[kernel] r16571 - in dists/trunk/linux-2.6/debian: . patches/debian patches/series

Ben Hutchings benh at alioth.debian.org
Sat Nov 20 02:31:39 UTC 2010


Author: benh
Date: Sat Nov 20 02:31:37 2010
New Revision: 16571

Log:
decnet: Disable auto-loading as mitigation against local exploits

Added:
   dists/trunk/linux-2.6/debian/patches/debian/decnet-Disable-auto-loading-as-mitigation-against-lo.patch
Modified:
   dists/trunk/linux-2.6/debian/changelog
   dists/trunk/linux-2.6/debian/patches/series/1~experimental.2

Modified: dists/trunk/linux-2.6/debian/changelog
==============================================================================
--- dists/trunk/linux-2.6/debian/changelog	Sat Nov 20 02:28:43 2010	(r16570)
+++ dists/trunk/linux-2.6/debian/changelog	Sat Nov 20 02:31:37 2010	(r16571)
@@ -12,9 +12,9 @@
     has stalled and is a source of security bugs.
   * Disable Econet protocol.  It is unmaintained upstream, probably broken,
     and of historical interest only.
-  * af_802154,rds: Disable auto-loading as mitigation against local exploits.
-    These protocol modules are not widely used and can be explicitly loaded
-    or aliased on systems where they are wanted.
+  * af_802154,decnet,rds: Disable auto-loading as mitigation against local
+    exploits.  These protocol modules are not widely used and can be
+    explicitly loaded or aliased on systems where they are wanted.
 
  -- maximilian attems <max at stro.at>  Wed, 31 Oct 2010 13:23:11 +0200
 

Added: dists/trunk/linux-2.6/debian/patches/debian/decnet-Disable-auto-loading-as-mitigation-against-lo.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/trunk/linux-2.6/debian/patches/debian/decnet-Disable-auto-loading-as-mitigation-against-lo.patch	Sat Nov 20 02:31:37 2010	(r16571)
@@ -0,0 +1,37 @@
+From 0061a6e7c7e5fef1d257cb2c2d9180f655ea5c1a Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Sat, 20 Nov 2010 02:24:55 +0000
+Subject: [PATCH] decnet: Disable auto-loading as mitigation against local exploits
+
+Recent review has revealed several bugs in obscure protocol
+implementations that can be exploited by local users for denial of
+service or privilege escalation.  We can mitigate the effect of any
+remaining vulnerabilities in such protocols by preventing unprivileged
+users from loading the modules, so that they are only exploitable on
+systems where the administrator has chosen to load the protocol.
+
+The 'decnet' protocol is unmaintained and of mostly historical
+interest, and the user-space support package 'dnet-common' loads the
+module explicitly.  Therefore disable auto-loading.
+
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ net/decnet/af_decnet.c |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/net/decnet/af_decnet.c b/net/decnet/af_decnet.c
+index 7a58c87..ed9e2b0 100644
+--- a/net/decnet/af_decnet.c
++++ b/net/decnet/af_decnet.c
+@@ -2358,7 +2358,7 @@ void dn_unregister_sysctl(void);
+ MODULE_DESCRIPTION("The Linux DECnet Network Protocol");
+ MODULE_AUTHOR("Linux DECnet Project Team");
+ MODULE_LICENSE("GPL");
+-MODULE_ALIAS_NETPROTO(PF_DECnet);
++/* MODULE_ALIAS_NETPROTO(PF_DECnet); */
+ 
+ static char banner[] __initdata = KERN_INFO "NET4: DECnet for Linux: V.2.5.68s (C) 1995-2003 Linux DECnet Project Team\n";
+ 
+-- 
+1.7.2.3
+
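Review bot: In the net/decnet/af_decnet.c hunk, the replacement line `/* MODULE_ALIAS_NETPROTO(PF_DECnet); */` leaves the alias behind as commented-out code with no explanation in the source, so someone reading the file cannot tell it was disabled deliberately as a mitigation rather than left over by accident. Either delete the line outright or extend the comment to say that auto-loading is disabled on purpose and that the module has to be loaded explicitly (as the commit message says 'dnet-common' does) or aliased by the administrator. The rationale currently lives only in the patch description and the Debian changelog, neither of which travels with the source file.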

Modified: dists/trunk/linux-2.6/debian/patches/series/1~experimental.2
==============================================================================
--- dists/trunk/linux-2.6/debian/patches/series/1~experimental.2	Sat Nov 20 02:28:43 2010	(r16570)
+++ dists/trunk/linux-2.6/debian/patches/series/1~experimental.2	Sat Nov 20 02:31:37 2010	(r16571)
@@ -1,2 +1,3 @@
 + debian/af_802154-Disable-auto-loading-as-mitigation-against.patch
 + debian/rds-Disable-auto-loading-as-mitigation-against-local.patch
++ debian/decnet-Disable-auto-loading-as-mitigation-against-lo.patch


