[kernel] r16828 - in dists/lenny-security/linux-2.6/debian: . patches/debian patches/series

Dann Frazier dannf at alioth.debian.org
Mon Jan 17 19:42:01 UTC 2011


Author: dannf
Date: Mon Jan 17 19:41:52 2011
New Revision: 16828

Log:
econet: Disable auto-loading as mitigation against local exploits. This
module has been shown to be broken, so the risk of this affecting
real users is insignificant.

Added:
   dists/lenny-security/linux-2.6/debian/patches/debian/econet-Disable-auto-loading-as-mitigation-against-lo.patch
      - copied unchanged from r16824, dists/sid/linux-2.6/debian/patches/debian/econet-Disable-auto-loading-as-mitigation-against-lo.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/26lenny2

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Mon Jan 17 19:22:38 2011	(r16827)
+++ dists/lenny-security/linux-2.6/debian/changelog	Mon Jan 17 19:41:52 2011	(r16828)
@@ -14,6 +14,9 @@
   * exec: make argv/envp memory visible to oom-killer (CVE-2010-4243)
   * af_unix: limit unix_tot_inflight (CVE-2010-4249)
   * do_exit(): make sure that we run with get_fs() == USER_DS (CVE-2010-4258)
+  * econet: Disable auto-loading as mitigation against local exploits. This
+    module has been shown to be broken, so this risk of this affecting
+    real users is insignificant.
 
   [ Moritz Muehlenhoff ]
   * blkback/blktap/netback: Fix CVE-2010-3699 	
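
Review bot: the added changelog entry reads "so this risk of this affecting real users", which should be "so the risk of this affecting real users". Unlike the neighbouring entries, it also gives the reader no reference to follow and no hint of what changes for anyone who does use econet. Suggest adding that only auto-loading is removed and the administrator can still load the module explicitly, which is what the patch description itself says.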

Copied: dists/lenny-security/linux-2.6/debian/patches/debian/econet-Disable-auto-loading-as-mitigation-against-lo.patch (from r16824, dists/sid/linux-2.6/debian/patches/debian/econet-Disable-auto-loading-as-mitigation-against-lo.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/debian/econet-Disable-auto-loading-as-mitigation-against-lo.patch	Mon Jan 17 19:41:52 2011	(r16828, copy of r16824, dists/sid/linux-2.6/debian/patches/debian/econet-Disable-auto-loading-as-mitigation-against-lo.patch)
@@ -0,0 +1,34 @@
+From e8e7c6dabb1049086882b1160895598ec9492b57 Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Fri, 19 Nov 2010 02:12:48 +0000
+Subject: [PATCH 3/3] econet: Disable auto-loading as mitigation against local exploits
+
+Recent review has revealed several bugs in obscure protocol
+implementations that can be exploited by local users for denial of
+service or privilege escalation.  We can mitigate the effect of any
+remaining vulnerabilities in such protocols by preventing unprivileged
+users from loading the modules, so that they are only exploitable on
+systems where the administrator has chosen to load the protocol.
+
+The 'econet' protocol is unmaintained and is of mainly historical
+interest.  The Debian system does not appear to include any applications
+that use it.  Therefore disable auto-loading.
+
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ net/econet/af_econet.c |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/net/econet/af_econet.c b/net/econet/af_econet.c
+index 0e0254f..60a38f7 100644
+--- a/net/econet/af_econet.c
++++ b/net/econet/af_econet.c
+@@ -1171,4 +1171,4 @@ module_init(econet_proto_init);
+ module_exit(econet_proto_exit);
+ 
+ MODULE_LICENSE("GPL");
+-MODULE_ALIAS_NETPROTO(PF_ECONET);
++/* MODULE_ALIAS_NETPROTO(PF_ECONET); */
+-- 
+1.7.2.3
+
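
Review bot: in the af_econet.c hunk, MODULE_ALIAS_NETPROTO(PF_ECONET) is left commented out with no explanation in the source, so a later reader of the file sees a dead line and no reason for it. Suggest either deleting the line or extending the comment to say that auto-loading is disabled deliberately as a mitigation and that the module has to be loaded by the administrator. The description could also state more directly that this only removes the alias: it narrows exposure to systems where the protocol was loaded on purpose and does not fix the remaining bugs it mentions.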

Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny2	Mon Jan 17 19:22:38 2011	(r16827)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny2	Mon Jan 17 19:41:52 2011	(r16828)
@@ -13,3 +13,4 @@
 + bugfix/all/af_unix-limit-unix_tot_inflight.patch
 + bugfix/all/scm-lower-SCM_MAX_FD.patch
 + bugfix/all/do_exit-make-sure-that-we-run-with-get_fs-USER_DS.patch
++ debian/econet-Disable-auto-loading-as-mitigation-against-lo.patch
