[kernel] r10541 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series
Dann Frazier
dannf at alioth.debian.org
Thu Feb 14 04:48:57 UTC 2008
Author: dannf
Date: Thu Feb 14 04:48:54 2008
New Revision: 10541
Log:
* random-bound-check-ordering.dpatch
[SECURITY] Fix stack-based buffer overflow in the random number
generator
See CVE-2007-3105
Added:
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/random-bound-check-ordering.dpatch
Modified:
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1
Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog (original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog Thu Feb 14 04:48:54 2008
@@ -65,8 +65,12 @@
[SECURITY][powerpc] Fix NULL pointer dereference if get_property
fails on the subarchitecture
See CVE-2007-6694
+ * random-bound-check-ordering.dpatch
+ [SECURITY] Fix stack-based buffer overflow in the random number
+ generator
+ See CVE-2007-3105
- -- dann frazier <dannf at debian.org> Wed, 13 Feb 2008 21:18:45 -0700
+ -- dann frazier <dannf at debian.org> Wed, 13 Feb 2008 21:46:22 -0700
kernel-source-2.6.8 (2.6.8-17) oldstable; urgency=high
Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/random-bound-check-ordering.dpatch
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/random-bound-check-ordering.dpatch Thu Feb 14 04:48:54 2008
@@ -0,0 +1,42 @@
+From: Matt Mackall <mpm at selenic.com>
+Date: Thu, 19 Jul 2007 18:30:14 +0000 (-0700)
+Subject: random: fix bound check ordering (CVE-2007-3105)
+X-Git-Tag: v2.6.23-rc1~259
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=5a021e9ffd56c22700133ebc37d607f95be8f7bd
+
+random: fix bound check ordering (CVE-2007-3105)
+
+If root raised the default wakeup threshold over the size of the
+output pool, the pool transfer function could overflow the stack with
+RNG bytes, causing a DoS or potential privilege escalation.
+
+(Bug reported by the PaX Team <pageexec at freemail.hu>)
+
+Cc: Theodore Tso <tytso at mit.edu>
+Cc: Willy Tarreau <w at 1wt.eu>
+Signed-off-by: Matt Mackall <mpm at selenic.com>
+Signed-off-by: Chris Wright <chrisw at sous-sol.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+
+Backported to Debian's 2.6.8 by dann frazier <dannf at debian.org>
+
+diff -urpN kernel-source-2.6.8.orig/drivers/char/random.c kernel-source-2.6.8/drivers/char/random.c
+--- kernel-source-2.6.8.orig/drivers/char/random.c 2007-05-26 02:54:38.000000000 -0600
++++ kernel-source-2.6.8/drivers/char/random.c 2008-02-11 21:15:53.000000000 -0700
+@@ -1321,8 +1321,13 @@ static inline void xfer_secondary_pool(s
+ {
+ if (r->entropy_count < nbytes * 8 &&
+ r->entropy_count < r->poolinfo.POOLBITS) {
+- int bytes = max_t(int, random_read_wakeup_thresh / 8,
+- min_t(int, nbytes, TMP_BUF_SIZE));
++ /* If we're limited, always leave two wakeup worth's BITS */
++ int bytes = nbytes;
++
++ /* pull at least as many as BYTES as wakeup BITS */
++ bytes = max_t(int, bytes, random_read_wakeup_thresh / 8);
++ /* but never more than the buffer size */
++ bytes = min_t(int, bytes, TMP_BUF_SIZE);
+
+ DEBUG_ENT("%04d %04d : going to reseed %s with %d bits "
+ "(%d of %d requested)\n",
Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 (original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 Thu Feb 14 04:48:54 2008
@@ -17,3 +17,4 @@
+ amd64-zero-extend-32bit-ptrace.dpatch
+ usb-pwc-disconnect-block.dpatch
+ powerpc-chrp-null-deref.dpatch
++ random-bound-check-ordering.dpatch
More information about the Kernel-svn-changes
mailing list