[kernel] r16563 - in dists/sid/linux-2.6/debian: . patches/debian patches/series
Ben Hutchings
benh at alioth.debian.org
Fri Nov 19 02:51:02 UTC 2010
Author: benh
Date: Fri Nov 19 02:50:57 2010
New Revision: 16563
Log:
af_802154,econet,rds: Disable auto-loading as mitigation against local exploits
Added:
dists/sid/linux-2.6/debian/patches/debian/af_802154-Disable-auto-loading-as-mitigation-against.patch
dists/sid/linux-2.6/debian/patches/debian/econet-Disable-auto-loading-as-mitigation-against-lo.patch
dists/sid/linux-2.6/debian/patches/debian/rds-Disable-auto-loading-as-mitigation-against-local.patch
Modified:
dists/sid/linux-2.6/debian/changelog
dists/sid/linux-2.6/debian/patches/series/28
Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog Thu Nov 18 02:34:18 2010 (r16562)
+++ dists/sid/linux-2.6/debian/changelog Fri Nov 19 02:50:57 2010 (r16563)
@@ -46,6 +46,9 @@
- Prevent crashing when parsing bad X.25 facilities (CVE-2010-4164)
* tcp: Increase TCP_MAXSEG socket option minimum (CVE-2010-4165)
* rds: Fix integer overflow in RDS cmsg handling
+ * af_802154,econet,rds: Disable auto-loading as mitigation against local
+ exploits. These protocol modules are not widely used and can be
+ explicitly loaded or aliased on systems where they are wanted.
[ dann frazier ]
* [vserver] Update patch to 2.6.32.25-vs2.3.0.36.29.6
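Review bot: The new entry says the protocol modules "can be explicitly loaded or aliased" but gives administrators no hint of the alias form they would need to restore the old behaviour; since MODULE_ALIAS_NETPROTO is what the three patches remove, consider stating in the changelog (or a NEWS entry) that the module must be listed in /etc/modules or given a net-pf-<family> alias in a modprobe.d file, so the wording is actionable rather than a bare hint.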
Added: dists/sid/linux-2.6/debian/patches/debian/af_802154-Disable-auto-loading-as-mitigation-against.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/debian/af_802154-Disable-auto-loading-as-mitigation-against.patch Fri Nov 19 02:50:57 2010 (r16563)
@@ -0,0 +1,34 @@
+From 086fa0c78e77b68ffc83c5b14bfdd425e63f024e Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Fri, 19 Nov 2010 02:12:48 +0000
+Subject: [PATCH 2/3] af_802154: Disable auto-loading as mitigation against local exploits
+
+Recent review has revealed several bugs in obscure protocol
+implementations that can be exploited by local users for denial of
+service or privilege escalation. We can mitigate the effect of any
+remaining vulnerabilities in such protocols by preventing unprivileged
+users from loading the modules, so that they are only exploitable on
+systems where the administrator has chosen to load the protocol.
+
+The 'af_802154' (IEEE 802.15.4) protocol is not widely used, was
+not present in the 'lenny' kernel, and seems to receive only sporadic
+maintenance. Therefore disable auto-loading.
+
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ net/ieee802154/af_ieee802154.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/net/ieee802154/af_ieee802154.c b/net/ieee802154/af_ieee802154.c
+index cd949d5..8f49dd5 100644
+--- a/net/ieee802154/af_ieee802154.c
++++ b/net/ieee802154/af_ieee802154.c
+@@ -363,4 +363,4 @@ module_init(af_ieee802154_init);
+ module_exit(af_ieee802154_remove);
+
+ MODULE_LICENSE("GPL");
+-MODULE_ALIAS_NETPROTO(PF_IEEE802154);
++/* MODULE_ALIAS_NETPROTO(PF_IEEE802154); */
+--
+1.7.2.3
+
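Review bot: Commenting out `MODULE_ALIAS_NETPROTO(PF_IEEE802154);` with a bare `/* ... */` leaves dead code with no explanation at the site; a one-line comment next to it saying the alias is intentionally disabled so that socket() by an unprivileged user does not trigger request_module() would stop a later reader (or an upstream rebase) from simply restoring it. Also note that this only blocks demand loading: the effect described in the message, "only exploitable on systems where the administrator has chosen to load the protocol", holds because root can still modprobe the module explicitly, which is worth saying in the description.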
Added: dists/sid/linux-2.6/debian/patches/debian/econet-Disable-auto-loading-as-mitigation-against-lo.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/debian/econet-Disable-auto-loading-as-mitigation-against-lo.patch Fri Nov 19 02:50:57 2010 (r16563)
@@ -0,0 +1,34 @@
+From e8e7c6dabb1049086882b1160895598ec9492b57 Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Fri, 19 Nov 2010 02:12:48 +0000
+Subject: [PATCH 3/3] econet: Disable auto-loading as mitigation against local exploits
+
+Recent review has revealed several bugs in obscure protocol
+implementations that can be exploited by local users for denial of
+service or privilege escalation. We can mitigate the effect of any
+remaining vulnerabilities in such protocols by preventing unprivileged
+users from loading the modules, so that they are only exploitable on
+systems where the administrator has chosen to load the protocol.
+
+The 'econet' protocol is unmaintained and is of mainly historical
+interest. The Debian system does not appear to include any applications
+that use it. Therefore disable auto-loading.
+
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ net/econet/af_econet.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/net/econet/af_econet.c b/net/econet/af_econet.c
+index 0e0254f..60a38f7 100644
+--- a/net/econet/af_econet.c
++++ b/net/econet/af_econet.c
+@@ -1171,4 +1171,4 @@ module_init(econet_proto_init);
+ module_exit(econet_proto_exit);
+
+ MODULE_LICENSE("GPL");
+-MODULE_ALIAS_NETPROTO(PF_ECONET);
++/* MODULE_ALIAS_NETPROTO(PF_ECONET); */
+--
+1.7.2.3
+
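Review bot: Given the description calls econet "unmaintained and of mainly historical interest" with no known Debian consumer, the commented-out alias is the weakest available option: the module is still built and root can still load it, at which point the same unmaintained code is reachable again. If the intent is that nobody on Debian needs it, consider disabling CONFIG_ECONET in the kernel config instead (or in addition), and keep the alias removal only for the protocols that are meant to stay available on request.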
Added: dists/sid/linux-2.6/debian/patches/debian/rds-Disable-auto-loading-as-mitigation-against-local.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/debian/rds-Disable-auto-loading-as-mitigation-against-local.patch Fri Nov 19 02:50:57 2010 (r16563)
@@ -0,0 +1,34 @@
+From 6f9debf7c17b33ab9bb254c6c3cc1480f14d3ec2 Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Fri, 19 Nov 2010 02:12:48 +0000
+Subject: [PATCH 1/3] rds: Disable auto-loading as mitigation against local exploits
+
+Recent review has revealed several bugs in obscure protocol
+implementations that can be exploited by local users for denial of
+service or privilege escalation. We can mitigate the effect of any
+remaining vulnerabilities in such protocols by preventing unprivileged
+users from loading the modules, so that they are only exploitable on
+systems where the administrator has chosen to load the protocol.
+
+The 'rds' protocol is one such protocol that has been found to be
+vulnerable, and which was not present in the 'lenny' kernel.
+Therefore disable auto-loading.
+
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ net/rds/af_rds.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/net/rds/af_rds.c b/net/rds/af_rds.c
+index 98e0538..d8d4525 100644
+--- a/net/rds/af_rds.c
++++ b/net/rds/af_rds.c
+@@ -574,4 +574,4 @@ MODULE_DESCRIPTION("RDS: Reliable Datagram Sockets"
+ " v" DRV_VERSION " (" DRV_RELDATE ")");
+ MODULE_VERSION(DRV_VERSION);
+ MODULE_LICENSE("Dual BSD/GPL");
+-MODULE_ALIAS_NETPROTO(PF_RDS);
++/* MODULE_ALIAS_NETPROTO(PF_RDS); */
+--
+1.7.2.3
+
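Review bot: The description says rds "has been found to be vulnerable" but does not reference the fix that ships in the same upload (the changelog hunk above lists "rds: Fix integer overflow in RDS cmsg handling" and the series adds bugfix/all/rds-Integer-overflow-in-RDS-cmsg-handling.patch); citing it here would make clear that this patch is defence in depth on top of that fix, not a substitute for it. Also, this file is licensed "Dual BSD/GPL" while the other two are "GPL"; that does not affect the change, but the three patches are otherwise identical in shape, so a shared explanatory comment beside the disabled alias would keep them consistent.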
Modified: dists/sid/linux-2.6/debian/patches/series/28
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/28 Thu Nov 18 02:34:18 2010 (r16562)
+++ dists/sid/linux-2.6/debian/patches/series/28 Fri Nov 19 02:50:57 2010 (r16563)
@@ -40,3 +40,6 @@
+ bugfix/all/x25-Prevent-crashing-when-parsing-bad-X.25-facilities.patch
+ bugfix/all/tcp-Increase-TCP_MAXSEG-socket-option-minimum.patch
+ bugfix/all/rds-Integer-overflow-in-RDS-cmsg-handling.patch
++ debian/rds-Disable-auto-loading-as-mitigation-against-local.patch
++ debian/af_802154-Disable-auto-loading-as-mitigation-against.patch
++ debian/econet-Disable-auto-loading-as-mitigation-against-lo.patch