r4100 - in dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian: . patches patches/series
Simon Horman
horms at costa.debian.org
Thu Sep 1 03:58:38 UTC 2005
Author: horms
Date: 2005-09-01 03:58:37 +0000 (Thu, 01 Sep 2005)
New Revision: 4100
Added:
dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/186_linux-zlib-fixes-2.diff
dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/187_zisofs-2.diff
dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/188_fix-dst-leak-in-icmp_push_reply.diff
Modified:
dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-12
Log:
* There was a bit of a screw up in 2.4.27-11 (by me)
as 183_zisofs.diff was actually a copy of 182_linux-zlib-fixes.diff,
and due to a quirk in the apply scripts, basically caused
the zlib 182_linux-zlib-fixes.diff fixes to be reversed,
and thus neither patch was applied. 186_linux-zlib-fixes-2.diff
and 187_zisofs-2.diff resolve this problem. More information below.
(closes: #325871)
* 186_linux-zlib-fixes-2.diff
[Security] Fix security bugs in the Linux zlib implementations.
See CAN-2005-2458, CAN-2005-2459
From 2.6.12.5 and 2.6.12.6
http://sources.redhat.com/ml/bug-gnu-utils/1999-06/msg00183.html
http://bugs.gentoo.org/show_bug.cgi?id=94584
* 187_zisofs-2.diff
[Security] Check input buffer size in zisofs
From 2.6.12.5
See CAN-2005-2457.
What 183_zisofs.diff (incorrectly annotated as zisofs.dpatch)
should have been.
* 188_fix-dst-leak-in-icmp_push_reply.diff
[Maybe-Security: Can remote traffic trigger this]
Fix DST leak in icmp_push_reply()
From 2.6.12.6
Modified: dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
===================================================================
--- dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog 2005-08-31 17:11:41 UTC (rev 4099)
+++ dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog 2005-09-01 03:58:37 UTC (rev 4100)
@@ -5,18 +5,48 @@
[Security, x86_64] 32 bit ltrace oops when tracing 64 bit executable
http://lkml.org/lkml/2005/1/5/245
http://linux.bkbits.net:8080/linux-2.4/cset@41dd3455GwQPufrGvBJjcUOXQa3WXA
+
* 185_net-sockglue-cap.diff
[Security] Restrict socket policy loading to CAP_NET_ADMIN.
From 2.6.12.6
See CAN-2005-2555.
+
* control
Add build dependancy on gcc-3.3 (closes: #324591)
+
* zisofs.dpatch (actually 183_zisofs.dpatch) from the previous release
now has a CAN number.
See CAN-2005-2457.
- -- Simon Horman <horms at debian.org> Wed, 31 Aug 2005 19:07:22 +0900
+ * There was a bit of a screw up in 2.4.27-11 (by me)
+ as 183_zisofs.diff was actually a copy of 182_linux-zlib-fixes.diff,
+ and due to a quirk in the apply scripts, basically caused
+ the zlib 182_linux-zlib-fixes.diff fixes to be reversed,
+ and thus neither patch was applied. 186_linux-zlib-fixes-2.diff
+ and 187_zisofs-2.diff resolve this problem. More information below.
+ (closes: #325871)
+ * 186_linux-zlib-fixes-2.diff
+ [Security] Fix security bugs in the Linux zlib implementations.
+ See CAN-2005-2458, CAN-2005-2459
+ From 2.6.12.5 and 2.6.12.6
+ http://sources.redhat.com/ml/bug-gnu-utils/1999-06/msg00183.html
+ http://bugs.gentoo.org/show_bug.cgi?id=94584
+
+ * 187_zisofs-2.diff
+ [Security] Check input buffer size in zisofs
+ From 2.6.12.5
+ See CAN-2005-2457.
+ What 183_zisofs.diff (incorectly annotated as zisofs.dpatch)
+ should have been.
+
+ * 188_fix-dst-leak-in-icmp_push_reply.diff
+ [Maybe-Security: Can remote traffic trigger this]
+ Fix DST leak in icmp_push_reply()
+ From 2.6.12.6
+
+ -- Simon Horman <horms at debian.org> Thu, 1 Sep 2005 12:27:12 +0900
+
kernel-source-2.4.27 (2.4.27-11) unstable; urgency=low
[ Simon Horman ]
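Review bot: The 188 entry goes in with an open question as its tag, "[Maybe-Security: Can remote traffic trigger this]"; settle whether icmp_push_reply() is reachable from remote traffic before upload, or at least end the tag with a question mark so it is not read as a statement. In the 187 entry "incorectly" should be "incorrectly", and the same file is called 183_zisofs.diff in the new text but 183_zisofs.dpatch in the retained entry just above, so pick one name. That retained entry also still presents the previous release's zisofs patch as the fix for CAN-2005-2457, while the new first bullet says it was never applied; a short cross-reference to 187 there would avoid misleading anyone who reads only that bullet.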
Added: dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/186_linux-zlib-fixes-2.diff
===================================================================
--- dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/186_linux-zlib-fixes-2.diff 2005-08-31 17:11:41 UTC (rev 4099)
+++ dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/186_linux-zlib-fixes-2.diff 2005-09-01 03:58:37 UTC (rev 4100)
@@ -0,0 +1,92 @@
+From security-bounces at linux.kernel.org Mon Jul 25 15:16:42 2005
+Date: Mon, 25 Jul 2005 23:16:13 +0100
+From: Tim Yamin <plasmaroo at gentoo.org>
+To: security at kernel.org
+Subject: [PATCH] Update in-kernel zlib routines (CAN-2005-2458, CAN-2005-2459)
+
+Fix outstanding security bugs in the Linux zlib implementations. See:
+
+a) http://sources.redhat.com/ml/bug-gnu-utils/1999-06/msg00183.html
+CAN-2005-2458
+
+b) http://bugs.gentoo.org/show_bug.cgi?id=94584
+CAN-2005-2459
+
+Signed-off-by: Tim Yamin <plasmaroo at gentoo.org>
+Signed-off-by: Tavis Ormandy <taviso at gentoo.org>
+Signed-off-by: Chris Wright <chrisw at osdl.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+ arch/ppc64/boot/zlib.c | 3 ++-
+ lib/inflate.c | 16 +++++++++-------
+ lib/zlib_inflate/inftrees.c | 2 +-
+ 3 files changed, 12 insertions(+), 9 deletions(-)
+
+Index: linux-2.6.12.y/lib/inflate.c
+===================================================================
+--- linux-2.6.12.y.orig/lib/inflate.c
++++ linux-2.6.12.y/lib/inflate.c
+@@ -326,7 +326,7 @@ DEBG("huft1 ");
+ {
+ *t = (struct huft *)NULL;
+ *m = 0;
+- return 0;
++ return 2;
+ }
+
+ DEBG("huft2 ");
+@@ -374,6 +374,7 @@ DEBG("huft5 ");
+ if ((j = *p++) != 0)
+ v[x[j]++] = i;
+ } while (++i < n);
++ n = x[g]; /* set n to length of v */
+
+ DEBG("h6 ");
+
+@@ -410,12 +411,13 @@ DEBG1("1 ");
+ DEBG1("2 ");
+ f -= a + 1; /* deduct codes from patterns left */
+ xp = c + k;
+- while (++j < z) /* try smaller tables up to z bits */
+- {
+- if ((f <<= 1) <= *++xp)
+- break; /* enough codes to use up j bits */
+- f -= *xp; /* else deduct codes from patterns */
+- }
++ if (j < z)
++ while (++j < z) /* try smaller tables up to z bits */
++ {
++ if ((f <<= 1) <= *++xp)
++ break; /* enough codes to use up j bits */
++ f -= *xp; /* else deduct codes from patterns */
++ }
+ }
+ DEBG1("3 ");
+ z = 1 << j; /* table entries for j-bit table */
+Index: linux-2.6.12.y/lib/zlib_inflate/inftrees.c
+===================================================================
+
+Ommitted as it was subsequently reversed in 2.6.8.6
+
+
+Index: linux-2.6.12.y/arch/ppc64/boot/zlib.c
+===================================================================
+--- linux-2.6.12.y.orig/arch/ppc64/boot/zlib.c
++++ linux-2.6.12.y/arch/ppc64/boot/zlib.c
+@@ -1307,7 +1307,7 @@ local int huft_build(
+ {
+ *t = (inflate_huft *)Z_NULL;
+ *m = 0;
+- return Z_OK;
++ return Z_DATA_ERROR;
+ }
+
+
+@@ -1351,6 +1351,7 @@ local int huft_build(
+ if ((j = *p++) != 0)
+ v[x[j]++] = i;
+ } while (++i < n);
++ n = x[g]; /* set n to length of v */
+
+
+ /* Generate the Huffman codes and for each, make the table entries */
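Review bot: The lib/zlib_inflate/inftrees.c stanza was reduced to the free-text line "Ommitted as it was subsequently reversed in 2.6.8.6", but the diffstat in the header still lists that file and still reads "3 files changed, 12 insertions(+), 9 deletions(-)". Drop the empty Index stanza and regenerate the diffstat, or add a line to the header saying the patch was edited for Debian, as 187 does with "Rediffed by Horms". The version "2.6.8.6" does not match the "From 2.6.12.5 and 2.6.12.6" given in the changelog, so please confirm which release reverted the inftrees.c change. In the lib/inflate.c hunk the new "if (j < z)" guards a multi-line while loop without braces of its own; adding them would make the scope obvious to the next person who touches it.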
Added: dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/187_zisofs-2.diff
===================================================================
--- dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/187_zisofs-2.diff 2005-08-31 17:11:41 UTC (rev 4099)
+++ dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/187_zisofs-2.diff 2005-09-01 03:58:37 UTC (rev 4100)
@@ -0,0 +1,64 @@
+From torvalds at osdl.org Sat Aug 6 11:33:12 2005
+Date: Sat, 6 Aug 2005 11:33:11 -0700 (PDT)
+From: Linus Torvalds <torvalds at osdl.org>
+To: Tim Yamin <plasmaroo at gentoo.org>
+cc: "H. Peter Anvin" <hpa at zytor.com>, Chris Wright <chrisw at osdl.org>,
+ security at kernel.org
+Subject: Check input buffer size in zisofs
+
+Add fakey 'deflateBound()' function to the in-kernel zlib routines
+
+It's not the real deflateBound() in newer zlib libraries, partly because
+the upcoming usage of it won't have the "stream" available, so we can't
+have the same interfaces anyway.
+
+This uses the new deflateBound() thing to sanity-check the input to the
+zlib decompressor before we even bother to start reading in the blocks.
+
+Problem noted by Tim Yamin <plasmaroo at gentoo.org>
+
+Signed-off-by: Chris Wright <chrisw at osdl.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+Signed-off-by: H. Peter Anvin <hpa at zytor.com>
+---
+ fs/isofs/compress.c | 6 ++++++
+ include/linux/zlib.h | 5 +++++
+ 2 files changed, 11 insertions(+)
+
+Rediffed by Horms for Debian's 2.4.27
+
+Index: linux-2.6.12.y/include/linux/zlib.h
+===================================================================
+--- a/include/linux/zlib.h 2005-09-01 11:36:50.000000000 +0900
++++ b/include/linux/zlib.h 2005-09-01 11:37:39.000000000 +0900
+@@ -516,6 +516,11 @@
+ stream state was inconsistent (such as zalloc or state being NULL).
+ */
+
++static inline unsigned long deflateBound(unsigned long s)
++{
++ return s + ((s + 7) >> 3) + ((s + 63) >> 6) + 11;
++}
++
+ ZEXTERN int ZEXPORT zlib_deflateParams OF((z_streamp strm,
+ int level,
+ int strategy));
+Index: linux-2.6.12.y/fs/isofs/compress.c
+===================================================================
+--- linux-2.6.12.y.orig/fs/isofs/compress.c
++++ linux-2.6.12.y/fs/isofs/compress.c
+@@ -129,8 +129,14 @@ static int zisofs_readpage(struct file *
+ cend = le32_to_cpu(*(__le32 *)(bh->b_data + (blockendptr & bufmask)));
+ brelse(bh);
+
++ if (cstart > cend)
++ goto eio;
++
+ csize = cend-cstart;
+
++ if (csize > deflateBound(1UL << zisofs_block_shift))
++ goto eio;
++
+ /* Now page[] contains an array of pages, any of which can be NULL,
+ and the locks on which we hold. We should now read the data and
+ release the pages. If the pages are NULL the decompressed data
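Review bot: The fs/isofs/compress.c stanza does not look rediffed: it keeps the linux-2.6.12.y.orig paths and a "__le32" cast in its first context line, whereas the zlib.h stanza carries a/ and b/ paths with 2005-09-01 timestamps. Since the header says "Rediffed by Horms for Debian's 2.4.27", please confirm this stanza applies to the 2.4.27 tree without fuzz or rejects, otherwise the cstart > cend and csize checks are silently not added. On the zlib.h side, the new static inline is named deflateBound() while the neighbouring declaration in the context is zlib_deflateParams(); the message already says it is not the real deflateBound(), so a zlib_ prefix or a one-line comment above the function stating that it takes a plain size and not a stream would keep it from being mistaken for the library call.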
Added: dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/188_fix-dst-leak-in-icmp_push_reply.diff
===================================================================
--- dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/188_fix-dst-leak-in-icmp_push_reply.diff 2005-08-31 17:11:41 UTC (rev 4099)
+++ dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/188_fix-dst-leak-in-icmp_push_reply.diff 2005-09-01 03:58:37 UTC (rev 4100)
@@ -0,0 +1,39 @@
+From linux-kernel-owner+chrisw=40osdl.org-S932397AbVHRS7i at vger.kernel.org Thu Aug 18 12:00:13 2005
+Date: Thu, 18 Aug 2005 20:59:37 +0200
+From: Patrick McHardy <kaber at trash.net>
+To: Ollie Wild <aaw at rincewind.tv>
+CC: linux-kernel at vger.kernel.org, Maillist netdev <netdev at oss.sgi.com>
+Subject: [IPV4]: Fix DST leak in icmp_push_reply()
+
+Based upon a bug report and initial patch by
+Ollie Wild.
+
+Signed-off-by: Patrick McHardy <kaber at trash.net>
+Signed-off-by: "David S. Miller" <davem at davemloft.net>
+Signed-off-by: Chris Wright <chrisw at osdl.org>
+---
+ net/ipv4/icmp.c | 12 ++++++------
+ 1 files changed, 6 insertions(+), 6 deletions(-)
+
+Index: linux-2.6.12.y/net/ipv4/icmp.c
+===================================================================
+--- a/net/ipv4/icmp.c 2005-09-01 12:04:56.000000000 +0900
++++ b/net/ipv4/icmp.c 2005-09-01 12:24:09.000000000 +0900
+@@ -297,11 +297,12 @@
+ {
+ struct sk_buff *skb;
+
+- ip_append_data(icmp_socket->sk, icmp_glue_bits, icmp_param,
+- icmp_param->data_len+icmp_param->head_len,
+- icmp_param->head_len,
+- ipc, rt, MSG_DONTWAIT);
+-
++ if (ip_append_data(icmp_socket->sk, icmp_glue_bits, icmp_param,
++ icmp_param->data_len+icmp_param->head_len,
++ icmp_param->head_len,
++ ipc, rt, MSG_DONTWAIT) < 0)
++ ip_flush_pending_frames(icmp_socket->sk);
++ else if ((skb = skb_peek(&icmp_socket->sk->sk_write_queue)) != NULL) {
+ if ((skb = skb_peek(&icmp_socket->sk->write_queue)) != NULL) {
+ struct icmphdr *icmph = skb->h.icmph;
+ unsigned int csum = 0;
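Review bot: The last added line, "else if ((skb = skb_peek(&icmp_socket->sk->sk_write_queue)) != NULL) {", is followed by the unchanged context line "if ((skb = skb_peek(&icmp_socket->sk->write_queue)) != NULL) {", so after applying there are two opening braces for one block and two skb_peek() calls. The added line also uses the field name sk_write_queue while the surrounding 2.4 context uses write_queue. The diffstat says 6 insertions and 6 deletions but the hunk has only 5 removals, which suggests the old "if" line was meant to be removed and replaced by an "else if" on write_queue. As posted this hunk needs a respin and a compile test before it goes into the series.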
Modified: dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-12
===================================================================
--- dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-12 2005-08-31 17:11:41 UTC (rev 4099)
+++ dists/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-12 2005-09-01 03:58:37 UTC (rev 4100)
@@ -1,2 +1,5 @@
+ 184_arch-x86_64-ia32-ptrace32-oops.diff
+ 185_net-sockglue-cap.diff
++ 186_linux-zlib-fixes-2.diff
++ 187_zisofs-2.diff
++ 188_fix-dst-leak-in-icmp_push_reply.diff
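Review bot: 186 and 187 are stacked on top of the 2.4.27-11 series, which this commit leaves untouched, so the tree they apply to is still produced by 182 being applied and then reversed by the duplicate 183 through the apply-script quirk described in the log. That makes the new patches depend on the quirk staying as it is. Consider replacing the contents of 183_zisofs.diff or backing 182 and 183 out explicitly in this series, and note in the series file which approach was taken so a fresh apply of -11 followed by -12 is reproducible.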