[Glibc-bsd-commits] r5683 - in branches/wheezy/kfreebsd-9/debian: . patches
stevenc-guest at alioth.debian.org
Wed Nov 5 01:48:52 UTC 2014
Author: stevenc-guest
Date: 2014-11-05 01:48:52 +0000 (Wed, 05 Nov 2014)
New Revision: 5683
Added:
branches/wheezy/kfreebsd-9/debian/patches/SA-14_25.setlogin.patch
Modified:
branches/wheezy/kfreebsd-9/debian/changelog
branches/wheezy/kfreebsd-9/debian/patches/series
Log:
Pick SVN r274112 from FreeBSD 9.1-RELEASE to fix SA-14:25 / CVE-2014-8476:
Kernel stack disclosure in setlogin(2) / getlogin(2) (Closes: #768104)
Modified: branches/wheezy/kfreebsd-9/debian/changelog
===================================================================
--- branches/wheezy/kfreebsd-9/debian/changelog 2014-11-04 01:43:38 UTC (rev 5682)
+++ branches/wheezy/kfreebsd-9/debian/changelog 2014-11-05 01:48:52 UTC (rev 5683)
@@ -7,8 +7,11 @@
security issues (CVE-2014-3953)
* Pick SVN 273412 from FreeBSD 9-STABLE to fix SA-14:22 / CVE-2014-3711:
Memory leak in sandboxed namei lookup (Closes: #766275)
- -- Steven Chamberlain <steven at pyro.eu.org> Tue, 08 Jul 2014 23:03:16 +0000
+ * Pick SVN r274112 from FreeBSD 9.1-RELEASE to fix SA-14:25 / CVE-2014-8476:
+ Kernel stack disclosure in setlogin(2) / getlogin(2) (Closes: #768104)
+ -- Steven Chamberlain <steven at pyro.eu.org> Wed, 05 Nov 2014 01:17:16 +0000
+
kfreebsd-9 (9.0-10+deb70.7) wheezy-security; urgency=high
* Team upload.
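Review bot: the new changelog entry writes the upstream revision as "SVN r274112" while the entry directly above it in this hunk writes "SVN 273412" with no "r" prefix; use one form so revisions can be searched consistently. The new entry also names its source as "9.1-RELEASE" where the previous entry names "9-STABLE"; if that follows from the patch Origin (setlogin-91.patch) it is fine, otherwise align the wording.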
Added: branches/wheezy/kfreebsd-9/debian/patches/SA-14_25.setlogin.patch
===================================================================
--- branches/wheezy/kfreebsd-9/debian/patches/SA-14_25.setlogin.patch (rev 0)
+++ branches/wheezy/kfreebsd-9/debian/patches/SA-14_25.setlogin.patch 2014-11-05 01:48:52 UTC (rev 5683)
@@ -0,0 +1,69 @@
+Description:
+ Fix kernel stack disclosure in setlogin(2) / getlogin(2). [SA-14:25]
+ (CVE-2014-8476)
+Origin: vendor, http://security.FreeBSD.org/patches/SA-14:25/setlogin-91.patch
+Bug: http://security.freebsd.org/advisories/FreeBSD-SA-14:25.setlogin.asc
+Bug-Debian: http://bugs.debian.org/768104
+Applied-Upstream: http://svnweb.freebsd.org/base?view=revision&revision=274112
+
+--- a/sys/kern/kern_prot.c
++++ b/sys/kern/kern_prot.c
+@@ -2073,19 +2073,20 @@
+ int
+ sys_getlogin(struct thread *td, struct getlogin_args *uap)
+ {
+- int error;
+ char login[MAXLOGNAME];
+ struct proc *p = td->td_proc;
++ size_t len;
+
+ if (uap->namelen > MAXLOGNAME)
+ uap->namelen = MAXLOGNAME;
+ PROC_LOCK(p);
+ SESS_LOCK(p->p_session);
+- bcopy(p->p_session->s_login, login, uap->namelen);
++ len = strlcpy(login, p->p_session->s_login, uap->namelen) + 1;
+ SESS_UNLOCK(p->p_session);
+ PROC_UNLOCK(p);
+- error = copyout(login, uap->namebuf, uap->namelen);
+- return(error);
++ if (len > uap->namelen)
++ return (ERANGE);
++ return (copyout(login, uap->namebuf, len));
+ }
+
+ /*
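Review bot: in sys_getlogin(), a caller whose buffer is too short for the stored name now gets ERANGE from "if (len > uap->namelen) return (ERANGE);", where the old bcopy()/copyout() path returned a truncated copy; that is a user-visible behaviour change and deserves a comment at the check and a mention in the changelog. A one-line comment that len is the strlcpy() return value plus one for the terminating NUL would also make it clear that copyout() now only exposes bytes strlcpy() actually wrote into the uninitialised login[] array, which is the property the fix depends on.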
+@@ -2104,21 +2105,23 @@
+ int error;
+ char logintmp[MAXLOGNAME];
+
++ CTASSERT(sizeof(p->p_session->s_login) >= sizeof(logintmp));
++
+ error = priv_check(td, PRIV_PROC_SETLOGIN);
+ if (error)
+ return (error);
+ error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL);
+- if (error == ENAMETOOLONG)
+- error = EINVAL;
+- else if (!error) {
+- PROC_LOCK(p);
+- SESS_LOCK(p->p_session);
+- (void) memcpy(p->p_session->s_login, logintmp,
+- sizeof(logintmp));
+- SESS_UNLOCK(p->p_session);
+- PROC_UNLOCK(p);
++ if (error != 0) {
++ if (error == ENAMETOOLONG)
++ error = EINVAL;
++ return (error);
+ }
+- return (error);
++ PROC_LOCK(p);
++ SESS_LOCK(p->p_session);
++ strcpy(p->p_session->s_login, logintmp);
++ SESS_UNLOCK(p->p_session);
++ PROC_UNLOCK(p);
++ return (0);
+ }
+
+ void
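Review bot: the "strcpy(p->p_session->s_login, logintmp);" in sys_setlogin() is bounded only indirectly, by copyinstr() limiting logintmp to sizeof(logintmp) and by the new CTASSERT on the two array sizes; say so in a comment next to the call, or use strlcpy() with sizeof(p->p_session->s_login) so the bound is visible at the copy itself. Also note that strcpy() leaves whatever followed the NUL in s_login from an earlier, longer name; that is harmless only as long as every reader stops at the NUL, as the strlcpy() in sys_getlogin() now does.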
Modified: branches/wheezy/kfreebsd-9/debian/patches/series
===================================================================
--- branches/wheezy/kfreebsd-9/debian/patches/series 2014-11-04 01:43:38 UTC (rev 5682)
+++ branches/wheezy/kfreebsd-9/debian/patches/series 2014-11-05 01:48:52 UTC (rev 5683)
@@ -23,6 +23,7 @@
EN-14_06.exec.patch
SA-14_17.kern.patch
SA-14_22.namei.patch
+SA-14_25.setlogin.patch
# Other patches that might or might not be mergeable
001_misc.diff