[kernel] r17981 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/features/all/vserver patches/series
Dann Frazier
dannf at alioth.debian.org
Sun Aug 21 21:51:13 UTC 2011
Author: dannf
Date: Sun Aug 21 21:51:11 2011
New Revision: 17981
Log:
proc: restrict access to /proc/PID/io (CVE-2011-2495)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/proc-restrict-access-to-proc-pid-io.patch
- copied, changed from r17980, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/proc-restrict-access-to-proc-pid-io.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/features/all/vserver/vs2.3.0.35.patch
dists/lenny-security/linux-2.6/debian/patches/series/26lenny4
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Sun Aug 21 15:20:47 2011 (r17980)
+++ dists/lenny-security/linux-2.6/debian/changelog Sun Aug 21 21:51:11 2011 (r17981)
@@ -4,6 +4,7 @@
* Fix regression in fix for CVE-2011-1768 (Closes: #633738)
* taskstats: don't allow duplicate entries in listener mode (CVE-2011-2484)
* NLM: Don't hang forever on NLM unlock requests (CVE-2011-2491)
+ * proc: restrict access to /proc/PID/io (CVE-2011-2495)
[ Moritz Muehlenhoff ]
* ALSA: caiaq - Fix possible string-buffer overflow (CVE-2011-0712)
Copied and modified: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/proc-restrict-access-to-proc-pid-io.patch (from r17980, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/proc-restrict-access-to-proc-pid-io.patch)
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/proc-restrict-access-to-proc-pid-io.patch Sun Aug 21 15:20:47 2011 (r17980, copy source)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/proc-restrict-access-to-proc-pid-io.patch Sun Aug 21 21:51:11 2011 (r17981)
@@ -15,36 +15,28 @@
Signed-off-by: Vasiliy Kulikov <segoon at openwall.com>
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+ [dannf: backported to Debian's 2.6.26]
diff --git a/fs/proc/base.c b/fs/proc/base.c
-index 8a84210..fc5bc27 100644
+index 3f20d5d..bce2890 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
-@@ -2708,6 +2708,9 @@ static int do_io_accounting(struct task_struct *task, char *buffer, int whole)
- struct task_io_accounting acct = task->ioac;
- unsigned long flags;
-
-+ if (!ptrace_may_access(task, PTRACE_MODE_READ))
+@@ -2378,6 +2378,9 @@ static int proc_base_fill_cache(struct file *filp, void *dirent,
+ #ifdef CONFIG_TASK_IO_ACCOUNTING
+ static int proc_pid_io_accounting(struct task_struct *task, char *buffer)
+ {
++ if (!ptrace_may_attach(task))
+ return -EACCES;
+
- if (whole && lock_task_sighand(task, &flags)) {
- struct task_struct *t = task;
-
-@@ -2839,7 +2842,7 @@ static const struct pid_entry tgid_base_stuff[] = {
- REG("coredump_filter", S_IRUGO|S_IWUSR, proc_coredump_filter_operations),
+ return sprintf(buffer,
+ #ifdef CONFIG_TASK_XACCT
+ "rchar: %llu\n"
+@@ -2470,7 +2473,7 @@ static const struct pid_entry tgid_base_stuff[] = {
+ REG("coredump_filter", S_IRUGO|S_IWUSR, coredump_filter),
#endif
#ifdef CONFIG_TASK_IO_ACCOUNTING
-- INF("io", S_IRUGO, proc_tgid_io_accounting),
-+ INF("io", S_IRUSR, proc_tgid_io_accounting),
- #endif
- #ifdef CONFIG_HARDWALL
- INF("hardwall", S_IRUGO, proc_pid_hardwall),
-@@ -3181,7 +3184,7 @@ static const struct pid_entry tid_base_stuff[] = {
- REG("make-it-fail", S_IRUGO|S_IWUSR, proc_fault_inject_operations),
+- INF("io", S_IRUGO, pid_io_accounting),
++ INF("io", S_IRUSR, pid_io_accounting),
#endif
- #ifdef CONFIG_TASK_IO_ACCOUNTING
-- INF("io", S_IRUGO, proc_tid_io_accounting),
-+ INF("io", S_IRUSR, proc_tid_io_accounting),
- #endif
- #ifdef CONFIG_HARDWALL
- INF("hardwall", S_IRUGO, proc_pid_hardwall),
+ };
+
Modified: dists/lenny-security/linux-2.6/debian/patches/features/all/vserver/vs2.3.0.35.patch
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/features/all/vserver/vs2.3.0.35.patch Sun Aug 21 15:20:47 2011 (r17980)
+++ dists/lenny-security/linux-2.6/debian/patches/features/all/vserver/vs2.3.0.35.patch Sun Aug 21 21:51:11 2011 (r17981)
@@ -6961,7 +6961,7 @@
#ifdef CONFIG_AUDITSYSCALL
@@ -2471,6 +2487,7 @@ static const struct pid_entry tgid_base_
#ifdef CONFIG_TASK_IO_ACCOUNTING
- INF("io", S_IRUGO, pid_io_accounting),
+ INF("io", S_IRUSR, pid_io_accounting),
#endif
+ ONE("nsproxy", S_IRUGO, pid_nsproxy),
};
Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny4
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny4 Sun Aug 21 15:20:47 2011 (r17980)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny4 Sun Aug 21 21:51:11 2011 (r17981)
@@ -6,3 +6,4 @@
+ bugfix/all/taskstats-don-t-allow-duplicate-entries-in-listener-mode.patch
+ bugfix/all/nlm-dont-hang-forever-on-nlm-unlock-requests.patch
+ debian/nlm-Avoid-ABI-change-from-dont-hang-forever-on-nlm-unlock-requests.patch
++ bugfix/all/proc-restrict-access-to-proc-pid-io.patch
More information about the Kernel-svn-changes
mailing list