Author: horms
Date: 2005-03-23 08:32:38 +0100 (Wed, 23 Mar 2005)
New Revision: 2799
Added:
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/151_atm_get_addr_signedness_fix.diff
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/152_tty_copy_from_read_buf_signedness_fixes.diff
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/153_ppp_async_dos.diff
Modified:
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-9
Log:
* [SECURITY] Fix ATM copy-to-user usage. See: CAN-2005-0531.
See: http://www.guninski.com/where_do_you_want_billg_to_go_today_3.html
(closes: #296905)
* 152-n_tty_copy_from_read_buf_signedness_fixes.diff:
[SECURITY] copy_from_read_buf() fix. See: CAN-2005-0530
See: http://www.guninski.com/where_do_you_want_billg_to_go_today_3.html
(closes: #296906)
* 153_ppp_async_dos.diff:
[SECURITY] mote Linux DoS on ppp servers. See: CAN-2005-0384
Modified: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog 2005-03-23 06:14:36 UTC (rev 2798)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog 2005-03-23 07:32:38 UTC (rev 2799)
@@ -59,7 +59,7 @@
See CAN-2005-0210. (Simon Horman)
* 148_ip_evitor_smp_loop.diff:
- Fix theoretical loop on SMP in ip_evictor().
+ Fix theoretical loop on SMP in ip_evictor().
(Simon Horman, Andres Salomon)
* 149_fragment_queue_flush.diff:
@@ -72,8 +72,22 @@
*** http://oss.sgi.com/archives/netdev/2005-01/msg01048.html
*** (Simon Horman, Andres Salomon)
- -- Simon Horman <horms@debian.org> Tue, 22 Mar 2005 18:40:19 +0900
+ * 151_atm_get_addr_signedness_fix.diff:
+ [SECURITY] Fix ATM copy-to-user usage. See: CAN-2005-0531.
+ See: http://www.guninski.com/where_do_you_want_billg_to_go_today_3.html
+ (closes: #296905) (Simon Horman)
+ * 152-n_tty_copy_from_read_buf_signedness_fixes.diff:
+ [SECURITY] copy_from_read_buf() fix. See: CAN-2005-0530
+ See: http://www.guninski.com/where_do_you_want_billg_to_go_today_3.html
+ (closes: #296906) (Simon Horman)
+
+ * 153_ppp_async_dos.diff:
+ [SECURITY] mote Linux DoS on ppp servers. See: CAN-2005-0384
+ (Simon Horman)
+
+ -- Simon Horman <horms@debian.org> Wed, 23 Mar 2005 13:51:59 +0900
+
kernel-source-2.4.27 (2.4.27-8) unstable; urgency=high
* add dh_fixperms to the build targets to kernel-patch-debian-2.4.27
Added: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/151_atm_get_addr_signedness_fix.diff
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/151_atm_get_addr_signedness_fix.diff 2005-03-23 06:14:36 UTC (rev 2798)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/151_atm_get_addr_signedness_fix.diff 2005-03-23 07:32:38 UTC (rev 2799)
@@ -0,0 +1,34 @@
+# origin: Horms <horms@verge.net.au>
+# backport cset: 1.1982.55.14 (2.6) key=4208e1fcfccuD-eH2OGM5mBhihmQ3A
+# backport URL: http://linux.bkbits.net:8080/linux-2.6/cset@4208e1fcfccuD-eH2OGM5mBhihmQ3A
+# inclusion: backport from 2.6, submitted upstream
+# descrition: Fix ATM copy-to-user usage.
+# revision date: Wed, 23 Mar 2005 12:47:43 +0900
+#
+# Backport of ATM copy-to-user signedness fix from 2.6
+#
+# Signed-off-by: Simon Horman <horms@verge.net.au>
+
+===== net/atm/addr.h 1.2 vs edited =====
+--- 1.2/net/atm/addr.h 2002-02-05 16:39:14 +09:00
++++ edited/net/atm/addr.h 2005-03-23 13:40:46 +09:00
+@@ -13,6 +13,6 @@
+ void atm_reset_addr(struct atm_dev *dev);
+ int atm_add_addr(struct atm_dev *dev,struct sockaddr_atmsvc *addr);
+ int atm_del_addr(struct atm_dev *dev,struct sockaddr_atmsvc *addr);
+-int atm_get_addr(struct atm_dev *dev,struct sockaddr_atmsvc *u_buf,int size);
++int atm_get_addr(struct atm_dev *dev,struct sockaddr_atmsvc *u_buf,size_t size);
+
+ #endif
+===== net/atm/addr.c 1.4 vs edited =====
+--- 1.4/net/atm/addr.c 2003-09-04 12:31:04 +09:00
++++ edited/net/atm/addr.c 2005-03-23 13:41:03 +09:00
+@@ -114,7 +114,7 @@
+ }
+
+
+-int atm_get_addr(struct atm_dev *dev,struct sockaddr_atmsvc *u_buf,int size)
++int atm_get_addr(struct atm_dev *dev,struct sockaddr_atmsvc *u_buf,size_t size)
+ {
+ unsigned long flags;
+ struct atm_dev_addr *walk;
Added: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/152_tty_copy_from_read_buf_signedness_fixes.diff
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/152_tty_copy_from_read_buf_signedness_fixes.diff 2005-03-23 06:14:36 UTC (rev 2798)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/152_tty_copy_from_read_buf_signedness_fixes.diff 2005-03-23 07:32:38 UTC (rev 2799)
@@ -0,0 +1,23 @@
+# origin: Horms <horms@vergenet.net.au>
+# backport cset: 1.1982.29.36 (2.6) key=420181322LZmhPTewcCOLkubGwOL3w
+# backport url: http://linux.bkbits.net:8080/linux-2.6/cset@420181322LZmhPTewcCOLkubGwOL3w
+# inclusion: submitted upstream
+# description: [PATCH] Fix sign checks in copy_from_read_buf()
+# revision date: Wed, 23 Mar 2005 13:15:20 +0900
+#
+# Backport of copy_from_read_buf() signedness fix from 2.6
+#
+# Signed-off-by: Simon Horman <horms@verge.net.au>
+
+===== drivers/char/n_tty.c 1.7 vs edited =====
+--- 1.7/drivers/char/n_tty.c 2004-12-16 22:57:23 +09:00
++++ edited/drivers/char/n_tty.c 2005-03-23 13:08:37 +09:00
+@@ -1095,7 +1095,7 @@
+
+ {
+ int retval;
+- ssize_t n;
++ size_t n;
+ unsigned long flags;
+
+ retval = 0;
Added: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/153_ppp_async_dos.diff
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/153_ppp_async_dos.diff 2005-03-23 06:14:36 UTC (rev 2798)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/153_ppp_async_dos.diff 2005-03-23 07:32:38 UTC (rev 2799)
@@ -0,0 +1,43 @@
+# origin: marcelo (BitKeeper)
+# cset: 1.1583 (2.4) key=42388250emER3koZtkQ3YSiP7eNDpg
+# URL: http://linux.bkbits.net:8080/linux-2.4/cset@42388250emER3koZtkQ3YSiP7eNDpg
+# inclusion: upstream
+# descrition: Paul Mackerras: Remote Linux DoS on ppp servers (CAN-2005-0384)
+# revision date: Wed, 23 Mar 2005 13:47:45 +0900
+#
+# S rset: ChangeSet|1.1582..1.1583
+# I rset: drivers/net/ppp_async.c|1.9..1.10
+#
+# Key:
+# S: Skipped ChangeSet file only
+# O: Original Followed by Updated
+# U: Updated Included with updated range of versions
+# I: Included Included verbatim
+# E: Excluded Excluded on request from user
+# D: Deleted Manually deleted by subsequent user edit
+# R: Revised Manually revised by subsequent user edit
+#
+#
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/03/16 13:35:16-03:00 marcelo@logos.cnet
+# Paul Mackerras: Remote Linux DoS on ppp servers (CAN-2005-0384)
+#
+# drivers/net/ppp_async.c
+# 2005/03/16 13:34:30-03:00 marcelo@logos.cnet +1 -1
+# Paul Mackerras: Remote Linux DoS on ppp servers (CAN-2005-0384)
+#
+#
+===== drivers/net/ppp_async.c 1.9 vs 1.10 =====
+--- 1.9/drivers/net/ppp_async.c 2004-12-16 22:57:23 +09:00
++++ 1.10/drivers/net/ppp_async.c 2005-03-17 01:34:30 +09:00
+@@ -996,7 +996,7 @@ static void async_lcp_peek(struct asyncp
+ data += 4;
+ dlen -= 4;
+ /* data[0] is code, data[1] is length */
+- while (dlen >= 2 && dlen >= data[1]) {
++ while (dlen >= 2 && dlen >= data[1] && data[1] >= 2) {
+ switch (data[0]) {
+ case LCP_MRU:
+ val = (data[2] << 8) + data[3];
Modified: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-9
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-9 2005-03-23 06:14:36 UTC (rev 2798)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-9 2005-03-23 07:32:38 UTC (rev 2799)
@@ -15,5 +15,8 @@
+ 147_ip_copy_metadata_leak.diff
+ 148_ip_evictor_smp_loop.diff
+ 149_fragment_queue_flush.diff
-+ 150_private_fragment_queues-1.diff
-+ 150_private_fragment_queues-2.diff
+#ABI Change+ 150_private_fragment_queues-1.diff
+#ABI Change+ 150_private_fragment_queues-2.diff
++ 151_atm_get_addr_signedness_fix.diff
++ 152_tty_copy_from_read_buf_signedness_fixes.diff
++ 153_ppp_async_dos.diff