[kernel] r10558 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series

Dann Frazier dannf at alioth.debian.org
Sun Feb 17 18:25:36 UTC 2008 

Author: dannf
Date: Sun Feb 17 18:25:35 2008
New Revision: 10558

Log:
* random-fix-seeding-with-zero-entropy.dpatch
  [SECURITY] Avoid seeding with the same values at boot time when a
  system has no entropy source
  See CVE-2007-2453

Added:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/random-fix-seeding-with-zero-entropy.dpatch
Modified:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	Sun Feb 17 18:25:35 2008
@@ -69,8 +69,12 @@
     [SECURITY] Fix stack-based buffer overflow in the random number
     generator
     See CVE-2007-3105
+  * random-fix-seeding-with-zero-entropy.dpatch
+    [SECURITY] Avoid seeding with the same values at boot time when a
+    system has no entropy source
+    See CVE-2007-2453
 
- -- dann frazier <dannf at debian.org>  Wed, 13 Feb 2008 21:46:22 -0700
+ -- dann frazier <dannf at debian.org>  Thu, 14 Feb 2008 15:32:34 -0700
 
 kernel-source-2.6.8 (2.6.8-17) oldstable; urgency=high
 

Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/random-fix-seeding-with-zero-entropy.dpatch
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/random-fix-seeding-with-zero-entropy.dpatch	Sun Feb 17 18:25:35 2008
@@ -0,0 +1,42 @@
+From: Matt Mackall <mpm at selenic.com>
+Date: Thu, 19 Jul 2007 18:30:14 +0000 (-0700)
+Subject: random: fix bound check ordering (CVE-2007-3105)
+X-Git-Tag: v2.6.23-rc1~259
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=5a021e9ffd56c22700133ebc37d607f95be8f7bd
+
+random: fix bound check ordering (CVE-2007-3105)
+
+If root raised the default wakeup threshold over the size of the
+output pool, the pool transfer function could overflow the stack with
+RNG bytes, causing a DoS or potential privilege escalation.
+
+(Bug reported by the PaX Team <pageexec at freemail.hu>)
+
+Cc: Theodore Tso <tytso at mit.edu>
+Cc: Willy Tarreau <w at 1wt.eu>
+Signed-off-by: Matt Mackall <mpm at selenic.com>
+Signed-off-by: Chris Wright <chrisw at sous-sol.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+
+Backported to Debian's 2.6.8 by dann frazier <dannf at debian.org>
+
+diff -urpN kernel-source-2.6.8.orig/drivers/char/random.c kernel-source-2.6.8/drivers/char/random.c
+--- kernel-source-2.6.8.orig/drivers/char/random.c	2007-05-26 02:54:38.000000000 -0600
++++ kernel-source-2.6.8/drivers/char/random.c	2008-02-11 21:15:53.000000000 -0700
+@@ -1321,8 +1321,13 @@ static inline void xfer_secondary_pool(s
+ {
+ 	if (r->entropy_count < nbytes * 8 &&
+ 	    r->entropy_count < r->poolinfo.POOLBITS) {
+-		int bytes = max_t(int, random_read_wakeup_thresh / 8,
+-				min_t(int, nbytes, TMP_BUF_SIZE));
++		/* If we're limited, always leave two wakeup worth's BITS */
++		int bytes = nbytes;
++
++		/* pull at least as many as BYTES as wakeup BITS */
++		bytes = max_t(int, bytes, random_read_wakeup_thresh / 8);
++		/* but never more than the buffer size */
++		bytes = min_t(int, bytes, TMP_BUF_SIZE);
+ 
+ 		DEBUG_ENT("%04d %04d : going to reseed %s with %d bits "
+ 			  "(%d of %d requested)\n",

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1	Sun Feb 17 18:25:35 2008
@@ -18,3 +18,4 @@
 + usb-pwc-disconnect-block.dpatch
 + powerpc-chrp-null-deref.dpatch
 + random-bound-check-ordering.dpatch
++ random-fix-seeding-with-zero-entropy.dpatch

More information about the Kernel-svn-changes mailing list