Hello community, here is the log from the commit of package kernel-source for openSUSE:Factory checked in at 2016-08-13 18:29:32 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/kernel-source (Old) and /work/SRC/openSUSE:Factory/.kernel-source.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "kernel-source" Changes: --------
--- /work/SRC/openSUSE:Factory/kernel-source/kernel-debug.changes 2016-07-30 00:25:50.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.kernel-source.new/kernel-debug.changes 2016-08-13 18:29:33.000000000 +0200
@@ -1,0 +2,60 @@
+Thu Aug 4 13:26:54 CEST 2016 - [email protected]
+
+- aacraid: prevent out-of-bounds access due to changing fip
+ header sizes (bsc#991608, CVE-2016-6480).
+- commit 162f969
+
+-------------------------------------------------------------------
+Thu Aug 4 01:48:42 CEST 2016 - [email protected]
+
+- Revert "SUNRPC: xs_sock_mark_closed() does not need to trigger
+ socket autoclose" (bsc#990356).
+- commit fd538ca
+
+-------------------------------------------------------------------
+Wed Aug 3 14:23:00 CEST 2016 - [email protected]
+
+- vfs: ioctl: prevent double-fetch in dedupe ioctl
+ (CVE-2016-6516,bsc#991604).
+- commit 4008557
+
+-------------------------------------------------------------------
+Wed Aug 3 11:43:29 CEST 2016 - [email protected]
+
+- Update
+ patches.fixes/netfilter-x_tables-speed-up-jump-target-validation.patch
+ references (CVE-2016-4998 bsc#986365).
+- commit 10e550e
+
+-------------------------------------------------------------------
+Tue Aug 2 10:53:22 CEST 2016 - [email protected]
+
+- Make pinctrl-amd driver modular
+ The pinctrl-amd driver can now be built as a module.
+- commit 52eb238
+
+-------------------------------------------------------------------
+Tue Aug 2 10:53:18 CEST 2016 - [email protected]
+
+- config: Enable missing BayTrail and LynxPoint drivers
+ We support the Intel BayTrail and LynxPoint systems so I believe we
+ should enable all related drivers.
+- commit 69e57d4
+
+-------------------------------------------------------------------
+Mon Aug 1 09:50:41 CEST 2016 - [email protected]
+
+- rpm/constraints.in: inscrease binary size req to 25G
+ Currently, the build of master's -default kernel consumes exactly 20G.
+ So increase the limit from 20G to 25G to stop build failures in the
+ BS.
+- commit c8360d6
+
+-------------------------------------------------------------------
+Mon Jul 25 11:51:10 CEST 2016 - [email protected]
+
+- apparmor: fix arg_size computation for when setprocattr is
+ null terminated (CVE-2016-6187,bsc#988307).
+- commit d1fa560
+
+-------------------------------------------------------------------
@@ -40,0 +101,8 @@
+Mon Jul 18 10:14:34 CEST 2016 - [email protected]
+
+- rpm/kernel-spec-macros: Add kver_cmp macro
+ This allows to use %if statements based on the version of the kernel to
+ be built.
+- commit ea700be
+
+-------------------------------------------------------------------
@@ -52,0 +121,6 @@
+Fri Jul 15 17:32:23 CEST 2016 - [email protected]
+
+- rpm/kernel-source.spec.in: recommends openssl-devel (bsc#987384)
+- commit 2c51311
+
+-------------------------------------------------------------------
@@ -58,0 +133,7 @@
+Wed Jul 13 12:17:38 CEST 2016 - [email protected]
+
+- rpm/constraints.in: Increase to 8GB for kernel-source
+ 4GB seems still too tight for some archs like ppc64le...
+- commit d82b2bf
+
+-------------------------------------------------------------------
@@ -309,0 +391,18 @@ + +------------------------------------------------------------------- +Wed Jun 15 17:06:07 CEST 2016 - [email protected] + +- rpm/constraints.in: Really require 4GB for kernel-source, add -rt (bsc#984845) +- commit a0dec36 + +------------------------------------------------------------------- +Wed Jun 15 15:17:11 CEST 2016 - [email protected] + +- rpm/constraints.in: Require 4GB of disk space for kernel-source (bsc#984845) +- commit 1b20111 + +------------------------------------------------------------------- +Tue Jun 14 16:56:52 CEST 2016 - [email protected] + +- rpm/kernel-binary.spec.in: Use the default value for CONFIG_MODULE_SIG_KEY (bsc#983634) +- commit 6eb6cd2 kernel-default.changes: same change kernel-docs.changes: same change kernel-lpae.changes: same change kernel-obs-build.changes: same change kernel-obs-qa.changes: same change kernel-pae.changes: same change kernel-source.changes: same change kernel-syms.changes: same change kernel-vanilla.changes: same change ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ kernel-debug.spec ++++++ --- /var/tmp/diff_new_pack.DmH5oh/_old 2016-08-13 18:29:39.000000000 +0200 +++ /var/tmp/diff_new_pack.DmH5oh/_new 2016-08-13 18:29:39.000000000 +0200 @@ -63,7 +63,7 @@ Group: System/Kernel Version: 4.7.0 %if 0%{?is_kotd} -Release: <RELEASE>.g89a2ada +Release: <RELEASE>.gdf207c0 %else Release: 0 %endif 
@@ -505,20 +505,16 @@ %_sourcedir/modversions --unpack . < $_ fi -# copy module signing certificate(s) +# copy module signing certificate(s). We use the default path and trick +# certs/Makefile to not regenerate the certificate. It is done this way so +# that the kernel-source package can be rebuilt even without the certificate +mkdir -p certs for f in %_sourcedir/*.crt; do if ! test -e "$f"; then continue fi - case "${f##*/}" in - SLES-UEFI*.crt) - ../scripts/config --set-str CONFIG_MODULE_SIG_KEY "${f##*/}" - cp "$f" . - ;; - *) - cat "$f" >>keyring.crt - ../scripts/config --set-str CONFIG_SYSTEM_TRUSTED_KEYS "keyring.crt" - esac + touch certs/x509.genkey + cat "$f" >>certs/signing_key.pem done MAKE_ARGS="$MAKE_ARGS %{?_smp_mflags}" kernel-default.spec: same change ++++++ kernel-docs.spec ++++++ --- /var/tmp/diff_new_pack.DmH5oh/_old 2016-08-13 18:29:39.000000000 +0200 +++ /var/tmp/diff_new_pack.DmH5oh/_new 2016-08-13 18:29:39.000000000 +0200 @@ -29,7 +29,7 @@ Group: Documentation/Man Version: 4.7.0 %if 0%{?is_kotd} -Release: <RELEASE>.g89a2ada +Release: <RELEASE>.gdf207c0 %else Release: 0 %endif ++++++ kernel-lpae.spec ++++++ --- /var/tmp/diff_new_pack.DmH5oh/_old 2016-08-13 18:29:39.000000000 +0200 +++ /var/tmp/diff_new_pack.DmH5oh/_new 2016-08-13 18:29:39.000000000 +0200 @@ -63,7 +63,7 @@ Group: System/Kernel Version: 4.7.0 %if 0%{?is_kotd} -Release: <RELEASE>.g89a2ada +Release: <RELEASE>.gdf207c0 %else Release: 0 %endif 
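Review bot: In the kernel-debug.spec hunk at -505 the rewritten loop appends every `%_sourcedir/*.crt` to `certs/signing_key.pem`, so the removed distinction between the `SLES-UEFI*.crt` signing certificate and the other certificates that went to `keyring.crt` via `CONFIG_SYSTEM_TRUSTED_KEYS` is gone, and the new comment does not say whether the additional certificates are still meant to end up trusted by the built kernel. The comment should name which certificates are expected in `%_sourcedir` and spell out the ordering the trick depends on, e.g. `# signing_key.pem must be written after x509.genkey, otherwise certs/Makefile regenerates it`. The loop also appends each file unchecked, so a `.crt` that is not PEM-encoded would presumably be concatenated as-is; a format check before the `cat` would make that failure visible at this step. The identical loop appears in the kernel-lpae.spec, kernel-pae.spec, kernel-vanilla.spec and kernel-binary.spec.in hunks, where the same applies.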
@@ -499,20 +499,16 @@ %_sourcedir/modversions --unpack . < $_ fi -# copy module signing certificate(s) +# copy module signing certificate(s). We use the default path and trick +# certs/Makefile to not regenerate the certificate. It is done this way so +# that the kernel-source package can be rebuilt even without the certificate +mkdir -p certs for f in %_sourcedir/*.crt; do if ! test -e "$f"; then continue fi - case "${f##*/}" in - SLES-UEFI*.crt) - ../scripts/config --set-str CONFIG_MODULE_SIG_KEY "${f##*/}" - cp "$f" . - ;; - *) - cat "$f" >>keyring.crt - ../scripts/config --set-str CONFIG_SYSTEM_TRUSTED_KEYS "keyring.crt" - esac + touch certs/x509.genkey + cat "$f" >>certs/signing_key.pem done MAKE_ARGS="$MAKE_ARGS %{?_smp_mflags}" ++++++ kernel-obs-build.spec ++++++ --- /var/tmp/diff_new_pack.DmH5oh/_old 2016-08-13 18:29:39.000000000 +0200 +++ /var/tmp/diff_new_pack.DmH5oh/_new 2016-08-13 18:29:39.000000000 +0200 @@ -53,7 +53,7 @@ Group: SLES Version: 4.7.0 %if 0%{?is_kotd} -Release: <RELEASE>.g89a2ada +Release: <RELEASE>.gdf207c0 %else Release: 0 %endif kernel-obs-qa.spec: same change ++++++ kernel-pae.spec ++++++ --- /var/tmp/diff_new_pack.DmH5oh/_old 2016-08-13 18:29:39.000000000 +0200 +++ /var/tmp/diff_new_pack.DmH5oh/_new 2016-08-13 18:29:39.000000000 +0200 @@ -63,7 +63,7 @@ Group: System/Kernel Version: 4.7.0 %if 0%{?is_kotd} -Release: <RELEASE>.g89a2ada +Release: <RELEASE>.gdf207c0 %else Release: 0 %endif 
@@ -525,20 +525,16 @@ %_sourcedir/modversions --unpack . < $_ fi -# copy module signing certificate(s) +# copy module signing certificate(s). We use the default path and trick +# certs/Makefile to not regenerate the certificate. It is done this way so +# that the kernel-source package can be rebuilt even without the certificate +mkdir -p certs for f in %_sourcedir/*.crt; do if ! test -e "$f"; then continue fi - case "${f##*/}" in - SLES-UEFI*.crt) - ../scripts/config --set-str CONFIG_MODULE_SIG_KEY "${f##*/}" - cp "$f" . - ;; - *) - cat "$f" >>keyring.crt - ../scripts/config --set-str CONFIG_SYSTEM_TRUSTED_KEYS "keyring.crt" - esac + touch certs/x509.genkey + cat "$f" >>certs/signing_key.pem done MAKE_ARGS="$MAKE_ARGS %{?_smp_mflags}" ++++++ kernel-source.spec ++++++ --- /var/tmp/diff_new_pack.DmH5oh/_old 2016-08-13 18:29:39.000000000 +0200 +++ /var/tmp/diff_new_pack.DmH5oh/_new 2016-08-13 18:29:39.000000000 +0200 @@ -32,7 +32,7 @@ Group: Development/Sources Version: 4.7.0 %if 0%{?is_kotd} -Release: <RELEASE>.g89a2ada +Release: <RELEASE>.gdf207c0 %else Release: 0 %endif @@ -114,6 +114,7 @@ Prefix: /usr/src # Source is only complete with devel files. Requires: kernel-devel%variant = %version-%release +Recommends: openssl-devel %(chmod +x %_sourcedir/{guards,apply-patches,check-for-config-changes,group-source-files.pl,find-provides,find-requires,split-modules,modversions,kabi.pl,mkspec,compute-PATCHVERSION.sh,arch-symbols,log.sh,try-disable-staging-driver,compress-vmlinux.sh}) ++++++ kernel-syms.spec ++++++ --- /var/tmp/diff_new_pack.DmH5oh/_old 2016-08-13 18:29:39.000000000 +0200 +++ /var/tmp/diff_new_pack.DmH5oh/_new 2016-08-13 18:29:39.000000000 +0200 
@@ -27,7 +27,7 @@ Version: 4.7.0 %if %using_buildservice %if 0%{?is_kotd} -Release: <RELEASE>.g89a2ada +Release: <RELEASE>.gdf207c0 %else Release: 0 %endif ++++++ kernel-vanilla.spec ++++++ --- /var/tmp/diff_new_pack.DmH5oh/_old 2016-08-13 18:29:39.000000000 +0200 +++ /var/tmp/diff_new_pack.DmH5oh/_new 2016-08-13 18:29:39.000000000 +0200 @@ -63,7 +63,7 @@ Group: System/Kernel Version: 4.7.0 %if 0%{?is_kotd} -Release: <RELEASE>.g89a2ada +Release: <RELEASE>.gdf207c0 %else Release: 0 %endif @@ -498,20 +498,16 @@ %_sourcedir/modversions --unpack . < $_ fi -# copy module signing certificate(s) +# copy module signing certificate(s). We use the default path and trick +# certs/Makefile to not regenerate the certificate. It is done this way so +# that the kernel-source package can be rebuilt even without the certificate +mkdir -p certs for f in %_sourcedir/*.crt; do if ! test -e "$f"; then continue fi - case "${f##*/}" in - SLES-UEFI*.crt) - ../scripts/config --set-str CONFIG_MODULE_SIG_KEY "${f##*/}" - cp "$f" . - ;; - *) - cat "$f" >>keyring.crt - ../scripts/config --set-str CONFIG_SYSTEM_TRUSTED_KEYS "keyring.crt" - esac + touch certs/x509.genkey + cat "$f" >>certs/signing_key.pem done MAKE_ARGS="$MAKE_ARGS %{?_smp_mflags}" ++++++ _constraints ++++++ --- /var/tmp/diff_new_pack.DmH5oh/_old 2016-08-13 18:29:39.000000000 +0200 +++ /var/tmp/diff_new_pack.DmH5oh/_new 2016-08-13 18:29:39.000000000 +0200 @@ -1,5 +1,5 @@ <constraints> - <!-- Require 20GB everywhere except for s390x --> + <!-- Default 20GB for binary packages --> <overwrite> <conditions> <package>kernel-debug</package> 
@@ -10,11 +10,25 @@ </conditions> <hardware> <disk> - <size unit="G">20</size> + <size unit="G">25</size> </disk> </hardware> </overwrite> + <!-- 8GB for kernel-source --> + <overwrite> + <conditions> + <package>kernel-source</package> + <package>kernel-source-rt</package> + </conditions> + <hardware> + <disk> + <size unit="G">8</size> + </disk> + </hardware> + </overwrite> + + <!-- 10GB for binary package on s390x --> <overwrite> <conditions> <arch>s390x</arch> @@ -31,6 +45,7 @@ </hardware> </overwrite> + <!-- 8 CPUs for binary packages on x86 --> <overwrite> <conditions> <arch>i586</arch> @@ -46,6 +61,7 @@ </hardware> </overwrite> + <!-- 4 CPUs for binary packages on POWER --> <overwrite> <conditions> <arch>ppc</arch> ++++++ config.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/config/arm64/default new/config/arm64/default --- old/config/arm64/default 2016-07-25 09:30:54.000000000 +0200 +++ new/config/arm64/default 2016-08-03 14:17:46.000000000 +0200 @@ -3684,7 +3684,7 @@ CONFIG_PINCONF=y CONFIG_GENERIC_PINCONF=y # CONFIG_DEBUG_PINCTRL is not set -CONFIG_PINCTRL_AMD=y +CONFIG_PINCTRL_AMD=m CONFIG_PINCTRL_ROCKCHIP=y CONFIG_PINCTRL_SINGLE=m CONFIG_PINCTRL_IPROC_GPIO=y diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/config/armv7hl/default new/config/armv7hl/default --- old/config/armv7hl/default 2016-07-25 09:30:54.000000000 +0200 +++ new/config/armv7hl/default 2016-08-03 14:17:46.000000000 +0200 
@@ -3937,7 +3937,7 @@ CONFIG_GENERIC_PINCONF=y # CONFIG_DEBUG_PINCTRL is not set CONFIG_PINCTRL_AS3722=y -CONFIG_PINCTRL_AMD=y +CONFIG_PINCTRL_AMD=m CONFIG_PINCTRL_MESON=y CONFIG_PINCTRL_ROCKCHIP=y CONFIG_PINCTRL_SINGLE=y diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/config/armv7hl/lpae new/config/armv7hl/lpae --- old/config/armv7hl/lpae 2016-07-25 09:30:54.000000000 +0200 +++ new/config/armv7hl/lpae 2016-08-03 14:17:46.000000000 +0200 @@ -3822,7 +3822,7 @@ CONFIG_GENERIC_PINCONF=y # CONFIG_DEBUG_PINCTRL is not set CONFIG_PINCTRL_AS3722=y -CONFIG_PINCTRL_AMD=y +CONFIG_PINCTRL_AMD=m CONFIG_PINCTRL_MESON=y CONFIG_PINCTRL_ROCKCHIP=y CONFIG_PINCTRL_SINGLE=y diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/config/i386/debug new/config/i386/debug --- old/config/i386/debug 2016-07-25 09:30:54.000000000 +0200 +++ new/config/i386/debug 2016-08-03 14:17:46.000000000 +0200 @@ -4016,8 +4016,8 @@ CONFIG_PINCONF=y CONFIG_GENERIC_PINCONF=y # CONFIG_DEBUG_PINCTRL is not set -CONFIG_PINCTRL_AMD=y -# CONFIG_PINCTRL_BAYTRAIL is not set +CONFIG_PINCTRL_AMD=m +CONFIG_PINCTRL_BAYTRAIL=y CONFIG_PINCTRL_CHERRYVIEW=m CONFIG_PINCTRL_INTEL=m CONFIG_PINCTRL_BROXTON=m @@ -4039,7 +4039,7 @@ # CONFIG_GPIO_DWAPB is not set CONFIG_GPIO_GENERIC_PLATFORM=m CONFIG_GPIO_ICH=m -# CONFIG_GPIO_LYNXPOINT is not set +CONFIG_GPIO_LYNXPOINT=m CONFIG_GPIO_VX855=m # CONFIG_GPIO_ZX is not set diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/config/i386/default new/config/i386/default --- old/config/i386/default 2016-07-25 09:30:54.000000000 +0200 +++ new/config/i386/default 2016-08-03 14:17:46.000000000 +0200 
@@ -4023,9 +4023,9 @@ CONFIG_PINCONF=y CONFIG_GENERIC_PINCONF=y # CONFIG_DEBUG_PINCTRL is not set -CONFIG_PINCTRL_AMD=y +CONFIG_PINCTRL_AMD=m # CONFIG_PINCTRL_SINGLE is not set -# CONFIG_PINCTRL_BAYTRAIL is not set +CONFIG_PINCTRL_BAYTRAIL=y CONFIG_PINCTRL_CHERRYVIEW=m CONFIG_PINCTRL_INTEL=m CONFIG_PINCTRL_BROXTON=m @@ -4051,7 +4051,7 @@ CONFIG_GPIO_GENERIC_PLATFORM=m # CONFIG_GPIO_GRGPIO is not set CONFIG_GPIO_ICH=m -# CONFIG_GPIO_LYNXPOINT is not set +CONFIG_GPIO_LYNXPOINT=m CONFIG_GPIO_VX855=m # CONFIG_GPIO_XILINX is not set # CONFIG_GPIO_ZX is not set diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/config/i386/pae new/config/i386/pae --- old/config/i386/pae 2016-07-25 09:30:54.000000000 +0200 +++ new/config/i386/pae 2016-08-03 14:17:46.000000000 +0200 @@ -3933,8 +3933,8 @@ CONFIG_PINCONF=y CONFIG_GENERIC_PINCONF=y # CONFIG_DEBUG_PINCTRL is not set -CONFIG_PINCTRL_AMD=y -# CONFIG_PINCTRL_BAYTRAIL is not set +CONFIG_PINCTRL_AMD=m +CONFIG_PINCTRL_BAYTRAIL=y CONFIG_PINCTRL_CHERRYVIEW=m CONFIG_PINCTRL_INTEL=m CONFIG_PINCTRL_BROXTON=m @@ -3956,7 +3956,7 @@ # CONFIG_GPIO_DWAPB is not set CONFIG_GPIO_GENERIC_PLATFORM=m CONFIG_GPIO_ICH=m -# CONFIG_GPIO_LYNXPOINT is not set +CONFIG_GPIO_LYNXPOINT=m CONFIG_GPIO_VX855=m # CONFIG_GPIO_ZX is not set diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/config/x86_64/debug new/config/x86_64/debug --- old/config/x86_64/debug 2016-07-25 09:30:54.000000000 +0200 +++ new/config/x86_64/debug 2016-08-03 14:17:46.000000000 +0200 @@ -3931,8 +3931,8 @@ CONFIG_PINCONF=y CONFIG_GENERIC_PINCONF=y # CONFIG_DEBUG_PINCTRL is not set -CONFIG_PINCTRL_AMD=y -# CONFIG_PINCTRL_BAYTRAIL is not set +CONFIG_PINCTRL_AMD=m +CONFIG_PINCTRL_BAYTRAIL=y CONFIG_PINCTRL_CHERRYVIEW=m CONFIG_PINCTRL_INTEL=m CONFIG_PINCTRL_BROXTON=m 
@@ -3954,7 +3954,7 @@ # CONFIG_GPIO_DWAPB is not set CONFIG_GPIO_GENERIC_PLATFORM=m CONFIG_GPIO_ICH=m -# CONFIG_GPIO_LYNXPOINT is not set +CONFIG_GPIO_LYNXPOINT=m CONFIG_GPIO_VX855=m # CONFIG_GPIO_ZX is not set diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/config/x86_64/default new/config/x86_64/default --- old/config/x86_64/default 2016-07-25 09:30:54.000000000 +0200 +++ new/config/x86_64/default 2016-08-03 14:17:46.000000000 +0200 @@ -3917,8 +3917,8 @@ CONFIG_PINCONF=y CONFIG_GENERIC_PINCONF=y # CONFIG_DEBUG_PINCTRL is not set -CONFIG_PINCTRL_AMD=y -# CONFIG_PINCTRL_BAYTRAIL is not set +CONFIG_PINCTRL_AMD=m +CONFIG_PINCTRL_BAYTRAIL=y CONFIG_PINCTRL_CHERRYVIEW=m CONFIG_PINCTRL_INTEL=m CONFIG_PINCTRL_BROXTON=m @@ -3940,7 +3940,7 @@ # CONFIG_GPIO_DWAPB is not set CONFIG_GPIO_GENERIC_PLATFORM=m CONFIG_GPIO_ICH=m -# CONFIG_GPIO_LYNXPOINT is not set +CONFIG_GPIO_LYNXPOINT=m CONFIG_GPIO_VX855=m # CONFIG_GPIO_ZX is not set ++++++ constraints.in ++++++ --- /var/tmp/diff_new_pack.DmH5oh/_old 2016-08-13 18:29:40.000000000 +0200 +++ /var/tmp/diff_new_pack.DmH5oh/_new 2016-08-13 18:29:40.000000000 +0200 @@ -1,16 +1,30 @@ <constraints> - <!-- Require 20GB everywhere except for s390x --> + <!-- Default 20GB for binary packages --> <overwrite> <conditions> @BINARY_PACKAGES_XML@ </conditions> <hardware> <disk> - <size unit="G">20</size> + <size unit="G">25</size> </disk> </hardware> </overwrite> + <!-- 8GB for kernel-source --> + <overwrite> + <conditions> + <package>kernel-source</package> + <package>kernel-source-rt</package> + </conditions> + <hardware> + <disk> + <size unit="G">8</size> + </disk> + </hardware> + </overwrite> + + <!-- 10GB for binary package on s390x --> <overwrite> <conditions> <arch>s390x</arch> @@ -23,6 +37,7 @@ </hardware> </overwrite> + <!-- 8 CPUs for binary packages on x86 --> <overwrite> <conditions> <arch>i586</arch> 
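Review bot: The comment introduced at the top of the constraints.in hunk at -1,16 reads `<!-- Default 20GB for binary packages -->`, but the same hunk raises the value it describes to `<size unit="G">25</size>`. It should read `<!-- Default 25GB for binary packages -->`. The _constraints hunks earlier on the page carry the same stale comment, presumably because that file is generated from this template.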
@@ -34,6 +49,7 @@ </hardware> </overwrite> + <!-- 4 CPUs for binary packages on POWER --> <overwrite> <conditions> <arch>ppc</arch> ++++++ kernel-binary.spec.in ++++++ --- /var/tmp/diff_new_pack.DmH5oh/_old 2016-08-13 18:29:40.000000000 +0200 +++ /var/tmp/diff_new_pack.DmH5oh/_new 2016-08-13 18:29:40.000000000 +0200 @@ -372,20 +372,16 @@ %_sourcedir/modversions --unpack . < $_ fi -# copy module signing certificate(s) +# copy module signing certificate(s). We use the default path and trick +# certs/Makefile to not regenerate the certificate. It is done this way so +# that the kernel-source package can be rebuilt even without the certificate +mkdir -p certs for f in %_sourcedir/*.crt; do if ! test -e "$f"; then continue fi - case "${f##*/}" in - SLES-UEFI*.crt) - ../scripts/config --set-str CONFIG_MODULE_SIG_KEY "${f##*/}" - cp "$f" . - ;; - *) - cat "$f" >>keyring.crt - ../scripts/config --set-str CONFIG_SYSTEM_TRUSTED_KEYS "keyring.crt" - esac + touch certs/x509.genkey + cat "$f" >>certs/signing_key.pem done MAKE_ARGS="$MAKE_ARGS %{?_smp_mflags}" ++++++ kernel-source.spec.in ++++++ --- /var/tmp/diff_new_pack.DmH5oh/_old 2016-08-13 18:29:40.000000000 +0200 +++ /var/tmp/diff_new_pack.DmH5oh/_new 2016-08-13 18:29:40.000000000 +0200 @@ -114,6 +114,7 @@ Prefix: /usr/src # Source is only complete with devel files. Requires: kernel-devel%variant = %version-%release +Recommends: openssl-devel %(chmod +x %_sourcedir/{@SCRIPTS@}) ++++++ kernel-spec-macros ++++++ --- /var/tmp/diff_new_pack.DmH5oh/_old 2016-08-13 18:29:40.000000000 +0200 +++ /var/tmp/diff_new_pack.DmH5oh/_new 2016-08-13 18:29:40.000000000 +0200 
@@ -26,6 +26,10 @@ # how the kernel release string (uname -r) should look like %define kernelrelease %patchversion-%source_rel +# Compare the kernel version to the given argument, return value semantics +# same as strcmp(3). Example: %%if %%{kver_cmp 4.8} > 0 ... %%endif +%define kver_cmp() %{lua: print(rpm.vercmp(rpm.expand("%patchversion"), rpm.expand("%1")))} + %define my_builddir %_builddir/%{name}-%{version} # macro to add the source timestamp to package descriptions ++++++ patches.drivers.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.drivers/0001-aacraid-prevent-out-of-bounds-access-due-to-changing.patch new/patches.drivers/0001-aacraid-prevent-out-of-bounds-access-due-to-changing.patch --- old/patches.drivers/0001-aacraid-prevent-out-of-bounds-access-due-to-changing.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.drivers/0001-aacraid-prevent-out-of-bounds-access-due-to-changing.patch 2016-08-04 13:26:54.000000000 +0200 
@@ -0,0 +1,43 @@
+From 91a99cf6b049d5c7cae8f0fab479c2147b5d951d Mon Sep 17 00:00:00 2001
+From: Johannes Thumshirn <[email protected]>
+Date: Thu, 4 Aug 2016 09:38:44 +0200
+Subject: [PATCH] aacraid: prevent out-of-bounds access due to changing fip header sizes
+References: bsc#991608, CVE-2016-6480
+Patch-mainline: Submitted to [email protected] at 04-08-2016
+
+In aacraid's ioctl_send_fib() we do two fetches from userspace, one the
+get the fib header's size and one for the fib itself. Later we use the
+size field from the second fetch to further process the fib. If for some
+reason the size from the second fetch is different than from the first
+fix, we may encounter an out-of-bounds access in aac_fib_send(). This was
+reported in https://bugzilla.kernel.org/show_bug.cgi?id=116751 and was
+assigned CVE-2016-6480.
+
+Reported-by: Pengfei Wang <[email protected]>
+Fixes: 7c00ffa31 '[SCSI] 2.6 aacraid: Variable FIB size (updated patch)'
+Cc: [email protected]
+Signed-off-by: Johannes Thumshirn <[email protected]>
+---
+ drivers/scsi/aacraid/commctrl.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/scsi/aacraid/commctrl.c b/drivers/scsi/aacraid/commctrl.c
+index 4b3bb52..2d4acd1 100644
+--- a/drivers/scsi/aacraid/commctrl.c
++++ b/drivers/scsi/aacraid/commctrl.c
+@@ -118,6 +118,12 @@ static int ioctl_send_fib(struct aac_dev * dev, void __user *arg)
+ goto cleanup;
+ }
+
++ if (size != le16_to_cpu(kfib->header.Size)
++ + sizeof(struct aac_fibhdr)) {
++ retval = -EINVAL;
++ goto cleanup;
++ }
++
+ if (kfib->header.Command == cpu_to_le16(TakeABreakPt)) {
+ aac_adapter_interrupt(dev);
+ /*
+--
+1.8.5.6
+
++++++ patches.fixes.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/0001-Revert-SUNRPC-xs_sock_mark_closed-does-not-need-to-t.patch new/patches.fixes/0001-Revert-SUNRPC-xs_sock_mark_closed-does-not-need-to-t.patch
---
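Review bot: The added check in ioctl_send_fib() compares `size` with the re-fetched `kfib->header.Size`, but `size` is computed above the hunk, so the equality is only right if `size` is still exactly the first-fetch `Size + sizeof(struct aac_fibhdr)` when this line runs. If the code outside the hunk adjusts `size` after deriving it from the header (for example against another length field in the header), valid requests would be rejected here and that other field from the second copy would go unchecked; this should be confirmed against the full function. A short comment above the check, such as `/* header was copied from user space twice; reject if Size changed in between */`, would keep the reason in the source. The function body starts and ends outside the hunk.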
old/patches.fixes/0001-Revert-SUNRPC-xs_sock_mark_closed-does-not-need-to-t.patch 1970-01-01 01:00:00.000000000 +0100
+++ new/patches.fixes/0001-Revert-SUNRPC-xs_sock_mark_closed-does-not-need-to-t.patch 2016-08-04 14:36:10.000000000 +0200
@@ -0,0 +1,35 @@
+From: NeilBrown <[email protected]>
+Date: Thu, 4 Aug 2016 09:12:28 +1000
+Subject: [PATCH] Revert "SUNRPC: xs_sock_mark_closed() does not need to
+ trigger socket autoclose"
+Patch-mainline: Submitted, 04 Aug 2016 09:33:15 +1000 - [email protected]
+References: bsc#990356
+
+This reverts commit 4b0ab51db32eba0f48b7618254742f143364a28d.
+
+This change causes 'rpc.nfsd' to hang for long time if rpcbind is not
+available.
+If
+ --no-nfs-version 2 --no-nfs-version 3
+is given, the delay is about 6.5 minutes. When trying to register
+all versions, the delay is over half an hour.
+Before this commit, and after reverting it, nfsd fails (when v3 is
+requested) or succeeds (when only v4 is requested) immediately.
+
+Signed-off-by: NeilBrown <[email protected]>
+Acked-by: NeilBrown <[email protected]>
+
+---
+ net/sunrpc/xprtsock.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/sunrpc/xprtsock.c
++++ b/net/sunrpc/xprtsock.c
+@@ -768,6 +768,7 @@ static void xs_sock_mark_closed(struct r
+ xs_sock_reset_connection_flags(xprt);
+ /* Mark transport as closed and wake up all pending tasks */
+ xprt_disconnect_done(xprt);
++ xprt_force_disconnect(xprt);
+ }
+
+ /**
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/apparmor-fix-arg_size-computation-for-when-setprocat new/patches.fixes/apparmor-fix-arg_size-computation-for-when-setprocat
--- old/patches.fixes/apparmor-fix-arg_size-computation-for-when-setprocat 1970-01-01 01:00:00.000000000 +0100
+++ new/patches.fixes/apparmor-fix-arg_size-computation-for-when-setprocat 2016-08-04 14:36:10.000000000 +0200
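Review bot: The re-added `xprt_force_disconnect(xprt);` in xs_sock_mark_closed() carries no comment, and the existing comment above `xprt_disconnect_done(xprt)` only speaks of marking the transport closed, so the source again gives no reason for the second call that the reverted commit had judged unnecessary. A line such as `/* also trigger socket autoclose; without it rpc.nfsd hangs when rpcbind is unavailable (bsc#990356) */` would record why both calls are needed. The function starts outside the hunk.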
@@ -0,0 +1,27 @@
+From d4d03f74a73f3b8b2801d4d02011b6b69778cbcc Mon Sep 17 00:00:00 2001
+From: John Johansen <[email protected]>
+Date: Sat, 9 Jul 2016 23:46:33 -0700
+Subject: [PATCH] apparmor: fix arg_size computation for when setprocattr is null terminated
+Patch-mainline: Queued in subsystem maintainer repository
+Git-commit: d4d03f74a73f3b8b2801d4d02011b6b69778cbcc
+Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git
+References: CVE-2016-6187,bsc#988307
+
+Signed-off-by: John Johansen <[email protected]>
+Acked-by: Takashi Iwai <[email protected]>
+
+---
+ security/apparmor/lsm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/security/apparmor/lsm.c
++++ b/security/apparmor/lsm.c
+@@ -530,7 +530,7 @@ static int apparmor_setprocattr(struct t
+ if (!*args)
+ goto out;
+
+- arg_size = size - (args - (char *) value);
++ arg_size = size - (args - (largs ? largs : (char *) value));
+ if (strcmp(name, "current") == 0) {
+ if (strcmp(command, "changehat") == 0) {
+ error = aa_setprocattr_changehat(args, arg_size,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/netfilter-x_tables-speed-up-jump-target-validation.patch new/patches.fixes/netfilter-x_tables-speed-up-jump-target-validation.patch
--- old/patches.fixes/netfilter-x_tables-speed-up-jump-target-validation.patch 2016-07-25 09:22:34.000000000 +0200
+++ new/patches.fixes/netfilter-x_tables-speed-up-jump-target-validation.patch 2016-08-04 14:36:10.000000000 +0200
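Review bot: The changed line `arg_size = size - (args - (largs ? largs : (char *) value));` in apparmor_setprocattr() is undocumented, and the patch header has no description either, so the reason for choosing a different base pointer is not recoverable from what is shown. `largs` is declared outside the hunk; presumably it is a private copy of `value` that `args` points into, in which case the old expression measured the offset against the wrong buffer and produced a wrong length. A comment above the line, e.g. `/* args may point into largs (our copy) rather than value */`, would document the invariant the length calculation relies on.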
@@ -4,7 +4,7 @@ Patch-mainline: Queued in subsystem maintainer repository (target: v4.8-rc1) Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git Git-commit: f4dc77713f8016d2e8a3295e1c9c53a21f296def -References: CVE-2016-4997 bsc#986362 +References: CVE-2016-4997 CVE-2016-4998 bsc#986362 bsc#986365 The dummy ruleset I used to test the original validation change was broken, most rules were unreachable and were not tested by mark_source_chains(). diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/vfs-ioctl-prevent-double-fetch-in-dedupe-ioctl new/patches.fixes/vfs-ioctl-prevent-double-fetch-in-dedupe-ioctl --- old/patches.fixes/vfs-ioctl-prevent-double-fetch-in-dedupe-ioctl 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.fixes/vfs-ioctl-prevent-double-fetch-in-dedupe-ioctl 2016-08-04 14:36:10.000000000 +0200 
@@ -0,0 +1,30 @@
+From 10eec60ce79187686e052092e5383c99b4420a20 Mon Sep 17 00:00:00 2001
+From: Scott Bauer <[email protected]>
+Date: Wed, 27 Jul 2016 19:11:29 -0600
+Subject: [PATCH] vfs: ioctl: prevent double-fetch in dedupe ioctl
+Patch-mainline: 4.8-rc1
+Git-commit: 10eec60ce79187686e052092e5383c99b4420a20
+References: CVE-2016-6516,bsc#991604
+
+This prevents a double-fetch from user space that can lead to to an
+undersized allocation and heap overflow.
+
+Fixes: 54dbc1517237 ("vfs: hoist the btrfs deduplication ioctl to the vfs")
+Signed-off-by: Scott Bauer <[email protected]>
+Signed-off-by: Linus Torvalds <[email protected]>
+Acked-by: Takashi Iwai <[email protected]>
+
+---
+ fs/ioctl.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/ioctl.c
++++ b/fs/ioctl.c
+@@ -590,6 +590,7 @@ static long ioctl_file_dedupe_range(stru
+ goto out;
+ }
+
++ same->dest_count = count;
+ ret = vfs_dedupe_file_range(file, same);
+ if (ret)
+ goto out;
++++++ series.conf ++++++
--- /var/tmp/diff_new_pack.DmH5oh/_old 2016-08-13 18:29:40.000000000 +0200
+++ /var/tmp/diff_new_pack.DmH5oh/_new 2016-08-13 18:29:40.000000000 +0200
@@ -169,6 +169,7 @@ ######################################################## # VM/FS patches ######################################################## + patches.fixes/vfs-ioctl-prevent-double-fetch-in-dedupe-ioctl # Patches to export btrfs anonymous devices (VFS portion) patches.suse/vfs-add-super_operations-get_inode_dev
@@ -230,6 +231,8 @@ # NFS ######################################################## + patches.fixes/0001-Revert-SUNRPC-xs_sock_mark_closed-does-not-need-to-t.patch + ######################################################## # lockd + statd ########################################################
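Review bot: `same->dest_count = count;` in the fs/ioctl.c hunk for ioctl_file_dedupe_range() is added without a comment, and read on its own it looks like a redundant assignment that a later cleanup could drop. Both `count` and the copy that fills `same` are outside the hunk; going by the patch description, `same` is populated by a second fetch from user space after `count` was used to size the allocation, so the assignment pins the field to the value the buffer was sized for. A comment such as `/* dest_count was re-read from user space; force the value the buffer was sized for */` above the line would make that explicit.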
@@ -315,6 +318,9 @@ patches.fixes/scsi-ibmvscsi-module_alias.patch + # boo#991608 CVE-2016-6480 + patches.drivers/0001-aacraid-prevent-out-of-bounds-access-due-to-changing.patch + ######################################################## # DRM/Video ######################################################## @@ -418,6 +424,7 @@ # patches.apparmor/apparmor-profiles-seq_file patches.apparmor/apparmor-temporary-work-around-for-bug-while-unloadi patches.apparmor/apparmor-allow-sys_cap_resource-to-be-sufficient-to-prlimit-another-task + patches.fixes/apparmor-fix-arg_size-computation-for-when-setprocat ######################################################## # Address space layout randomization ++++++ source-timestamp ++++++ --- /var/tmp/diff_new_pack.DmH5oh/_old 2016-08-13 18:29:40.000000000 +0200 +++ /var/tmp/diff_new_pack.DmH5oh/_new 2016-08-13 18:29:40.000000000 +0200 @@ -1,3 +1,3 @@ -2016-07-25 10:42:47 +0200 -GIT Revision: 89a2adaa0f1e861c150bad2fb3589fd2f72800cd +2016-08-04 14:44:37 +0200 +GIT Revision: df207c00a9afabbe17c41deb04f870c3d7873c2e GIT Branch: stable
