprom code + See CVE-2004-2731 +* 253_coredump-only-to-same-uid.diff + [SECURITY] Fix an issue where core dumping over a file that + already exists retains the ownership of the original file + See CVE-2007-6206 +* 254_cramfs-check-block-length.diff + [SECURITY] Add a sanity check of the block length in cramfs_readpage to + avoid a potential oops condition + See CVE-2006-5823 +* 255_pppoe-socket-release-mem-leak.diff + [SECURITY] fix unpriveleged memory leak when a PPPoE socket is released + after connect but before PPPIOCGCHAN ioctl is called upon it + See CVE-2007-2525 +* 256_i4l-isdn_ioctl-mem-overrun.diff + [SECURITY] Fix potential isdn ioctl memory overrun + See CVE-2007-6151 +* 257_isdn-net-overflow.diff + [SECURITY] Fix potential overflows in the ISDN subsystem + See CVE-2007-6063 +* 258_ext2_readdir-f_pos-fix.diff, + 259_ext2_readdir-infinite-loop.diff, + 260_ext2-skip-pages-past-num-blocks.diff + [SECURITY] Add some sanity checking for a corrupted i_size in + ext2_find_entry() + See CVE-2006-6054 +* 261_listxattr-mem-corruption.diff + [SECURITY] Fix userspace corruption vulnerability caused by + incorrectly promoted return values in bad_inode_ops + This patches changes the kernel ABI. + See CVE-2006-5753 +* 262_aacraid-ioctl-perm-check.diff + [SECURITY] Require admin capabilities to issue ioctls to aacraid devices + See CVE-2007-4308 +* 263_usb-pwc-disconnect-block.diff + [SECURITY] Fix issue with unplugging webcams that use the pwc driver. + If userspace still has the device open it can result, the driver would + wait for the device to close, blocking the USB subsystem. 
+ See CVE-2007-5093 +* 264_mmap-VM_DONTEXPAND.diff + [SECURITY] Add VM_DONTEXPAND to vm_flags in drivers that register + a fault handler but do not bounds check the offset argument + See CVE-2008-0007 +* 265_powerpc-chrp-null-deref.diff + [SECURITY][powerpc] Fix NULL pointer dereference if get_property + fails on the subarchitecture + See CVE-2007-6694 + * ABI changing update, increment ABI number to 4. If you don't understand +what this means, see http://wiki.debian.org/DebianKernelABIChanges + + -- dann frazier [EMAIL PROTECTED] Sun, 17 Feb 2008 16:49:02 -0700 + kernel-image-2.4.27-i386 (2.4.27-10sarge5) stable-security; urgency=high * Build against kernel-tree-2.4.27-10sarge5: Modified: dists/sarge-security/kernel-2.4/i386/kernel-image-2.4.27-i386-2.4.27/debian/control == --- dists/sarge-security/kernel-2.4/i386/kernel-image-2.4.27-i386-2.4.27/debian/control (original) +++ dists/sarge-security/kernel-2.4/i386/kernel-image-2.4.27-i386-2.4.27/debian/control Mon Feb 18 06:15:04 2008 @@ -4,9 +4,9 @@ Maintainer: Debian Kernel Team [EMAIL PROTECTED] Uploaders: William Irwin [EMAIL PROTECTED], Sven Luther [EMAIL PROTECTED], Jens Schmalzing [EMAIL PROTECTED], Jeff Bailey [EMAIL PROTECTED
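Review bot: the changelog text added here has wording slips worth fixing before upload: "unpriveleged" in the 255_pppoe-socket-release-mem-leak.diff entry, "This patches changes the kernel ABI." in the 261_listxattr-mem-corruption.diff entry, and the broken sentence "If userspace still has the device open it can result, the driver would wait" in the 263_usb-pwc-disconnect-block.diff entry. The combined 246/266/267 entry describes only dn_fib_props[] although two of its three patches are named for the ipv4 fib_props[] array.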
[kernel] r10571 - dists/sarge-security/kernel-2.4/ia64/kernel-image-2.4.27-ia64-2.4.27/debian
-honor-mount-opts-2.diff + Fix some regressions with respect to file types (e.g., symlinks) + introduced by the fix for CVE-2006-5871 in 2.4.27-10sarge5 +* 241_bluetooth-capi-size-checks.diff + [SECURITY] Add additional length checks to avoid potential remote + DoS attacks in the handling of CAPI messages in the bluetooth driver + See CVE-2006-6106 +* 242_ext3-fsfuzz.diff + [SECURITY] Fix a DoS vulnerability that can be triggered by a local + user with the ability to mount a corrupted ext3 filesystem + See CVE-2006-6053 +* 243_ipv6_fl_socklist-no-share.diff + [SECURITY] Fix local DoS vulnerability caused by inadvertently sharing + ipv6_fl_socklist between the listening socket and the socket created + for connection. + See CVE-2007-1592 +* 244_bluetooth-l2cap-hci-info-leaks.diff + 245_bluetooth-l2cap-hci-info-leaks-2.diff + [SECURITY] Fix information leaks in setsockopt() implementations + See CVE-2007-1353 +* 246_dn_fib-out-of-bounds.diff + 266_ipv4-fib_props-out-of-bounds.diff + 267_ipv4-fib_props-out-of-bounds-2.diff + [SECURITY] Fix out of bounds condition in dn_fib_props[] + See CVE-2007-2172 +* 247_reset-pdeathsig-on-suid.diff + [SECURITY] Fix potential privilege escalation caused by improper + clearing of the child process' pdeath signal. + Thanks to Marcel Holtmann for the patch. 
+ See CVE-2007-3848 +* 248_random-reseed-sizeof-fix.diff + [SECURITY] Fix a bug in the random driver reseeding code that reduces + entropy by reseeding a smaller buffer size than expected + See CVE-2007-4311 +* 249_openpromfs-signedness-bug.diff + 250_openpromfs-checks-1.diff + 251_openpromfs-checks-2.diff + 252_openpromfs-checks-3.diff + [SECURITY] Fix a number of data checks in openprom code + See CVE-2004-2731 +* 253_coredump-only-to-same-uid.diff + [SECURITY] Fix an issue where core dumping over a file that + already exists retains the ownership of the original file + See CVE-2007-6206 +* 254_cramfs-check-block-length.diff + [SECURITY] Add a sanity check of the block length in cramfs_readpage to + avoid a potential oops condition + See CVE-2006-5823 +* 255_pppoe-socket-release-mem-leak.diff + [SECURITY] fix unpriveleged memory leak when a PPPoE socket is released + after connect but before PPPIOCGCHAN ioctl is called upon it + See CVE-2007-2525 +* 256_i4l-isdn_ioctl-mem-overrun.diff + [SECURITY] Fix potential isdn ioctl memory overrun + See CVE-2007-6151 +* 257_isdn-net-overflow.diff + [SECURITY] Fix potential overflows in the ISDN subsystem + See CVE-2007-6063 +* 258_ext2_readdir-f_pos-fix.diff, + 259_ext2_readdir-infinite-loop.diff, + 260_ext2-skip-pages-past-num-blocks.diff + [SECURITY] Add some sanity checking for a corrupted i_size in + ext2_find_entry() + See CVE-2006-6054 +* 261_listxattr-mem-corruption.diff + [SECURITY] Fix userspace corruption vulnerability caused by + incorrectly promoted return values in bad_inode_ops + This patches changes the kernel ABI. + See CVE-2006-5753 +* 262_aacraid-ioctl-perm-check.diff + [SECURITY] Require admin capabilities to issue ioctls to aacraid devices + See CVE-2007-4308 +* 263_usb-pwc-disconnect-block.diff + [SECURITY] Fix issue with unplugging webcams that use the pwc driver. + If userspace still has the device open it can result, the driver would + wait for the device to close, blocking the USB subsystem. 
+ See CVE-2007-5093 +* 264_mmap-VM_DONTEXPAND.diff + [SECURITY] Add VM_DONTEXPAND to vm_flags in drivers that register + a fault handler but do not bounds check the offset argument + See CVE-2008-0007 +* 265_powerpc-chrp-null-deref.diff + [SECURITY][powerpc] Fix NULL pointer dereference if get_property + fails on the subarchitecture + See CVE-2007-6694 + * ABI changing update, increment ABI number to 4. If you don't understand +what this means, see http://wiki.debian.org/DebianKernelABIChanges + + -- dann frazier [EMAIL PROTECTED] Sun, 17 Feb 2008 23:25:35 -0700 + kernel-image-2.4.27-ia64 (2.4.27-10sarge5) stable-security; urgency=high * Build against kernel-tree-2.4.27-10sarge5: Modified: dists/sarge-security/kernel-2.4/ia64/kernel-image-2.4.27-ia64-2.4.27/debian/control == --- dists/sarge-security/kernel-2.4/ia64/kernel-image-2.4.27-ia64-2.4.27/debian/control (original) +++ dists/sarge-security/kernel-2.4/ia64/kernel-image-2.4.27-ia64-2.4.27/debian/control Mon Feb 18 06:27:18 2008 @@ -4,9 +4,9 @@ Maintainer: Debian Kernel Team [EMAIL PROTECTED] Uploaders: dann frazier [EMAIL PROTECTED] Standards-Version: 3.6.1 -Build-Depends: debhelper (= 2), modutils, kernel-patch-2.4.27-ia64
[kernel] r10534 - dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian
Author: dannf Date: Wed Feb 13 21:14:29 2008 New Revision: 10534 Log: add missing patch name Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog == --- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog (original) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog Wed Feb 13 21:14:29 2008 @@ -41,7 +41,8 @@ * isdn-net-overflow.dpatch [SECURITY] Fix potential overflows in the ISDN subsystem See CVE-2007-6063 - * [SECURITY] Prevent OOPS during stack expansion when the VMA crosses + * prevent-stack-growth-into-hugetlb-region.dpatch +[SECURITY] Prevent OOPS during stack expansion when the VMA crosses into address space reserved for hugetlb pages. See CVE-2007-3739 * bugfix/cifs-honor-umask.dpatch ___ Kernel-svn-changes mailing list Kernel-svn-changes@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes
[kernel] r10533 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series
Author: dannf Date: Wed Feb 13 21:14:07 2008 New Revision: 10533 Log: * bugfix/cifs-honor-umask.dpatch [SECURITY] Make CIFS honor a process' umask See CVE-2007-3740 Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/cifs-honor-umask.dpatch Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog == --- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog (original) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog Wed Feb 13 21:14:07 2008 @@ -44,8 +44,11 @@ * [SECURITY] Prevent OOPS during stack expansion when the VMA crosses into address space reserved for hugetlb pages. See CVE-2007-3739 + * bugfix/cifs-honor-umask.dpatch +[SECURITY] Make CIFS honor a process' umask +See CVE-2007-3740 - -- dann frazier [EMAIL PROTECTED] Wed, 13 Feb 2008 14:01:28 -0700 + -- dann frazier [EMAIL PROTECTED] Wed, 13 Feb 2008 14:12:35 -0700 kernel-source-2.6.8 (2.6.8-17) oldstable; urgency=high Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/cifs-honor-umask.dpatch == --- (empty file) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/cifs-honor-umask.dpatch Wed Feb 13 21:14:07 2008 
@@ -0,0 +1,81 @@ +From: Steve French [EMAIL PROTECTED] +Date: Fri, 8 Jun 2007 14:55:14 + (+) +Subject: [CIFS] CIFS should honour umask +X-Git-Tag: v2.6.22-rc5~50^2 +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=3ce53fc4c57603d99c330a6ee2fe96d94f2d350f + +[CIFS] CIFS should honour umask + +This patch makes CIFS honour a process' umask like other filesystems. +Of course the server is still free to munge the permissions if it wants +to; but the client will send the right permissions to begin with. + +A few caveats: + +1) It only applies to filesystems that have CAP_UNIX (aka support unix +extensions) +2) It applies the correct mode to the follow up CIFSSMBUnixSetPerms() +after remote creation + +When mode to CIFS/NTFS ACL mapping is complete we can do the +same thing for that case for servers which do not +support the Unix Extensions. + +Signed-off-by: Matt Keenen [EMAIL PROTECTED] +Signed-off-by: Steve French [EMAIL PROTECTED] +--- + +Backported to Debian's 2.6.8 by dann frazier [EMAIL PROTECTED] + +diff -urpN kernel-source-2.6.8.orig/fs/cifs/dir.c kernel-source-2.6.8/fs/cifs/dir.c +--- kernel-source-2.6.8.orig/fs/cifs/dir.c 2007-05-26 02:54:39.0 -0600 kernel-source-2.6.8/fs/cifs/dir.c 2008-02-13 14:05:50.0 -0700 +@@ -242,7 +242,8 @@ cifs_create(struct inode *inode, struct + /* If Open reported that we actually created a file + then we now have to set the mode if possible */ + if ((cifs_sb-tcon-ses-capabilities CAP_UNIX) +- (oplock CIFS_CREATE_ACTION)) ++ (oplock CIFS_CREATE_ACTION)) { ++ mode = ~current-fs-umask; + if(cifs_sb-mnt_cifs_flags CIFS_MOUNT_SET_UID) { + CIFSSMBUnixSetPerms(xid, pTcon, full_path, mode, + (__u64)current-euid, +@@ -256,7 +257,7 @@ cifs_create(struct inode *inode, struct + 0 /* dev */, + cifs_sb-local_nls); + } +- else { ++ } else { + /* BB implement via Windows security descriptors */ + /* eg CIFSSMBWinSetPerms(xid,pTcon,full_path,mode,-1,-1,local_nls);*/ + /* could set r/o dos 
attribute if mode 0222 == 0 */ +@@ -356,6 +357,7 @@ int cifs_mknod(struct inode *inode, stru + rc = -ENOMEM; + + if (full_path (pTcon-ses-capabilities CAP_UNIX)) { ++ mode = ~current-fs-umask; + if(cifs_sb-mnt_cifs_flags CIFS_MOUNT_SET_UID) { + rc = CIFSSMBUnixSetPerms(xid, pTcon, full_path, + mode,(__u64)current-euid,(__u64)current-egid, +diff -urpN kernel-source-2.6.8.orig/fs/cifs/inode.c kernel-source-2.6.8/fs/cifs/inode.c +--- kernel-source-2.6.8.orig/fs/cifs/inode.c 2004-08-13 23:36:11.0 -0600 kernel-source-2.6.8/fs/cifs/inode.c2008-02-13 14:07:24.0 -0700 +@@ -480,7 +480,8 @@ cifs_mkdir(struct inode *inode, struct d + d_instantiate(direntry, newinode); + if(direntry-d_inode) + direntry-d_inode
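Review bot: In the cifs_create and cifs_mknod hunks the added line appears here as `mode = ~current-fs-umask;`, which as written would replace the requested mode with the complement of the umask instead of clearing the masked bits; the commit message describes masking, so confirm the committed dpatch carries `mode &= ~current->fs->umask;`. The mask is applied only inside the CAP_UNIX branch, as the caveats in the patch description say, so the changelog line "Make CIFS honor a process' umask" should mention that it covers servers with Unix extensions only. The changelog entry also names bugfix/cifs-honor-umask.dpatch while the file is added as debian/patches/cifs-honor-umask.dpatch.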
[kernel] r10535 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series
Author: dannf Date: Wed Feb 13 22:19:19 2008 New Revision: 10535 Log: * hugetlb-prio_tree-unit-fix.dpatch [SECURITY] Fix misconversion of hugetlb_vmtruncate_list to prio_tree which could be used to trigger a BUG_ON() call in exit_mmap. See CVE-2007-4133 Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/hugetlb-prio_tree-unit-fix.dpatch Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog == --- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog (original) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog Wed Feb 13 22:19:19 2008 @@ -48,8 +48,12 @@ * bugfix/cifs-honor-umask.dpatch [SECURITY] Make CIFS honor a process' umask See CVE-2007-3740 + * hugetlb-prio_tree-unit-fix.dpatch +[SECURITY] Fix misconversion of hugetlb_vmtruncate_list to prio_tree +which could be used to trigger a BUG_ON() call in exit_mmap. +See CVE-2007-4133 - -- dann frazier [EMAIL PROTECTED] Wed, 13 Feb 2008 14:12:35 -0700 + -- dann frazier [EMAIL PROTECTED] Wed, 13 Feb 2008 15:18:17 -0700 kernel-source-2.6.8 (2.6.8-17) oldstable; urgency=high Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/hugetlb-prio_tree-unit-fix.dpatch == --- (empty file) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/hugetlb-prio_tree-unit-fix.dpatch Wed Feb 13 22:19:19 2008 
@@ -0,0 +1,88 @@ +From: Hugh Dickins [EMAIL PROTECTED] +Date: Sat, 28 Oct 2006 17:38:43 + (-0700) +Subject: [PATCH] hugetlb: fix prio_tree unit +X-Git-Tag: v2.6.19-rc4~50 +X-Git-Url: http://git.kernel.org/gitweb.cgi?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=856fc29505556cf263f3dcda2533cf3766c14ab6 + +[PATCH] hugetlb: fix prio_tree unit + +hugetlb_vmtruncate_list was misconverted to prio_tree: its prio_tree is in +units of PAGE_SIZE (PAGE_CACHE_SIZE) like any other, not HPAGE_SIZE (whereas +its radix_tree is kept in units of HPAGE_SIZE, otherwise slots would be +absurdly sparse). + +At first I thought the error benign, just calling __unmap_hugepage_range on +more vmas than necessary; but on 32-bit machines, when the prio_tree is +searched correctly, it happens to ensure the v_offset calculation won't +overflow. As it stood, when truncating at or beyond 4GB, it was liable to +discard pages COWed from lower offsets; or even to clear pmd entries of +preceding vmas, triggering exit_mmap's BUG_ON(nr_ptes). + +Signed-off-by: Hugh Dickins [EMAIL PROTECTED] +Cc: Adam Litke [EMAIL PROTECTED] +Cc: David Gibson [EMAIL PROTECTED] +Cc: Chen, Kenneth W [EMAIL PROTECTED] +Signed-off-by: Andrew Morton [EMAIL PROTECTED] +Signed-off-by: Linus Torvalds [EMAIL PROTECTED] +--- + +Backported to Debian's 2.6.8 by dann frazier [EMAIL PROTECTED] + +diff -urpN kernel-source-2.6.8.orig/fs/hugetlbfs/inode.c kernel-source-2.6.8/fs/hugetlbfs/inode.c +--- kernel-source-2.6.8.orig/fs/hugetlbfs/inode.c 2004-08-13 23:37:40.0 -0600 kernel-source-2.6.8/fs/hugetlbfs/inode.c 2008-02-13 14:54:51.0 -0700 +@@ -265,28 +265,26 @@ static void hugetlbfs_drop_inode(struct + hugetlbfs_forget_inode(inode); + } + +-/* +- * h_pgoff is in HPAGE_SIZE units. +- * vma-vm_pgoff is in PAGE_SIZE units. 
+- */ + static inline void +-hugetlb_vmtruncate_list(struct prio_tree_root *root, unsigned long h_pgoff) ++hugetlb_vmtruncate_list(struct prio_tree_root *root, pgoff_t pgoff) + { + struct vm_area_struct *vma = NULL; + struct prio_tree_iter iter; + + while ((vma = vma_prio_tree_next(vma, root, iter, +- h_pgoff, ULONG_MAX)) != NULL) { +- unsigned long h_vm_pgoff; ++ pgoff, ULONG_MAX)) != NULL) { + unsigned long v_length; + unsigned long v_offset; + +- h_vm_pgoff = vma-vm_pgoff (HPAGE_SHIFT - PAGE_SHIFT); +- v_offset = (h_pgoff - h_vm_pgoff) HPAGE_SHIFT; + /* +- * Is this VMA fully outside the truncation point? ++ * Can the expression below overflow on 32-bit arches? ++ * No, because the prio_tree returns us only those vmas ++ * which overlap the truncated area starting at pgoff, ++ * and no vma on a 32-bit arch can span beyond the 4GB. +*/ +- if (h_vm_pgoff = h_pgoff) ++ if (vma-vm_pgoff pgoff) ++ v_offset = (pgoff - vma-vm_pgoff) PAGE_SHIFT; ++ else
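Review bot: hugetlb_vmtruncate_list() now takes `pgoff_t pgoff` in PAGE_SIZE units instead of `h_pgoff` in HPAGE_SIZE units, but the hunk deletes the comment that documented the units and the visible part of the patch does not show the caller being updated; confirm that the call site in the 2.6.8 backport passes a PAGE_SIZE-based offset, and keep a one-line comment stating the unit of pgoff. The new in-code comment argues that the v_offset expression cannot overflow on 32-bit because the prio_tree returns only overlapping vmas, which holds only when the search is done in the right unit, so a mismatched caller would bring back the truncation problem the description mentions.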
[kernel] r10536 - dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian
Author: dannf Date: Wed Feb 13 22:20:16 2008 New Revision: 10536 Log: changelog cleanups Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog == --- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog (original) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog Wed Feb 13 22:20:16 2008 @@ -13,7 +13,8 @@ * aacraid-ioctl-perm-check.dpatch [SECURITY] Require admin capabilities to issue ioctls to aacraid devices See CVE-2007-4308 - * [SECURITY] Fix potential privilege escalation caused by improper + * reset-pdeathsig-on-suid.dpatch +[SECURITY] Fix potential privilege escalation caused by improper clearing of the child process' pdeath signal. See CVE-2007-3848 * bluetooth-l2cap-hci-info-leaks.dpatch @@ -45,7 +46,7 @@ [SECURITY] Prevent OOPS during stack expansion when the VMA crosses into address space reserved for hugetlb pages. See CVE-2007-3739 - * bugfix/cifs-honor-umask.dpatch + * cifs-honor-umask.dpatch [SECURITY] Make CIFS honor a process' umask See CVE-2007-3740 * hugetlb-prio_tree-unit-fix.dpatch
[kernel] r10537 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series
Author: dannf Date: Thu Feb 14 03:03:50 2008 New Revision: 10537 Log: * reset-pdeathsig-on-suid.dpatch * amd64-zero-extend-32bit-ptrace.dpatch [SECURITY] Zero extend all registers after ptrace in 32-bit entry path. See CVE-2007-4573 Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/amd64-zero-extend-32bit-ptrace.dpatch Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog == --- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog (original) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog Thu Feb 14 03:03:50 2008 @@ -13,7 +13,7 @@ * aacraid-ioctl-perm-check.dpatch [SECURITY] Require admin capabilities to issue ioctls to aacraid devices See CVE-2007-4308 - * reset-pdeathsig-on-suid.dpatch + * reset-pdeathsig-on-suid.dpatch [SECURITY] Fix potential privilege escalation caused by improper clearing of the child process' pdeath signal. See CVE-2007-3848 @@ -53,8 +53,11 @@ [SECURITY] Fix misconversion of hugetlb_vmtruncate_list to prio_tree which could be used to trigger a BUG_ON() call in exit_mmap. See CVE-2007-4133 + * amd64-zero-extend-32bit-ptrace.dpatch +[SECURITY] Zero extend all registers after ptrace in 32-bit entry path. +See CVE-2007-4573 - -- dann frazier [EMAIL PROTECTED] Wed, 13 Feb 2008 15:18:17 -0700 + -- dann frazier [EMAIL PROTECTED] Wed, 13 Feb 2008 19:59:45 -0700 kernel-source-2.6.8 (2.6.8-17) oldstable; urgency=high Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/amd64-zero-extend-32bit-ptrace.dpatch == --- (empty file) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/amd64-zero-extend-32bit-ptrace.dpatch Thu Feb 14 03:03:50 2008 
@@ -0,0 +1,88 @@ +From: Andi Kleen [EMAIL PROTECTED] +Date: Fri, 21 Sep 2007 14:16:18 + (+0200) +Subject: x86_64: Zero extend all registers after ptrace in 32bit entry path. +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=176df2457ef6207156ca1a40991c54ca01fef567 + +x86_64: Zero extend all registers after ptrace in 32bit entry path. + +Strictly it's only needed for eax. + +It actually does a little more than strictly needed -- the other registers +are already zero extended. + +Also remove the now unnecessary and non functional compat task check +in ptrace. + +This is CVE-2007-4573 + +Found by Wojciech Purczynski + +Signed-off-by: Andi Kleen [EMAIL PROTECTED] +Signed-off-by: Linus Torvalds [EMAIL PROTECTED] +--- + +Adjusted to apply to Debian's 2.6.8 by dann frazier [EMAIL PROTECTED] + +diff -urpN kernel-source-2.6.8.orig/arch/x86_64/ia32/ia32entry.S kernel-source-2.6.8/arch/x86_64/ia32/ia32entry.S +--- kernel-source-2.6.8.orig/arch/x86_64/ia32/ia32entry.S 2007-05-26 02:54:38.0 -0600 kernel-source-2.6.8/arch/x86_64/ia32/ia32entry.S 2008-02-13 19:50:46.0 -0700 +@@ -35,6 +35,18 @@ + movq%rax,R8(%rsp) + .endm + ++ .macro LOAD_ARGS32 offset ++ movl \offset(%rsp),%r11d ++ movl \offset+8(%rsp),%r10d ++ movl \offset+16(%rsp),%r9d ++ movl \offset+24(%rsp),%r8d ++ movl \offset+40(%rsp),%ecx ++ movl \offset+48(%rsp),%edx ++ movl \offset+56(%rsp),%esi ++ movl \offset+64(%rsp),%edi ++ movl \offset+72(%rsp),%eax ++ .endm ++ + /* + * 32bit SYSENTER instruction entry. + * +@@ -107,7 +119,7 @@ sysenter_tracesys: + movq$-ENOSYS,RAX(%rsp) /* really needed? 
*/ + movq%rsp,%rdi/* pt_regs - arg1 */ + callsyscall_trace_enter +- LOAD_ARGS ARGOFFSET /* reload args from stack in case ptrace changed it */ ++ LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */ + RESTORE_REST + movl%ebp, %ebp + /* no need to do an access_ok check here because rbp has been +@@ -188,7 +200,7 @@ cstar_tracesys: + movq $-ENOSYS,RAX(%rsp) /* really needed? */ + movq %rsp,%rdi/* pt_regs - arg1 */ + call syscall_trace_enter +- LOAD_ARGS ARGOFFSET /* reload args from stack in case ptrace changed it */ ++ LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */ + RESTORE_REST + movl RSP-ARGOFFSET(%rsp), %r8d + /* no need to do an access_ok check here because r8 has been +@@ -252,7 +264,7 @@ ia32_tracesys: + movq $-ENOSYS,RAX(%rsp) /* really needed? */ + movq %rsp,%rdi/* pt_regs - arg1 */ + call
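Review bot: The description says the change also removes "the now unnecessary and non functional compat task check in ptrace", but the header only says "Adjusted to apply to Debian's 2.6.8" and the hunks shown here are all in ia32entry.S; state in the patch header whether the ptrace part was carried over or dropped for 2.6.8. In LOAD_ARGS32 the loads skip \offset+32 and take %eax from \offset+72; a short comment naming the stack slots would make that easier to check against LOAD_ARGS. The changelog hunk at -13,7 also rewrites the reset-pdeathsig-on-suid.dpatch line with no visible text change, and the log message lists that patch although this revision does not add or modify it.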
[kernel] r10538 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series
Author: dannf Date: Thu Feb 14 03:21:29 2008 New Revision: 10538 Log: * usb-pwc-disconnect-block.dpatch [SECURITY] Fix issue with unplugging webcams that use the pwc driver. If userspace still has the device open it can result, the driver would wait for the device to close, blocking the USB subsystem. See CVE-2007-5093 Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/usb-pwc-disconnect-block.dpatch Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog == --- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog (original) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog Thu Feb 14 03:21:29 2008 @@ -56,8 +56,13 @@ * amd64-zero-extend-32bit-ptrace.dpatch [SECURITY] Zero extend all registers after ptrace in 32-bit entry path. See CVE-2007-4573 + * usb-pwc-disconnect-block.dpatch +[SECURITY] Fix issue with unplugging webcams that use the pwc driver. +If userspace still has the device open it can result, the driver would +wait for the device to close, blocking the USB subsystem. +See CVE-2007-5093 - -- dann frazier [EMAIL PROTECTED] Wed, 13 Feb 2008 19:59:45 -0700 + -- dann frazier [EMAIL PROTECTED] Wed, 13 Feb 2008 20:20:12 -0700 kernel-source-2.6.8 (2.6.8-17) oldstable; urgency=high Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 == --- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 (original) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 Thu Feb 14 03:21:29 2008 
@@ -15,3 +15,4 @@ + cifs-honor-umask.dpatch + hugetlb-prio_tree-unit-fix.dpatch + amd64-zero-extend-32bit-ptrace.dpatch ++ usb-pwc-disconnect-block.dpatch Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/usb-pwc-disconnect-block.dpatch == --- (empty file) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/usb-pwc-disconnect-block.dpatch Thu Feb 14 03:21:29 2008 
@@ -0,0 +1,121 @@ +From: Oliver Neukum [EMAIL PROTECTED] +Date: Tue, 21 Aug 2007 05:10:42 + (+0200) +Subject: USB: fix DoS in pwc USB video driver +X-Git-Tag: v2.6.23-rc4~29^2~8 +X-Git-Url: http://git.kernel.org/gitweb.cgi?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=85237f202d46d55c1bffe0c5b1aa3ddc0f1dce4d + +USB: fix DoS in pwc USB video driver + +the pwc driver has a disconnect method that waits for user space to +close the device. This opens up an opportunity for a DoS attack, +blocking the USB subsystem and making khubd's task busy wait in +kernel space. This patch shifts freeing resources to close if an opened +device is disconnected. + +Signed-off-by: Oliver Neukum [EMAIL PROTECTED] +CC: stable [EMAIL PROTECTED] +Signed-off-by: Greg Kroah-Hartman [EMAIL PROTECTED] +--- + +Backported to Debian's 2.6.8 by dann frazier [EMAIL PROTECTED] + +diff -urpN kernel-source-2.6.8.orig/drivers/usb/media/pwc.h kernel-source-2.6.8/drivers/usb/media/pwc.h +--- kernel-source-2.6.8.orig/drivers/usb/media/pwc.h 2004-08-13 23:37:15.0 -0600 kernel-source-2.6.8/drivers/usb/media/pwc.h2008-02-13 20:05:47.0 -0700 +@@ -144,6 +144,7 @@ struct pwc_device +char vsnapshot;/* snapshot mode */ +char vsync;/* used by isoc handler */ +char vmirror; /* for ToUCaM series */ ++ char unplugged; + +int cmd_len; +unsigned char cmd_buf[13]; +diff -urpN kernel-source-2.6.8.orig/drivers/usb/media/pwc-if.c kernel-source-2.6.8/drivers/usb/media/pwc-if.c +--- kernel-source-2.6.8.orig/drivers/usb/media/pwc-if.c2004-08-13 23:37:38.0 -0600 kernel-source-2.6.8/drivers/usb/media/pwc-if.c 2008-02-13 20:14:17.0 -0700 +@@ -1084,12 +1084,18 @@ static int pwc_video_open(struct inode * + return 0; + } + ++ ++static void pwc_cleanup(struct pwc_device *pdev) ++{ ++ video_unregister_device(pdev-vdev); ++} ++ + /* Note that all cleanup is done in the reverse order as in _open */ + static int pwc_video_close(struct inode *inode, struct file *file) + { + struct video_device *vdev = 
file-private_data; + struct pwc_device *pdev; +- int i; ++ int i, hint; + + Trace(TRACE_OPEN, video_close called(vdev = 0x%p).\n, vdev); + +@@ -1113,8 +1119,9 @@ static int pwc_video_close(struct inode
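Review bot: The new `char unplugged;` field in struct pwc_device is the only member in that block without a comment, and it is presumably the flag the close path checks after a disconnect; add a comment saying where it is set and where it is read. pwc_cleanup() as added only calls video_unregister_device(), so check against the description ("shifts freeing resources to close") that the remaining frees are handled in pwc_video_close, whose hunk is cut off here after `int i, hint;`.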
[kernel] r10539 - in dists/etch-security/linux-2.6/debian: . patches/bugfix patches/series
Author: dannf Date: Thu Feb 14 04:22:24 2008 New Revision: 10539 Log: * bugfix/powerpc-chrp-null-deref.patch [SECURITY][powerpc] Fix NULL pointer dereference if get_property fails on the subarchitecture See CVE-2007-6694 Added: dists/etch-security/linux-2.6/debian/patches/bugfix/powerpc-chrp-null-deref.patch dists/etch-security/linux-2.6/debian/patches/series/18etch2 Modified: dists/etch-security/linux-2.6/debian/changelog Modified: dists/etch-security/linux-2.6/debian/changelog == --- dists/etch-security/linux-2.6/debian/changelog (original) +++ dists/etch-security/linux-2.6/debian/changelog Thu Feb 14 04:22:24 2008 @@ -1,3 +1,12 @@ +linux-2.6 (2.6.18.dfsg.1-18etch2) UNRELEASED; urgency=low + + * bugfix/powerpc-chrp-null-deref.patch +[SECURITY][powerpc] Fix NULL pointer dereference if get_property +fails on the subarchitecture +See CVE-2007-6694 + + -- dann frazier [EMAIL PROTECTED] Wed, 13 Feb 2008 21:12:33 -0700 + linux-2.6 (2.6.18.dfsg.1-18etch1) stable-security; urgency=high * bugfix/vmsplice-security.patch Added: dists/etch-security/linux-2.6/debian/patches/bugfix/powerpc-chrp-null-deref.patch == --- (empty file) +++ dists/etch-security/linux-2.6/debian/patches/bugfix/powerpc-chrp-null-deref.patch Thu Feb 14 04:22:24 2008 
@@ -0,0 +1,49 @@ +commit 9ac71d00398674aaec664f30559f0a21d963862f +Author: Cyrill Gorcunov [EMAIL PROTECTED] +Date: Fri Nov 23 16:43:04 2007 +1100 + +[POWERPC] CHRP: Fix possible NULL pointer dereference + +This fixes a possible NULL pointer dereference inside of strncmp() if +of_get_property() fails. + +Signed-off-by: Cyrill Gorcunov [EMAIL PROTECTED] +Signed-off-by: Paul Mackerras [EMAIL PROTECTED] + +Backported to Debian's 2.6.18 by dann frazier [EMAIL PROTECTED] + +diff -urpN linux-source-2.6.18.orig/arch/powerpc/platforms/chrp/setup.c linux-source-2.6.18/arch/powerpc/platforms/chrp/setup.c +--- linux-source-2.6.18.orig/arch/powerpc/platforms/chrp/setup.c 2006-09-19 21:42:06.0 -0600 linux-source-2.6.18/arch/powerpc/platforms/chrp/setup.c2008-02-13 21:01:52.0 -0700 +@@ -105,7 +105,7 @@ void chrp_show_cpuinfo(struct seq_file * + seq_printf(m, machine\t\t: CHRP %s\n, model); + + /* longtrail (goldengate) stuff */ +- if (!strncmp(model, IBM,LongTrail, 13)) { ++ if (model !strncmp(model, IBM,LongTrail, 13)) { + /* VLSI VAS96011/12 `Golden Gate 2' */ + /* Memory banks */ + sdramen = (in_le32(gg2_pci_config_base + GG2_PCI_DRAM_CTRL) +@@ -192,14 +192,20 @@ static void __init sio_fixup_irq(const c + static void __init sio_init(void) + { + struct device_node *root; ++ const char *model; + +- if ((root = find_path_device(/)) +- !strncmp(get_property(root, model, NULL), IBM,LongTrail, 13)) { ++ root = find_path_device(/); ++ if (!root) ++ return; ++ ++ model = get_property(root, model, NULL); ++ if (model !strncmp(model, IBM,LongTrail, 13)) { + /* logical device 0 (KBC/Keyboard) */ + sio_fixup_irq(keyboard, 0, 1, 2); + /* select logical device 1 (KBC/Mouse) */ + sio_fixup_irq(mouse, 1, 12, 2); + } ++ + } + + Added: dists/etch-security/linux-2.6/debian/patches/series/18etch2 == --- (empty file) +++ dists/etch-security/linux-2.6/debian/patches/series/18etch2 Thu Feb 14 04:22:24 2008 
@@ -0,0 +1 @@ ++ bugfix/powerpc-chrp-null-deref.patch
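Review bot: In chrp_show_cpuinfo() the new `model` NULL test guards only strncmp(); the seq_printf() on the context line just above still passes `model` to %s, so either confirm that path is acceptable with a NULL model or move the check above it. In sio_init() the patch adds an empty line before the closing brace, which can be dropped. The new changelog stanza is marked UNRELEASED with urgency=low while the previous upload is stable-security with urgency=high; both need updating before upload.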
[kernel] r10542 - in dists/etch-security/linux-2.6/debian: . patches/bugfix patches/series
Author: dannf Date: Thu Feb 14 05:30:49 2008 New Revision: 10542 Log: * bugfix/mmap-VM_DONTEXPAND.patch [SECURITY] Add VM_DONTEXPAND to vm_flags in drivers that register a fault handler but do not bounds check the offset argument See CVE-2008-0007 Added: dists/etch-security/linux-2.6/debian/patches/bugfix/mmap-VM_DONTEXPAND.patch Modified: dists/etch-security/linux-2.6/debian/changelog dists/etch-security/linux-2.6/debian/patches/series/18etch2 Modified: dists/etch-security/linux-2.6/debian/changelog == --- dists/etch-security/linux-2.6/debian/changelog (original) +++ dists/etch-security/linux-2.6/debian/changelog Thu Feb 14 05:30:49 2008 @@ -4,8 +4,12 @@ [SECURITY][powerpc] Fix NULL pointer dereference if get_property fails on the subarchitecture See CVE-2007-6694 + * bugfix/mmap-VM_DONTEXPAND.patch +[SECURITY] Add VM_DONTEXPAND to vm_flags in drivers that register +a fault handler but do not bounds check the offset argument +See CVE-2008-0007 - -- dann frazier [EMAIL PROTECTED] Wed, 13 Feb 2008 21:12:33 -0700 + -- dann frazier [EMAIL PROTECTED] Wed, 13 Feb 2008 22:21:27 -0700 linux-2.6 (2.6.18.dfsg.1-18etch1) stable-security; urgency=high Added: dists/etch-security/linux-2.6/debian/patches/bugfix/mmap-VM_DONTEXPAND.patch == --- (empty file) +++ dists/etch-security/linux-2.6/debian/patches/bugfix/mmap-VM_DONTEXPAND.patch Thu Feb 14 05:30:49 2008 
@@ -0,0 +1,120 @@ +From: Nick Piggin [EMAIL PROTECTED] +Date: Sat, 2 Feb 2008 02:08:53 + (+0100) +Subject: vm audit: add VM_DONTEXPAND to mmap for drivers that need it (CVE-2008-0007) +X-Git-Tag: v2.6.22.17~1 +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6.22.y.git;a=commitdiff_plain;h=83af8eda68a3f0c227d0eb05348e58ae27a62e7e + +vm audit: add VM_DONTEXPAND to mmap for drivers that need it (CVE-2008-0007) + +Drivers that register a -fault handler, but do not range-check the +offset argument, must set VM_DONTEXPAND in the vm_flags in order to +prevent an expanding mremap from overflowing the resource. + +I've audited the tree and attempted to fix these problems (usually by +adding VM_DONTEXPAND where it is not obvious). + +Signed-off-by: Nick Piggin [EMAIL PROTECTED] +Signed-off-by: Linus Torvalds [EMAIL PROTECTED] +Signed-off-by: Greg Kroah-Hartman [EMAIL PROTECTED] +--- + +Backported to Debian's 2.6.18 by dann frazier [EMAIL PROTECTED] + +diff -urpN linux-source-2.6.18.orig/drivers/char/drm/drm_vm.c linux-source-2.6.18/drivers/char/drm/drm_vm.c +--- linux-source-2.6.18.orig/drivers/char/drm/drm_vm.c 2006-09-19 21:42:06.0 -0600 linux-source-2.6.18/drivers/char/drm/drm_vm.c 2008-02-13 22:17:32.0 -0700 +@@ -479,6 +479,7 @@ static int drm_mmap_dma(struct file *fil + vma-vm_ops = drm_vm_dma_ops; + + vma-vm_flags |= VM_RESERVED; /* Don't swap */ ++ vma-vm_flags |= VM_DONTEXPAND; + + vma-vm_file = filp;/* Needed for drm_vm_open() */ + drm_vm_open(vma); +@@ -656,6 +657,7 @@ int drm_mmap(struct file *filp, struct v + return -EINVAL; /* This should never happen. 
*/ + } + vma-vm_flags |= VM_RESERVED; /* Don't swap */ ++ vma-vm_flags |= VM_DONTEXPAND; + + vma-vm_file = filp;/* Needed for drm_vm_open() */ + drm_vm_open(vma); +diff -urpN linux-source-2.6.18.orig/fs/ncpfs/mmap.c linux-source-2.6.18/fs/ncpfs/mmap.c +--- linux-source-2.6.18.orig/fs/ncpfs/mmap.c 2006-09-19 21:42:06.0 -0600 linux-source-2.6.18/fs/ncpfs/mmap.c2008-02-13 22:17:35.0 -0700 +@@ -47,9 +47,6 @@ static struct page* ncp_file_mmap_nopage + pos = address - area-vm_start + (area-vm_pgoff PAGE_SHIFT); + + count = PAGE_SIZE; +- if (address + PAGE_SIZE area-vm_end) { +- count = area-vm_end - address; +- } + /* what we can read in one go */ + bufsize = NCP_SERVER(inode)-buffer_size; + +diff -urpN linux-source-2.6.18.orig/kernel/relay.c linux-source-2.6.18/kernel/relay.c +--- linux-source-2.6.18.orig/kernel/relay.c2006-09-19 21:42:06.0 -0600 linux-source-2.6.18/kernel/relay.c 2008-02-13 22:17:35.0 -0700 +@@ -84,6 +84,7 @@ int relay_mmap_buf(struct rchan_buf *buf + return -EINVAL; + + vma-vm_ops = relay_file_mmap_ops; ++ vma-vm_flags |= VM_DONTEXPAND; + vma-vm_private_data = buf; + buf-chan-cb-buf_mapped(buf, filp); + +diff -urpN linux-source-2.6.18.orig/sound/oss/via82cxxx_audio.c linux-source-2.6.18/sound/oss/via82cxxx_audio.c +--- linux-source-2.6.18.orig/sound/oss/via82cxxx_audio.c 2006-09-19 21:42:06.0 -0600 linux-source-2.6.18/sound/oss/via82cxxx_audio.c2008-02-13 22:17:35.0 -0700 +@@ -2104,6 +2104,7 @@ static struct page * via_mm_nopage (stru
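Review bot: The fs/ncpfs/mmap.c hunk does not add VM_DONTEXPAND; it removes the clamp of `count` to area->vm_end in ncp_file_mmap_nopage, so count is always PAGE_SIZE. The description only talks about adding the flag ("usually by adding VM_DONTEXPAND"), so add a sentence to the patch header explaining why dropping the clamp is the right change for ncpfs. In the two drm_vm.c hunks the flag updates could be a single statement, `vma->vm_flags |= VM_RESERVED | VM_DONTEXPAND;`, with the "Don't swap" comment adjusted to cover both flags.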
[kernel] r10540 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series
Author: dannf Date: Thu Feb 14 04:22:44 2008 New Revision: 10540 Log: * powerpc-chrp-null-deref.dpatch [SECURITY][powerpc] Fix NULL pointer dereference if get_property fails on the subarchitecture See CVE-2007-6694 Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/powerpc-chrp-null-deref.dpatch Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog == --- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog (original) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog Thu Feb 14 04:22:44 2008 @@ -61,8 +61,12 @@ If userspace still has the device open it can result, the driver would wait for the device to close, blocking the USB subsystem. See CVE-2007-5093 + * powerpc-chrp-null-deref.dpatch +[SECURITY][powerpc] Fix NULL pointer dereference if get_property +fails on the subarchitecture +See CVE-2007-6694 - -- dann frazier [EMAIL PROTECTED] Wed, 13 Feb 2008 20:20:12 -0700 + -- dann frazier [EMAIL PROTECTED] Wed, 13 Feb 2008 21:18:45 -0700 kernel-source-2.6.8 (2.6.8-17) oldstable; urgency=high Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/powerpc-chrp-null-deref.dpatch == --- (empty file) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/powerpc-chrp-null-deref.dpatch Thu Feb 14 04:22:44 2008 
@@ -0,0 +1,49 @@ +commit 9ac71d00398674aaec664f30559f0a21d963862f +Author: Cyrill Gorcunov [EMAIL PROTECTED] +Date: Fri Nov 23 16:43:04 2007 +1100 + +[POWERPC] CHRP: Fix possible NULL pointer dereference + +This fixes a possible NULL pointer dereference inside of strncmp() if +of_get_property() fails. + +Signed-off-by: Cyrill Gorcunov [EMAIL PROTECTED] +Signed-off-by: Paul Mackerras [EMAIL PROTECTED] + +Backported to Debian's 2.6.8 by dann frazier [EMAIL PROTECTED] + +diff -urpN kernel-source-2.6.8.orig/arch/ppc/platforms/chrp_setup.c kernel-source-2.6.8/arch/ppc/platforms/chrp_setup.c +--- kernel-source-2.6.8.orig/arch/ppc/platforms/chrp_setup.c 2007-05-26 02:54:38.0 -0600 kernel-source-2.6.8/arch/ppc/platforms/chrp_setup.c2008-02-13 20:40:08.0 -0700 +@@ -117,7 +117,7 @@ chrp_show_cpuinfo(struct seq_file *m) + seq_printf(m, machine\t\t: CHRP %s\n, model); + + /* longtrail (goldengate) stuff */ +- if (!strncmp(model, IBM,LongTrail, 13)) { ++ if (model !strncmp(model, IBM,LongTrail, 13)) { + /* VLSI VAS96011/12 `Golden Gate 2' */ + /* Memory banks */ + sdramen = (in_le32((unsigned *)(gg2_pci_config_base+ +@@ -206,14 +206,20 @@ static void __init sio_fixup_irq(const c + static void __init sio_init(void) + { + struct device_node *root; ++ const char *model; + +- if ((root = find_path_device(/)) +- !strncmp(get_property(root, model, NULL), IBM,LongTrail, 13)) { ++ root = find_path_device(/); ++ if (!root) ++ return; ++ ++ model = get_property(root, model, NULL); ++ if (model !strncmp(model, IBM,LongTrail, 13)) { + /* logical device 0 (KBC/Keyboard) */ + sio_fixup_irq(keyboard, 0, 1, 2); + /* select logical device 1 (KBC/Mouse) */ + sio_fixup_irq(mouse, 1, 12, 2); + } ++ + } + + void pegasos_set_l2cr(void) Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 == --- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 (original) +++ 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 Thu Feb 14 04:22:44 2008 @@ -16,3 +16,4 @@ + hugetlb-prio_tree-unit-fix.dpatch + amd64-zero-extend-32bit-ptrace.dpatch + usb-pwc-disconnect-block.dpatch ++ powerpc-chrp-null-deref.dpatch ___ Kernel-svn-changes mailing list Kernel-svn-changes@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes
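Review bot: in the chrp_show_cpuinfo() hunk the NULL test is added only at the strncmp() call, but the context line just above it, seq_printf(m, machine\t\t: CHRP %s\n, model), still passes the same model pointer to %s before any check. If model can be NULL here, as the fix assumes, either guard that print as well or confirm that the kernel's %s handling makes it safe and say so in the patch header. Separately, the sio_init() hunk adds an empty line before the function's closing brace; drop it to keep the backport minimal.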
[kernel] r10544 - in dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian: . patches patches/series
Author: dannf Date: Thu Feb 14 06:33:30 2008 New Revision: 10544 Log: * 255_pppoe-socket-release-mem-leak.diff [SECURITY] fix unpriveleged memory leak when a PPPoE socket is released after connect but before PPPIOCGCHAN ioctl is called upon it See CVE-2007-2525 Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/255_pppoe-socket-release-mem-leak.diff Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog == --- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog (original) +++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog Thu Feb 14 06:33:30 2008 @@ -49,6 +49,10 @@ [SECURITY] Add a sanity check of the block length in cramfs_readpage to avoid a potential oops condition See CVE-2006-5823 + * 255_pppoe-socket-release-mem-leak.diff +[SECURITY] fix unpriveleged memory leak when a PPPoE socket is released +after connect but before PPPIOCGCHAN ioctl is called upon it +See CVE-2007-2525 * 256_i4l-isdn_ioctl-mem-overrun.diff [SECURITY] Fix potential isdn ioctl memory overrun See CVE-2007-6151 @@ -62,7 +66,7 @@ ext2_find_entry() See CVE-2006-6054 - -- dann frazier [EMAIL PROTECTED] Wed, 13 Feb 2008 23:10:11 -0700 + -- dann frazier [EMAIL PROTECTED] Wed, 13 Feb 2008 23:32:09 -0700 kernel-source-2.4.27 (2.4.27-10sarge5) stable-security; urgency=high Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/255_pppoe-socket-release-mem-leak.diff == --- (empty file) +++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/255_pppoe-socket-release-mem-leak.diff Thu Feb 14 06:33:30 2008 
@@ -0,0 +1,42 @@ +commit f1e981303d0f4ccbf3dcd64af41bbf85c62a7122 +Author: dann frazier [EMAIL PROTECTED] +Date: Mon Jan 21 23:10:51 2008 -0700 + +memory leak when socket is release()d before PPPIOCGCHAN has been called on it + +This is a 2.4 backport of a linux-2.6 change by Florian Zumbiehl. +(commit 202a03acf9994076055df40ae093a5c5474ad0bd) + +CVE-2007-2525 was assigned for this issue - compile-tested only. + +Commit log from 2.6 follows. + + below you find a patch that fixes a memory leak when a PPPoE socket is + release()d after it has been connect()ed, but before the PPPIOCGCHAN ioctl + ever has been called on it. + + This is somewhat of a security problem, too, since PPPoE sockets can be + created by any user, so any user can easily allocate all the machine's + RAM to non-swappable address space and thus DoS the system. + + Is there any specific reason for PPPoE sockets being available to any + unprivileged process, BTW? After all, you need a packet socket for the + discovery stage anyway, so it's unlikely that any unprivileged process + will ever need to create a PPPoE socket, no? Allocating all session IDs + for a known AC is a kind of DoS, too, after all - with Juniper ERXes, + this is really easy, actually, since they don't ever assign session ids + above 8000 ... + +diff --git a/drivers/net/pppox.c b/drivers/net/pppox.c +index 7830e4d..4883c0f 100644 +--- a/drivers/net/pppox.c b/drivers/net/pppox.c +@@ -67,7 +67,7 @@ void pppox_unbind_sock(struct sock *sk) + { + /* Clear connection to ppp device, if attached. 
*/ + +- if (sk-state (PPPOX_BOUND|PPPOX_ZOMBIE)) { ++ if (sk-state (PPPOX_BOUND | PPPOX_CONNECTED | PPPOX_ZOMBIE)) { + ppp_unregister_channel(sk-protinfo.pppox-chan); + sk-state = PPPOX_DEAD; + } Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 == --- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 (original) +++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 Thu Feb 14 06:33:30 2008 @@ -14,6 +14,7 @@ + 252_openpromfs-checks-3.diff + 253_coredump-only-to-same-uid.diff + 254_cramfs-check-block-length.diff ++ 255_pppoe-socket-release-mem-leak.diff + 256_i4l-isdn_ioctl-mem-overrun.diff + 257_isdn-net-overflow.diff + 258_ext2_readdir-f_pos-fix.diff ___ Kernel-svn-changes mailing list Kernel-svn-changes@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes
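Review bot: the widened state mask in pppox_unbind_sock() now reaches ppp_unregister_channel(sk-protinfo.pppox-chan) for sockets in PPPOX_CONNECTED, and the commit message says this backport is compile-tested only. Before it goes into a security upload, confirm on 2.4.27 that the channel is always registered by the time a socket is in PPPOX_CONNECTED, ideally with a runtime test of connect() followed by close() without PPPIOCGCHAN, and record the result in the patch header.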
[kernel] r10543 - in dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian: . patches patches/series
Author: dannf Date: Thu Feb 14 06:28:45 2008 New Revision: 10543 Log: * 258_ext2_readdir-f_pos-fix.diff, 259_ext2_readdir-infinite-loop.diff, 260_ext2-skip-pages-past-num-blocks.diff [SECURITY] Add some sanity checking for a corrupted i_size in ext2_find_entry() See CVE-2006-6054 Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/258_ext2_readdir-f_pos-fix.diff dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/259_ext2_readdir-infinite-loop.diff dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/260_ext2-skip-pages-past-num-blocks.diff Removed: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/255_ext2-skip-pages-past-num-blocks.diff Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog == --- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog (original) +++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog Thu Feb 14 06:28:45 2008 
@@ -49,18 +49,20 @@ [SECURITY] Add a sanity check of the block length in cramfs_readpage to avoid a potential oops condition See CVE-2006-5823 - * 255_ext2-skip-pages-past-num-blocks.diff -[SECURITY] Add some sanity checking for a corrupted i_size in -ext2_find_entry() -See CVE-2006-6054 * 256_i4l-isdn_ioctl-mem-overrun.diff [SECURITY] Fix potential isdn ioctl memory overrun See CVE-2007-6151 * 257_isdn-net-overflow.diff [SECURITY] Fix potential overflows in the ISDN subsystem See CVE-2007-6063 + * 258_ext2_readdir-f_pos-fix.diff, +259_ext2_readdir-infinite-loop.diff, +260_ext2-skip-pages-past-num-blocks.diff +[SECURITY] Add some sanity checking for a corrupted i_size in +ext2_find_entry() +See CVE-2006-6054 - -- dann frazier [EMAIL PROTECTED] Fri, 01 Feb 2008 14:48:58 -0600 + -- dann frazier [EMAIL PROTECTED] Wed, 13 Feb 2008 23:10:11 -0700 kernel-source-2.4.27 (2.4.27-10sarge5) stable-security; urgency=high Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/258_ext2_readdir-f_pos-fix.diff == --- (empty file) +++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/258_ext2_readdir-f_pos-fix.diff Thu Feb 14 06:28:45 2008 
@@ -0,0 +1,62 @@ +commit c30306fb287323591c854a0982d9fa5351859b45 +Author: dann frazier [EMAIL PROTECTED] +Date: Mon Jan 21 17:13:06 2008 -0700 + +ext2_readdir() filp-f_pos fix + +This is a 2.4 backport of a linux-2.6 change by Jan Blunck +(old-2.6-bkcvs commit 2196b4744393d4f6c06fc4d63b98556d05b90933) + +Commit log from 2.6 follows. + + [PATCH] ext2_readdir() filp-f_pos fix + + If the whole directory is read, ext2_readdir() sets the f_pos to a multiple + of the page size (because of the conditions of the outer for loop). This + sets the wrong f_pos for directory inodes on ext2 partitions with a block + size differing from the page size. + +Signed-off-by: dann frazier [EMAIL PROTECTED] + +diff --git a/fs/ext2/dir.c b/fs/ext2/dir.c +index 58b76dd..b158e60 100644 +--- a/fs/ext2/dir.c b/fs/ext2/dir.c +@@ -240,7 +240,7 @@ ext2_readdir (struct file * filp, void * dirent, filldir_t filldir) + loff_t pos = filp-f_pos; + struct inode *inode = filp-f_dentry-d_inode; + struct super_block *sb = inode-i_sb; +- unsigned offset = pos ~PAGE_CACHE_MASK; ++ unsigned int offset = pos ~PAGE_CACHE_MASK; + unsigned long n = pos PAGE_CACHE_SHIFT; + unsigned long npages = dir_pages(inode); + unsigned chunk_mask = ~(ext2_chunk_size(inode)-1); +@@ -258,8 +258,13 @@ ext2_readdir (struct file * filp, void * dirent, filldir_t filldir) + ext2_dirent *de; + struct page *page = ext2_get_page(inode, n); + +- if (IS_ERR(page)) ++ if (IS_ERR(page)) { ++ ext2_error(sb, __FUNCTION__, ++ bad page in #%lu, ++ inode-i_ino); ++ filp-f_pos += PAGE_CACHE_SIZE - offset; + continue; ++ } + kaddr = page_address(page); + if (need_revalidate) { + offset = ext2_validate_entry(kaddr, offset, chunk_mask); +@@ -283,12 +288,12 @@ ext2_readdir (struct file * filp, void * dirent, filldir_t filldir) + ext2_put_page(page
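Review bot: in the IS_ERR(page) branch of ext2_readdir(), ext2_error() is now called once for every unreadable page with no rate limit, and the changelog lists this patch under CVE-2006-6054 (corrupted i_size). On a directory whose i_size is far larger than its data, the loop can emit one error per page; consider rate-limiting the message or stopping after the first failure. The first hunk's change of offset from unsigned to unsigned int is cosmetic and could be dropped from a security backport unless it is needed to keep the upstream diff applying. The copy of the patch in this message is cut off in the third hunk, so the remaining changes could not be reviewed.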
[kernel] r10541 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series
Author: dannf Date: Thu Feb 14 04:48:54 2008 New Revision: 10541 Log: * random-bound-check-ordering.dpatch [SECURITY] Fix stack-based buffer overflow in the random number generator See CVE-2007-3105 Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/random-bound-check-ordering.dpatch Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog == --- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog (original) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog Thu Feb 14 04:48:54 2008 @@ -65,8 +65,12 @@ [SECURITY][powerpc] Fix NULL pointer dereference if get_property fails on the subarchitecture See CVE-2007-6694 + * random-bound-check-ordering.dpatch +[SECURITY] Fix stack-based buffer overflow in the random number +generator +See CVE-2007-3105 - -- dann frazier [EMAIL PROTECTED] Wed, 13 Feb 2008 21:18:45 -0700 + -- dann frazier [EMAIL PROTECTED] Wed, 13 Feb 2008 21:46:22 -0700 kernel-source-2.6.8 (2.6.8-17) oldstable; urgency=high Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/random-bound-check-ordering.dpatch == --- (empty file) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/random-bound-check-ordering.dpatch Thu Feb 14 04:48:54 2008 
@@ -0,0 +1,42 @@ +From: Matt Mackall [EMAIL PROTECTED] +Date: Thu, 19 Jul 2007 18:30:14 + (-0700) +Subject: random: fix bound check ordering (CVE-2007-3105) +X-Git-Tag: v2.6.23-rc1~259 +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=5a021e9ffd56c22700133ebc37d607f95be8f7bd + +random: fix bound check ordering (CVE-2007-3105) + +If root raised the default wakeup threshold over the size of the +output pool, the pool transfer function could overflow the stack with +RNG bytes, causing a DoS or potential privilege escalation. + +(Bug reported by the PaX Team [EMAIL PROTECTED]) + +Cc: Theodore Tso [EMAIL PROTECTED] +Cc: Willy Tarreau [EMAIL PROTECTED] +Signed-off-by: Matt Mackall [EMAIL PROTECTED] +Signed-off-by: Chris Wright [EMAIL PROTECTED] +Signed-off-by: Linus Torvalds [EMAIL PROTECTED] +--- + +Backported to Debian's 2.6.8 by dann frazier [EMAIL PROTECTED] + +diff -urpN kernel-source-2.6.8.orig/drivers/char/random.c kernel-source-2.6.8/drivers/char/random.c +--- kernel-source-2.6.8.orig/drivers/char/random.c 2007-05-26 02:54:38.0 -0600 kernel-source-2.6.8/drivers/char/random.c 2008-02-11 21:15:53.0 -0700 +@@ -1321,8 +1321,13 @@ static inline void xfer_secondary_pool(s + { + if (r-entropy_count nbytes * 8 + r-entropy_count r-poolinfo.POOLBITS) { +- int bytes = max_t(int, random_read_wakeup_thresh / 8, +- min_t(int, nbytes, TMP_BUF_SIZE)); ++ /* If we're limited, always leave two wakeup worth's BITS */ ++ int bytes = nbytes; ++ ++ /* pull at least as many as BYTES as wakeup BITS */ ++ bytes = max_t(int, bytes, random_read_wakeup_thresh / 8); ++ /* but never more than the buffer size */ ++ bytes = min_t(int, bytes, TMP_BUF_SIZE); + + DEBUG_ENT(%04d %04d : going to reseed %s with %d bits + (%d of %d requested)\n, Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 == --- 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 (original) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 Thu Feb 14 04:48:54 2008 @@ -17,3 +17,4 @@ + amd64-zero-extend-32bit-ptrace.dpatch + usb-pwc-disconnect-block.dpatch + powerpc-chrp-null-deref.dpatch ++ random-bound-check-ordering.dpatch ___ Kernel-svn-changes mailing list Kernel-svn-changes@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes
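Review bot: the first added comment in xfer_secondary_pool(), /* If we're limited, always leave two wakeup worth's BITS */, sits directly above int bytes = nbytes; and describes a reservation that no line in this hunk performs. Drop it from the 2.6.8 backport, or replace it with a comment that matches what the three statements do: start from nbytes, raise to random_read_wakeup_thresh / 8, then cap at TMP_BUF_SIZE. The cap being applied last is the point of the fix, so the comment should also say that the max_t() and min_t() lines must not be reordered.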
[kernel] r10442 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series
Author: dannf Date: Fri Feb 8 21:23:25 2008 New Revision: 10442 Log: * ext2-skip-pages-past-num-blocks.dpatch [SECURITY] Add some sanity checking for a corrupted i_size in ext2_find_entry() See CVE-2006-6054 Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/ext2-skip-pages-past-num-blocks.dpatch Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog == --- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog (original) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog Fri Feb 8 21:23:25 2008 @@ -30,8 +30,12 @@ [SECURITY] Add a sanity check of the block length in cramfs_readpage to avoid a potential oops condition See CVE-2006-5823 + * ext2-skip-pages-past-num-blocks.dpatch +[SECURITY] Add some sanity checking for a corrupted i_size in +ext2_find_entry() +See CVE-2006-6054 - -- dann frazier [EMAIL PROTECTED] Fri, 08 Feb 2008 14:08:04 -0700 + -- dann frazier [EMAIL PROTECTED] Fri, 08 Feb 2008 14:22:01 -0700 kernel-source-2.6.8 (2.6.8-17) oldstable; urgency=high Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/ext2-skip-pages-past-num-blocks.dpatch == --- (empty file) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/ext2-skip-pages-past-num-blocks.dpatch Fri Feb 8 21:23:25 2008 
@@ -0,0 +1,42 @@ +commit d8adb9cef7e406a9a82881695097c702bc98422f +Author: Eric Sandeen [EMAIL PROTECTED] +Date: Sat Feb 10 01:45:06 2007 -0800 + +[PATCH] ext2: skip pages past number of blocks in ext2_find_entry + +This one was pointed out on the MOKB site: + http://kernelfun.blogspot.com/2006/11/mokb-09-11-2006-linux-26x-ext2checkpage.html + +If a directory's i_size is corrupted, ext2_find_entry() will keep +processing pages until the i_size is reached, even if there are no more +blocks associated with the directory inode. This patch puts in some +minimal sanity-checking so that we don't keep checking pages (and issuing +errors) if we know there can be no more data to read, based on the block +count of the directory inode. + +This is somewhat similar in approach to the ext3 patch I sent earlier this +year. + +Signed-off-by: Eric Sandeen [EMAIL PROTECTED] +Signed-off-by: Andrew Morton [EMAIL PROTECTED] +Signed-off-by: Linus Torvalds [EMAIL PROTECTED] + +diff --git a/fs/ext2/dir.c b/fs/ext2/dir.c +index 0b02ba9..e89bfc8 100644 +--- a/fs/ext2/dir.c b/fs/ext2/dir.c +@@ -368,6 +368,14 @@ struct ext2_dir_entry_2 * ext2_find_entry (struct inode * dir, + } + if (++n = npages) + n = 0; ++ /* next page is past the blocks we've got */ ++ if (unlikely(n (dir-i_blocks (PAGE_CACHE_SHIFT - 9 { ++ ext2_error(dir-i_sb, __FUNCTION__, ++ dir %lu size %lld exceeds block count %llu, ++ dir-i_ino, dir-i_size, ++ (unsigned long long)dir-i_blocks); ++ goto out; ++ } + } while (n != start); + out: + return NULL; Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 == --- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 (original) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 Fri Feb 8 21:23:25 2008 
@@ -8,3 +8,4 @@ + coredump-only-to-same-uid.dpatch + i4l-isdn_ioctl-mem-overrun.dpatch + cramfs-check-block-length.dpatch ++ ext2-skip-pages-past-num-blocks.dpatch ___ Kernel-svn-changes mailing list Kernel-svn-changes@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes
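Review bot: the new block-count check is added only to the page loop of ext2_find_entry(), so it covers the lookup path alone, while the 2.4.27 upload in r10543 ships three patches for the same CVE-2006-6054 (258_ext2_readdir-f_pos-fix.diff, 259_ext2_readdir-infinite-loop.diff, 260_ext2-skip-pages-past-num-blocks.diff). Please state in the changelog entry or the patch header whether the 2.6.8 ext2_readdir() already contains the two readdir fixes or whether they still need to be backported for this series.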
[kernel] r10441 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series
Author: dannf Date: Fri Feb 8 21:09:22 2008 New Revision: 10441 Log: * cramfs-check-block-length.dpatch [SECURITY] Add a sanity check of the block length in cramfs_readpage to avoid a potential oops condition See CVE-2006-5823 Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/cramfs-check-block-length.dpatch Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog == --- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog (original) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog Fri Feb 8 21:09:22 2008 @@ -26,8 +26,12 @@ * i4l-isdn_ioctl-mem-overrun.dpatch [SECURITY] Fix potential isdn ioctl memory overrun See CVE-2007-6151 + * cramfs-check-block-length.dpatch +[SECURITY] Add a sanity check of the block length in cramfs_readpage to +avoid a potential oops condition +See CVE-2006-5823 - -- dann frazier [EMAIL PROTECTED] Sat, 05 Jan 2008 18:10:05 -0700 + -- dann frazier [EMAIL PROTECTED] Fri, 08 Feb 2008 14:08:04 -0700 kernel-source-2.6.8 (2.6.8-17) oldstable; urgency=high Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/cramfs-check-block-length.dpatch == --- (empty file) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/cramfs-check-block-length.dpatch Fri Feb 8 21:09:22 2008 
@@ -0,0 +1,39 @@ +From: Phillip Lougher [EMAIL PROTECTED] +Date: Thu, 7 Dec 2006 04:37:20 + (-0800) +Subject: [PATCH] corrupted cramfs filesystems cause kernel oops +X-Git-Tag: v2.6.20-rc1~15^2~14^2~175 +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=8bb0269160df2a60764013994d0bc5165406cf4a;hp=2e591bbc0d563e12f5a260fbbca0df7d5810910e + +[PATCH] corrupted cramfs filesystems cause kernel oops + +Steve Grubb's fzfuzzer tool (http://people.redhat.com/sgrubb/files/ +fsfuzzer-0.6.tar.gz) generates corrupt Cramfs filesystems which cause +Cramfs to kernel oops in cramfs_uncompress_block(). The cause of the oops +is an unchecked corrupted block length field read by cramfs_readpage(). + +This patch adds a sanity check to cramfs_readpage() which checks that the +block length field is sensible. The (PAGE_CACHE_SIZE 1) size check is +intentional, even though the uncompressed data is not going to be larger +than PAGE_CACHE_SIZE, gzip sometimes generates compressed data larger than +the original source data. Mkcramfs checks that the compressed size is +always less than or equal to PAGE_CACHE_SIZE 1. Of course Cramfs could +use the original uncompressed data in this case, but it doesn't. 
+ +Signed-off-by: Phillip Lougher [EMAIL PROTECTED] +Signed-off-by: Andrew Morton [EMAIL PROTECTED] +Signed-off-by: Linus Torvalds [EMAIL PROTECTED] +--- + +diff --git a/fs/cramfs/inode.c b/fs/cramfs/inode.c +index a624c3e..0509ced 100644 +--- a/fs/cramfs/inode.c b/fs/cramfs/inode.c +@@ -481,6 +481,8 @@ static int cramfs_readpage(struct file *file, struct page * page) + pgdata = kmap(page); + if (compr_len == 0) + ; /* hole */ ++ else if (compr_len (PAGE_CACHE_SIZE 1)) ++ printk(KERN_ERR cramfs: bad compressed blocksize %u\n, compr_len); + else { + mutex_lock(read_mutex); + bytes_filled = cramfs_uncompress_block(pgdata, Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 == --- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 (original) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 Fri Feb 8 21:09:22 2008 @@ -7,3 +7,4 @@ + bluetooth-l2cap-hci-info-leaks.dpatch + coredump-only-to-same-uid.dpatch + i4l-isdn_ioctl-mem-overrun.dpatch ++ cramfs-check-block-length.dpatch ___ Kernel-svn-changes mailing list Kernel-svn-changes@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes
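Review bot: the context lines of the cramfs_readpage() hunk (mutex_lock(read_mutex), index a624c3e..0509ced) are taken from the upstream tree, and unlike several other dpatches in this series the header carries no "Backported to Debian's 2.6.8" line. Check that the hunk applies to the 2.6.8 fs/cramfs/inode.c at the intended place rather than with fuzz, and refresh the context against the 2.6.8 source if it does not. The added printk(KERN_ERR ...) is also unthrottled, so an image with many bad block lengths logs once per page read; the minixfs patch in the same series uses printk_ratelimit() for this case.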
[kernel] r10445 - in dists/etch/linux-2.6.24: . debian debian/config
Author: dannf Date: Fri Feb 8 23:53:53 2008 New Revision: 10445 Log: create etchnhalf branch Added: dists/etch/linux-2.6.24/ - copied from r10444, /dists/sid/linux-2.6/ Modified: dists/etch/linux-2.6.24/debian/changelog dists/etch/linux-2.6.24/debian/config/defines Modified: dists/etch/linux-2.6.24/debian/changelog == --- /dists/sid/linux-2.6/debian/changelog (original) +++ dists/etch/linux-2.6.24/debian/changelogFri Feb 8 23:53:53 2008 @@ -1,5 +1,9 @@ -linux-2.6 (2.6.24-4) UNRELEASED; urgency=low +linux-2.6.24 (2.6.24-4~etchnhalf.1) UNRELEASED; urgency=low + [ dann frazier ] + * Branch and rename source to linux-2.6.24 targeted for etchnhalf + + [ Bastian Blank ] * Add stable release 2.6.24.1: - splice: missing user pointer access verification (CVE-2008-0009/10) - drm: the drm really should call pci_set_master.. @@ -47,7 +51,7 @@ - slab: fix bootstrap on memoryless node - DVB: cx23885: add missing subsystem ID for Hauppauge HVR1800 Retail - -- Bastian Blank [EMAIL PROTECTED] Fri, 08 Feb 2008 22:26:16 +0100 + -- dann frazier [EMAIL PROTECTED] Fri, 08 Feb 2008 16:46:20 -0700 linux-2.6 (2.6.24-3) unstable; urgency=low Modified: dists/etch/linux-2.6.24/debian/config/defines == --- /dists/sid/linux-2.6/debian/config/defines (original) +++ dists/etch/linux-2.6.24/debian/config/defines Fri Feb 8 23:53:53 2008 @@ -1,5 +1,5 @@ [abi] -abiname: 1 +abiname: etchnhalf.1 [base] arches: ___ Kernel-svn-changes mailing list Kernel-svn-changes@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes
[kernel] r10444 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series
Author: dannf Date: Fri Feb 8 21:55:19 2008 New Revision: 10444 Log: * minixfs-printk-hang.dpatch [SECURITY] Rate-limit printks caused by accessing a corrupted minixfs filesystem that would otherwise cause a system to hang (printk storm) See CVE-2006-6058 Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/minixfs-printk-hang.dpatch Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog == --- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog (original) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog Fri Feb 8 21:55:19 2008 @@ -34,8 +34,12 @@ [SECURITY] Add some sanity checking for a corrupted i_size in ext2_find_entry() See CVE-2006-6054 + * minixfs-printk-hang.dpatch +[SECURITY] Rate-limit printks caused by accessing a corrupted minixfs +filesystem that would otherwise cause a system to hang (printk storm) +See CVE-2006-6058 - -- dann frazier [EMAIL PROTECTED] Fri, 08 Feb 2008 14:22:01 -0700 + -- dann frazier [EMAIL PROTECTED] Fri, 08 Feb 2008 14:54:19 -0700 kernel-source-2.6.8 (2.6.8-17) oldstable; urgency=high Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/minixfs-printk-hang.dpatch == --- (empty file) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/minixfs-printk-hang.dpatch Fri Feb 8 21:55:19 2008 
@@ -0,0 +1,69 @@ +commit f44ec6f3f89889a469773b1fd894f8fcc07c29cf +Author: Eric Sandeen [EMAIL PROTECTED] +Date: Tue Oct 16 23:27:15 2007 -0700 + +limit minixfs printks on corrupted dir i_size + +This attempts to address CVE-2006-6058 +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6058 + +first reported at http://projects.info-pull.com/mokb/MOKB-17-11-2006.html + +Essentially a corrupted minix dir inode reporting a very large +i_size will loop for a very long time in minix_readdir, minix_find_entry, +etc, because on EIO they just move on to try the next page. This is +under the BKL, printk-storming as well. This can lock up the machine +for a very long time. Simply ratelimiting the printks gets things back +under control. Make the message a bit more informative while we're here. + +Signed-off-by: Eric Sandeen [EMAIL PROTECTED] +Cc: Bodo Eggert [EMAIL PROTECTED] +Signed-off-by: Andrew Morton [EMAIL PROTECTED] +Signed-off-by: Linus Torvalds [EMAIL PROTECTED] + +Backported to Debian's 2.6.8 by dann frazier [EMAIL PROTECTED] + +diff -urpN kernel-source-2.6.8.orig/fs/minix/itree_v1.c kernel-source-2.6.8/fs/minix/itree_v1.c +--- kernel-source-2.6.8.orig/fs/minix/itree_v1.c 2004-08-13 23:38:10.0 -0600 kernel-source-2.6.8/fs/minix/itree_v1.c2008-02-08 14:33:09.0 -0700 +@@ -23,11 +23,16 @@ static inline block_t *i_data(struct ino + static int block_to_path(struct inode * inode, long block, int offsets[DEPTH]) + { + int n = 0; ++ char b[BDEVNAME_SIZE]; + + if (block 0) { +- printk(minix_bmap: block0); ++ printk(MINIX-fs: block_to_path: block %ld 0 on dev %s\n, ++ block, bdevname(inode-i_sb-s_bdev, b)); + } else if (block = (minix_sb(inode-i_sb)-s_max_size/BLOCK_SIZE)) { +- printk(minix_bmap: blockbig); ++ if (printk_ratelimit()) ++ printk(MINIX-fs: block_to_path: ++ block %ld too big on dev %s\n, ++ block, bdevname(inode-i_sb-s_bdev, b)); + } else if (block 7) { + offsets[n++] = block; + } else if ((block -= 7) 512) { +diff -urpN 
kernel-source-2.6.8.orig/fs/minix/itree_v2.c kernel-source-2.6.8/fs/minix/itree_v2.c +--- kernel-source-2.6.8.orig/fs/minix/itree_v2.c 2004-08-13 23:37:39.0 -0600 kernel-source-2.6.8/fs/minix/itree_v2.c2008-02-08 14:33:56.0 -0700 +@@ -23,11 +23,16 @@ static inline block_t *i_data(struct ino + static int block_to_path(struct inode * inode, long block, int offsets[DEPTH]) + { + int n = 0; ++ char b[BDEVNAME_SIZE]; + + if (block 0) { +- printk(minix_bmap: block0); ++ printk(MINIX-fs: block_to_path: block %ld 0 on dev %s\n, ++ block, bdevname(sb-s_bdev, b)); + } else if (block = (minix_sb(inode-i_sb)-s_max_size/BLOCK_SIZE)) { +- printk(minix_bmap: blockbig); ++ if (printk_ratelimit()) ++ printk(MINIX-fs
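Review bot: the itree_v2.c hunk calls bdevname(sb-s_bdev, b) in block_to_path(), but the function's parameters are inode, block and offsets, the hunk adds only char b[BDEVNAME_SIZE];, and the neighbouring condition still uses minix_sb(inode-i_sb). Unless sb is declared outside the shown context, this file will not build; use inode-i_sb-s_bdev as the itree_v1.c hunk does, or add a local sb. In both files the printk for a negative block is left unthrottled while only the too-big case is wrapped in printk_ratelimit(); confirm the first case cannot be hit repeatedly from a corrupted image. The patch is truncated in this message shortly after the start of the itree_v2.c hunk.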
[kernel] r10446 - dists/etch/linux-2.6.24/debian/patches/series
Author: dannf Date: Sat Feb 9 00:12:50 2008 New Revision: 10446 Log: rename series file for etchnhalf branch Added: dists/etch/linux-2.6.24/debian/patches/series/4~etchnhalf.1 - copied unchanged from r10445, /dists/etch/linux-2.6.24/debian/patches/series/4 Removed: dists/etch/linux-2.6.24/debian/patches/series/4 ___ Kernel-svn-changes mailing list Kernel-svn-changes@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes
[kernel] r10447 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series
Author: dannf Date: Sat Feb 9 00:29:24 2008 New Revision: 10447 Log: * isdn-net-overflow.dpatch [SECURITY] Fix potential overflows in the ISDN subsystem See CVE-2007-6063 Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/isdn-net-overflow.dpatch - copied unchanged from r10444, /dists/etch-security/linux-2.6/debian/patches/bugfix/isdn-net-overflow.patch Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog == --- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog (original) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog Sat Feb 9 00:29:24 2008 @@ -38,8 +38,11 @@ [SECURITY] Rate-limit printks caused by accessing a corrupted minixfs filesystem that would otherwise cause a system to hang (printk storm) See CVE-2006-6058 + * isdn-net-overflow.dpatch +[SECURITY] Fix potential overflows in the ISDN subsystem +See CVE-2007-6063 - -- dann frazier [EMAIL PROTECTED] Fri, 08 Feb 2008 14:54:19 -0700 + -- dann frazier [EMAIL PROTECTED] Fri, 08 Feb 2008 17:28:08 -0700 kernel-source-2.6.8 (2.6.8-17) oldstable; urgency=high Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 == --- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 (original) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 Sat Feb 9 00:29:24 2008 @@ -10,3 +10,4 @@ + cramfs-check-block-length.dpatch + ext2-skip-pages-past-num-blocks.dpatch + minixfs-printk-hang.dpatch ++ isdn-net-overflow.dpatch ___ Kernel-svn-changes mailing list Kernel-svn-changes@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes
[kernel] r10366 - in dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian: . patches patches/series
Author: dannf Date: Fri Feb 1 20:59:18 2008 New Revision: 10366 Log: * 256_i4l-isdn_ioctl-mem-overrun.diff [SECURITY] Fix potential isdn ioctl memory overrun See CVE-2007-6151 Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/256_i4l-isdn_ioctl-mem-overrun.diff Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog == --- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog (original) +++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog Fri Feb 1 20:59:18 2008 @@ -53,8 +53,11 @@ [SECURITY] Add some sanity checking for a corrupted i_size in ext2_find_entry() See CVE-2006-6054 + * 256_i4l-isdn_ioctl-mem-overrun.diff +[SECURITY] Fix potential isdn ioctl memory overrun +See CVE-2007-6151 - -- dann frazier [EMAIL PROTECTED] Mon, 21 Jan 2008 01:00:19 -0700 + -- dann frazier [EMAIL PROTECTED] Fri, 01 Feb 2008 14:48:58 -0600 kernel-source-2.4.27 (2.4.27-10sarge5) stable-security; urgency=high Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/256_i4l-isdn_ioctl-mem-overrun.diff == --- (empty file) +++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/256_i4l-isdn_ioctl-mem-overrun.diff Fri Feb 1 20:59:18 2008 
@@ -0,0 +1,59 @@ +commit eb0a06330df97dd9bbaf966cf29d755eff90ecd6 +Author: Willy Tarreau [EMAIL PROTECTED] +Date: Mon Dec 17 00:10:45 2007 +0100 + +[PATCH] isdn: fix isdn_ioctl memory overrun vulnerability + +Backport of 2.6 commit eafe1aa37e6ec2d56f14732b5240c4dd09f0613a by Karsten Keil + +I4L: fix isdn_ioctl memory overrun vulnerability + +Fix possible memory overrun issue in the isdn ioctl code. + +Found by ADLAB [EMAIL PROTECTED] + +Signed-off-by: Karsten Keil [EMAIL PROTECTED] +Cc: ADLAB [EMAIL PROTECTED] +Cc: [EMAIL PROTECTED] +Signed-off-by: Andrew Morton [EMAIL PROTECTED] +Signed-off-by: Linus Torvalds [EMAIL PROTECTED] + +Signed-off-by: Willy Tarreau [EMAIL PROTECTED] + +diff --git a/drivers/isdn/isdn_common.c b/drivers/isdn/isdn_common.c +index 3155dc8..d251886 100644 +--- a/drivers/isdn/isdn_common.c b/drivers/isdn/isdn_common.c +@@ -1442,6 +1442,7 @@ isdn_ioctl(struct inode *inode, struct file *file, uint cmd, ulong arg) + if (copy_from_user((char *) iocts, (char *) arg, +sizeof(isdn_ioctl_struct))) + return -EFAULT; ++ iocts.drvid[sizeof(iocts.drvid)-1] = 0; + if (strlen(iocts.drvid)) { + if ((p = strchr(iocts.drvid, ','))) + *p = 0; +@@ -1527,6 +1528,7 @@ isdn_ioctl(struct inode *inode, struct file *file, uint cmd, ulong arg) + (char *) arg, +sizeof(isdn_ioctl_struct))) + return -EFAULT; ++ iocts.drvid[sizeof(iocts.drvid)-1] = 0; + if (strlen(iocts.drvid)) { + drvidx = -1; + for (i = 0; i ISDN_MAX_DRIVERS; i++) +@@ -1571,7 +1573,7 @@ isdn_ioctl(struct inode *inode, struct file *file, uint cmd, ulong arg) + } else { + p = (char *) iocts.arg; + for (i = 0; i 10; i++) { +- sprintf(bname, %s%s, ++ snprintf(bname, sizeof(bname), %s%s, + strlen(dev-drv[drvidx]-msn2eaz[i]) ? + dev-drv[drvidx]-msn2eaz[i] : _, + (i 9) ? , : \0); +@@ -1601,6 +1603,7 @@ isdn_ioctl(struct inode *inode, struct file *file, uint cmd, ulong arg) + char *p; + if (copy_from_user((char *) iocts, (char *) arg, sizeof(isdn_ioctl_struct))) + return
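Review bot: the termination iocts.drvid[sizeof(iocts.drvid)-1] = 0; is repeated by hand after each copy_from_user() of the isdn_ioctl_struct in isdn_ioctl(), which makes it easy to miss a case, and the copy of the patch in this message is cut off inside the fourth hunk, so it cannot be confirmed that every such copy is covered. Consider a small helper that does the copy and the termination together, and check the remaining cases of the switch against it. In the snprintf() hunk the write into bname is now bounded, but an over-long msn2eaz entry is silently truncated; say in the patch header whether truncation is acceptable there.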
[kernel] r10367 - in dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian: . patches patches/series
Author: dannf Date: Fri Feb 1 21:00:07 2008 New Revision: 10367 Log: * 257_isdn-net-overflow.diff [SECURITY] Fix potential overflows in the ISDN subsystem See CVE-2007-6063 Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/257_isdn-net-overflow.diff Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog == --- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog (original) +++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog Fri Feb 1 21:00:07 2008 @@ -56,6 +56,9 @@ * 256_i4l-isdn_ioctl-mem-overrun.diff [SECURITY] Fix potential isdn ioctl memory overrun See CVE-2007-6151 + * 257_isdn-net-overflow.diff +[SECURITY] Fix potential overflows in the ISDN subsystem +See CVE-2007-6063 -- dann frazier [EMAIL PROTECTED] Fri, 01 Feb 2008 14:48:58 -0600 Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/257_isdn-net-overflow.diff == --- (empty file) +++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/257_isdn-net-overflow.diff Fri Feb 1 21:00:07 2008 
@@ -0,0 +1,58 @@ +commit f76d36ddb1a6da76d46185941f326739cbba5e41 +Author: Willy Tarreau [EMAIL PROTECTED] +Date: Mon Dec 10 07:17:13 2007 +0100 + +[PATCH] isdn: avoid copying overly-long strings + +Backport of 2.6 commit 0f13864e5b24d9cbe18d125d41bfa4b726a82e40 by Karsten Keil + +Addresses http://bugzilla.kernel.org/show_bug.cgi?id=9416 + +Signed-off-by: Willy Tarreau [EMAIL PROTECTED] + +diff --git a/drivers/isdn/isdn_net.c b/drivers/isdn/isdn_net.c +index 0a5bea3..e85fcc4 100644 +--- a/drivers/isdn/isdn_net.c b/drivers/isdn/isdn_net.c +@@ -2159,7 +2159,7 @@ isdn_net_find_icall(int di, int ch, int idx, setup_parm *setup) + isdn_net_dev *p; + isdn_net_phone *n; + ulong flags; +- char nr[32]; ++ char nr[ISDN_MSNLEN]; + char *my_eaz; + + /* Search name in netdev-chain */ +@@ -2169,8 +2169,10 @@ isdn_net_find_icall(int di, int ch, int idx, setup_parm *setup) + nr[0] = '0'; + nr[1] = '\0'; + printk(KERN_INFO isdn_net: Incoming call without OAD, assuming '0'\n); +- } else +- strcpy(nr, setup-phone); ++ } else { ++ strncpy(nr, setup-phone, ISDN_MSNLEN - 1); ++ nr[ISDN_MSNLEN - 1] = 0; ++ } + si1 = (int) setup-si1; + si2 = (int) setup-si2; + if (!setup-eazmsn[0]) { +@@ -2855,7 +2857,8 @@ isdn_net_setcfg(isdn_net_ioctl_cfg * cfg) + chidx = -1; + } + } +- strcpy(lp-msn, cfg-eaz); ++ strncpy(lp-msn, cfg-eaz, sizeof(lp-msn) - 1); ++ lp-msn[sizeof(lp-msn) - 1] = 0; + lp-pre_device = drvidx; + lp-pre_channel = chidx; + lp-onhtime = cfg-onhtime; +@@ -3004,7 +3007,8 @@ isdn_net_addphone(isdn_net_ioctl_phone * phone) + if (p) { + if (!(n = (isdn_net_phone *) kmalloc(sizeof(isdn_net_phone), GFP_KERNEL))) + return -ENOMEM; +- strcpy(n-num, phone-phone); ++ strncpy(n-num, phone-phone, sizeof(n-num) - 1); ++ n-num[sizeof(n-num) - 1] = 0; + n-next = p-local-phone[phone-outgoing 1]; + p-local-phone[phone-outgoing 1] = n; + return 0; Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 == --- 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 (original) +++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 Fri Feb 1 21:00:07 2008 @@ -16,3 +16,4 @@ + 254_cramfs-check-block-length.diff + 255_ext2-skip-pages-past-num-blocks.diff + 256_i4l-isdn_ioctl-mem-overrun.diff ++ 257_isdn-net-overflow.diff ___ Kernel-svn-changes mailing list Kernel-svn-changes@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes
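Review bot: In the `isdn_net_find_icall()` hunk of 257_isdn-net-overflow.diff the copy is bounded with `ISDN_MSNLEN - 1`, while the other two hunks use `sizeof(lp->msn) - 1` and `sizeof(n->num) - 1`; using `sizeof(nr) - 1` there too would keep the bound tied to the declaration of `nr` if it changes again. All three copies also truncate silently: in `isdn_net_setcfg()` and `isdn_net_addphone()` the source comes from an ioctl structure, so an over-long `cfg->eaz` or `phone->phone` is stored as a different, shorter number instead of being rejected. Returning an error when the source is not terminated within the destination size would be safer than storing the truncated value.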
[kernel] r10242 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8: . debian/patches
Author: dannf Date: Mon Jan 28 23:29:14 2008 New Revision: 10242 Log: move patch to correct directory Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/i4l-isdn_ioctl-mem-overrun.dpatch - copied unchanged from r10241, /dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/i4l-isdn_ioctl-mem-overrun.dpatch Removed: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/i4l-isdn_ioctl-mem-overrun.dpatch
[kernel] r10197 - dists/etch/linux-2.6/debian
Author: dannf Date: Fri Jan 25 16:49:28 2008 New Revision: 10197 Log: prepare for p-u upload Modified: dists/etch/linux-2.6/debian/changelog Modified: dists/etch/linux-2.6/debian/changelog == --- dists/etch/linux-2.6/debian/changelog (original) +++ dists/etch/linux-2.6/debian/changelog Fri Jan 25 16:49:28 2008 @@ -1,4 +1,4 @@ -linux-2.6 (2.6.18.dfsg.1-18) UNRELEASED; urgency=high +linux-2.6 (2.6.18.dfsg.1-18) stable; urgency=high [ Martin Michlmayr ] * [mips] Fix network on Cobalt RaQ1, thanks Thomas Bogendoerfer @@ -10,7 +10,7 @@ (closes: #461493). * Update abi reference files for ABI 6 - -- dann frazier [EMAIL PROTECTED] Thu, 24 Jan 2008 16:58:46 -0700 + -- dann frazier [EMAIL PROTECTED] Fri, 25 Jan 2008 00:08:38 -0700 linux-2.6 (2.6.18.dfsg.1-17etch1) stable-security; urgency=high ___ Kernel-svn-changes mailing list Kernel-svn-changes@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes
[kernel] r10178 - in dists/etch/linux-2.6/debian: . arch arch/alpha arch/alpha/vserver arch/amd64 arch/amd64/vserver arch/amd64/xen arch/amd64/xen-vserver arch/arm arch/hppa arch/i386 arch/i386/vserve
-2.6/debian/bin/abiupdate.py == --- dists/etch/linux-2.6/debian/bin/abiupdate.py(original) +++ dists/etch/linux-2.6/debian/bin/abiupdate.pyThu Jan 24 23:56:30 2008 @@ -113,6 +113,7 @@ import urllib2 u = url(self.source, filename) filename_out = self.dir + / + filename +print u f_in = urllib2.urlopen(u) f_out = file(filename_out, 'w') while 1: Modified: dists/etch/linux-2.6/debian/changelog == --- dists/etch/linux-2.6/debian/changelog (original) +++ dists/etch/linux-2.6/debian/changelog Thu Jan 24 23:56:30 2008 @@ -11,6 +11,29 @@ -- dann frazier [EMAIL PROTECTED] Fri, 18 Jan 2008 17:19:59 -0700 +linux-2.6 (2.6.18.dfsg.1-17etch1) stable-security; urgency=high + + * bugfix/i4l-isdn_ioctl-mem-overrun.patch +[SECURITY] Fix potential isdn ioctl memory overrun +See CVE-2007-6151 + * bugfix/vfs-use-access-mode-flag.patch +[SECURITY] Use the access mode flag instead of the open flag when +testing access mode for a directory. Modify +features/all/vserver/vs2.0.2.2-rc9.patch to apply on top of this +See CVE-2008-0001 + * bugfix/fat-move-ioctl-compat-code.patch, bugfix/fat-fix-compat-ioctls.patch +[SECURITY][ABI Changer] Fix kernel_dirent corruption in the compat layer +for fat ioctls +See CVE-2007-2878 + * bugfix/proc-snd-page-alloc-mem-leak.patch +[SECURITY][ABI Changer] Fix an issue in the alsa subsystem that allows a +local user to read potentially sensitive kernel memory from the proc +filesystem +See CVE-2007-4571 + * Bump ABI to 6. + + -- dann frazier [EMAIL PROTECTED] Tue, 22 Jan 2008 10:07:04 -0700 + linux-2.6 (2.6.18.dfsg.1-17) stable; urgency=high * [futex] Fix address computation in compat code, fixing hangs Modified: dists/etch/linux-2.6/debian/patches/features/all/vserver/vs2.0.2.2-rc9.patch == --- dists/etch/linux-2.6/debian/patches/features/all/vserver/vs2.0.2.2-rc9.patch (original) +++ dists/etch/linux-2.6/debian/patches/features/all/vserver/vs2.0.2.2-rc9.patch Thu Jan 24 23:56:30 2008 
@@ -4775,9 +4775,9 @@ return -EACCES; flag = ~O_TRUNC; -- } else if (IS_RDONLY(inode) (flag FMODE_WRITE)) +- } else if (IS_RDONLY(inode) (acc_mode MAY_WRITE)) + } else if ((IS_RDONLY(inode) || MNT_IS_RDONLY(nd-mnt)) -+ (flag FMODE_WRITE)) ++ (acc_mode MAY_WRITE)) return -EROFS; /* * An append-only file must be opened in append mode for writing. ___ Kernel-svn-changes mailing list Kernel-svn-changes@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes
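Review bot: The `print u` added in debian/bin/abiupdate.py just before `urllib2.urlopen(u)` looks like leftover debugging output; it is not mentioned in the changelog entry and is unrelated to the security fixes in this commit, so drop it or commit it separately with a reason. In the vs2.0.2.2-rc9.patch hunk both the removed and the added lines of the embedded patch change from `FMODE_WRITE` to `MAY_WRITE`, which matches the changelog note about applying on top of bugfix/vfs-use-access-mode-flag.patch; a comment in the series file recording that ordering dependency would help the next backport.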
[kernel] r10172 - dists/etch-security/linux-latest-2.6
Author: dannf Date: Wed Jan 23 21:13:53 2008 New Revision: 10172 Log: etch/etch-security updates to linux-latest-2.6 should always happen serially, so let's drop the etch-security branch and do both updates on the etch branch Removed: dists/etch-security/linux-latest-2.6/
[kernel] r10174 - releases/linux-latest-2.6/6etch3
Author: dannf Date: Wed Jan 23 21:15:50 2008 New Revision: 10174 Log: tag 6etch3 Added: releases/linux-latest-2.6/6etch3/ - copied from r10173, /dists/etch/linux-latest-2.6/
[kernel] r10158 - in dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian: . patches patches/series
Author: dannf Date: Mon Jan 21 08:03:11 2008 New Revision: 10158 Log: * 255_ext2-skip-pages-past-num-blocks.diff [SECURITY] Add some sanity checking for a corrupted i_size in ext2_find_entry() See CVE-2006-6054 Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/255_ext2-skip-pages-past-num-blocks.diff Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog == --- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog (original) +++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog Mon Jan 21 08:03:11 2008 @@ -49,8 +49,12 @@ [SECURITY] Add a sanity check of the block length in cramfs_readpage to avoid a potential oops condition See CVE-2006-5823 + * 255_ext2-skip-pages-past-num-blocks.diff +[SECURITY] Add some sanity checking for a corrupted i_size in +ext2_find_entry() +See CVE-2006-6054 - -- dann frazier [EMAIL PROTECTED] Mon, 21 Jan 2008 00:48:39 -0700 + -- dann frazier [EMAIL PROTECTED] Mon, 21 Jan 2008 01:00:19 -0700 kernel-source-2.4.27 (2.4.27-10sarge5) stable-security; urgency=high Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/255_ext2-skip-pages-past-num-blocks.diff == --- (empty file) +++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/255_ext2-skip-pages-past-num-blocks.diff Mon Jan 21 08:03:11 2008 
@@ -0,0 +1,43 @@ +From: Eric Sandeen [EMAIL PROTECTED] +Date: Sat, 30 Dec 2006 23:30:32 + (-0500) +Subject: [PATCH] ext2: skip pages past number of blocks in ext2_find_entry (CVE-2006-6054) +X-Git-Tag: v2.6.19.2~20 +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6.19.y.git;a=commitdiff_plain;h=8d312ae11257a259d78e122fd73274b8ef4789d1 + +[PATCH] ext2: skip pages past number of blocks in ext2_find_entry (CVE-2006-6054) + +This one was pointed out on the MOKB site: +http://kernelfun.blogspot.com/2006/11/mokb-09-11-2006-linux-26x-ext2checkpage.html + +If a directory's i_size is corrupted, ext2_find_entry() will keep processing +pages until the i_size is reached, even if there are no more blocks associated +with the directory inode. This patch puts in some minimal sanity-checking +so that we don't keep checking pages (and issuing errors) if we know there +can be no more data to read, based on the block count of the directory inode. + +This is somewhat similar in approach to the ext3 patch I sent earlier this +year. 
+ +Signed-off-by: Eric Sandeen [EMAIL PROTECTED] +Signed-off-by: Chris Wright [EMAIL PROTECTED] +--- + +diff --git a/fs/ext2/dir.c b/fs/ext2/dir.c +index 3e7a84a..852780b 100644 +--- a/fs/ext2/dir.c b/fs/ext2/dir.c +@@ -368,6 +368,14 @@ struct ext2_dir_entry_2 * ext2_find_entry (struct inode * dir, + } + if (++n = npages) + n = 0; ++ /* next page is past the blocks we've got */ ++ if (unlikely(n (dir-i_blocks (PAGE_CACHE_SHIFT - 9 { ++ ext2_error(dir-i_sb, __FUNCTION__, ++ dir %lu size %lld exceeds block count %llu, ++ dir-i_ino, dir-i_size, ++ (unsigned long long)dir-i_blocks); ++ goto out; ++ } + } while (n != start); + out: + return NULL; Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 == --- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 (original) +++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 Mon Jan 21 08:03:11 2008 @@ -14,3 +14,4 @@ + 252_openpromfs-checks-3.diff + 253_coredump-only-to-same-uid.diff + 254_cramfs-check-block-length.diff ++ 255_ext2-skip-pages-past-num-blocks.diff ___ Kernel-svn-changes mailing list Kernel-svn-changes@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes
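Review bot: The `goto out;` added in the `ext2_find_entry()` hunk depends on an `out:` label that appears here only as unchanged context, and the diff is the upstream one as-is (git `index 3e7a84a..852780b` header, `PAGE_CACHE_SHIFT`). Before it goes into the 2.4.27 series, confirm that this tree's `ext2_find_entry()` has that label and that the hunk applies at line 368, and record any adjustment with a backport line in the patch header. The new path also calls `ext2_error()` for a condition driven by an on-disk `i_size` value; the description should say what that does under the filesystem's error-handling mount options.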
[kernel] r10159 - dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches
Author: dannf Date: Mon Jan 21 08:15:40 2008 New Revision: 10159 Log: compile fix; missing goto target Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/255_ext2-skip-pages-past-num-blocks.diff Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/255_ext2-skip-pages-past-num-blocks.diff == --- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/255_ext2-skip-pages-past-num-blocks.diff (original) +++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/255_ext2-skip-pages-past-num-blocks.diff Mon Jan 21 08:15:40 2008 @@ -22,11 +22,11 @@ Signed-off-by: Chris Wright [EMAIL PROTECTED] --- -diff --git a/fs/ext2/dir.c b/fs/ext2/dir.c -index 3e7a84a..852780b 100644 a/fs/ext2/dir.c -+++ b/fs/ext2/dir.c -@@ -368,6 +368,14 @@ struct ext2_dir_entry_2 * ext2_find_entry (struct inode * dir, +Backported to Debian's 2.4.27 by dann frazier [EMAIL PROTECTED] + +--- kernel-source-2.4.27/fs/ext2/dir.c.orig2006-12-05 01:32:40.0 -0700 kernel-source-2.4.27/fs/ext2/dir.c 2008-01-21 01:07:49.309563953 -0700 +@@ -336,7 +336,16 @@ struct ext2_dir_entry_2 * ext2_find_entr } if (++n = npages) n = 0; @@ -39,5 +39,7 @@ + goto out; + } } while (n != start); - out: ++out: return NULL; + + found: ___ Kernel-svn-changes mailing list Kernel-svn-changes@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes
[kernel] r10154 - in dists/etch/linux-2.6.22/debian: . patches/bugfix patches/series
Author: dannf Date: Mon Jan 21 00:23:22 2008 New Revision: 10154 Log: * Add stable release 2.6.22.14 - ide: fix serverworks.c UDMA regression - ALSA: hda-codec - Add array terminator for dmic in STAC codec - ALSA: hdsp - Fix zero division - Fix endianness bug in U32 classifier. - Fix netlink timeouts. - ocfs2: fix write() performance regression - forcedeth msi bugfix - i4l: fix random freezes with AVM B1 drivers - i4l: Fix random hard freeze with AVM c4 card - NETFILTER: nf_conntrack_tcp: fix connection reopening - USB: usbserial - fix potential deadlock between write() and IRQ - i2c/eeprom: Recognize VGN as a valid Sony Vaio name prefix - i2c/eeprom: Hide Sony Vaio serial numbers - i2c-pasemi: Fix NACK detection - fix param_sysfs_builtin name length check - fix tmpfs BUG and AOP_WRITEPAGE_ACTIVATE - hptiop: avoid buffer overflow when returning sense data - Fix crypto_alloc_comp() error checking. - USB: kobil_sct: trivial backport to fix libct - Fix TEQL oops. - Fix error returns in sys_socketpair() - Fix compat futex hangs. - x86: fix TSC clock source calibration error - SLUB: Fix memory leak by not reusing cpu_slab - writeback: don't propagate AOP_WRITEPAGE_ACTIVATE - USB: mutual exclusion for EHCI init and port resets Added: dists/etch/linux-2.6.22/debian/patches/bugfix/2.6.22.14 Modified: dists/etch/linux-2.6.22/debian/changelog dists/etch/linux-2.6.22/debian/patches/series/1~etchnahalf.1 Modified: dists/etch/linux-2.6.22/debian/changelog == --- dists/etch/linux-2.6.22/debian/changelog(original) +++ dists/etch/linux-2.6.22/debian/changelogMon Jan 21 00:23:22 2008 
@@ -6,8 +6,35 @@ (CVE-2007-5500) - TCP: Make sure write_queue_from does not begin with NULL ptr (CVE-2007-5501) + * Add stable release 2.6.22.14 +- ide: fix serverworks.c UDMA regression +- ALSA: hda-codec - Add array terminator for dmic in STAC codec +- ALSA: hdsp - Fix zero division +- Fix endianness bug in U32 classifier. +- Fix netlink timeouts. +- ocfs2: fix write() performance regression +- forcedeth msi bugfix +- i4l: fix random freezes with AVM B1 drivers +- i4l: Fix random hard freeze with AVM c4 card +- NETFILTER: nf_conntrack_tcp: fix connection reopening +- USB: usbserial - fix potential deadlock between write() and IRQ +- i2c/eeprom: Recognize VGN as a valid Sony Vaio name prefix +- i2c/eeprom: Hide Sony Vaio serial numbers +- i2c-pasemi: Fix NACK detection +- fix param_sysfs_builtin name length check +- fix tmpfs BUG and AOP_WRITEPAGE_ACTIVATE +- hptiop: avoid buffer overflow when returning sense data +- Fix crypto_alloc_comp() error checking. +- USB: kobil_sct: trivial backport to fix libct +- Fix TEQL oops. +- Fix error returns in sys_socketpair() +- Fix compat futex hangs. +- x86: fix TSC clock source calibration error +- SLUB: Fix memory leak by not reusing cpu_slab +- writeback: don't propagate AOP_WRITEPAGE_ACTIVATE +- USB: mutual exclusion for EHCI init and port resets - -- dann frazier [EMAIL PROTECTED] Sun, 20 Jan 2008 16:58:43 -0700 + -- dann frazier [EMAIL PROTECTED] Sun, 20 Jan 2008 17:14:34 -0700 linux-2.6 (2.6.22-6) unstable; urgency=low Added: dists/etch/linux-2.6.22/debian/patches/bugfix/2.6.22.14 == --- (empty file) +++ dists/etch/linux-2.6.22/debian/patches/bugfix/2.6.22.14 Mon Jan 21 00:23:22 2008 
@@ -0,0 +1,1314 @@ +diff --git a/arch/i386/kernel/tsc.c b/arch/i386/kernel/tsc.c +index f64b81f..8e02ed6 100644 +--- a/arch/i386/kernel/tsc.c b/arch/i386/kernel/tsc.c +@@ -122,7 +122,7 @@ unsigned long native_calculate_cpu_khz(void) + { + unsigned long long start, end; + unsigned long count; +- u64 delta64; ++ u64 delta64 = (u64)ULLONG_MAX; + int i; + unsigned long flags; + +@@ -134,6 +134,7 @@ unsigned long native_calculate_cpu_khz(void) + rdtscll(start); + mach_countup(count); + rdtscll(end); ++ delta64 = min(delta64, (end - start)); + } + /* +* Error: ECTCNEVERSET +@@ -144,8 +145,6 @@ unsigned long native_calculate_cpu_khz(void) + if (count = 1) + goto err; + +- delta64 = end - start; +- + /* cpu freq too fast: */ + if (delta64 (1ULL32)) + goto err; +diff --git a/drivers/i2c/busses/i2c-pasemi.c b/drivers/i2c/busses/i2c-pasemi.c +index 58e3271..dcf5dec 100644 +--- a/drivers/i2c/busses/i2c-pasemi.c b/drivers/i2c/busses/i2c-pasemi.c +@@ -51,6 +51,7 @@ struct pasemi_smbus { + #define MRXFIFO_DATA_M0x00ff + + #define SMSTA_XEN 0x0800 ++#define SMSTA_MTN 0x0020 + + #define CTL_MRR 0x0400 + #define CTL_MTR 0x0200 +@@ -98,6 +99,10
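Review bot: In the `native_calculate_cpu_khz()` hunks, `delta64` now holds the minimum `end - start` over all passes, but the `count` test that follows still sees only the value left by the last `mach_countup(count)`, so the two sanity checks can refer to different passes. Either keep the `count` that belongs to the chosen minimum or reject the measurement if any pass fails. The patch is cut off on this page after the `SMSTA_MTN` define in i2c-pasemi.c, so the remaining hunks cannot be reviewed here.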
[kernel] r10155 - in dists/etch/linux-2.6.22/debian: . patches/bugfix patches/series
Author: dannf Date: Mon Jan 21 00:30:13 2008 New Revision: 10155 Log: * Add stable release 2.6.22.15 - IPV4: Remove bogus ifdef mess in arp_process - forcedeth: new mcp79 pci ids - forcedeth boot delay fix - PFKEY: Sending an SADB_GET responds with an SADB_GET - Future of Linux 2.6.22.y series - USB: fix up EHCI startup synchronization - RXRPC: Add missing select on CRYPTO - NET: Corrects a bug in ip_rt_acct_read() - IPV6: Restore IPv6 when MTU is big enough - UNIX: EOF on non-blocking SOCK_SEQPACKET - Revert Fix SMP poweroff hangs - Linux 2.6.22.15 - libcrc32c: keep intermediate crc state in cpu order - CRYPTO api: Fix potential race in crypto_remove_spawn - tmpfs: restore missing clear_highpage - TCP: MTUprobe: fix potential sk_send_head corruption - fb_ddc: fix DDC lines quirk - isdn: avoid copying overly-long strings - I4L: fix isdn_ioctl memory overrun vulnerability - nf_nat: fix memset error - atl1: disable broken 64-bit DMA - knfsd: Validate filehandle type in fsid_source - USB: make the microtek driver and HAL cooperate - TEXTSEARCH: Do not allow zero length patterns in the textsearch infrastructure - XFRM: Fix leak of expired xfrm_states - NETFILTER: xt_TCPMSS: remove network triggerable WARN_ON - DECNET: dn_nl_deladdr() almost always returns no error - BRIDGE: Lost call to br_fdb_fini() in br_init() error path - BRIDGE: Properly dereference the br_should_route_hook - TCP: Problem bug with sysctl_tcp_congestion_control function - wait_task_stopped(): pass correct exit_code to wait_noreap_copyout() - TCP: illinois: Incorrect beta usage - futex: fix for futex_wait signal stack corruption - libata: kill spurious NCQ completion detection - hrtimers: avoid overflow for large relative timeouts (CVE-2007-5966) - ATM: [he] initialize lock and tasklet earlier Added: dists/etch/linux-2.6.22/debian/patches/bugfix/2.6.22.15 Modified: dists/etch/linux-2.6.22/debian/changelog dists/etch/linux-2.6.22/debian/patches/series/1~etchnahalf.1 Modified: 
dists/etch/linux-2.6.22/debian/changelog == --- dists/etch/linux-2.6.22/debian/changelog(original) +++ dists/etch/linux-2.6.22/debian/changelogMon Jan 21 00:30:13 2008 
@@ -33,8 +33,46 @@ - SLUB: Fix memory leak by not reusing cpu_slab - writeback: don't propagate AOP_WRITEPAGE_ACTIVATE - USB: mutual exclusion for EHCI init and port resets + * Add stable release 2.6.22.15 +- IPV4: Remove bogus ifdef mess in arp_process +- forcedeth: new mcp79 pci ids +- forcedeth boot delay fix +- PFKEY: Sending an SADB_GET responds with an SADB_GET +- Future of Linux 2.6.22.y series +- USB: fix up EHCI startup synchronization +- RXRPC: Add missing select on CRYPTO +- NET: Corrects a bug in ip_rt_acct_read() +- IPV6: Restore IPv6 when MTU is big enough +- UNIX: EOF on non-blocking SOCK_SEQPACKET +- Revert Fix SMP poweroff hangs +- Linux 2.6.22.15 +- libcrc32c: keep intermediate crc state in cpu order +- CRYPTO api: Fix potential race in crypto_remove_spawn +- tmpfs: restore missing clear_highpage +- TCP: MTUprobe: fix potential sk_send_head corruption +- fb_ddc: fix DDC lines quirk +- isdn: avoid copying overly-long strings +- I4L: fix isdn_ioctl memory overrun vulnerability +- nf_nat: fix memset error +- atl1: disable broken 64-bit DMA +- knfsd: Validate filehandle type in fsid_source +- USB: make the microtek driver and HAL cooperate +- TEXTSEARCH: Do not allow zero length patterns in the textsearch + infrastructure +- XFRM: Fix leak of expired xfrm_states +- NETFILTER: xt_TCPMSS: remove network triggerable WARN_ON +- DECNET: dn_nl_deladdr() almost always returns no error +- BRIDGE: Lost call to br_fdb_fini() in br_init() error path +- BRIDGE: Properly dereference the br_should_route_hook +- TCP: Problem bug with sysctl_tcp_congestion_control function +- wait_task_stopped(): pass correct exit_code to wait_noreap_copyout() +- TCP: illinois: Incorrect beta usage +- futex: fix for futex_wait signal stack corruption +- libata: kill spurious NCQ completion detection +- hrtimers: avoid overflow for large relative timeouts (CVE-2007-5966) +- ATM: [he] initialize lock and tasklet earlier - -- dann frazier [EMAIL PROTECTED] Sun, 20 Jan 2008 17:14:34 
-0700 + -- dann frazier [EMAIL PROTECTED] Sun, 20 Jan 2008 17:25:23 -0700 linux-2.6 (2.6.22-6) unstable; urgency=low Added: dists/etch/linux-2.6.22/debian/patches/bugfix/2.6.22.15 == --- (empty file) +++ dists/etch/linux-2.6.22/debian/patches/bugfix/2.6.22.15 Mon Jan 21 00:30:13 2008 @@ -0,0 +1,1091 @@ +diff --git a/crypto/algapi.c b/crypto/algapi.c +index f137a43..ec286a2 100644 +--- a/crypto/algapi.c b/crypto/algapi.c
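Review bot: The changelog hunk for 2.6.22.15 lists `isdn: avoid copying overly-long strings` and `I4L: fix isdn_ioctl memory overrun vulnerability` without CVE ids, although the sarge entries for the same fixes cite CVE-2007-6063 and CVE-2007-6151 and the `hrtimers` line in this same list carries CVE-2007-5966; add the ids so the fixes can be traced across packages. `Future of Linux 2.6.22.y series` and `Linux 2.6.22.15` are not fixes and could be dropped from the list. Only the crypto/algapi.c file header of the 1091-line patch is visible on this page.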
[kernel] r10156 - in dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian: . patches patches/series
Author: dannf Date: Mon Jan 21 01:06:50 2008 New Revision: 10156 Log: * 253_coredump-only-to-same-uid.diff [SECURITY] Fix an issue where core dumping over a file that already exists retains the ownership of the original file See CVE-2007-6206 Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/253_coredump-only-to-same-uid.diff Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog == --- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog (original) +++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog Mon Jan 21 01:06:50 2008 @@ -41,6 +41,10 @@ 252_openpromfs-checks-3.diff [SECURITY] Fix a number of data checks in openprom code See CVE-2004-2731 + * 253_coredump-only-to-same-uid.diff +[SECURITY] Fix an issue where core dumping over a file that +already exists retains the ownership of the original file +See CVE-2007-6206 -- dann frazier [EMAIL PROTECTED] Mon, 12 Nov 2007 16:29:16 -0700 Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/253_coredump-only-to-same-uid.diff == --- (empty file) +++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/253_coredump-only-to-same-uid.diff Mon Jan 21 01:06:50 2008 
@@ -0,0 +1,35 @@ +From: Willy Tarreau [EMAIL PROTECTED] +Date: Mon, 10 Dec 2007 06:00:14 + (+0100) +Subject: [PATCH] vfs: coredumping fix +X-Git-Tag: v2.4.36-rc1~4 +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fwtarreau%2Flinux-2.4.git;a=commitdiff_plain;h=62b548a60eaff6f986e9b3f5fd602ddae451b33e + +[PATCH] vfs: coredumping fix + +Backport of 2.6 commit c46f739dd39db3b07ab5deb4e3ec81e1c04a91af by Ingo Molnar. + +fix: http://bugzilla.kernel.org/show_bug.cgi?id=3043 + +only allow coredumping to the same uid that the coredumping +task runs under. + +Signed-off-by: Willy Tarreau [EMAIL PROTECTED] +--- + +diff --git a/fs/exec.c b/fs/exec.c +index 1d23db6..87d06b1 100644 +--- a/fs/exec.c b/fs/exec.c +@@ -1167,6 +1167,12 @@ int do_coredump(long signr, struct pt_regs * regs) + + if (!S_ISREG(inode-i_mode)) + goto close_fail; ++ /* ++ * Dont allow local users get cute and trick others to coredump ++ * into their pre-created files: ++ */ ++ if (inode-i_uid != current-fsuid) ++ goto close_fail; + if (!file-f_op) + goto close_fail; + if (!file-f_op-write) Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 == --- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 (original) +++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 Mon Jan 21 01:06:50 2008 @@ -12,3 +12,4 @@ + 250_openpromfs-checks-1.diff + 251_openpromfs-checks-2.diff + 252_openpromfs-checks-3.diff ++ 253_coredump-only-to-same-uid.diff ___ Kernel-svn-changes mailing list Kernel-svn-changes@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes
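Review bot: The new `inode->i_uid != current->fsuid` test in `do_coredump()` runs on an already-open `file` (the failure path is `close_fail`), so it only helps if nothing has modified the target before this point; confirm that the open does not truncate and that any truncation happens after this check, and say so in the comment. The changelog wording ("retains the ownership of the original file") describes the symptom, while the hunk refuses to dump into a file owned by another uid; one line in the patch description about that behaviour change would help administrators who find core files missing.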
[kernel] r10157 - in dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian: . patches patches/series
Author: dannf Date: Mon Jan 21 07:53:09 2008 New Revision: 10157 Log: * 254_cramfs-check-block-length.diff [SECURITY] Add a sanity check of the block length in cramfs_readpage to avoid a potential oops condition See CVE-2006-5823 Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/254_cramfs-check-block-length.diff Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog == --- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog (original) +++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog Mon Jan 21 07:53:09 2008 @@ -45,8 +45,12 @@ [SECURITY] Fix an issue where core dumping over a file that already exists retains the ownership of the original file See CVE-2007-6206 + * 254_cramfs-check-block-length.diff +[SECURITY] Add a sanity check of the block length in cramfs_readpage to +avoid a potential oops condition +See CVE-2006-5823 - -- dann frazier [EMAIL PROTECTED] Mon, 12 Nov 2007 16:29:16 -0700 + -- dann frazier [EMAIL PROTECTED] Mon, 21 Jan 2008 00:48:39 -0700 kernel-source-2.4.27 (2.4.27-10sarge5) stable-security; urgency=high Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/254_cramfs-check-block-length.diff == --- (empty file) +++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/254_cramfs-check-block-length.diff Mon Jan 21 07:53:09 2008 
@@ -0,0 +1,51 @@ +From: Moritz Muehlenhoff [EMAIL PROTECTED] +Date: Sun, 11 Nov 2007 17:02:24 + (+0100) +Subject: [PATCH] corrupted cramfs filesystems cause kernel oops (CVE-2006-5823) +X-Git-Tag: v2.4.36-pre2~3 +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fwtarreau%2Flinux-2.4.git;a=commitdiff_plain;h=bf45d0bda54148841426979209d5f1df4f4d34e0 + +[PATCH] corrupted cramfs filesystems cause kernel oops (CVE-2006-5823) + +From http://projects.info-pull.com/mokb/MOKB-07-11-2006.html : + +| The zlib_inflate function in Linux kernel 2.6.x allows local users to cause a +| denial of service (crash) via a malformed filesystem that uses zlib +| compression that triggers memory corruption, as demonstrated using cramfs. + +We could reproduce this with 2.4.27, since there aren't any changes to git +for cramfs since initial import this is likely unfixed in 2.4.35 too. +2.6 patch below. + +http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=8bb0269160df2a60764013994d0bc5165406cf4a + +| Steve Grubb's fzfuzzer tool (http://people.redhat.com/sgrubb/files/ +| fsfuzzer-0.6.tar.gz) generates corrupt Cramfs filesystems which cause +| Cramfs to kernel oops in cramfs_uncompress_block(). The cause of the oops +| is an unchecked corrupted block length field read by cramfs_readpage(). +| +| This patch adds a sanity check to cramfs_readpage() which checks that the +| block length field is sensible. The (PAGE_CACHE_SIZE 1) size check is +| intentional, even though the uncompressed data is not going to be larger +| than PAGE_CACHE_SIZE, gzip sometimes generates compressed data larger than +| the original source data. Mkcramfs checks that the compressed size is +| always less than or equal to PAGE_CACHE_SIZE 1. Of course Cramfs could +| use the original uncompressed data in this case, but it doesn't. +| +| Signed-off-by: Phillip Lougher [EMAIL PROTECTED] +| Signed-off-by: Andrew Morton [EMAIL PROTECTED] +| 
Signed-off-by: Linus Torvalds [EMAIL PROTECTED] +--- + +diff --git a/fs/cramfs/inode.c b/fs/cramfs/inode.c +index 8fb1e70..71495ac 100644 +--- a/fs/cramfs/inode.c b/fs/cramfs/inode.c +@@ -404,6 +404,8 @@ static int cramfs_readpage(struct file *file, struct page * page) + pgdata = kmap(page); + if (compr_len == 0) + ; /* hole */ ++ else if (compr_len (PAGE_CACHE_SIZE 1)) ++ printk(KERN_ERR cramfs: bad compressed blocksize %u\n, compr_len); + else { + down(read_mutex); + bytes_filled = cramfs_uncompress_block(pgdata, Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 == --- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 (original) +++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 Mon Jan 21 07:53:09 2008
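Review bot: In the `cramfs_readpage()` hunk the new `else if` branch only calls `printk(KERN_ERR ...)`, so a block with an oversized `compr_len` is handled like the `/* hole */` case above it and, as far as the visible lines show, no error reaches the reader; consider failing the read for that page instead. The message is also printed on every read of such a block with no rate limit, which lets a corrupted image flood the kernel log.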
[kernel] r10144 - in dists/sarge/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series
Author: dannf Date: Sat Jan 19 00:50:03 2008 New Revision: 10144 Log: * ia64-fix-unaligned-fp-corruption.dpatch: [ia64] Fix an issue with unaligned accesses and certain floating point instructions that can result in silent user data corruption (closes: #461493). Added: dists/sarge/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/ia64-fix-unaligned-fp-corruption.dpatch - copied unchanged from r10143, /dists/etch/linux-2.6/debian/patches/bugfix/ia64-fix-unaligned-fp-corruption.patch dists/sarge/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-18 Modified: dists/sarge/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog Modified: dists/sarge/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog == --- dists/sarge/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog (original) +++ dists/sarge/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog Sat Jan 19 00:50:03 2008 @@ -1,3 +1,12 @@ +kernel-source-2.6.8 (2.6.8-18) UNRELEASED; urgency=low + + * ia64-fix-unaligned-fp-corruption.dpatch: +[ia64] Fix an issue with unaligned accesses and certain floating point +instructions that can result in silent user data corruption +(closes: #461493). + + -- dann frazier [EMAIL PROTECTED] Fri, 18 Jan 2008 17:45:18 -0700 + kernel-source-2.6.8 (2.6.8-17) oldstable; urgency=high [ Simon Horman ] Added: dists/sarge/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-18 == --- (empty file) +++ dists/sarge/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-18 Sat Jan 19 00:50:03 2008 @@ -0,0 +1 @@ ++ ia64-fix-unaligned-fp-corruption.dpatch ___ Kernel-svn-changes mailing list Kernel-svn-changes@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes
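Review bot: ia64-fix-unaligned-fp-corruption.dpatch is recorded as "copied unchanged" from the etch linux-2.6 tree's bugfix/ia64-fix-unaligned-fp-corruption.patch, and nothing in the changelog or series hunk shows it was checked against the 2.6.8 source. Please confirm it applies to kernel-source-2.6.8 without fuzz or offsets and say so in the changelog entry. The entry is also urgency=low for a fix to silent user data corruption, while the previous upload (2.6.8-17) was urgency=high; that should be a deliberate choice rather than a default.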
[kernel] r10130 - in dists/etch/linux-2.6.22/debian: . patches/series templates
Author: dannf Date: Thu Jan 17 20:27:43 2008 New Revision: 10130 Log: * Create linux-2.6.22 package from linux-2.6_2.6.22-6, a fallback choice for etchnhalf Added: dists/etch/linux-2.6.22/debian/patches/series/1~etchnahalf.1 dists/etch/linux-2.6.22/debian/patches/series/1~etchnahalf.1-extra Removed: dists/etch/linux-2.6.22/debian/patches/series/1 dists/etch/linux-2.6.22/debian/patches/series/1-extra dists/etch/linux-2.6.22/debian/patches/series/2 dists/etch/linux-2.6.22/debian/patches/series/2-extra dists/etch/linux-2.6.22/debian/patches/series/3 dists/etch/linux-2.6.22/debian/patches/series/4 dists/etch/linux-2.6.22/debian/patches/series/5 dists/etch/linux-2.6.22/debian/patches/series/6 dists/etch/linux-2.6.22/debian/patches/series/6-extra Modified: dists/etch/linux-2.6.22/debian/changelog dists/etch/linux-2.6.22/debian/templates/control.source.in Modified: dists/etch/linux-2.6.22/debian/changelog == --- dists/etch/linux-2.6.22/debian/changelog(original) +++ dists/etch/linux-2.6.22/debian/changelogThu Jan 17 20:27:43 2008 @@ -1,3 +1,9 @@ +linux-2.6.22 (2.6.22-1~etchnahalf.1) UNRELEASED; urgency=low + + * Create linux-2.6.22 package from linux-2.6_2.6.22-6, targeting etch + + -- dann frazier [EMAIL PROTECTED] Thu, 17 Jan 2008 13:10:36 -0700 + linux-2.6 (2.6.22-6) unstable; urgency=low [ Martin Michlmayr ] Added: dists/etch/linux-2.6.22/debian/patches/series/1~etchnahalf.1 == --- (empty file) +++ dists/etch/linux-2.6.22/debian/patches/series/1~etchnahalf.1Thu Jan 17 20:27:43 2008 
@@ -0,0 +1,62 @@ ++ debian/version.patch ++ debian/kernelvariables.patch ++ debian/doc-build-parallel.patch ++ debian/scripts-kconfig-reportoldconfig.patch ++ debian/powerpc-mkvmlinuz-support-ppc.patch ++ debian/powerpc-mkvmlinuz-support-powerpc.patch + ++ debian/drivers-ata-ata_piix-postpone-pata.patch + ++ bugfix/powerpc/build-links.patch ++ bugfix/powerpc/mv643xx-hotplug-support.patch ++ bugfix/powerpc/oldworld-boot-fix.patch ++ bugfix/powerpc/prep-utah-ide-interrupt.patch ++ bugfix/powerpc/serial.patch ++ bugfix/mips/ide-scan.patch ++ bugfix/mips/ip22-zilog-console.patch ++ bugfix/mips/sgi-ioc3.patch ++ bugfix/mips/64bit-tulip.patch ++ bugfix/mips/tulip_dc21143.patch ++ features/mips/qemu-vga.patch ++ features/mips/sb1-duart.patch ++ features/arm/ixp4xx-npe-driver-0.3.1.patch ++ features/arm/ixp4xx-net-driver-improve-mac-handling.patch ++ features/arm/nslu2-i2c-gpio-driver-support.patch ++ features/arm/nas100d-i2c-gpio-driver-support.patch ++ features/arm/nslu2-mac_plat_info.patch ++ features/arm/nas100d-mac_plat_info.patch ++ features/arm/nslu2-setup-mac.patch ++ features/arm/nas100d-setup-mac.patch ++ bugfix/drivers-bus_to_virt.patch ++ bugfix/sparc/drivers_net-broken.patch ++ bugfix/arm/rtc-rs5c372-n2100.patch ++ bugfix/forcedeth-napi-broken.patch ++ bugfix/ia64/hardcode-arch-script-output.patch ++ features/fintek-f75375.patch ++ features/alpha/isa-mapping-support.patch ++ bugfix/powerpc/libgcc-__ucmpdi2.patch ++ bugfix/arm/disable-broken-config-options-1.patch ++ bugfix/alpha/request_irq-retval.patch ++ bugfix/2.6.22.1 ++ bugfix/mips/cobalt-ide-resources.patch ++ bugfix/hppa/use-generic-compat_sys_getdents.patch ++ bugfix/powerpc/i8042-pegasos.patch ++ bugfix/sparc/sun4u-pci-config-space.patch ++ bugfix/2.6.22.2 ++ bugfix/2.6.22.3 ++ bugfix/2.6.22.4 ++ bugfix/2.6.22.5 +- bugfix/sparc/sun4u-pci-config-space.patch ++ bugfix/mips/i8259-disable-method.patch ++ bugfix/mips/fix-build-elf64.patch ++ bugfix/2.6.22.6 ++ bugfix/2.6.22.7 ++ bugfix/2.6.22.8 ++ 
bugfix/2.6.22.9 ++ bugfix/2.6.22.10 ++ bugfix/mips/ip22-disable-early-printk.patch ++ bugfix/mips/ip22-fix-second-hpc-check.patch ++ bugfix/mips/ip22-fix-argument-order.patch ++ bugfix/2.6.22.11 +- bugfix/all/fix-some-cases-of-missed-ipv6-dad.patch ++ bugfix/2.6.22.12-rc1 Added: dists/etch/linux-2.6.22/debian/patches/series/1~etchnahalf.1-extra == --- (empty file) +++ dists/etch/linux-2.6.22/debian/patches/series/1~etchnahalf.1-extra Thu Jan 17 20:27:43 2008 @@ -0,0 +1,51 @@ ++ bugfix/arm/nas100d-pata-artop-single-port.patch arm + +# Submitted ++ bugfix/m68k/falconide_intr_lock-reentrant.diff m68k +#+ bugfix/m68k/600-task_thread_info.diff m68k ++ bugfix/m68k/633-atari_scc.diff m68k ++ bugfix/m68k/130-adbraw.diff m68k +#+ bugfix/m68k/133-arch.diff m68k +#+ bugfix/m68k/134-atari-fat.diff m68k ++ bugfix/m68k/141-ide.diff m68k ++ bugfix/m68k/143-ioext.diff m68k ++ bugfix/m68k/149-mc68681.diff m68k ++ bugfix/m68k/152-pci.diff m68k ++ bugfix/m68k/448-ide.diff m68k ++ bugfix/m68k/478-serial.diff m68k +#+ bugfix/m68k/631-thread_stack.diff m68k ++ bugfix/m68k/atari-rom-isa.diff m68k ++ bugfix/m68k/atari-ethernec.diff m68k ++ bugfix/m68k/unnecessary-m68k_memoffset.diff m68k ++ bugfix/m68k/atari
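Review bot: in series/1~etchnahalf.1 the entry "- bugfix/all/fix-some-cases-of-missed-ipv6-dad.patch" has no matching "+" line anywhere in the 62-line hunk, so it reverse-applies a change that must arrive through one of the bugfix/2.6.22.N entries; a "#" comment naming which one (the -extra file already uses "#" lines) would keep the merged series auditable. The same applies to the "+" and later "-" pair for bugfix/sparc/sun4u-pci-config-space.patch. The series also ends on bugfix/2.6.22.12-rc1, a release candidate, which is worth replacing with a final stable patch before this package targets etch. Separately, the log message calls the package "a fallback choice for etchnhalf" while the changelog says "targeting etch" and the version uses "etchnahalf"; the three should agree.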
[kernel] r10111 - in dists/etch-security/linux-2.6/debian: . patches/bugfix patches/series
Author: dannf Date: Tue Jan 15 23:46:19 2008 New Revision: 10111 Log: * bugfix/vfs-use-access-mode-flag.patch [SECURITY] Use the access mode flag instead of the open flag when testing access mode for a directory. See CVE-2008-0001 Added: dists/etch-security/linux-2.6/debian/patches/bugfix/vfs-use-access-mode-flag.patch Modified: dists/etch-security/linux-2.6/debian/changelog dists/etch-security/linux-2.6/debian/patches/series/17etch1 Modified: dists/etch-security/linux-2.6/debian/changelog == --- dists/etch-security/linux-2.6/debian/changelog (original) +++ dists/etch-security/linux-2.6/debian/changelog Tue Jan 15 23:46:19 2008 @@ -3,8 +3,12 @@ * bugfix/i4l-isdn_ioctl-mem-overrun.patch [SECURITY] Fix potential isdn ioctl memory overrun See CVE-2007-6151 + * bugfix/vfs-use-access-mode-flag.patch +[SECURITY] Use the access mode flag instead of the open flag when +testing access mode for a directory. +See CVE-2008-0001 - -- dann frazier [EMAIL PROTECTED] Sat, 05 Jan 2008 17:27:50 -0700 + -- dann frazier [EMAIL PROTECTED] Tue, 15 Jan 2008 16:44:15 -0700 linux-2.6 (2.6.18.dfsg.1-17) stable; urgency=high Added: dists/etch-security/linux-2.6/debian/patches/bugfix/vfs-use-access-mode-flag.patch == --- (empty file) +++ dists/etch-security/linux-2.6/debian/patches/bugfix/vfs-use-access-mode-flag.patch Tue Jan 15 23:46:19 2008 
@@ -0,0 +1,52 @@ +From: Linus Torvalds [EMAIL PROTECTED] +Date: Sat, 12 Jan 2008 22:06:34 + (-0800) +Subject: Use access mode instead of open flags to determine needed permissions +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=974a9f0b47da74e28f68b9c8645c3786aa5ace1a + +Use access mode instead of open flags to determine needed permissions + +Way back when (in commit 834f2a4a1554dc5b2598038b3fe8703defcbe467, aka +VFS: Allow the filesystem to return a full file pointer on open intent +to be exact), Trond changed the open logic to keep track of the original +flags to a file open, in order to pass down the the intent of a dentry +lookup to the low-level filesystem. + +However, when doing that reorganization, it changed the meaning of +namei_flags, and thus inadvertently changed the test of access mode for +directories (and RO filesystem) to use the wrong flag. So fix those +test back to use access mode (acc_mode) rather than the open flag +(flag). + +Issue noticed by Bill Roman at Datalight. 
+ +Reported-and-tested-by: Bill Roman [EMAIL PROTECTED] +Acked-by: Trond Myklebust [EMAIL PROTECTED] +Acked-by: Al Viro [EMAIL PROTECTED] +Cc: Christoph Hellwig [EMAIL PROTECTED] +Cc: Andrew Morton [EMAIL PROTECTED] +Signed-off-by: Linus Torvalds [EMAIL PROTECTED] +--- + +Adjusted to apply to Debian's 2.6.18 by dann frazier [EMAIL PROTECTED] + +diff -urpN linux-source-2.6.18.orig/fs/namei.c linux-source-2.6.18/fs/namei.c +--- linux-source-2.6.18.orig/fs/namei.c2006-09-19 21:42:06.0 -0600 linux-source-2.6.18/fs/namei.c 2008-01-15 16:42:10.0 -0700 +@@ -1500,7 +1500,7 @@ int may_open(struct nameidata *nd, int a + if (S_ISLNK(inode-i_mode)) + return -ELOOP; + +- if (S_ISDIR(inode-i_mode) (flag FMODE_WRITE)) ++ if (S_ISDIR(inode-i_mode) (acc_mode MAY_WRITE)) + return -EISDIR; + + error = vfs_permission(nd, acc_mode); +@@ -1519,7 +1519,7 @@ int may_open(struct nameidata *nd, int a + return -EACCES; + + flag = ~O_TRUNC; +- } else if (IS_RDONLY(inode) (flag FMODE_WRITE)) ++ } else if (IS_RDONLY(inode) (acc_mode MAY_WRITE)) + return -EROFS; + /* +* An append-only file must be opened in append mode for writing. Modified: dists/etch-security/linux-2.6/debian/patches/series/17etch1 == --- dists/etch-security/linux-2.6/debian/patches/series/17etch1 (original) +++ dists/etch-security/linux-2.6/debian/patches/series/17etch1 Tue Jan 15 23:46:19 2008 @@ -1 +1,2 @@ + bugfix/i4l-isdn_ioctl-mem-overrun.patch ++ bugfix/vfs-use-access-mode-flag.patch ___ Kernel-svn-changes mailing list Kernel-svn-changes@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes
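Review bot: the header line "Adjusted to apply to Debian's 2.6.18" does not say what differs from upstream commit 974a9f0b47da74e28f68b9c8645c3786aa5ace1a. Both may_open() hunks are single-token substitutions (flag and FMODE_WRITE become acc_mode and MAY_WRITE in the S_ISDIR and IS_RDONLY tests), so please state whether the adjustment was context and offsets only or whether any test was changed or dropped relative to upstream. Since the changelog tags this [SECURITY], it is also worth checking that no other test in may_open() in the 2.6.18 tree still compares flag against FMODE_WRITE, and adding a regression check that a write-intent open of a directory returns -EISDIR and a write-intent open on a read-only filesystem returns -EROFS.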