[kernel] r14963 - in dists: lenny-security/linux-2.6/debian lenny-security/linux-2.6/debian/patches/bugfix/all lenny-security/linux-2.6/debian/patches/series lenny/linux-2.6/debian lenny/linux-2.6/debian/patches/bugfix/all lenny/linux-2.6/debian/patches/series
Dann Frazier
dannf at alioth.debian.org
Thu Jan 21 06:34:45 UTC 2010
Author: dannf
Date: Thu Jan 21 06:34:41 2010
New Revision: 14963
Log:
move security fixes to security branch
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/netfilter-ebtables-enforce-CAP_NET_ADMIN.patch
- copied unchanged from r14961, dists/lenny/linux-2.6/debian/patches/bugfix/all/netfilter-ebtables-enforce-CAP_NET_ADMIN.patch
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/signal-fix-information-leak-with-print-fatal-signals.patch
- copied unchanged from r14961, dists/lenny/linux-2.6/debian/patches/bugfix/all/signal-fix-information-leak-with-print-fatal-signals.patch
Deleted:
dists/lenny/linux-2.6/debian/patches/bugfix/all/netfilter-ebtables-enforce-CAP_NET_ADMIN.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/signal-fix-information-leak-with-print-fatal-signals.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/21lenny1
dists/lenny/linux-2.6/debian/changelog
dists/lenny/linux-2.6/debian/patches/series/22
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Thu Jan 21 05:50:34 2010 (r14962)
+++ dists/lenny-security/linux-2.6/debian/changelog Thu Jan 21 06:34:41 2010 (r14963)
@@ -1,6 +1,12 @@
linux-2.6 (2.6.26-21lenny1) UNRELEASED; urgency=high
+ [ dann frazier ]
* mac80211: fix spurious delBA handling (CVE-2009-4027)
+
+ [ Ben Hutchings ]
+ * kernel/signal.c: fix kernel information leak with print-fatal-signals=1
+ (CVE-2010-0003)
+ * netfilter: ebtables: enforce CAP_NET_ADMIN (CVE-2010-0007)
-- dann frazier <dannf at debian.org> Tue, 19 Jan 2010 22:24:31 -0700
Copied: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/netfilter-ebtables-enforce-CAP_NET_ADMIN.patch (from r14961, dists/lenny/linux-2.6/debian/patches/bugfix/all/netfilter-ebtables-enforce-CAP_NET_ADMIN.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/netfilter-ebtables-enforce-CAP_NET_ADMIN.patch Thu Jan 21 06:34:41 2010 (r14963, copy of r14961, dists/lenny/linux-2.6/debian/patches/bugfix/all/netfilter-ebtables-enforce-CAP_NET_ADMIN.patch)
@@ -0,0 +1,47 @@
+From f21c582a940198ef810e7744c9f91cdafd1a6ed5 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fwestphal at astaro.com>
+Date: Fri, 8 Jan 2010 17:31:24 +0100
+Subject: [PATCH] netfilter: ebtables: enforce CAP_NET_ADMIN
+
+commit dce766af541f6605fa9889892c0280bab31c66ab upstream.
+
+normal users are currently allowed to set/modify ebtables rules.
+Restrict it to processes with CAP_NET_ADMIN.
+
+Note that this cannot be reproduced with unmodified ebtables binary
+because it uses SOCK_RAW.
+
+Signed-off-by: Florian Westphal <fwestphal at astaro.com>
+Signed-off-by: Patrick McHardy <kaber at trash.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+ net/bridge/netfilter/ebtables.c | 6 ++++++
+ 1 files changed, 6 insertions(+), 0 deletions(-)
+
+diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
+index 32afff8..d6beca9 100644
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -1436,6 +1436,9 @@ static int do_ebt_set_ctl(struct sock *sk,
+ {
+ int ret;
+
++ if (!capable(CAP_NET_ADMIN))
++ return -EPERM;
++
+ switch(cmd) {
+ case EBT_SO_SET_ENTRIES:
+ ret = do_replace(user, len);
+@@ -1455,6 +1458,9 @@ static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
+ struct ebt_replace tmp;
+ struct ebt_table *t;
+
++ if (!capable(CAP_NET_ADMIN))
++ return -EPERM;
++
+ if (copy_from_user(&tmp, user, sizeof(tmp)))
+ return -EFAULT;
+
+--
+1.6.6
+
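Review bot: the second hunk of the embedded patch adds the same `capable(CAP_NET_ADMIN)` gate to do_ebt_get_ctl, but the commit message only mentions users being able to set/modify rules. Gating the get path changes behaviour for unprivileged callers that only read table information: they now get -EPERM before the `copy_from_user`. The message should state that reads are restricted too, and why. Because the check is duplicated verbatim in do_ebt_set_ctl and do_ebt_get_ctl, a one-line comment above each copy would help keep the two entry points in sync.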
Copied: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/signal-fix-information-leak-with-print-fatal-signals.patch (from r14961, dists/lenny/linux-2.6/debian/patches/bugfix/all/signal-fix-information-leak-with-print-fatal-signals.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/signal-fix-information-leak-with-print-fatal-signals.patch Thu Jan 21 06:34:41 2010 (r14963, copy of r14961, dists/lenny/linux-2.6/debian/patches/bugfix/all/signal-fix-information-leak-with-print-fatal-signals.patch)
@@ -0,0 +1,52 @@
+From e3f94f64a91768da5b136b22dc5faa2447ec2ac8 Mon Sep 17 00:00:00 2001
+From: Andi Kleen <andi at firstfloor.org>
+Date: Fri, 8 Jan 2010 14:42:52 -0800
+Subject: [PATCH] kernel/signal.c: fix kernel information leak with print-fatal-signals=1
+
+commit b45c6e76bc2c72f6426c14bed64fdcbc9bf37cb0 upstream.
+
+When print-fatal-signals is enabled it's possible to dump any memory
+reachable by the kernel to the log by simply jumping to that address from
+user space.
+
+Or crash the system if there's some hardware with read side effects.
+
+The fatal signals handler will dump 16 bytes at the execution address,
+which is fully controlled by ring 3.
+
+In addition when something jumps to a unmapped address there will be up to
+16 additional useless page faults, which might be potentially slow (and at
+least is not very efficient)
+
+Fortunately this option is off by default and only there on i386.
+
+But fix it by checking for kernel addresses and also stopping when there's
+a page fault.
+
+Signed-off-by: Andi Kleen <ak at linux.intel.com>
+Cc: Ingo Molnar <mingo at elte.hu>
+Cc: Oleg Nesterov <oleg at redhat.com>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+ kernel/signal.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+diff --git a/kernel/signal.c b/kernel/signal.c
+index de2b649..efcdc95 100644
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -884,7 +884,8 @@ static void print_fatal_signal(struct pt_regs *regs, int signr)
+ for (i = 0; i < 16; i++) {
+ unsigned char insn;
+
+- __get_user(insn, (unsigned char *)(regs->ip + i));
++ if (get_user(insn, (unsigned char *)(regs->ip + i)))
++ break;
+ printk("%02x ", insn);
+ }
+ }
+--
+1.6.6
+
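Review bot: in print_fatal_signal, the switch from `__get_user` to `get_user` is what provides the kernel-address check the message describes, but nothing in the loop says so. `get_user` validates the address range before the access and `__get_user` does not, so a short comment at the `if (get_user(insn, ...))` line should state that the checked variant is deliberate. Otherwise a later cleanup could revert it to the unchecked call. Also consider the log output when the loop breaks on the first byte: the dump ends with no bytes and no marker that the read failed, which is hard to tell apart from a truncated log line.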
Modified: dists/lenny-security/linux-2.6/debian/patches/series/21lenny1
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/21lenny1 Thu Jan 21 05:50:34 2010 (r14962)
+++ dists/lenny-security/linux-2.6/debian/patches/series/21lenny1 Thu Jan 21 06:34:41 2010 (r14963)
@@ -1 +1,3 @@
+ bugfix/all/mac80211-fix-spurious-delBA-handling.patch
++ bugfix/all/signal-fix-information-leak-with-print-fatal-signals.patch
++ bugfix/all/netfilter-ebtables-enforce-CAP_NET_ADMIN.patch
Modified: dists/lenny/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny/linux-2.6/debian/changelog Thu Jan 21 05:50:34 2010 (r14962)
+++ dists/lenny/linux-2.6/debian/changelog Thu Jan 21 06:34:41 2010 (r14963)
@@ -15,9 +15,6 @@
* x86: Increase MIN_GAP to include randomized stack (Closes: #559035)
* bnx2: Add PCI IDs for Broadcom 5716 and 5716S (Closes: #565353)
* bnx2: Fix several crash bugs (Closes: #565960)
- * kernel/signal.c: fix kernel information leak with print-fatal-signals=1
- (CVE-2010-0003)
- * netfilter: ebtables: enforce CAP_NET_ADMIN (CVE-2010-0007)
* audit: Fix memory management bugs (Closes: #562815)
- fix braindamage in audit_tree.c untag_chunk()
- fix more leaks in audit_tree.c tag_chunk()
Modified: dists/lenny/linux-2.6/debian/patches/series/22
==============================================================================
--- dists/lenny/linux-2.6/debian/patches/series/22 Thu Jan 21 05:50:34 2010 (r14962)
+++ dists/lenny/linux-2.6/debian/patches/series/22 Thu Jan 21 06:34:41 2010 (r14963)
@@ -10,7 +10,5 @@
+ bugfix/all/bnx2-Allow-phy-reset-to-be-skipped-during-chip-reset.patch
+ bugfix/all/bnx2-Prevent-ethtool-s-from-crashing-when-device-is-down.patch
+ bugfix/all/bnx2-Fix-panic-in-bnx2_poll_work.patch
-+ bugfix/all/signal-fix-information-leak-with-print-fatal-signals.patch
-+ bugfix/all/netfilter-ebtables-enforce-CAP_NET_ADMIN.patch
+ bugfix/all/fix-braindamage-in-audit_tree.c-untag_chunk.patch
+ bugfix/all/fix-more-leaks-in-audit_tree.c-tag_chunk.patch