[kernel] r13665 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Thu May 21 15:24:12 UTC 2009


Author: dannf
Date: Thu May 21 15:24:09 2009
New Revision: 13665

Log:
* Fix selinux panic introduced by the fix for CVE-2009-1184
  (Closes: #528860)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/unreached-code-in-selinux_ip_postroute_iptables_compat-2.patch
   dists/lenny-security/linux-2.6/debian/patches/series/15lenny3
Modified:
   dists/lenny-security/linux-2.6/debian/changelog

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Thu May 21 06:22:39 2009	(r13664)
+++ dists/lenny-security/linux-2.6/debian/changelog	Thu May 21 15:24:09 2009	(r13665)
@@ -1,3 +1,10 @@
+linux-2.6 (2.6.26-15lenny3) UNRELEASED; urgency=low
+
+  * Fix selinux panic introduced by the fix for CVE-2009-1184
+    (Closes: #528860)
+
+ -- dann frazier <dannf at debian.org>  Thu, 21 May 2009 09:20:47 -0600
+
 linux-2.6 (2.6.26-15lenny2) stable-security; urgency=high
 
   * mips: implement is_compat_task macro, fixing FTBFS introduced
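Review bot: The new stanza at the top of this hunk is `UNRELEASED; urgency=low`, while the entry directly below it that this change repairs (`2.6.26-15lenny2`) went out as `stable-security; urgency=high`. Because the fix addresses a panic introduced by the CVE-2009-1184 change, the distribution field will need to become `stable-security` before upload, and an urgency matching that of the regressed release is worth considering at the same time; `UNRELEASED` is fine as a placeholder only as long as the upload step changes it.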

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/unreached-code-in-selinux_ip_postroute_iptables_compat-2.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/unreached-code-in-selinux_ip_postroute_iptables_compat-2.patch	Thu May 21 15:24:09 2009	(r13665)
@@ -0,0 +1,62 @@
+This should fix the problem you are seeing with the Debian 2.6.26 kernels ... 
+let me know if you have any problems/questions.
+
+Good luck.
+
+----------  Forwarded Message  ----------
+
+Subject: [PATCH] SELinux: BUG in SELinux compat_net code
+Date: Tuesday 19 May 2009
+From: Eric Paris <eparis at redhat.com>
+To: linux-kernel at vger.kernel.org, stable at vger.kernel.org, 
+selinux at vger.kernel.org
+
+This patch is not applicable to Linus's tree as the code in question has
+been removed for 2.6.30.  I'm sending in case any of the stable
+maintainers would like to push to their branches (which I think anything
+pre 2.6.30 would like to do).
+
+Ubuntu users were experiencing a kernel panic when they enabled SELinux
+due to an old bug in our handling of the compatibility mode network
+controls, introduced Jan 1 2008 effad8df44261031a882e1a895415f7186a5098e
+Most distros have not used the compat_net code since the new code was
+introduced and so noone has hit this problem before.  Ubuntu is the only
+distro I know that enabled that legacy cruft by default.  But, I was ask
+to look at it and found that the above patch changed a call to
+avc_has_perm from if(send_perm) to if(!send_perm) in
+selinux_ip_postroute_iptables_compat().  The result is that users who
+turn on SELinux and have compat_net set can (and oftern will) BUG() in
+avc_has_perm_noaudit since they are requesting 0 permissions.
+
+This patch corrects that accidental bug introduction.
+
+Signed-off-by: Eric Paris <eparis at redhat.com>
+
+---
+
+ security/selinux/hooks.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff -up linux-source-2.6.28/security/selinux/hooks.c.pre.send linux-
+source-2.6.28/security/selinux/hooks.c
+--- linux-source-2.6.28/security/selinux/hooks.c.pre.send	2009-05-18 
+13:23:16.043632602 -0400
++++ linux-source-2.6.28/security/selinux/hooks.c	2009-05-18 13:23:27.899632772 
+-0400
+@@ -4561,7 +4561,7 @@ static int selinux_ip_postroute_iptables
+ 	if (err)
+ 		return err;
+ 
+-	if (send_perm != 0)
++	if (!send_perm)
+ 		return 0;
+ 
+ 	err = sel_netport_sid(sk->sk_protocol,
+
+
+
+-------------------------------------------------------
+-- 
+paul moore
+linux @ hp
+
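Review bot: The diff header inside the forwarded message has been mail-wrapped, which can make `patch` reject or mis-parse the file: the `diff -up` line splits the path as `linux-` / `source-2.6.28/security/selinux/hooks.c`, and both the `---` and `+++` lines spill their timestamps onto the following lines (`13:23:16.043632602 -0400` and `-0400`), so stray non-header lines sit between the file headers and the `@@` hunk. The paths also name `linux-source-2.6.28` although this series is for 2.6.26 (the `@@ -4561,7 +4561,7 @@` line number is 2.6.28's). Suggest regenerating the header cleanly (`--- a/security/selinux/hooks.c` / `+++ b/security/selinux/hooks.c`) or at least confirming that the patch applies at the series' strip level without fuzz before upload. The one-line change itself matches the description: `if (send_perm != 0) return 0;` skipped the check only when no permission was requested, so the avc call was reached with zero permissions; `if (!send_perm) return 0;` returns early in exactly that case.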

Added: dists/lenny-security/linux-2.6/debian/patches/series/15lenny3
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/series/15lenny3	Thu May 21 15:24:09 2009	(r13665)
@@ -0,0 +1 @@
++ bugfix/all/unreached-code-in-selinux_ip_postroute_iptables_compat-2.patch


