[kernel] r21698 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series
Raphael Geissert
geissert at moszumanska.debian.org
Thu Aug 7 11:37:54 UTC 2014
Author: geissert
Date: Thu Aug 7 11:37:54 2014
New Revision: 21698
Log:
Add patch for CVE-2014-4943
Added:
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/CVE-2014-4943.patch
Modified:
dists/squeeze-security/linux-2.6/debian/changelog
dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze9
Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog Thu Aug 7 11:34:32 2014 (r21697)
+++ dists/squeeze-security/linux-2.6/debian/changelog Thu Aug 7 11:37:54 2014 (r21698)
@@ -5,6 +5,9 @@
* CVE-2014-4654: ALSA: control: Check authorization for commands.
* CVE-2014-4655: ALSA: control: Maintain the user_ctl_count value properly.
+ [ Raphael Geissert ]
+ * CVE-2014-4943: net: ppol2tp: don't fall back on UDP [get|set]sockopt
+
-- Holger Levsen <holger at debian.org> Sat, 12 Jul 2014 21:07:09 +0200
linux-2.6 (2.6.32-48squeeze8) squeeze-lts; urgency=high
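Review bot: the added changelog line spells the driver "ppol2tp", but the file this fix touches is drivers/net/pppol2tp.c, so the entry is missing a "p". Suggest "* CVE-2014-4943: net: pppol2tp: don't fall back on UDP [get|set]sockopt" so that a changelog search for the driver name finds it. The trailer directly below the new entry still carries Holger Levsen's name and the 12 Jul 2014 date, so it will need refreshing when this upload is finalized.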
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/CVE-2014-4943.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/CVE-2014-4943.patch Thu Aug 7 11:37:54 2014 (r21698)
@@ -0,0 +1,53 @@
+From 3cf521f7dc87c031617fd47e4b7aa2593c2f3daf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sasha.levin at oracle.com>
+Date: Mon, 14 Jul 2014 17:02:31 -0700
+Subject: net/l2tp: don't fall back on UDP [get|set]sockopt
+
+The l2tp [get|set]sockopt() code has fallen back to the UDP functions
+for socket option levels != SOL_PPPOL2TP since day one, but that has
+never actually worked, since the l2tp socket isn't an inet socket.
+
+As David Miller points out:
+
+ "If we wanted this to work, it'd have to look up the tunnel and then
+ use tunnel->sk, but I wonder how useful that would be"
+
+Since this can never have worked so nobody could possibly have depended
+on that functionality, just remove the broken code and return -EINVAL.
+
+Reported-by: Sasha Levin <sasha.levin at oracle.com>
+Acked-by: James Chapman <jchapman at katalix.com>
+Acked-by: David Miller <davem at davemloft.net>
+Cc: Phil Turnbull <phil.turnbull at oracle.com>
+Cc: Vegard Nossum <vegard.nossum at oracle.com>
+Cc: Willy Tarreau <w at 1wt.eu>
+Cc: stable at vger.kernel.org
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+[geissert: adjust file paths and context for 2.6.32]
+
+diff --git a/drivers/net/pppol2tp.c b/drivers/net/pppol2tp.c
+index 950909f..13752d9 100644
+--- a/drivers/net/pppol2tp.c
++++ b/drivers/net/pppol2tp.c
+@@ -2188,7 +2188,7 @@ static int pppol2tp_setsockopt(struct socket *sock, int level, int optname,
+ int err;
+
+ if (level != SOL_PPPOL2TP)
+- return udp_prot.setsockopt(sk, level, optname, optval, optlen);
++ return -EINVAL;
+
+ if (optlen < sizeof(int))
+ return -EINVAL;
+@@ -2312,7 +2312,7 @@ static int pppol2tp_getsockopt(struct socket *sock, int level, int optname,
+ int err;
+
+ if (level != SOL_PPPOL2TP)
+- return udp_prot.getsockopt(sk, level, optname, optval, optlen);
++ return -EINVAL;
+
+ if (get_user(len, (int __user *) optlen))
+ return -EFAULT;
+--
+cgit v0.10.1
+
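Review bot: documentation point on the patch header: the upstream message frames the UDP fallback only as code that "has never actually worked", and apart from the file name nothing in the header ties it to CVE-2014-4943. Suggest extending the bracketed "[geissert: adjust file paths and context for 2.6.32]" note to name the CVE and to state that the removed calls handed sk, which the message says is not an inet socket, to udp_prot.setsockopt and udp_prot.getsockopt. On the code, both inner hunks change only the level != SOL_PPPOL2TP branch to return -EINVAL and leave the following optlen and get_user checks as context, so the backport stays minimal. The trailing "cgit v0.10.1" signature is export residue and can be dropped from the stored patch.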
Modified: dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze9
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze9 Thu Aug 7 11:34:32 2014 (r21697)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze9 Thu Aug 7 11:37:54 2014 (r21698)
@@ -1,2 +1,3 @@
+ bugfix/all/CVE-2014-4653.patch
+ bugfix/all/CVE-2014-4654+4655.patch
++ bugfix/all/CVE-2014-4943.patch