From ec32f4081212dd6c91474801161a1cdd5dbad407 Mon Sep 17 00:00:00 2001
From: Robert Buchholz
Date: Wed, 10 Oct 2007 10:04:04 +0000
Subject: Merge update two Debian patches

svn path=/patches/; revision=48
---
 trunk/2.6.18/00000_README | 15 ++++---
 trunk/2.6.18/30013_reset-pdeathsig-on-suid.patch | 22 ----------
 .../30041_ipv6-disallow-RH0-by-default-2.patch | 30 +++++++++++++
 .../30042_reset-pdeathsig-on-suid-upstream.patch | 51 ++++++++++++++++++++++
 4 files changed, 90 insertions(+), 28 deletions(-)
 delete mode 100644 trunk/2.6.18/30013_reset-pdeathsig-on-suid.patch
 create mode 100644 trunk/2.6.18/30041_ipv6-disallow-RH0-by-default-2.patch
 create mode 100644 trunk/2.6.18/30042_reset-pdeathsig-on-suid-upstream.patch

diff --git a/trunk/2.6.18/00000_README b/trunk/2.6.18/00000_README
index 27868b4..7f99598 100644
--- a/trunk/2.6.18/00000_README
+++ b/trunk/2.6.18/00000_README
@@ -86,12 +86,6 @@ Patches
 This patch changes the kernel ABI.
 See CVE-2006-5753
 
-30013_reset-pdeathsig-on-suid.patch
- [SECURITY] Fix potential privilege escalation caused by improper
- clearing of the child process' pdeath signal.
- Thanks to Marcel Holtmann for the patch.
- See CVE-2007-3848
-
 30014_bluetooth-l2cap-hci-info-leaks.patch
 [SECURITY] Fix information leaks in setsockopt() implementations
 See CVE-2007-1353
@@ -206,6 +200,15 @@ Patches
 wait for the device to close, blocking the USB subsystem.
 See CVE-2007-5093
 
+30041_ipv6-disallow-RH0-by-default-2.patch
+ Fix ipv6 rfc conformance issue introduced in 2.6.18.dfsg.1-13 by the
+ fix for CVE-2007-2242. Thanks to Brian Haley for the patch.
+ (closes: Debian #440127)
+
+30042_reset-pdeathsig-on-suid-upstream.patch
+ Update fix for CVE-2007-3848 with the patch accepted upstream
+ (formerly 30013_reset-pdeathsig-on-suid.patch)
+
 50001_make-install.patch
 Handle make install in a semi-sane way that plays nice with split
 domU/dom0 kernels.
diff --git a/trunk/2.6.18/30013_reset-pdeathsig-on-suid.patch b/trunk/2.6.18/30013_reset-pdeathsig-on-suid.patch
deleted file mode 100644
index 1be66aa..0000000
--- a/trunk/2.6.18/30013_reset-pdeathsig-on-suid.patch
+++ /dev/null
@@ -1,22 +0,0 @@
---- linux-source-2.6.18/fs/exec.c.orig 2006-09-19 21:42:06.000000000 -0600
-+++ linux-source-2.6.18/fs/exec.c 2007-08-10 19:44:43.000000000 -0600
-@@ -887,6 +887,7 @@
- file_permission(bprm->file, MAY_READ) ||
- (bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP)) {
- suid_keys(current);
-+ current->pdeath_signal = 0;
- current->mm->dumpable = suid_dumpable;
- }
- 
-@@ -977,8 +978,10 @@
- {
- int unsafe;
- 
-- if (bprm->e_uid != current->uid)
-+ if (bprm->e_uid != current->uid) {
- suid_keys(current);
-+ current->pdeath_signal = 0;
-+ }
- exec_keys(current);
- 
- task_lock(current);

diff --git a/trunk/2.6.18/30041_ipv6-disallow-RH0-by-default-2.patch b/trunk/2.6.18/30041_ipv6-disallow-RH0-by-default-2.patch
new file mode 100644
index 0000000..1923828
--- /dev/null
+++ b/trunk/2.6.18/30041_ipv6-disallow-RH0-by-default-2.patch
@@ -0,0 +1,30 @@
+diff --git a/net/ipv6/exthdrs.c b/net/ipv6/exthdrs.c
+index 95a9eb5..6e9822d 100644
+--- a/net/ipv6/exthdrs.c
++++ b/net/ipv6/exthdrs.c
+@@ -249,12 +249,6 @@ static int ipv6_rthdr_rcv(struct sk_buff **skbp)
+ 
+ hdr = (struct ipv6_rt_hdr *) skb->h.raw;
+ 
+- if (hdr->type != IPV6_SRCRT_TYPE_0) {
+- IP6_INC_STATS_BH(IPSTATS_MIB_INHDRERRORS);
+- icmpv6_param_prob(skb, ICMPV6_HDR_FIELD, (&hdr->type) - skb->nh.raw);
+- return -1;
+- }
+-
+ if (ipv6_addr_is_multicast(&skb->nh.ipv6h->daddr) ||
+ skb->pkt_type != PACKET_HOST) {
+ IP6_INC_STATS_BH(IPSTATS_MIB_INADDRERRORS);
+@@ -273,6 +267,12 @@ looped_back:
+ return 1;
+ }
+ 
++ if (hdr->type != IPV6_SRCRT_TYPE_0) {
++ IP6_INC_STATS_BH(IPSTATS_MIB_INHDRERRORS);
++ icmpv6_param_prob(skb, ICMPV6_HDR_FIELD, (&hdr->type) - skb->nh.raw);
++ return -1;
++ }
++
+ if (hdr->hdrlen & 0x01) {
+ IP6_INC_STATS_BH(IPSTATS_MIB_INHDRERRORS);
+ icmpv6_param_prob(skb, ICMPV6_HDR_FIELD, (&hdr->hdrlen) - skb->nh.raw);

diff --git a/trunk/2.6.18/30042_reset-pdeathsig-on-suid-upstream.patch b/trunk/2.6.18/30042_reset-pdeathsig-on-suid-upstream.patch
new file mode 100644
index 0000000..3e092c0
--- /dev/null
+++ b/trunk/2.6.18/30042_reset-pdeathsig-on-suid-upstream.patch
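Review bot: The new patch file carries no header at all — its first line is `+diff --git a/net/ipv6/exthdrs.c b/net/ipv6/exthdrs.c` — so neither the origin of the change nor the reason the `hdr->type != IPV6_SRCRT_TYPE_0` check moves from above the multicast test to below the `looped_back:` block is recorded, whereas the sibling 30042 quotes the upstream commit message and a backport note. The README attributes the patch to Brian Haley and Debian #440127; the patch file should carry the same attribution plus a one-line rationale before the first `diff --git`, e.g. `RFC 2460 4.4: a routing header of unrecognised type is ignored when Segments Left is zero and rejected with ICMP Parameter Problem only otherwise, so the type check must come after the Segments Left == 0 exit`. That the `return 1;` just under `looped_back:` is the Segments Left == 0 exit is inferred from the surrounding code, not visible in the hunk. ipv6_rthdr_rcv starts and ends outside both inner hunks.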
@@ -0,0 +1,51 @@
+From: Marcel Holtmann
+Date: Fri, 17 Aug 2007 19:47:58 +0000 (+0200)
+Subject: Reset current->pdeath_signal on SUID binary execution
+X-Git-Tag: v2.6.23-rc4~134
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=d2d56c5f51028cb9f3d800882eb6f4cbd3f9099f
+
+Reset current->pdeath_signal on SUID binary execution
+
+This fixes a vulnerability in the "parent process death signal"
+implementation discoverd by Wojciech Purczynski of COSEINC PTE Ltd.
+and iSEC Security Research.
+
+http://marc.info/?l=bugtraq&m=118711306802632&w=2
+
+Signed-off-by: Marcel Holtmann
+Signed-off-by: Linus Torvalds
+---
+
+Backported to Debian's 2.6.18 by dann frazier
+
+diff -urpN linux-source-2.6.18.orig/fs/exec.c linux-source-2.6.18/fs/exec.c
+--- linux-source-2.6.18.orig/fs/exec.c 2007-09-05 14:11:16.000000000 -0600
++++ linux-source-2.6.18/fs/exec.c 2007-09-05 14:17:02.000000000 -0600
+@@ -883,9 +883,12 @@ int flush_old_exec(struct linux_binprm *
+ */
+ current->mm->task_size = TASK_SIZE;
+ 
+- if (bprm->e_uid != current->euid || bprm->e_gid != current->egid ||
+- file_permission(bprm->file, MAY_READ) ||
+- (bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP)) {
++ if (bprm->e_uid != current->euid || bprm->e_gid != current->egid) {
++ suid_keys(current);
++ current->mm->dumpable = suid_dumpable;
++ current->pdeath_signal = 0;
++ } else if (file_permission(bprm->file, MAY_READ) ||
++ (bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP)) {
+ suid_keys(current);
+ current->mm->dumpable = suid_dumpable;
+ }
+@@ -977,8 +980,10 @@ void compute_creds(struct linux_binprm *
+ {
+ int unsafe;
+ 
+- if (bprm->e_uid != current->uid)
++ if (bprm->e_uid != current->uid) {
+ suid_keys(current);
++ current->pdeath_signal = 0;
++ }
+ exec_keys(current);
+ 
+ task_lock(current);
-- 
cgit v1.2.3-65-gdbad
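Review bot: The backport note `Backported to Debian's 2.6.18 by dann frazier` does not record that this replacement narrows where pdeath_signal is cleared compared with the deleted 30013: in the flush_old_exec hunk the reset now lives only in the new `bprm->e_uid != current->euid || bprm->e_gid != current->egid` branch, while the `else if` branch for unreadable or BINPRM_FLAGS_ENFORCE_NONDUMP binaries keeps suid_keys() and the dumpable change but no longer touches pdeath_signal. That is the upstream commit being imported, but anyone diffing 30013 against 30042 will see the difference and needs to know it is deliberate, so the note should say so, e.g. `Backported to Debian's 2.6.18 by dann frazier. Unlike 30013, pdeath_signal is cleared only on an euid/egid change, following upstream.` The compute_creds hunk resets on `bprm->e_uid != current->uid` alone; whether an egid-only change is already covered by the earlier flush_old_exec reset depends on call order that is not visible here. Both flush_old_exec and compute_creds start and end outside the inner hunks.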