[kernel] r10558 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series
Dann Frazier
dannf at alioth.debian.org
Sun Feb 17 18:25:36 UTC 2008
Author: dannf
Date: Sun Feb 17 18:25:35 2008
New Revision: 10558
Log:
* random-fix-seeding-with-zero-entropy.dpatch
[SECURITY] Avoid seeding with the same values at boot time when a
system has no entropy source
See CVE-2007-2453
Added:
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/random-fix-seeding-with-zero-entropy.dpatch
Modified:
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1
Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog (original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog Sun Feb 17 18:25:35 2008
@@ -69,8 +69,12 @@
[SECURITY] Fix stack-based buffer overflow in the random number
generator
See CVE-2007-3105
+ * random-fix-seeding-with-zero-entropy.dpatch
+ [SECURITY] Avoid seeding with the same values at boot time when a
+ system has no entropy source
+ See CVE-2007-2453
- -- dann frazier <dannf at debian.org> Wed, 13 Feb 2008 21:46:22 -0700
+ -- dann frazier <dannf at debian.org> Thu, 14 Feb 2008 15:32:34 -0700
kernel-source-2.6.8 (2.6.8-17) oldstable; urgency=high
Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/random-fix-seeding-with-zero-entropy.dpatch
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/random-fix-seeding-with-zero-entropy.dpatch Sun Feb 17 18:25:35 2008
@@ -0,0 +1,42 @@
+From: Matt Mackall <mpm at selenic.com>
+Date: Thu, 19 Jul 2007 18:30:14 +0000 (-0700)
+Subject: random: fix bound check ordering (CVE-2007-3105)
+X-Git-Tag: v2.6.23-rc1~259
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=5a021e9ffd56c22700133ebc37d607f95be8f7bd
+
+random: fix bound check ordering (CVE-2007-3105)
+
+If root raised the default wakeup threshold over the size of the
+output pool, the pool transfer function could overflow the stack with
+RNG bytes, causing a DoS or potential privilege escalation.
+
+(Bug reported by the PaX Team <pageexec at freemail.hu>)
+
+Cc: Theodore Tso <tytso at mit.edu>
+Cc: Willy Tarreau <w at 1wt.eu>
+Signed-off-by: Matt Mackall <mpm at selenic.com>
+Signed-off-by: Chris Wright <chrisw at sous-sol.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+
+Backported to Debian's 2.6.8 by dann frazier <dannf at debian.org>
+
+diff -urpN kernel-source-2.6.8.orig/drivers/char/random.c kernel-source-2.6.8/drivers/char/random.c
+--- kernel-source-2.6.8.orig/drivers/char/random.c 2007-05-26 02:54:38.000000000 -0600
++++ kernel-source-2.6.8/drivers/char/random.c 2008-02-11 21:15:53.000000000 -0700
+@@ -1321,8 +1321,13 @@ static inline void xfer_secondary_pool(s
+ {
+ if (r->entropy_count < nbytes * 8 &&
+ r->entropy_count < r->poolinfo.POOLBITS) {
+- int bytes = max_t(int, random_read_wakeup_thresh / 8,
+- min_t(int, nbytes, TMP_BUF_SIZE));
++ /* If we're limited, always leave two wakeup worth's BITS */
++ int bytes = nbytes;
++
++ /* pull at least as many as BYTES as wakeup BITS */
++ bytes = max_t(int, bytes, random_read_wakeup_thresh / 8);
++ /* but never more than the buffer size */
++ bytes = min_t(int, bytes, TMP_BUF_SIZE);
+
+ DEBUG_ENT("%04d %04d : going to reseed %s with %d bits "
+ "(%d of %d requested)\n",
Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 (original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 Sun Feb 17 18:25:35 2008
@@ -18,3 +18,4 @@
+ usb-pwc-disconnect-block.dpatch
+ powerpc-chrp-null-deref.dpatch
+ random-bound-check-ordering.dpatch
++ random-fix-seeding-with-zero-entropy.dpatch
More information about the Kernel-svn-changes
mailing list