[linux] 01/01: dccp: Disable auto-loading as mitigation against local exploits

debian-kernel at lists.debian.org
Thu Feb 16 19:13:44 UTC 2017


This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch sid
in repository linux.

commit 8cf32305243bf42d59462a745fed68a28e5efb73
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Thu Feb 16 19:11:26 2017 +0000

    dccp: Disable auto-loading as mitigation against local exploits
---
 debian/changelog                                   |  1 +
 ...ding-as-mitigation-against-local-exploits.patch | 41 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 43 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index da5338d..e628440 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -246,6 +246,7 @@ linux (4.9.10-1) UNRELEASED; urgency=medium
   * pegasus: Use heap buffers for all register access (Closes: #852556)
   * test-patches: Use the pkg.linux.notools build profile
   * test-patches: Set default number of jobs to number of available processors
+  * dccp: Disable auto-loading as mitigation against local exploits
 
   [ Roger Shimizu ]
   * [armel] ARM: dts: orion5x-lschl: Fix model name
diff --git a/debian/patches/debian/dccp-disable-auto-loading-as-mitigation-against-local-exploits.patch b/debian/patches/debian/dccp-disable-auto-loading-as-mitigation-against-local-exploits.patch
new file mode 100644
index 0000000..8358318
--- /dev/null
+++ b/debian/patches/debian/dccp-disable-auto-loading-as-mitigation-against-local-exploits.patch
@@ -0,0 +1,41 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Thu, 16 Feb 2017 19:09:17 +0000
+Subject: dccp: Disable auto-loading as mitigation against local exploits
+Forwarded: not-needed
+
+We can mitigate the effect of vulnerabilities in obscure protocols by
+preventing unprivileged users from loading the modules, so that they
+are only exploitable on systems where the administrator has chosen to
+load the protocol.
+
+The 'dccp' protocol is not actively maintained or widely used.
+Therefore disable auto-loading.
+
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+--- a/net/dccp/ipv4.c
++++ b/net/dccp/ipv4.c
+@@ -1071,8 +1071,8 @@ module_exit(dccp_v4_exit);
+  * values directly, Also cover the case where the protocol is not specified,
+  * i.e. net-pf-PF_INET-proto-0-type-SOCK_DCCP
+  */
+-MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET, 33, 6);
+-MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET, 0, 6);
++/* MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET, 33, 6); */
++/* MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET, 0, 6); */
+ MODULE_LICENSE("GPL");
+ MODULE_AUTHOR("Arnaldo Carvalho de Melo <acme at mandriva.com>");
+ MODULE_DESCRIPTION("DCCP - Datagram Congestion Controlled Protocol");
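Review bot: the comment left in place immediately above the commented-out lines ("values directly, Also cover the case where the protocol is not specified, i.e. net-pf-PF_INET-proto-0-type-SOCK_DCCP") still describes two live aliases, so the next reader of net/dccp/ipv4.c sees a comment for declarations that no longer take effect. Extend that comment in the same hunk to say that the aliases are deliberately disabled in the Debian build so that only an explicit modprobe by the administrator loads the module, and why; the rationale currently lives only in the patch header. A bare `/* ... */` with no note beside it also invites someone to "clean it up" or re-enable it on a future rebase.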
+--- a/net/dccp/ipv6.c
++++ b/net/dccp/ipv6.c
+@@ -1125,8 +1125,8 @@ module_exit(dccp_v6_exit);
+  * values directly, Also cover the case where the protocol is not specified,
+  * i.e. net-pf-PF_INET6-proto-0-type-SOCK_DCCP
+  */
+-MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET6, 33, 6);
+-MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET6, 0, 6);
++/* MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET6, 33, 6); */
++/* MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET6, 0, 6); */
+ MODULE_LICENSE("GPL");
+ MODULE_AUTHOR("Arnaldo Carvalho de Melo <acme at mandriva.com>");
+ MODULE_DESCRIPTION("DCCPv6 - Datagram Congestion Controlled Protocol");
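Review bot: the same stale comment issue as in ipv4.c applies to the ipv6.c hunk. For the patch as a whole, the header says DCCP stays usable "on systems where the administrator has chosen to load the protocol", but neither the header nor the changelog entry tells administrators that both the IPv4 and IPv6 paths now need an explicit module load (for example an entry in /etc/modules) instead of being pulled in by the first socket() call. Add a NEWS entry or a sentence in the changelog stating this so the behaviour change is discoverable by operators, not only by people reading debian/patches.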
diff --git a/debian/patches/series b/debian/patches/series
index 9f05b49..eed5066 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -29,6 +29,7 @@ features/all/aufs4/aufs4-standalone.patch
 debian/af_802154-Disable-auto-loading-as-mitigation-against.patch
 debian/rds-Disable-auto-loading-as-mitigation-against-local.patch
 debian/decnet-Disable-auto-loading-as-mitigation-against-lo.patch
+debian/dccp-disable-auto-loading-as-mitigation-against-local-exploits.patch
 debian/fs-enable-link-security-restrictions-by-default.patch
 
 # Set various features runtime-disabled by default
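Review bot: the new file name `dccp-disable-auto-loading-as-mitigation-against-local-exploits.patch` does not follow the convention of the three sibling entries directly above it, which are `git format-patch` style names (subject capitalised after the prefix and cut at 52 characters, e.g. `rds-Disable-auto-loading-as-mitigation-against-local.patch`). Consider regenerating the file name with format-patch so the four related auto-loading patches sort and read consistently in the series file.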

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git
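The patch header explains the mitigation but gives no way to confirm it on a running system. The following POSIX shell script is an added example, not part of the Debian commit or the kernel tree. It checks whether a kernel's modules.alias still carries the socket-family aliases that let an unprivileged socket() call auto-load the DCCP modules, and whether a modprobe.d `install` override (the usual administrator-side way to get the same effect on a kernel that still has the aliases) is present instead. The alias strings are the expansion of MODULE_ALIAS_NET_PF_PROTO_TYPE with PF_INET=2, PF_INET6=10, IPPROTO_DCCP=33 and SOCK_DCCP=6 from the UAPI headers; the function names, the `--system`/`--demo` switches and the sample modules.alias and modprobe.d contents are constructed for this example and are not real system files.

```shell
#!/bin/sh
# Added example, not part of the Debian commit or the kernel tree.
# Checks whether a kernel's modules.alias still lets an unprivileged
# socket() call auto-load the DCCP modules, and whether a modprobe.d
# "install" override blocks them instead.
#
# MODULE_ALIAS_NET_PF_PROTO_TYPE(pf, proto, type) expands to the alias
# string "net-pf-<pf>-proto-<proto>-type-<type>", which is what the kernel
# hands to request_module() when socket(pf, type, proto) finds no handler.
# Values from the UAPI headers: PF_INET=2, PF_INET6=10, IPPROTO_DCCP=33,
# SOCK_DCCP=6. These four are exactly the aliases the patch comments out.
DCCP_ALIASES="net-pf-2-proto-33-type-6 net-pf-2-proto-0-type-6 net-pf-10-proto-33-type-6 net-pf-10-proto-0-type-6"

# dccp_autoload_aliases [FILE]
# Print every "<alias> <module>" pair in FILE (default: the running kernel's
# modules.alias) that would let a DCCP socket() request load a module.
# Returns 0 if any was found (auto-load possible), 1 if none (mitigated),
# 2 if FILE is unreadable.
dccp_autoload_aliases() {
    aliasfile=${1:-/lib/modules/$(uname -r)/modules.alias}
    [ -r "$aliasfile" ] || { echo "cannot read $aliasfile" >&2; return 2; }
    status=1
    for a in $DCCP_ALIASES; do
        # depmod writes lines of the form: alias net-pf-2-proto-33-type-6 dccp_ipv4
        mods=$(awk -v a="$a" '$1 == "alias" && $2 == a { print $3 }' "$aliasfile")
        for m in $mods; do
            echo "$a $m"
            status=0
        done
    done
    return $status
}

# dccp_install_blocked [DIR...]
# Print "install" rules in modprobe.d directories (default: the standard
# ones) that override loading of dccp, dccp_ipv4 or dccp_ipv6. An entry such
# as "install dccp /bin/false" makes modprobe run that command instead of
# loading the module, so it blocks auto-load on an unpatched kernel too.
# Returns 1 if no such rule exists.
dccp_install_blocked() {
    [ $# -gt 0 ] || set -- /etc/modprobe.d /run/modprobe.d /lib/modprobe.d
    for d in "$@"; do
        for f in "$d"/*.conf; do
            [ -r "$f" ] || continue
            awk -v f="$f" '$1 == "install" && $2 ~ /^dccp(_ipv[46])?$/ { print f ": " $0 }' "$f"
        done
    done | grep .
}

# make_sample_files DIR
# Write constructed sample inputs (not real system files) so both checks can
# be demonstrated offline: a pre-patch modules.alias, a post-patch one with
# the DCCP aliases gone, and a modprobe.d directory with an install override.
make_sample_files() {
    dir=$1
    mkdir -p "$dir/modprobe.d"
    printf '%s\n' \
        'alias net-pf-2-proto-33-type-6 dccp_ipv4' \
        'alias net-pf-2-proto-0-type-6 dccp_ipv4' \
        'alias net-pf-10-proto-33-type-6 dccp_ipv6' \
        'alias net-pf-10-proto-0-type-6 dccp_ipv6' \
        'alias net-pf-2-proto-132-type-1 sctp' > "$dir/stock.alias"
    printf '%s\n' \
        'alias net-pf-2-proto-132-type-1 sctp' > "$dir/patched.alias"
    printf '%s\n' \
        '# constructed example of the modprobe.d approach' \
        'install dccp /bin/false' > "$dir/modprobe.d/dccp.conf"
}

case ${1:-} in
    --system)
        if dccp_autoload_aliases; then
            echo "unprivileged socket() can auto-load DCCP on this kernel"
        elif [ $? -eq 1 ]; then
            echo "no DCCP socket aliases: auto-load blocked in this kernel"
        fi
        dccp_install_blocked || echo "no modprobe.d install override for dccp"
        ;;
    --demo)
        tmp=$(mktemp -d)
        make_sample_files "$tmp"
        echo "== stock kernel =="; dccp_autoload_aliases "$tmp/stock.alias"
        echo "== patched kernel =="; dccp_autoload_aliases "$tmp/patched.alias" || echo "(none)"
        echo "== modprobe.d =="; dccp_install_blocked "$tmp/modprobe.d"
        rm -r "$tmp"
        ;;
esac
```

Run it with `--demo` to see both outcomes on the constructed samples, or with `--system` to inspect the kernel you are on. A kernel built with this patch shows no output from the alias check; a stock kernel lists four alias lines, and the only remaining defence there is a modprobe.d `install` rule, which the second function reports.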