Tagging tarballs

svn path=/patches/; revision=8

16 files changed, 758 insertions, 0 deletions

diff --git a/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/README b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/README
new file mode 100644
index 0000000..4cce70c
--- /dev/null
+++ b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/README
@@ -0,0 +1,42 @@
+  * bugfix/nfnetlink_log-null-deref.patch
+    [SECURITY] Fix remotely exploitable NULL pointer dereference in
+    nfulnl_recv_config()
+    See CVE-2007-1496
+  * bugfix/nf_conntrack-set-nfctinfo.patch
+    [SECURITY] Fix incorrect classification of IPv6 fragments as ESTABLISHED,
+    which allows remote attackers to bypass certain rulesets
+    See CVE-2007-1497
+  * bugfix/netlink-infinite-recursion.patch
+    [SECURITY] Fix infinite recursion bug in netlink
+    See CVE-2007-1861
+  * bugfix/nl_fib_lookup-oops.patch
+    Add fix for oops bug added by previous patch
+  * bugfix/core-dump-unreadable-PT_INTERP.patch
+    [SECURITY] Fix a vulnerability that allows local users to read
+    otherwise unreadable (but executable) files by triggering a core dump.
+    See CVE-2007-0958
+  * bugfix/appletalk-length-mismatch.patch
+    [SECURITY] Fix a remote DoS (crash) in appletalk
+    Depends upon bugfix/appletalk-endianness-annotations.patch
+    See CVE-2007-1357
+  * bugfix/cm4040-buffer-overflow.patch
+    [SECURITY] Fix a buffer overflow in the Omnikey CardMan 4040 driver
+    See CVE-2007-0005
+  * bugfix/ipv6_fl_socklist-no-share.patch
+    [SECURITY] Fix local DoS vulnerability caused by inadvertently sharing
+    ipv6_fl_socklist between the listening socket and the socket created
+    for connection.
+    See CVE-2007-1592
+  * bugfix/keys-serial-num-collision.patch
+    [SECURITY] Fix the key serial number collision avoidance code in
+    key_alloc_serial() that could lead to a local DoS (oops).
+    (closes: #398470)
+    See CVE-2007-0006
+  * bugfix/ipv6_getsockopt_sticky-null-opt.patch
+    [SECURITY] Fix NULL dereference in ipv6_setsockopt that could lead
+    to a local DoS (oops).
+    See CVE-2007-1388
+  * bugfix/ipv6_getsockopt_sticky-null-opt.patch
+    [SECURITY] Fix kernel memory leak vulnerability in
+    ipv6_getsockopt_sticky() which can be triggered by passing a len < 0.
+    See CVE-2007-1000
diff --git a/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/appletalk-length-mismatch.patch b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/appletalk-length-mismatch.patch
new file mode 100644
index 0000000..b82c4fe
--- /dev/null
+++ b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/appletalk-length-mismatch.patch
@@ -0,0 +1,93 @@
+From: Jean Delvare <jdelvare@suse.de>
+Date: Thu, 5 Apr 2007 06:52:46 +0000 (-0700)
+Subject: [APPLETALK]: Fix a remotely triggerable crash
+X-Git-Tag: v2.6.21-rc6~3
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=75559c167bddc1254db5bcff032ad5eed8bd6f4a
+
+[APPLETALK]: Fix a remotely triggerable crash
+
+When we receive an AppleTalk frame shorter than what its header says,
+we still attempt to verify its checksum, and trip on the BUG_ON() at
+the end of function atalk_sum_skb() because of the length mismatch.
+
+This has security implications because this can be triggered by simply
+sending a specially crafted ethernet frame to a target victim,
+effectively crashing that host. Thus this qualifies, I think, as a
+remote DoS. Here is the frame I used to trigger the crash, in npg
+format:
+
+<Appletalk Killer>
+{
+# Ethernet header -----
+
+  XX XX XX XX XX XX  # Destination MAC
+  00 00 00 00 00 00  # Source MAC
+  00 1D              # Length
+
+# LLC header -----
+
+  AA AA 03
+  08 00 07 80 9B  # Appletalk
+
+# Appletalk header -----
+
+  00 1B        # Packet length (invalid)
+  00 01        # Fake checksum
+  00 00 00 00  # Destination and source networks
+  00 00 00 00  # Destination and source nodes and ports
+
+# Payload -----
+
+  0C 0D 0E 0F 10 11 12 13
+  14
+}
+
+The destination MAC address must be set to those of the victim.
+
+The severity is mitigated by two requirements:
+* The target host must have the appletalk kernel module loaded. I
+  suspect this isn't so frequent.
+* AppleTalk frames are non-IP, thus I guess they can only travel on
+  local networks. I am no network expert though, maybe it is possible
+  to somehow encapsulate AppleTalk packets over IP.
+
+The bug has been reported back in June 2004:
+  http://bugzilla.kernel.org/show_bug.cgi?id=2979
+But it wasn't investigated, and was closed in July 2006 as both
+reporters had vanished meanwhile.
+
+This code was new in kernel 2.6.0-test5:
+  http://git.kernel.org/?p=linux/kernel/git/tglx/history.git;a=commitdiff;h=7ab442d7e0a76402c12553ee256f756097cae2d2
+And not modified since then, so we can assume that vanilla kernels
+2.6.0-test5 and later, and distribution kernels based thereon, are
+affected.
+
+Note that I still do not know for sure what triggered the bug in the
+real-world cases. The frame could have been corrupted by the kernel if
+we have a bug hiding somewhere. But more likely, we are receiving the
+faulty frame from the network.
+
+Signed-off-by: Jean Delvare <jdelvare@suse.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+
+diff --git a/net/appletalk/ddp.c b/net/appletalk/ddp.c
+index 113c175..c8b7dc2 100644
+--- a/net/appletalk/ddp.c
++++ b/net/appletalk/ddp.c
+@@ -1417,10 +1417,13 @@ static int atalk_rcv(struct sk_buff *skb, struct net_device *dev,
+ 	/*
+ 	 * Size check to see if ddp->deh_len was crap
+ 	 * (Otherwise we'll detonate most spectacularly
+-	 * in the middle of recvmsg()).
++	 * in the middle of atalk_checksum() or recvmsg()).
+ 	 */
+-	if (skb->len < sizeof(*ddp))
++	if (skb->len < sizeof(*ddp) || skb->len < (len_hops & 1023)) {
++		pr_debug("AppleTalk: dropping corrupted frame (deh_len=%u, "
++			 "skb->len=%u)\n", len_hops & 1023, skb->len);
+ 		goto freeit;
++	}
+ 
+ 	/*
+ 	 * Any checksums. Note we don't do htons() on this == is assumed to be
diff --git a/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/cm4040-buffer-overflow.patch b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/cm4040-buffer-overflow.patch
new file mode 100644
index 0000000..3047ff6
--- /dev/null
+++ b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/cm4040-buffer-overflow.patch
@@ -0,0 +1,44 @@
+From: Marcel Holtmann <marcel@holtmann.org>
+Date: Tue, 6 Mar 2007 21:12:00 +0000 (+0100)
+Subject: [PATCH] Fix buffer overflow in Omnikey CardMan 4040 driver (CVE-2007-0005)
+X-Git-Tag: v2.6.21-rc3~17
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=059819a41d4331316dd8ddcf977a24ab338f4300
+
+[PATCH] Fix buffer overflow in Omnikey CardMan 4040 driver (CVE-2007-0005)
+
+Based on a patch from Don Howard <dhoward@redhat.com>
+
+When calling write() with a buffer larger than 512 bytes, the
+driver's write buffer overflows, allowing to overwrite the EIP and
+execute arbitrary code with kernel privileges.
+
+In read(), there exists a similar problem, but coming from the device.
+A malicous or buggy device sending more than 512 bytes can overflow
+of the driver's read buffer, with the same effects as above.
+
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Harald Welte <laforge@gnumonks.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+
+diff --git a/drivers/char/pcmcia/cm4040_cs.c b/drivers/char/pcmcia/cm4040_cs.c
+index 0e82968..f2e4ec4 100644
+--- a/drivers/char/pcmcia/cm4040_cs.c
++++ b/drivers/char/pcmcia/cm4040_cs.c
+@@ -273,6 +273,7 @@ static ssize_t cm4040_read(struct file *filp, char __user *buf,
+ 	DEBUGP(6, dev, "BytesToRead=%lu\n", bytes_to_read);
+ 
+ 	min_bytes_to_read = min(count, bytes_to_read + 5);
++	min_bytes_to_read = min_t(size_t, min_bytes_to_read, READ_WRITE_BUFFER_SIZE);
+ 
+ 	DEBUGP(6, dev, "Min=%lu\n", min_bytes_to_read);
+ 
+@@ -340,7 +341,7 @@ static ssize_t cm4040_write(struct file *filp, const char __user *buf,
+ 		return 0;
+ 	}
+ 
+-	if (count < 5) {
++	if ((count < 5) || (count > READ_WRITE_BUFFER_SIZE)) {
+ 		DEBUGP(2, dev, "<- cm4040_write buffersize=%Zd < 5\n", count);
+ 		return -EIO;
+ 	}
diff --git a/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/core-dump-unreadable-PT_INTERP.patch b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/core-dump-unreadable-PT_INTERP.patch
new file mode 100644
index 0000000..33c7c4f
--- /dev/null
+++ b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/core-dump-unreadable-PT_INTERP.patch
@@ -0,0 +1,70 @@
+From: Alexey Dobriyan <adobriyan@openvz.org>
+Date: Fri, 26 Jan 2007 08:57:16 +0000 (-0800)
+Subject: [PATCH] core-dumping unreadable binaries via PT_INTERP
+X-Git-Tag: v2.6.20-rc7^0~60
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=1fb844961818ce94e782acf6a96b92dc2303553b
+
+[PATCH] core-dumping unreadable binaries via PT_INTERP
+
+Proposed patch to fix #5 in
+http://www.isec.pl/vulnerabilities/isec-0017-binfmt_elf.txt
+aka
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1073
+
+To reproduce, do
+* grab poc at the end of advisory.
+* add line "eph.p_memsz = 4096;" after "eph.p_filesz = 4096;"
+  where first "4096" is something equal to or greater than 4096.
+* ./poc /usr/bin/sudo && ls -l
+
+Here I get with 2.6.20-rc5:
+
+ -rw------- 1 ad   ad   102400 2007-01-15 19:17 core
+ ---s--x--x 2 root root 101820 2007-01-15 19:15 /usr/bin/sudo
+
+Check for MAY_READ like binfmt_misc.c does.
+
+Signed-off-by: Alexey Dobriyan <adobriyan@openvz.org>
+Signed-off-by: Andrew Morton <akpm@osdl.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+
+diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
+index 90461f4..669dbe5 100644
+--- a/fs/binfmt_elf.c
++++ b/fs/binfmt_elf.c
+@@ -682,6 +682,15 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
+ 			retval = PTR_ERR(interpreter);
+ 			if (IS_ERR(interpreter))
+ 				goto out_free_interp;
++
++			/*
++			 * If the binary is not readable then enforce
++			 * mm->dumpable = 0 regardless of the interpreter's
++			 * permissions.
++			 */
++			if (file_permission(interpreter, MAY_READ) < 0)
++				bprm->interp_flags |= BINPRM_FLAGS_ENFORCE_NONDUMP;
++
+ 			retval = kernel_read(interpreter, 0, bprm->buf,
+ 					     BINPRM_BUF_SIZE);
+ 			if (retval != BINPRM_BUF_SIZE) {
+diff --git a/fs/binfmt_elf_fdpic.c b/fs/binfmt_elf_fdpic.c
+index 6e6d456..a4d933a 100644
+--- a/fs/binfmt_elf_fdpic.c
++++ b/fs/binfmt_elf_fdpic.c
+@@ -234,6 +234,14 @@ static int load_elf_fdpic_binary(struct linux_binprm *bprm,
+ 				goto error;
+ 			}
+ 
++			/*
++			 * If the binary is not readable then enforce
++			 * mm->dumpable = 0 regardless of the interpreter's
++			 * permissions.
++			 */
++			if (file_permission(interpreter, MAY_READ) < 0)
++				bprm->interp_flags |= BINPRM_FLAGS_ENFORCE_NONDUMP;
++
+ 			retval = kernel_read(interpreter, 0, bprm->buf,
+ 					     BINPRM_BUF_SIZE);
+ 			if (retval < 0)
diff --git a/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/ipv6_fl_socklist-no-share.patch b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/ipv6_fl_socklist-no-share.patch
new file mode 100644
index 0000000..8749435
--- /dev/null
+++ b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/ipv6_fl_socklist-no-share.patch
@@ -0,0 +1,32 @@
+From: Masayuki Nakagawa <nakagawa.msy@ncos.nec.co.jp>
+Date: Fri, 16 Mar 2007 23:14:03 +0000 (-0700)
+Subject: [IPV6]: ipv6_fl_socklist is inadvertently shared.
+X-Git-Tag: v2.6.21-rc5~72^2
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=d35690beda1429544d46c8eb34b2e3a8c37ab299
+
+[IPV6]: ipv6_fl_socklist is inadvertently shared.
+
+The ipv6_fl_socklist from listening socket is inadvertently shared
+with new socket created for connection.  This leads to a variety of
+interesting, but fatal, bugs. For example, removing one of the
+sockets may lead to the other socket's encountering a page fault
+when the now freed list is referenced.
+
+The fix is to not share the flow label list with the new socket.
+
+Signed-off-by: Masayuki Nakagawa <nakagawa.msy@ncos.nec.co.jp>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+
+diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
+index f57a9ba..92f9992 100644
+--- a/net/ipv6/tcp_ipv6.c
++++ b/net/ipv6/tcp_ipv6.c
+@@ -1453,6 +1453,7 @@ static struct sock * tcp_v6_syn_recv_sock(struct sock *sk, struct sk_buff *skb,
+ 	   First: no IPv4 options.
+ 	 */
+ 	newinet->opt = NULL;
++	newnp->ipv6_fl_list = NULL;
+ 
+ 	/* Clone RX bits */
+ 	newnp->rxopt.all = np->rxopt.all;
diff --git a/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/ipv6_getsockopt_sticky-null-opt.patch b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/ipv6_getsockopt_sticky-null-opt.patch
new file mode 100644
index 0000000..1a124c2
--- /dev/null
+++ b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/ipv6_getsockopt_sticky-null-opt.patch
@@ -0,0 +1,42 @@
+From: David S. Miller <davem@sunset.davemloft.net>
+Date: Wed, 7 Mar 2007 20:50:46 +0000 (-0800)
+Subject: [IPV6]: Handle np->opt being NULL in ipv6_getsockopt_sticky().
+X-Git-Tag: v2.6.21-rc4~99^2~7
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=286930797d74b2c9a5beae84836044f6a836235f
+
+[IPV6]: Handle np->opt being NULL in ipv6_getsockopt_sticky().
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+
+diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
+index 286c867..4e0561a 100644
+--- a/net/ipv6/ipv6_sockglue.c
++++ b/net/ipv6/ipv6_sockglue.c
+@@ -795,11 +795,15 @@ int compat_ipv6_setsockopt(struct sock *sk, int level, int optname,
+ EXPORT_SYMBOL(compat_ipv6_setsockopt);
+ #endif
+ 
+-static int ipv6_getsockopt_sticky(struct sock *sk, struct ipv6_opt_hdr *hdr,
++static int ipv6_getsockopt_sticky(struct sock *sk, struct ipv6_txoptions *opt,
+ 				  char __user *optval, int len)
+ {
+-	if (!hdr)
++	struct ipv6_opt_hdr *hdr;
++
++	if (!opt || !opt->hopopt)
+ 		return 0;
++	hdr = opt->hopopt;
++
+ 	len = min_t(int, len, ipv6_optlen(hdr));
+ 	if (copy_to_user(optval, hdr, ipv6_optlen(hdr)))
+ 		return -EFAULT;
+@@ -940,7 +944,7 @@ static int do_ipv6_getsockopt(struct sock *sk, int level, int optname,
+ 	{
+ 
+ 		lock_sock(sk);
+-		len = ipv6_getsockopt_sticky(sk, np->opt->hopopt,
++		len = ipv6_getsockopt_sticky(sk, np->opt,
+ 					     optval, len);
+ 		release_sock(sk);
+ 		return put_user(len, optlen);
diff --git a/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/keys-serial-num-collision.patch b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/keys-serial-num-collision.patch
new file mode 100644
index 0000000..9875900
--- /dev/null
+++ b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/keys-serial-num-collision.patch
@@ -0,0 +1,92 @@
+From: David Howells <dhowells@redhat.com>
+Date: Tue, 6 Feb 2007 13:45:51 +0000 (+0000)
+Subject: [PATCH] Keys: Fix key serial number collision handling
+X-Git-Tag: v2.6.21-rc2~42^2~22
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=9ad0830f307bcd8dc285cfae58998d43b21727f4
+
+[PATCH] Keys: Fix key serial number collision handling
+
+Fix the key serial number collision avoidance code in key_alloc_serial().
+
+This didn't use to be so much of a problem as the key serial numbers were
+allocated from a simple incremental counter, and it would have to go through
+two billion keys before it could possibly encounter a collision.  However, now
+that random numbers are used instead, collisions are much more likely.
+
+This is fixed by finding a hole in the rbtree where the next unused serial
+number ought to be and using that by going almost back to the top of the
+insertion routine and redoing the insertion with the new serial number rather
+than trying to be clever and attempting to work out the insertion point
+pointer directly.
+
+This fixes kernel BZ #7727.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+
+diff --git a/security/keys/key.c b/security/keys/key.c
+index ac9326c..700400d 100644
+--- a/security/keys/key.c
++++ b/security/keys/key.c
+@@ -188,6 +188,7 @@ static inline void key_alloc_serial(struct key *key)
+ 
+ 	spin_lock(&key_serial_lock);
+ 
++attempt_insertion:
+ 	parent = NULL;
+ 	p = &key_serial_tree.rb_node;
+ 
+@@ -202,39 +203,33 @@ static inline void key_alloc_serial(struct key *key)
+ 		else
+ 			goto serial_exists;
+ 	}
+-	goto insert_here;
++
++	/* we've found a suitable hole - arrange for this key to occupy it */
++	rb_link_node(&key->serial_node, parent, p);
++	rb_insert_color(&key->serial_node, &key_serial_tree);
++
++	spin_unlock(&key_serial_lock);
++	return;
+ 
+ 	/* we found a key with the proposed serial number - walk the tree from
+ 	 * that point looking for the next unused serial number */
+ serial_exists:
+ 	for (;;) {
+ 		key->serial++;
+-		if (key->serial < 2)
+-			key->serial = 2;
+-
+-		if (!rb_parent(parent))
+-			p = &key_serial_tree.rb_node;
+-		else if (rb_parent(parent)->rb_left == parent)
+-			p = &(rb_parent(parent)->rb_left);
+-		else
+-			p = &(rb_parent(parent)->rb_right);
++		if (key->serial < 3) {
++			key->serial = 3;
++			goto attempt_insertion;
++		}
+ 
+ 		parent = rb_next(parent);
+ 		if (!parent)
+-			break;
++			goto attempt_insertion;
+ 
+ 		xkey = rb_entry(parent, struct key, serial_node);
+ 		if (key->serial < xkey->serial)
+-			goto insert_here;
++			goto attempt_insertion;
+ 	}
+ 
+-	/* we've found a suitable hole - arrange for this key to occupy it */
+-insert_here:
+-	rb_link_node(&key->serial_node, parent, p);
+-	rb_insert_color(&key->serial_node, &key_serial_tree);
+-
+-	spin_unlock(&key_serial_lock);
+-
+ } /* end key_alloc_serial() */
+ 
+ /*****************************************************************************/
diff --git a/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/netlink-infinite-recursion.patch b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/netlink-infinite-recursion.patch
new file mode 100644
index 0000000..df76325
--- /dev/null
+++ b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/netlink-infinite-recursion.patch
@@ -0,0 +1,65 @@
+From: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
+Date: Wed, 25 Apr 2007 20:59:03 +0000 (+0000)
+Subject: [PATCH] NETLINK: Infinite recursion in netlink.
+X-Git-Tag: v2.6.20.8~1
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6.20.y.git;a=commitdiff_plain;h=9bc1779885f4ce1a4257c5640c70b75d2ae124ad
+
+[PATCH] NETLINK: Infinite recursion in netlink.
+
+[NETLINK]: Infinite recursion in netlink.
+
+Reply to NETLINK_FIB_LOOKUP messages were misrouted back to kernel,
+which resulted in infinite recursion and stack overflow.
+
+The bug is present in all kernel versions since the feature appeared.
+
+The patch also makes some minimal cleanup:
+
+1. Return something consistent (-ENOENT) when fib table is missing
+2. Do not crash when queue is empty (does not happen, but yet)
+3. Put result of lookup
+
+Signed-off-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+
+diff -urN linux-source-2.6.18.orig/net/ipv4/fib_frontend.c linux-source-2.6.18/net/ipv4/fib_frontend.c
+--- linux-source-2.6.18.orig/net/ipv4/fib_frontend.c	2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/net/ipv4/fib_frontend.c	2007-05-01 15:21:37.000000000 -0600
+@@ -524,6 +524,8 @@
+ 							    .fwmark = frn->fl_fwmark,
+ 							    .tos = frn->fl_tos,
+ 							    .scope = frn->fl_scope } } };
++
++	frn->err = -ENOENT;
+ 	if (tb) {
+ 		local_bh_disable();
+ 
+@@ -535,6 +537,7 @@
+ 			frn->nh_sel = res.nh_sel;
+ 			frn->type = res.type;
+ 			frn->scope = res.scope;
++			fib_res_put(&res);
+ 		}
+ 		local_bh_enable();
+ 	}
+@@ -549,6 +552,9 @@
+ 	struct fib_table *tb;
+ 	
+ 	skb = skb_dequeue(&sk->sk_receive_queue);
++	if (skb == NULL)
++		return;
++
+ 	nlh = (struct nlmsghdr *)skb->data;
+ 	if (skb->len < NLMSG_SPACE(0) || skb->len < nlh->nlmsg_len ||
+ 	    nlh->nlmsg_len < NLMSG_LENGTH(sizeof(*frn))) {
+@@ -561,7 +567,7 @@
+ 
+ 	nl_fib_lookup(frn, tb);
+ 	
+-	pid = nlh->nlmsg_pid;           /*pid of sending process */
++	pid = NETLINK_CB(skb).pid;       /* pid of sending process */
+ 	NETLINK_CB(skb).pid = 0;         /* from kernel */
+ 	NETLINK_CB(skb).dst_pid = pid;
+ 	NETLINK_CB(skb).dst_group = 0;  /* unicast */
diff --git a/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/nf_conntrack-set-nfctinfo.patch b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/nf_conntrack-set-nfctinfo.patch
new file mode 100644
index 0000000..f540a67
--- /dev/null
+++ b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/nf_conntrack-set-nfctinfo.patch
@@ -0,0 +1,35 @@
+From: Patrick McHardy <kaber@trash.net>
+Date: Wed, 7 Mar 2007 21:34:42 +0000 (+0100)
+Subject: nf_conntrack: fix incorrect classification of IPv6 fragments as ESTABLISHED
+X-Git-Tag: v2.6.20.3~11
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6.20.y.git;a=commitdiff_plain;h=868f0120e0f93d070ea7f3e969c09dbab8ad7bc7
+
+nf_conntrack: fix incorrect classification of IPv6 fragments as ESTABLISHED
+
+[NETFILTER]: nf_conntrack: fix incorrect classification of IPv6 fragments as ESTABLISHED
+
+The individual fragments of a packet reassembled by conntrack have the
+conntrack reference from the reassembled packet attached, but nfctinfo
+is not copied. This leaves it initialized to 0, which unfortunately is
+the value of IP_CT_ESTABLISHED.
+
+The result is that all IPv6 fragments are tracked as ESTABLISHED,
+allowing them to bypass a usual ruleset which accepts ESTABLISHED
+packets early.
+
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+
+diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+index a20615f..6155b80 100644
+--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
++++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+@@ -257,6 +257,7 @@ static unsigned int ipv6_conntrack_in(unsigned int hooknum,
+ 		}
+ 		nf_conntrack_get(reasm->nfct);
+ 		(*pskb)->nfct = reasm->nfct;
++		(*pskb)->nfctinfo = reasm->nfctinfo;
+ 		return NF_ACCEPT;
+ 	}
+ 
diff --git a/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/nfnetlink_log-null-deref.patch b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/nfnetlink_log-null-deref.patch
new file mode 100644
index 0000000..b86a409
--- /dev/null
+++ b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/nfnetlink_log-null-deref.patch
@@ -0,0 +1,37 @@
+From: Michal Miroslaw <mirq-linux@rere.qmqm.pl>
+Date: Sun, 4 Mar 2007 23:59:20 +0000 (-0800)
+Subject: [NETFILTER]: nfnetlink_log: fix possible NULL pointer dereference
+X-Git-Tag: v2.6.21~469^2~10
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=dd16704eba171b32ef0cded3a4f562b33b911066
+
+[NETFILTER]: nfnetlink_log: fix possible NULL pointer dereference
+
+Eliminate possible NULL pointer dereference in nfulnl_recv_config().
+
+Signed-off-by: Michal Miroslaw <mirq-linux@rere.qmqm.pl>
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+
+diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
+index 1b94051..b669db5 100644
+--- a/net/netfilter/nfnetlink_log.c
++++ b/net/netfilter/nfnetlink_log.c
+@@ -858,6 +858,9 @@ nfulnl_recv_config(struct sock *ctnl, struct sk_buff *skb,
+ 			ret = -EINVAL;
+ 			break;
+ 		}
++
++		if (!inst)
++			goto out;
+ 	} else {
+ 		if (!inst) {
+ 			UDEBUG("no config command, and no instance for "
+@@ -911,6 +914,7 @@ nfulnl_recv_config(struct sock *ctnl, struct sk_buff *skb,
+ 
+ out_put:
+ 	instance_put(inst);
++out:
+ 	return ret;
+ }
+ 
diff --git a/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/nl_fib_lookup-oops.patch b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/nl_fib_lookup-oops.patch
new file mode 100644
index 0000000..c0547fa
--- /dev/null
+++ b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/nl_fib_lookup-oops.patch
@@ -0,0 +1,34 @@
+From: Sergey Vlasov <vsu@altlinux.ru>
+Date: Fri, 27 Apr 2007 09:18:35 +0000 (-0700)
+Subject: IPV4: Fix OOPS'er added to netlink fib.
+X-Git-Tag: v2.6.20.10~2
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6.20.y.git;a=commitdiff_plain;h=6af3412cff50b9a7b12b7b9cf6f01b34fbae4624
+
+IPV4: Fix OOPS'er added to netlink fib.
+
+[IPV4] nl_fib_lookup: Initialise res.r before fib_res_put(&res)
+
+When CONFIG_IP_MULTIPLE_TABLES is enabled, the code in nl_fib_lookup()
+needs to initialize the res.r field before fib_res_put(&res) - unlike
+fib_lookup(), a direct call to ->tb_lookup does not set this field.
+
+Signed-off-by: Sergey Vlasov <vsu@altlinux.ru>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+
+diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
+index fa2cb8c..30aae76 100644
+--- a/net/ipv4/fib_frontend.c
++++ b/net/ipv4/fib_frontend.c
+@@ -773,6 +773,10 @@ static void nl_fib_lookup(struct fib_result_nl *frn, struct fib_table *tb )
+ 							    .tos = frn->fl_tos,
+ 							    .scope = frn->fl_scope } } };
+ 
++#ifdef CONFIG_IP_MULTIPLE_TABLES
++	res.r = NULL;
++#endif
++
+ 	frn->err = -ENOENT;
+ 	if (tb) {
+ 		local_bh_disable();
diff --git a/tags/2.6.20/fedora-xen-patches-2.6.20-2925.11/0952-linux-2.6-xen-x86_64-silence-up-apic-errors.patch b/tags/2.6.20/fedora-xen-patches-2.6.20-2925.11/0952-linux-2.6-xen-x86_64-silence-up-apic-errors.patch
new file mode 100644
index 0000000..788af81
--- /dev/null
+++ b/tags/2.6.20/fedora-xen-patches-2.6.20-2925.11/0952-linux-2.6-xen-x86_64-silence-up-apic-errors.patch
@@ -0,0 +1,13 @@
+diff -r 00cc4568f10f arch/x86_64/kernel/apic-xen.c
+--- a/arch/x86_64/kernel/apic-xen.c	Tue Jul 25 21:07:37 2006 +0200
++++ b/arch/x86_64/kernel/apic-xen.c	Tue Jul 25 21:17:54 2006 +0200
+@@ -174,7 +174,8 @@ asmlinkage void smp_error_interrupt(void
+ 	   6: Received illegal vector
+ 	   7: Illegal register address
+ 	*/
+-	printk (KERN_DEBUG "APIC error on CPU%d: %02x(%02x)\n",
++	if (num_online_cpus() > 1)
++		printk (KERN_DEBUG "APIC error on CPU%d: %02x(%02x)\n",
+ 	        smp_processor_id(), v , v1);
+ 	irq_exit();
+ }
diff --git a/tags/2.6.20/fedora-xen-patches-2.6.20-2925.11/0956-linux-2.6-fix-x86_64-smp.patch b/tags/2.6.20/fedora-xen-patches-2.6.20-2925.11/0956-linux-2.6-fix-x86_64-smp.patch
new file mode 100644
index 0000000..24796a5
--- /dev/null
+++ b/tags/2.6.20/fedora-xen-patches-2.6.20-2925.11/0956-linux-2.6-fix-x86_64-smp.patch
@@ -0,0 +1,19 @@
+--- linux-2.6.20.noarch/arch/x86_64/kernel/time-xen.c~orig	2007-04-26 02:05:31.000000000 -0700
++++ linux-2.6.20.noarch/arch/x86_64/kernel/time-xen.c	2007-04-26 02:02:27.000000000 -0700
+@@ -985,7 +985,7 @@ void time_resume(void)
+ #ifdef CONFIG_SMP
+ static char timer_name[NR_CPUS][15];
+ 
+-void local_setup_timer(unsigned int cpu)
++int local_setup_timer(unsigned int cpu)
+ {
+ 	int seq;
+ 
+@@ -1009,6 +1009,7 @@ void local_setup_timer(unsigned int cpu)
+ 			timer_name[cpu],
+ 			NULL);
+ 	BUG_ON(per_cpu(timer_irq, cpu) < 0);
++	return 0;
+ }
+ 
+ void local_teardown_timer(unsigned int cpu)
diff --git a/tags/2.6.20/fedora-xen-patches-2.6.20-2925.11/0957-linux-2.6-fix-x86_64-vgetcpu.patch b/tags/2.6.20/fedora-xen-patches-2.6.20-2925.11/0957-linux-2.6-fix-x86_64-vgetcpu.patch
new file mode 100644
index 0000000..17e0247
--- /dev/null
+++ b/tags/2.6.20/fedora-xen-patches-2.6.20-2925.11/0957-linux-2.6-fix-x86_64-vgetcpu.patch
@@ -0,0 +1,65 @@
+--- linux-2.6.20.noarch/arch/x86_64/kernel/vsyscall.c~orig	2007-04-26 02:05:31.000000000 -0700
++++ linux-2.6.20.noarch/arch/x86_64/kernel/vsyscall.c	2007-04-26 15:11:02.000000000 -0700
+@@ -40,6 +40,9 @@
+ #include <asm/segment.h>
+ #include <asm/desc.h>
+ #include <asm/topology.h>
++#ifdef CONFIG_XEN
++#include <asm/hypercall.h>
++#endif
+ 
+ #define __vsyscall(nr) __attribute__ ((unused,__section__(".vsyscall_" #nr)))
+ #define __syscall_clobber "r11","rcx","memory"
+@@ -246,12 +249,11 @@
+ 
+ #endif
+ 
+-#ifndef CONFIG_XEN
+ /* Assume __initcall executes before all user space. Hopefully kmod
+    doesn't violate that. We'll find out if it does. */
+ static void __cpuinit vsyscall_set_cpu(int cpu)
+ {
+-	unsigned long *d;
++	unsigned long *d, n;
+ 	unsigned long node = 0;
+ #ifdef CONFIG_NUMA
+ 	node = cpu_to_node[cpu];
+@@ -263,10 +265,15 @@
+ 	   in user space in vgetcpu.
+ 	   12 bits for the CPU and 8 bits for the node. */
+ 	d = (unsigned long *)(cpu_gdt(cpu) + GDT_ENTRY_PER_CPU);
+-	*d = 0x0f40000000000ULL;
+-	*d |= cpu;
+-	*d |= (node & 0xf) << 12;
+-	*d |= (node >> 4) << 48;
++	n = 0x0f40000000000ULL;
++	n |= cpu;
++	n |= (node & 0xf) << 12;
++	n |= (node >> 4) << 48;
++#ifndef CONFIG_XEN
++	*d = n;
++#else
++	HYPERVISOR_update_descriptor(virt_to_machine(d), n);
++#endif
+ }
+ 
+ static void __cpuinit cpu_vsyscall_init(void *arg)
+@@ -283,7 +290,6 @@
+ 		smp_call_function_single(cpu, cpu_vsyscall_init, NULL, 0, 1);
+ 	return NOTIFY_DONE;
+ }
+-#endif
+ 
+ static void __init map_vsyscall(void)
+ {
+@@ -320,10 +326,8 @@
+ #ifdef CONFIG_SYSCTL
+ 	register_sysctl_table(kernel_root_table2, 0);
+ #endif
+-#ifndef CONFIG_XEN
+ 	on_each_cpu(cpu_vsyscall_init, NULL, 0, 1);
+ 	hotcpu_notifier(cpu_vsyscall_notifier, 0);
+-#endif
+ 	return 0;
+ }
+ 
diff --git a/tags/2.6.20/fedora-xen-patches-2.6.20-2925.11/0958-linux-2.6-xen-iscsi-x86_64-no_iommu_init.patch b/tags/2.6.20/fedora-xen-patches-2.6.20-2925.11/0958-linux-2.6-xen-iscsi-x86_64-no_iommu_init.patch
new file mode 100644
index 0000000..e46e657
--- /dev/null
+++ b/tags/2.6.20/fedora-xen-patches-2.6.20-2925.11/0958-linux-2.6-xen-iscsi-x86_64-no_iommu_init.patch
@@ -0,0 +1,46 @@
+# HG changeset patch
+# User chrisw@sous-sol.org
+# Date Tue Oct 03 13:44:38 2006 -0400
+# Node ID e5a7f30e1db3f1084f6789d21ea2a6fdaafdb96d
+# parent: 6cd0fae5d84c4a4b15546ceaade74b7d7f044404
+Make sure no_iommu_init is called when needed on x86_64.  Thanks
+to Mark McLoughlin <markmc@redhat.com> for spotting the issue and
+proposing a fix.
+
+Index: linux-2.6.20.i386/arch/i386/kernel/pci-dma-xen.c
+===================================================================
+--- linux-2.6.20.i386.orig/arch/i386/kernel/pci-dma-xen.c
++++ linux-2.6.20.i386/arch/i386/kernel/pci-dma-xen.c
+@@ -21,6 +21,9 @@
+ #include <asm/bug.h>
+ 
+ #ifdef __x86_64__
++#include <asm/proto.h>
++#include <asm/calgary.h>
++
+ int iommu_merge __read_mostly = 0;
+ EXPORT_SYMBOL(iommu_merge);
+ 
+@@ -69,6 +72,22 @@ void __init pci_iommu_alloc(void)
+ #endif
+ }
+ 
++static int __init pci_iommu_init(void)
++{
++#ifdef CONFIG_CALGARY_IOMMU
++	calgary_iommu_init();
++#endif
++
++#ifdef CONFIG_IOMMU
++	gart_iommu_init();
++#endif
++
++	no_iommu_init();
++	return 0;
++}
++
++/* Must execute after PCI subsystem */
++fs_initcall(pci_iommu_init);
+ #endif
+ 
+ struct dma_coherent_mem {
diff --git a/tags/2.6.20/fedora-xen-patches-2.6.20-2925.11/0959-linux-2.6-xen-fix-nosegneg-detection.patch b/tags/2.6.20/fedora-xen-patches-2.6.20-2925.11/0959-linux-2.6-xen-fix-nosegneg-detection.patch
new file mode 100644
index 0000000..915b84a
--- /dev/null
+++ b/tags/2.6.20/fedora-xen-patches-2.6.20-2925.11/0959-linux-2.6-xen-fix-nosegneg-detection.patch
@@ -0,0 +1,29 @@
+From: Rik van Riel <riel@redhat.com>
+Subject: [PATCH][RHEL5] fix nosegneg detection
+Date: Wed, 03 Jan 2007 12:59:10 -0500
+Bugzilla: 220675
+Message-Id: <459BEEEE.2060006@redhat.com>
+Changelog: xen: fix nosegneg detection
+
+
+The attached patch fixes bug 220675, by placing the nosegneg flag
+exactly where glibc expects it to be.  I swear I fixed this bug
+before once or twice, but the fix must have gotten lost somewhere.
+
+Please apply.
+
+-- 
+Politics is the struggle between those who want to make their country
+the best in the world, and those who believe it already is.  Each group
+calls the other unpatriotic.
+
+--- linux-2.6.18.x86_64/arch/i386/kernel/vsyscall-note-xen.S.220675	2007-01-03 12:56:38.000000000 -0500
++++ linux-2.6.18.x86_64/arch/i386/kernel/vsyscall-note-xen.S	2007-01-03 12:56:47.000000000 -0500
+@@ -28,5 +28,5 @@
+ #define NOTE_KERNELCAP_END ASM_ELF_NOTE_END
+ 
+ NOTE_KERNELCAP_BEGIN(1, 1)
+-NOTE_KERNELCAP(1, "nosegneg")  /* Change 1 back to 0 when glibc is fixed! */
++NOTE_KERNELCAP(0, "nosegneg")
+ NOTE_KERNELCAP_END
+