[Glibc-bsd-commits] r2312 - in trunk/kfreebsd-6/debian: . patches

aurel32 at alioth.debian.org aurel32 at alioth.debian.org
Thu Sep 4 09:42:17 UTC 2008


Author: aurel32
Date: 2008-09-04 09:42:17 +0000 (Thu, 04 Sep 2008)
New Revision: 2312

Added:
   trunk/kfreebsd-6/debian/patches/000_amd64.diff
   trunk/kfreebsd-6/debian/patches/000_icmp6.diff
   trunk/kfreebsd-6/debian/patches/000_nmount.diff
Modified:
   trunk/kfreebsd-6/debian/changelog
   trunk/kfreebsd-6/debian/patches/series
Log:
  * Fix amd64 swapgs local privilege escalation 
    (FreeBSD-SA-08:07.amd64 / CVE-2008-3890).
  * Fix nmount(2) local arbitrary code execution 
    (FreeBSD-SA-08:08.nmount / CVE-2008-3531).
  * Fix remote kernel panics on IPv6 connections 
    (FreeBSD-SA-08:09.icmp6 / CVE-2008-3530).



Modified: trunk/kfreebsd-6/debian/changelog
===================================================================
--- trunk/kfreebsd-6/debian/changelog	2008-09-01 10:38:03 UTC (rev 2311)
+++ trunk/kfreebsd-6/debian/changelog	2008-09-04 09:42:17 UTC (rev 2312)
@@ -1,3 +1,14 @@
+kfreebsd-6 (6.3-7) unstable; urgency=high
+
+  * Fix amd64 swapgs local privilege escalation 
+    (FreeBSD-SA-08:07.amd64 / CVE-2008-3890).
+  * Fix nmount(2) local arbitrary code execution 
+    (FreeBSD-SA-08:08.nmount / CVE-2008-3531).
+  * Fix remote kernel panics on IPv6 connections 
+    (FreeBSD-SA-08:09.icmp6 /CVE-2008-3530).
+
+ -- Aurelien Jarno <aurel32 at debian.org>  Thu, 04 Sep 2008 11:36:54 +0200
+
 kfreebsd-6 (6.3-6) unstable; urgency=low
 
   [ Petr Salinger ]

Added: trunk/kfreebsd-6/debian/patches/000_amd64.diff
===================================================================
--- trunk/kfreebsd-6/debian/patches/000_amd64.diff	                        (rev 0)
+++ trunk/kfreebsd-6/debian/patches/000_amd64.diff	2008-09-04 09:42:17 UTC (rev 2312)
@@ -0,0 +1,25 @@
+Index: src/sys/amd64/amd64/exception.S
+===================================================================
+RCS file: /home/ncvs/src/sys/amd64/amd64/exception.S,v
+retrieving revision 1.132
+retrieving revision 1.133
+diff -u -d -r1.132 -r1.133
+--- src/sys/amd64/amd64/exception.S	24 May 2008 06:32:26 -0000	1.132
++++ src/sys/amd64/amd64/exception.S	18 Aug 2008 08:47:27 -0000	1.133
+@@ -636,13 +636,10 @@
+ 	.globl	doreti_iret_fault
+ doreti_iret_fault:
+ 	subq	$TF_RIP,%rsp		/* space including tf_err, tf_trapno */
+-	testb	$SEL_RPL_MASK,TF_CS(%rsp) /* Did we come from kernel? */
+-	jz	1f			/* already running with kernel GS.base */
+-	swapgs
+-1:	testl	$PSL_I,TF_RFLAGS(%rsp)
+-	jz	2f
++	testl	$PSL_I,TF_RFLAGS(%rsp)
++	jz	1f
+ 	sti
+-2:	movq	%rdi,TF_RDI(%rsp)
++1:	movq	%rdi,TF_RDI(%rsp)
+ 	movq	%rsi,TF_RSI(%rsp)
+ 	movq	%rdx,TF_RDX(%rsp)
+ 	movq	%rcx,TF_RCX(%rsp)
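Review bot: Nothing at `doreti_iret_fault` records the GS.base invariant the new code depends on: with the `testb $SEL_RPL_MASK,TF_CS(%rsp)` / `swapgs` pair removed, this label must only ever be reached with the kernel GS.base already loaded. Presumably the trap entry path performs the swap for a fault taken at the iret itself, but that code is outside this hunk, so the assumption should be confirmed against it and written down. I would add a comment above the `testl $PSL_I,TF_RFLAGS(%rsp)` line, for example `/* GS.base is already the kernel's here; do not swapgs again. */`, so a later edit does not reintroduce the extra swap. The routine's body continues past the end of the hunk.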

Added: trunk/kfreebsd-6/debian/patches/000_icmp6.diff
===================================================================
--- trunk/kfreebsd-6/debian/patches/000_icmp6.diff	                        (rev 0)
+++ trunk/kfreebsd-6/debian/patches/000_icmp6.diff	2008-09-04 09:42:17 UTC (rev 2312)
@@ -0,0 +1,23 @@
+Index: src/sys/netinet6/icmp6.c
+===================================================================
+RCS file: /home/ncvs/src/sys/netinet6/icmp6.c,v
+retrieving revision 1.80.2.4
+diff -u -p -r1.80.2.4 icmp6.c
+--- src/sys/netinet6/icmp6.c	31 Aug 2008 21:54:24 -0000	1.80.2.4
++++ src/sys/netinet6/icmp6.c	1 Sep 2008 23:03:44 -0000
+@@ -1117,6 +1117,15 @@ icmp6_mtudisc_update(struct ip6ctlparam 
+ 	if (!validated)
+ 		return;
+ 
++	/*
++	 * In case the suggested mtu is less than IPV6_MMTU, we
++	 * only need to remember that it was for above mentioned
++	 * "alwaysfrag" case.
++	 * Try to be as close to the spec as possible.
++	 */
++	if (mtu < IPV6_MMTU)
++		mtu = IPV6_MMTU - 8;
++
+ 	bzero(&inc, sizeof(inc));
+ 	inc.inc_flags = 1; /* IPv6 */
+ 	inc.inc6_faddr = *dst;
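Review bot: The bare `8` in `mtu = IPV6_MMTU - 8;` is unexplained, and the new comment refers to an "above mentioned alwaysfrag case" that is not visible at this spot. If the 8 is the size of the IPv6 fragment header, which is my reading but is not shown in the hunk, say so next to the assignment, e.g. `/* leave room for the 8-byte fragment header */`. The comment could also state that mtu appears to be taken from a received ICMPv6 message and that values below IPV6_MMTU must not be recorded as-is, since that is why the clamp exists. `icmp6_mtudisc_update` starts and ends outside the hunk, so whether mtu is also bounded from above cannot be checked from here.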

Added: trunk/kfreebsd-6/debian/patches/000_nmount.diff
===================================================================
--- trunk/kfreebsd-6/debian/patches/000_nmount.diff	                        (rev 0)
+++ trunk/kfreebsd-6/debian/patches/000_nmount.diff	2008-09-04 09:42:17 UTC (rev 2312)
@@ -0,0 +1,17 @@
+Index: src/sys/kern/vfs_mount.c
+===================================================================
+RCS file: /usr/ncvs/src/sys/kern/vfs_mount.c,v
+retrieving revision 1.265.2.3
+diff -u -r1.265.2.3 vfs_mount.c
+--- src/sys/kern/vfs_mount.c	6 Apr 2008 10:02:20 -0000	1.265.2.3
++++ src/sys/kern/vfs_mount.c	17 Jul 2008 15:39:37 -0000
+@@ -1830,7 +1830,8 @@
+ 		}
+ 		if (*t != NULL)
+ 			continue;
+-		sprintf(errmsg, "mount option <%s> is unknown", p);
++		snprintf(errmsg, sizeof(errmsg),
++		    "mount option <%s> is unknown", p);
+ 		printf("%s\n", errmsg);
+ 		ret = EINVAL;
+ 	}
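Review bot: `sizeof(errmsg)` in the new `snprintf` call is the buffer length only if `errmsg` is declared as an array in this function; the declaration is outside the hunk, and if it were a `char *` the bound would silently become the pointer size. Confirm that against the declaration, and if it is an array, a short comment such as `/* errmsg is a fixed-size array; the option name p is caller-supplied and may be longer */` would record why the bound matters. An over-long option name is now truncated in the message rather than reported in full, which is acceptable for a diagnostic. The enclosing function starts and ends outside the hunk.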

Modified: trunk/kfreebsd-6/debian/patches/series
===================================================================
--- trunk/kfreebsd-6/debian/patches/series	2008-09-01 10:38:03 UTC (rev 2311)
+++ trunk/kfreebsd-6/debian/patches/series	2008-09-04 09:42:17 UTC (rev 2312)
@@ -1,5 +1,8 @@
 000_sendfile.diff -p1
 000_nfe.diff -p1
+000_amd64.diff -p1
+000_icmp6.diff -p1
+000_nmount.diff -p1
 001_misc.diff -p1
 003_glibc_dev_aicasm.diff -p1
 004_xargs.diff -p1



