From 821db7599500dc5a960b400a76b29a6169302b71 Mon Sep 17 00:00:00 2001 From: Ned Ludd Date: Sun, 11 Jul 2004 12:29:06 +0000 Subject: added modified security patch from bug 56479 --- sys-kernel/grsec-sources/ChangeLog | 8 +- sys-kernel/grsec-sources/Manifest | 5 +- .../grsec-sources/files/2.4.26-fchown-attr.patch | 22 +++++ .../files/digest-grsec-sources-2.4.26.2.0-r6 | 2 + .../grsec-sources-2.4.26.2.0-r6.ebuild | 96 ++++++++++++++++++++++ 5 files changed, 131 insertions(+), 2 deletions(-) create mode 100644 sys-kernel/grsec-sources/files/2.4.26-fchown-attr.patch create mode 100644 sys-kernel/grsec-sources/files/digest-grsec-sources-2.4.26.2.0-r6 create mode 100644 sys-kernel/grsec-sources/grsec-sources-2.4.26.2.0-r6.ebuild (limited to 'sys-kernel/grsec-sources') diff --git a/sys-kernel/grsec-sources/ChangeLog b/sys-kernel/grsec-sources/ChangeLog index 57c68489ed0a..47df3b7a6ed4 100644 --- a/sys-kernel/grsec-sources/ChangeLog +++ b/sys-kernel/grsec-sources/ChangeLog @@ -1,6 +1,12 @@ # ChangeLog for sys-kernel/grsec-sources # Copyright 2000-2004 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/sys-kernel/grsec-sources/ChangeLog,v 1.26 2004/06/26 04:45:18 solar Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-kernel/grsec-sources/ChangeLog,v 1.27 2004/07/11 12:29:06 solar Exp $ + +*grsec-sources-2.4.26.2.0-r6 (11 Jul 2004) + + 11 Jul 2004; grsec-sources-2.4.26.2.0-r6.ebuild, + files/2.4.26-fchown-attr.patch: + added modified security patch from bug 56479 *grsec-sources-2.4.26.2.0-r5 (26 Jun 2004) diff --git a/sys-kernel/grsec-sources/Manifest b/sys-kernel/grsec-sources/Manifest index 20959da2e027..c0dc5bb360a9 100644 --- a/sys-kernel/grsec-sources/Manifest +++ b/sys-kernel/grsec-sources/Manifest 
@@ -1,6 +1,7 @@
 MD5 b969d312ac4266769ab295c44748ffc4 grsec-sources-2.4.26.2.0-r4.ebuild 3065
+MD5 8eec4c810a4fb95efe9f6f3bbcf46f29 grsec-sources-2.4.26.2.0-r6.ebuild 3318
 MD5 ea8807d44eed01d93f651bd7254e3a83 grsec-sources-2.4.26.2.0-r3.ebuild 2817
-MD5 77d698377396456d2b242077427db897 ChangeLog 5578
+MD5 c03bfde85623c329e8461cf093eb3568 ChangeLog 5774
 MD5 140d8af1d66f9f6cd030e7d9902f38d9 metadata.xml 478
 MD5 d1056a17aa337464259468e329785e46 grsec-sources-2.4.26.2.0-r5.ebuild 3181
 MD5 c47b7075dd1e065b09bb08936c1901a1 files/2.4.26-signal-race.patch 365
@@ -13,3 +14,5 @@ MD5 dc18e982f8149588a291956481885a8c files/gentoo-sources-2.4.CAN-2004-0495.patc
 MD5 67eb43cb5340a7a671c2d375c0516888 files/digest-grsec-sources-2.4.26.2.0-r3 143
 MD5 67eb43cb5340a7a671c2d375c0516888 files/digest-grsec-sources-2.4.26.2.0-r4 143
 MD5 67eb43cb5340a7a671c2d375c0516888 files/digest-grsec-sources-2.4.26.2.0-r5 143
+MD5 67eb43cb5340a7a671c2d375c0516888 files/digest-grsec-sources-2.4.26.2.0-r6 143
+MD5 169359fc6f96d31d4b811b77b6326737 files/2.4.26-fchown-attr.patch 683
diff --git a/sys-kernel/grsec-sources/files/2.4.26-fchown-attr.patch b/sys-kernel/grsec-sources/files/2.4.26-fchown-attr.patch
new file mode 100644
index 000000000000..6ccbf4f51e04
--- /dev/null
+++ b/sys-kernel/grsec-sources/files/2.4.26-fchown-attr.patch
@@ -0,0 +1,22 @@
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2004/07/03 19:29:45-03:00 marcelo@logos.cnet
+# Add missing bracket to inode_change_ok() fix
+# TAG: v2.4.27-rc3
+#
+# fs/attr.c
+# 2004/07/03 19:28:29-03:00 marcelo@logos.cnet +1 -1
+# Add missing bracket to inode_change_ok() fix
+#
+--- fs/attr.c 2004-07-09 17:30:54.000000000 -0400
++++ fs/attr.c 2004-07-09 16:17:05.000000000 -0400
+@@ -33,7 +33,7 @@
+ 
+ /* Make sure caller can chgrp. */
+ if ((ia_valid & ATTR_GID) &&
+- (!in_group_p(attr->ia_gid) && attr->ia_gid != inode->i_gid) &&
++ (!in_group_p(attr->ia_gid) && attr->ia_gid != inode->i_gid)) &&
+ !capable(CAP_CHOWN))
+ goto error;
+ 
diff --git a/sys-kernel/grsec-sources/files/digest-grsec-sources-2.4.26.2.0-r6 b/sys-kernel/grsec-sources/files/digest-grsec-sources-2.4.26.2.0-r6
new file mode 100644
index 000000000000..6952b0eafedc
--- /dev/null
+++ b/sys-kernel/grsec-sources/files/digest-grsec-sources-2.4.26.2.0-r6
@@ -0,0 +1,2 @@
+MD5 9a6adfd65720201d600bf05e884cd78a grsecurity-2.0-2.4.26.patch.bz2 104358
+MD5 88d7aefa03c92739cb70298a0b486e2c linux-2.4.26.tar.bz2 30772389
diff --git a/sys-kernel/grsec-sources/grsec-sources-2.4.26.2.0-r6.ebuild b/sys-kernel/grsec-sources/grsec-sources-2.4.26.2.0-r6.ebuild
new file mode 100644
index 000000000000..b638e1b0827d
--- /dev/null
+++ b/sys-kernel/grsec-sources/grsec-sources-2.4.26.2.0-r6.ebuild
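Review bot: The added line `++ (!in_group_p(attr->ia_gid) && attr->ia_gid != inode->i_gid)) &&` only balances if the `if` line above it opens one more parenthesis than the context line shipped in this file shows; against `if ((ia_valid & ATTR_GID) &&` the condition ends with a stray `)` after `!capable(CAP_CHOWN))` and fs/attr.c will not compile. The BitKeeper header describes this changeset as the "missing bracket" follow-up to an earlier inode_change_ok() fix, so it presumes that earlier fix (which reshaped the `if`) is already present, and patch's default fuzz would let this hunk apply either way. Since the ebuild applies this file last, after the grsecurity patch and gentoo-sources-2.4.CAN-2004-0495.patch, it should be confirmed that one of those rewrites the `if` line; otherwise the earlier fix has to be carried in this file too. A header comment such as `# Requires the inode_change_ok() fsuid check from 2.4.27-rc2 to be applied first` would make that dependency visible to whoever rebases the patch.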
@@ -0,0 +1,96 @@
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sys-kernel/grsec-sources/grsec-sources-2.4.26.2.0-r6.ebuild,v 1.1 2004/07/11 12:29:06 solar Exp $
+
+# We control what versions of what we download based on the KEYWORDS we
+# are using for the various arches. Thus if we want grsec1 stable we run
+# the with "arch" ACCEPT_KEYWORDS or ~arch and we will get the
+# grsec-2.0-preX which has alot more features.
+
+# the only thing that should ever differ in one of these 1.9.x ebuilds
+# and 2.x of the same kernel version is the KEYWORDS and header.
+# shame cvs symlinks don't exist
+
+ETYPE="sources"
+IUSE=""
+
+inherit eutils kernel
+
+[ "$OKV" == "" ] && OKV="2.4.26"
+
+PATCH_BASE="${PV/${OKV}./}"
+PATCH_BASE="${PATCH_BASE/_/-}"
+EXTRAVERSION="-grsec-${PATCH_BASE}"
+KV="${OKV}${EXTRAVERSION}"
+
+PATCH_SRC_BASE="grsecurity-${PATCH_BASE}-${OKV}.patch.bz2"
+
+# hppa takes a special patch and usually has play catch up between
+# versions of this package.
+HPPA_SRC_URI=""
+if [ "${ARCH}" == "hppa" ]; then
+ PARISC_KERNEL_VERSION="pa1"
+ KV="${OKV}-${PARISC_KERNEL_VERSION}${EXTRAVERSION}"
+ HPPA_PATCH_SRC_BASE="parisc-linux-${OKV}-${PARISC_KERNEL_VERSION}${EXTRAVERSION}.gz"
+ HPPA_SRC_URI="mirror://gentoo/${HPPA_PATCH_SRC_BASE} http://dev.gentoo.org/~pappy/gentoo-x86/sys-kernel/grsec-sources/${HPPA_PATCH_SRC_BASE}"
+ PATCH_SRC_BASE="${HPPA_PATCH_SRC_BASE}"
+fi
+
+DESCRIPTION="Vanilla sources of the linux kernel with the grsecurity ${PATCH_BASE} patch"
+
+SRC_URI="mirror://gentoo/grsecurity-${PATCH_BASE}-${OKV}.patch.bz2 \
+ http://www.kernel.org/pub/linux/kernel/v2.4/linux-${OKV}.tar.bz2"
+
+HOMEPAGE="http://www.kernel.org/ http://www.grsecurity.net"
+
+KEYWORDS="x86 sparc ppc alpha amd64 -hppa"
+
+SLOT="${KV}"
+S="${WORKDIR}/linux-${KV}"
+
+src_unpack() {
+ unpack linux-"${OKV}".tar.bz2 || die "unable to unpack the kernel"
+ mv linux-"${OKV}" linux-"${KV}" || die "unable to move the kernel"
+ cd linux-"${KV}" || die "unable to cd into the kernel source tree"
+
+ patch_grsec_kernel
+
+ mkdir docs
+ touch docs/patches.txt
+ kernel_universal_unpack
+
+}
+
+patch_grsec_kernel() {
+ # users are often confused by what settings should be set.
+ # so we provide an example of what a P4 desktop would look like.
+ cp ${FILESDIR}/2.4.24-x86.config gentoo-grsec-custom-example-2.4.24-x86.config
+
+
+ [ -f "${DISTDIR}/${PATCH_SRC_BASE}" ] || die "File ${PATCH_SRC_BASE} does not exist?"
+ ebegin "Patching the kernel with ${PATCH_SRC_BASE}"
+ case "${ARCH}" in
+ hppa) zcat ${DISTDIR}/${PATCH_SRC_BASE} | patch -g0 -p1 --quiet ;;
+ *) bzcat ${DISTDIR}/${PATCH_SRC_BASE} | patch -g0 -p1 --quiet ;;
+ esac
+ [ $? 
== 0 ] || die "failed patching with ${PATCH_SRC_BASE}"
+ eend 0
+
+ # fix format string problem in panic()
+ epatch ${FILESDIR}/2.4.26-CAN-2004-0394.patch
+ # Fix local DoS bug #53804
+ epatch ${FILESDIR}/2.4.26-signal-race.patch
+
+ # i2c integer overflow vulnerability during the allocation of memory
+ #epatch ${FILESDIR}/2.4.26-i2cproc_bus_read.patch
+
+ # patch to force randomization to always at least PAGE_SIZE big.
+ epatch ${FILESDIR}/2.4.26-pax-binfmt_elf-page-size.patch
+
+ epatch ${FILESDIR}/gentoo-sources-2.4.CAN-2004-0495.patch
+ epatch ${FILESDIR}/gentoo-sources-2.4.CAN-2004-0535.patch
+
+ # Bug 56479 - fchown-attr
+ epatch ${FILESDIR}/2.4.26-fchown-attr.patch
+}
+
-- cgit v1.2.3-65-gdbad
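Review bot: In patch_grsec_kernel, `[ $? == 0 ] || die` after the `case` only sees the exit status of `patch`, the last stage of the pipeline; if `zcat`/`bzcat` fails part-way on a truncated or corrupt distfile, patch may still exit 0 for whatever complete hunks it received, and the later `epatch` calls and the build then run on a partially patched tree. Checking both stages right after each pipeline, e.g. `hppa) zcat "${DISTDIR}/${PATCH_SRC_BASE}" | patch -g0 -p1 --quiet; [ "${PIPESTATUS[*]}" == "0 0" ] || die "failed patching with ${PATCH_SRC_BASE}" ;;` (and the same for the `*)` branch), closes that gap, since PIPESTATUS is overwritten by the next command and cannot be read after `esac`. The unchecked `cp ${FILESDIR}/2.4.24-x86.config …` should likewise get quotes and a `|| die`, matching the `unpack`/`mv`/`cd` lines in src_unpack. The comment `# Bug 56479 - fchown-attr` would say more as `# Bug 56479 - fchown-attr: missing bracket in the inode_change_ok() chgrp check (2.4.27-rc3)`, since the patch file's own header is currently the only place that states what it fixes.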