[kernel] r13335 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Mon Apr 6 01:28:48 UTC 2009

Author: dannf
Date: Mon Apr  6 01:28:47 2009
New Revision: 13335

Log:
nfsd: drop CAP_MKNOD for non-root (CVE-2009-1072)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/nfsd-drop-CAP_MKNOD-for-non-root.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/15lenny1

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================

--- dists/lenny-security/linux-2.6/debian/changelog	Sun Apr  5 20:07:50 2009	(r13334)
+++ dists/lenny-security/linux-2.6/debian/changelog	Mon Apr  6 01:28:47 2009	(r13335)
@@ -9,6 +9,7 @@
   * shm: fix shmctl(SHM_INFO) lockup with !CONFIG_SHMEM (CVE-2009-0859)
     This issue does not effect pre-build Debian kernels.
   * Fix an off-by-two memory error in console selection (CVE-2009-1046)
+  * nfsd: drop CAP_MKNOD for non-root (CVE-2009-1072)
 
  -- dann frazier <dannf at debian.org>  Fri, 03 Apr 2009 19:12:51 -0600
 

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/nfsd-drop-CAP_MKNOD-for-non-root.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/nfsd-drop-CAP_MKNOD-for-non-root.patch	Mon Apr  6 01:28:47 2009	(r13335)
@@ -0,0 +1,36 @@
+commit 76a67ec6fb79ff3570dcb5342142c16098299911
+Author: J. Bruce Fields <bfields at citi.umich.edu>
+Date:   Mon Mar 16 18:34:20 2009 -0400
+
+    nfsd: nfsd should drop CAP_MKNOD for non-root
+    
+    Since creating a device node is normally an operation requiring special
+    privilege, Igor Zhbanov points out that it is surprising (to say the
+    least) that a client can, for example, create a device node on a
+    filesystem exported with root_squash.
+    
+    So, make sure CAP_MKNOD is among the capabilities dropped when an nfsd
+    thread handles a request from a non-root user.
+    
+    Reported-by: Igor Zhbanov <izh1979 at gmail.com>
+    Cc: stable at kernel.org
+    Signed-off-by: J. Bruce Fields <bfields at citi.umich.edu>
+
+Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/include/linux/capability.h linux-source-2.6.26/include/linux/capability.h
+--- linux-source-2.6.26.orig/include/linux/capability.h	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/include/linux/capability.h	2009-04-05 19:17:27.000000000 -0600
+@@ -382,8 +382,10 @@ typedef struct kernel_cap_struct {
+ # define CAP_FULL_SET     ((kernel_cap_t){{ ~0, ~0 }})
+ # define CAP_INIT_EFF_SET ((kernel_cap_t){{ ~CAP_TO_MASK(CAP_SETPCAP), ~0 }})
+ # define CAP_FS_SET       ((kernel_cap_t){{ CAP_FS_MASK_B0, CAP_FS_MASK_B1 } })
+-# define CAP_NFSD_SET     ((kernel_cap_t){{ CAP_FS_MASK_B0|CAP_TO_MASK(CAP_SYS_RESOURCE), \
+-					CAP_FS_MASK_B1 } })
++# define CAP_NFSD_SET     ((kernel_cap_t){{ CAP_FS_MASK_B0 \
++					    | CAP_TO_MASK(CAP_SYS_RESOURCE) \
++					    | CAP_TO_MASK(CAP_MKNOD), \
++					    CAP_FS_MASK_B1 } })
+ 
+ #endif /* _KERNEL_CAPABILITY_U32S != 2 */
+ 

Modified: dists/lenny-security/linux-2.6/debian/patches/series/15lenny1
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/15lenny1	Sun Apr  5 20:07:50 2009	(r13334)
+++ dists/lenny-security/linux-2.6/debian/patches/series/15lenny1	Mon Apr  6 01:28:47 2009	(r13335)
@@ -5,3 +5,4 @@
 + bugfix/all/seccomp-fix-32+64-syscall-hole.patch
 + bugfix/all/shm-fix-shmctl(SHM_INFO)-lockup-without-CONFIG_SHMEM.patch
 + bugfix/all/fix-off-by-2-error-in-console-selection.patch
++ bugfix/all/nfsd-drop-CAP_MKNOD-for-non-root.patch

