[kernel] r13538 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Sun May 3 19:01:59 UTC 2009
Author: dannf
Date: Sun May 3 19:01:57 2009
New Revision: 13538
Log:
Fix unreached code in selinux_ip_postroute_iptables_compat()
(CVE-2009-1184)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/unreached-code-in-selinux_ip_postroute_iptables_compat.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/15lenny1
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Sun May 3 18:59:15 2009 (r13537)
+++ dists/lenny-security/linux-2.6/debian/changelog Sun May 3 19:01:57 2009 (r13538)
@@ -1,4 +1,4 @@
-linux-2.6 (2.6.26-15lenny1) UNRELEASED; urgency=high
+linux-2.6 (2.6.26-15lenny1) stable-security; urgency=high
* copy_process: fix CLONE_PARENT && parent_exec_id interaction
(CVE-2009-0028)
@@ -15,8 +15,10 @@
* cifs: Fix memory overwrite when saving nativeFileSystem field during mount
(CVE-2009-1439)
* agp: zero pages before sending to userspace (CVE-2009-1192)
+ * Fix unreached code in selinux_ip_postroute_iptables_compat()
+ (CVE-2009-1184)
- -- dann frazier <dannf at debian.org> Fri, 03 Apr 2009 19:12:51 -0600
+ -- dann frazier <dannf at debian.org> Sun, 03 May 2009 13:00:51 -0600
linux-2.6 (2.6.26-15) stable; urgency=high
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/unreached-code-in-selinux_ip_postroute_iptables_compat.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/unreached-code-in-selinux_ip_postroute_iptables_compat.patch Sun May 3 19:01:57 2009 (r13538)
@@ -0,0 +1,31 @@
+commit 910c9e41186762de3717baaf392ab5ff0c454496
+Author: Eugene Teo <eteo at redhat.com>
+Date: Mon Apr 13 10:04:41 2009 +0800
+
+ unreached code in selinux_ip_postroute_iptables_compat() (CVE-2009-1184)
+
+ Not upstream in 2.6.30, as the function was removed there, making this a
+ non-issue.
+
+ Node and port send checks can skip in the compat_net=1 case. This bug
+ was introduced in commit effad8d.
+
+ Signed-off-by: Eugene Teo <eugeneteo at kernel.sg>
+ Reported-by: Dan Carpenter <error27 at gmail.com>
+ Acked-by: James Morris <jmorris at namei.org>
+ Acked-by: Paul Moore <paul.moore at hp.com>
+ Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/security/selinux/hooks.c linux-source-2.6.26/security/selinux/hooks.c
+--- linux-source-2.6.26.orig/security/selinux/hooks.c 2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/security/selinux/hooks.c 2009-05-03 12:29:51.000000000 -0600
+@@ -4416,6 +4416,7 @@ static int selinux_ip_postroute_iptables
+ if (err)
+ return err;
+ err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
++ if (err)
+ return err;
+
+ err = sel_netnode_sid(addrp, family, &node_sid);
Modified: dists/lenny-security/linux-2.6/debian/patches/series/15lenny1
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/15lenny1 Sun May 3 18:59:15 2009 (r13537)
+++ dists/lenny-security/linux-2.6/debian/patches/series/15lenny1 Sun May 3 19:01:57 2009 (r13538)
@@ -12,3 +12,4 @@
+ bugfix/all/cifs-fix-buffer-size-for-tcon-nativeFileSystem-field.patch
+ bugfix/all/cifs-remove-unneeded-bcc_ptr-update-in-CIFSTCon.patch
+ bugfix/all/agp-zero-pages-before-sending-to-userspace.patch
++ bugfix/all/unreached-code-in-selinux_ip_postroute_iptables_compat.patch
More information about the Kernel-svn-changes
mailing list