[Glibc-bsd-commits] r4939 - in branches/wheezy/kfreebsd-9/debian: . patches
Steven Chamberlain
stevenc-guest at alioth.debian.org
Tue Sep 10 11:45:26 UTC 2013
Author: stevenc-guest
Date: 2013-09-10 11:45:25 +0000 (Tue, 10 Sep 2013)
New Revision: 4939
Added:
branches/wheezy/kfreebsd-9/debian/patches/SA-13_12.ifioctl.diff
branches/wheezy/kfreebsd-9/debian/patches/SA-13_13.nullfs.diff
Modified:
branches/wheezy/kfreebsd-9/debian/changelog
branches/wheezy/kfreebsd-9/debian/patches/series
Log:
* Pick SVN 255443 from FreeBSD 9-STABLE to fix SA-13:12 / CVE-2013-5691: ifioctl credential checks missing (Closes: #722338)
* Pick SVN 255443 from FreeBSD 9-STABLE to fix SA-13:13 / CVE-2013-5710: nullfs hardlinks across mounts (Closes: #722337)
Modified: branches/wheezy/kfreebsd-9/debian/changelog
===================================================================
--- branches/wheezy/kfreebsd-9/debian/changelog 2013-09-09 22:09:15 UTC (rev 4938)
+++ branches/wheezy/kfreebsd-9/debian/changelog 2013-09-10 11:45:25 UTC (rev 4939)
@@ -1,3 +1,13 @@
+kfreebsd-9 (9.0-10+deb70.4) UNRELEASED; urgency=high
+
+ * Team upload.
+ * Pick SVN 255443 from FreeBSD 9-STABLE to fix SA-13:12 / CVE-2013-5691:
+ ifioctl credential checks missing (Closes: #722338)
+ * Pick SVN 255443 from FreeBSD 9-STABLE to fix SA-13:13 / CVE-2013-5710:
+ nullfs hardlinks across mounts (Closes: #722337)
+
+ -- Steven Chamberlain <steven at pyro.eu.org> Tue, 10 Sep 2013 11:57:14 +0100
+
kfreebsd-9 (9.0-10+deb70.3) wheezy-security; urgency=high
* Team upload.
Added: branches/wheezy/kfreebsd-9/debian/patches/SA-13_12.ifioctl.diff
===================================================================
--- branches/wheezy/kfreebsd-9/debian/patches/SA-13_12.ifioctl.diff (rev 0)
+++ branches/wheezy/kfreebsd-9/debian/patches/SA-13_12.ifioctl.diff 2013-09-10 11:45:25 UTC (rev 4939)
@@ -0,0 +1,99 @@
+Description:
+ In IPv6 and NetATM, stop SIOCSIFADDR, SIOCSIFBRDADDR, SIOCSIFDSTADDR
+ and SIOCSIFNETMASK at the socket layer rather than pass them on to the
+ link layer without validation or credential checks. [SA-13:12]
+ (CVE-2013-5691)
+Origin: vendor, http://security.FreeBSD.org/patches/SA-13:12/ifioctl.patch
+Bug: http://security.FreeBSD.org/advisories/FreeBSD-SA-13:12.ifioctl.asc
+Bug-Debian: http://bugs.debian.org/722338
+Applied-Upstream: http://svnweb.freebsd.org/base?view=revision&revision=255443
+
+Index: kfreebsd-9-9.0/sys/netinet6/in6.c
+===================================================================
+--- kfreebsd-9-9.0.orig/sys/netinet6/in6.c 2013-09-10 12:00:48.187797771 +0100
++++ kfreebsd-9-9.0/sys/netinet6/in6.c 2013-09-10 12:00:48.821802804 +0100
+@@ -418,6 +418,18 @@
+ case SIOCGIFSTAT_ICMP6:
+ sa6 = &ifr->ifr_addr;
+ break;
++ case SIOCSIFADDR:
++ case SIOCSIFBRDADDR:
++ case SIOCSIFDSTADDR:
++ case SIOCSIFNETMASK:
++ /*
++ * Although we should pass any non-INET6 ioctl requests
++ * down to driver, we filter some legacy INET requests.
++ * Drivers trust SIOCSIFADDR et al to come from an already
++ * privileged layer, and do not perform any credentials
++ * checks or input validation.
++ */
++ return (EINVAL);
+ default:
+ sa6 = NULL;
+ break;
+Index: kfreebsd-9-9.0/sys/netnatm/natm.c
+===================================================================
+--- kfreebsd-9-9.0.orig/sys/netnatm/natm.c 2009-05-20 18:00:16.000000000 +0100
++++ kfreebsd-9-9.0/sys/netnatm/natm.c 2013-09-10 12:00:48.832906800 +0100
+@@ -339,6 +339,21 @@
+ npcb = (struct natmpcb *)so->so_pcb;
+ KASSERT(npcb != NULL, ("natm_usr_control: npcb == NULL"));
+
++ switch (cmd) {
++ case SIOCSIFADDR:
++ case SIOCSIFBRDADDR:
++ case SIOCSIFDSTADDR:
++ case SIOCSIFNETMASK:
++ /*
++ * Although we should pass any non-ATM ioctl requests
++ * down to driver, we filter some legacy INET requests.
++ * Drivers trust SIOCSIFADDR et al to come from an already
++ * privileged layer, and do not perform any credentials
++ * checks or input validation.
++ */
++ return (EINVAL);
++ }
++
+ if (ifp == NULL || ifp->if_ioctl == NULL)
+ return (EOPNOTSUPP);
+ return ((*ifp->if_ioctl)(ifp, cmd, arg));
+Index: kfreebsd-9-9.0/sys/net/if.c
+===================================================================
+--- kfreebsd-9-9.0.orig/sys/net/if.c 2011-07-03 13:22:02.000000000 +0100
++++ kfreebsd-9-9.0/sys/net/if.c 2013-09-10 12:00:48.906783323 +0100
+@@ -2546,11 +2546,23 @@
+ CURVNET_RESTORE();
+ return (EOPNOTSUPP);
+ }
++
++ /*
++ * Pass the request on to the socket control method, and if the
++ * latter returns EOPNOTSUPP, directly to the interface.
++ *
++ * Make an exception for the legacy SIOCSIF* requests. Drivers
++ * trust SIOCSIFADDR et al to come from an already privileged
++ * layer, and do not perform any credentials checks or input
++ * validation.
++ */
+ #ifndef COMPAT_43
+ error = ((*so->so_proto->pr_usrreqs->pru_control)(so, cmd,
+ data,
+ ifp, td));
+- if (error == EOPNOTSUPP && ifp != NULL && ifp->if_ioctl != NULL)
++ if (error == EOPNOTSUPP && ifp != NULL && ifp->if_ioctl != NULL &&
++ cmd != SIOCSIFADDR && cmd != SIOCSIFBRDADDR &&
++ cmd != SIOCSIFDSTADDR && cmd != SIOCSIFNETMASK)
+ error = (*ifp->if_ioctl)(ifp, cmd, data);
+ #else
+ {
+@@ -2594,7 +2606,9 @@
+ data,
+ ifp, td));
+ if (error == EOPNOTSUPP && ifp != NULL &&
+- ifp->if_ioctl != NULL)
++ ifp->if_ioctl != NULL &&
++ cmd != SIOCSIFADDR && cmd != SIOCSIFBRDADDR &&
++ cmd != SIOCSIFDSTADDR && cmd != SIOCSIFNETMASK)
+ error = (*ifp->if_ioctl)(ifp, cmd, data);
+ switch (ocmd) {
+
Added: branches/wheezy/kfreebsd-9/debian/patches/SA-13_13.nullfs.diff
===================================================================
--- branches/wheezy/kfreebsd-9/debian/patches/SA-13_13.nullfs.diff (rev 0)
+++ branches/wheezy/kfreebsd-9/debian/patches/SA-13_13.nullfs.diff 2013-09-10 11:45:25 UTC (rev 4939)
@@ -0,0 +1,36 @@
+Description:
+ Prevent cross-mount hardlinks between different nullfs mounts of the
+ same underlying filesystem. [SA-13:13] (CVE-2013-5710)
+Origin: vendor, http://security.FreeBSD.org/patches/SA-13:13/nullfs.patch
+Bug: http://security.FreeBSD.org/advisories/FreeBSD-SA-13:13.nullfs.asc
+Bug-Debian: http://bugs.debian.org/722337
+Applied-Upstream: http://svnweb.freebsd.org/base?view=revision&revision=255443
+
+Index: kfreebsd-9-9.0/sys/fs/nullfs/null_vnops.c
+===================================================================
+--- kfreebsd-9-9.0.orig/sys/fs/nullfs/null_vnops.c 2013-09-10 12:00:48.309797010 +0100
++++ kfreebsd-9-9.0/sys/fs/nullfs/null_vnops.c 2013-09-10 12:00:58.269784374 +0100
+@@ -816,6 +816,15 @@
+ return (error);
+ }
+
++static int
++null_link(struct vop_link_args *ap)
++{
++
++ if (ap->a_tdvp->v_mount != ap->a_vp->v_mount)
++ return (EXDEV);
++ return (null_bypass((struct vop_generic_args *)ap));
++}
++
+ /*
+ * Global vfs data structures
+ */
+@@ -829,6 +838,7 @@
+ .vop_getwritemount = null_getwritemount,
+ .vop_inactive = null_inactive,
+ .vop_islocked = vop_stdislocked,
++ .vop_link = null_link,
+ .vop_lock1 = null_lock,
+ .vop_lookup = null_lookup,
+ .vop_open = null_open,
Modified: branches/wheezy/kfreebsd-9/debian/patches/series
===================================================================
--- branches/wheezy/kfreebsd-9/debian/patches/series 2013-09-09 22:09:15 UTC (rev 4938)
+++ branches/wheezy/kfreebsd-9/debian/patches/series 2013-09-10 11:45:25 UTC (rev 4939)
@@ -13,6 +13,8 @@
SA-13_08.nfsserver.patch
SA-13_09.ip_multicast.patch
SA-13_10.sctp.patch
+SA-13_12.ifioctl.diff
+SA-13_13.nullfs.diff
# Other patches that might or might not be mergeable
001_misc.diff
More information about the Glibc-bsd-commits
mailing list