[kernel] r10153 - in dists/etch/linux-2.6.22/debian: . patches/bugfix patches/series

Mon Jan 21 00:13:16 UTC 2008

Author: dannf
Date: Mon Jan 21 00:13:16 2008
New Revision: 10153

Log:
* Add stable release 2.6.22.13
  - wait_task_stopped: Check p->exit_state instead of TASK_TRACED
    (CVE-2007-5500)
  - TCP: Make sure write_queue_from does not begin with NULL ptr
    (CVE-2007-5501)

Added:
   dists/etch/linux-2.6.22/debian/patches/bugfix/2.6.22.13
Modified:
   dists/etch/linux-2.6.22/debian/changelog
   dists/etch/linux-2.6.22/debian/patches/series/1~etchnahalf.1

Modified: dists/etch/linux-2.6.22/debian/changelog
==============================================================================

--- dists/etch/linux-2.6.22/debian/changelog	(original)
+++ dists/etch/linux-2.6.22/debian/changelog	Mon Jan 21 00:13:16 2008
@@ -1,8 +1,13 @@
 linux-2.6.22 (2.6.22-1~etchnahalf.1) UNRELEASED; urgency=low
 
   * Create linux-2.6.22 package from linux-2.6_2.6.22-6, targeting etch
+  * Add stable release 2.6.22.13
+    - wait_task_stopped: Check p->exit_state instead of TASK_TRACED
+      (CVE-2007-5500)
+    - TCP: Make sure write_queue_from does not begin with NULL ptr
+      (CVE-2007-5501)
 
- -- dann frazier <dannf at debian.org>  Thu, 17 Jan 2008 13:10:36 -0700
+ -- dann frazier <dannf at debian.org>  Sun, 20 Jan 2008 16:58:43 -0700
 
 linux-2.6 (2.6.22-6) unstable; urgency=low
 

Added: dists/etch/linux-2.6.22/debian/patches/bugfix/2.6.22.13
==============================================================================
--- (empty file)
+++ dists/etch/linux-2.6.22/debian/patches/bugfix/2.6.22.13	Mon Jan 21 00:13:16 2008
@@ -0,0 +1,37 @@
+diff --git a/kernel/exit.c b/kernel/exit.c
+index 5c8ecba..e3adc46 100644
+--- a/kernel/exit.c
++++ b/kernel/exit.c
+@@ -1336,8 +1336,7 @@ static int wait_task_stopped(struct task_struct *p, int delayed_group_leader,
+ 		int why = (p->ptrace & PT_PTRACED) ? CLD_TRAPPED : CLD_STOPPED;
+ 
+ 		exit_code = p->exit_code;
+-		if (unlikely(!exit_code) ||
+-		    unlikely(p->state & TASK_TRACED))
++		if (unlikely(!exit_code) || unlikely(p->exit_state))
+ 			goto bail_ref;
+ 		return wait_noreap_copyout(p, pid, uid,
+ 					   why, (exit_code << 8) | 0x7f,
+diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
+index e33fb3d..2e1d8e7 100644
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -994,6 +994,9 @@ tcp_sacktag_write_queue(struct sock *sk, struct sk_buff *ack_skb, u32 prior_snd_
+ 	if (before(TCP_SKB_CB(ack_skb)->ack_seq, prior_snd_una - tp->max_window))
+ 		return 0;
+ 
++	if (!tp->packets_out)
++		goto out;
++
+ 	/* SACK fastpath:
+ 	 * if the only SACK change is the increase of the end_seq of
+ 	 * the first block then only apply that SACK block
+@@ -1262,6 +1265,8 @@ tcp_sacktag_write_queue(struct sock *sk, struct sk_buff *ack_skb, u32 prior_snd_
+ 	    (!tp->frto_highmark || after(tp->snd_una, tp->frto_highmark)))
+ 		tcp_update_reordering(sk, ((tp->fackets_out + 1) - reord), 0);
+ 
++out:
++
+ #if FASTRETRANS_DEBUG > 0
+ 	BUG_TRAP((int)tp->sacked_out >= 0);
+ 	BUG_TRAP((int)tp->lost_out >= 0);

Modified: dists/etch/linux-2.6.22/debian/patches/series/1~etchnahalf.1
==============================================================================
--- dists/etch/linux-2.6.22/debian/patches/series/1~etchnahalf.1	(original)
+++ dists/etch/linux-2.6.22/debian/patches/series/1~etchnahalf.1	Mon Jan 21 00:13:16 2008
@@ -60,3 +60,4 @@
 + bugfix/2.6.22.11
 - bugfix/all/fix-some-cases-of-missed-ipv6-dad.patch
 + bugfix/2.6.22.12-rc1
++ bugfix/2.6.22.13

