Hi,

Michael Gilbert wrote:
> Please consider unblocking kfreebsd-10. It fixes 2 security issues:
> https://security-tracker.debian.org/kfreebsd-10

A debdiff is attached. The other change is to limit the arch-dep packages to kfreebsd-any (which was forgotten in the previous upload).

Thanks,
Regards,
--
Steven Chamberlain
ste...@pyro.eu.org
diff -Nru kfreebsd-10-10.1~svn274115/debian/changelog kfreebsd-10-10.1~svn274115/debian/changelog --- kfreebsd-10-10.1~svn274115/debian/changelog 2014-12-28 11:41:23.000000000 +0000 +++ kfreebsd-10-10.1~svn274115/debian/changelog 2015-01-28 01:18:06.000000000 +0000 @@ -1,3 +1,16 @@ +kfreebsd-10 (10.1~svn274115-2) unstable; urgency=high + + * Pick SVN r277808 from FreeBSD 10.1-RELEASE to fix: + - SA-15:02: SCTP SCTP_SS_VALUE kernel memory corruption and + disclosure vulnerability (CVE-2014-8612) (Closes: #776415) + - SA-15:03: SCTP stream reset vulnerability (CVE-2014-8613) + (Closes: #776416) + * Build kernel images only on kfreebsd-any arches, so that any + security or other RC-severity kernel bugs will not affect the + official jessie release + + -- Steven Chamberlain <ste...@pyro.eu.org> Tue, 27 Jan 2015 20:02:52 +0000 + kfreebsd-10 (10.1~svn274115-1) unstable; urgency=medium [ Steven Chamberlain ] @@ -6,9 +19,6 @@ (CVE-2014-8476) (Closes: #768108) * Replace non-DFSG-free ar9300_devid.h with a 3-clause BSD substitute derived from Linux ath9k driver (Closes: #767583) - * Build kernel images only on kfreebsd-any arches, so that any - security or other RC-severity kernel bugs will not affect the - official jessie release [ Christoph Egger ] * Upload to unstable diff -Nru kfreebsd-10-10.1~svn274115/debian/control kfreebsd-10-10.1~svn274115/debian/control --- kfreebsd-10-10.1~svn274115/debian/control 2014-10-20 22:19:28.000000000 +0100 +++ kfreebsd-10-10.1~svn274115/debian/control 2015-01-27 20:40:49.000000000 +0000 @@ -51,7 +51,7 @@ Package: kfreebsd-image-10.1-0-amd64 -Architecture: any-amd64 +Architecture: kfreebsd-amd64 Depends: ${misc:Depends}, freebsd-utils (>= 8.1-5) [kfreebsd-any], kldutils (>= 7.1) [kfreebsd-any], devd [kfreebsd-any] | freebsd-utils (<< 8.2+ds2-9) [kfreebsd-any], 
@@ -79,7 +79,7 @@ This package is compiled for a amd64-class machine. Package: kfreebsd-image-10-amd64 -Architecture: any-amd64 +Architecture: kfreebsd-amd64 Depends: kfreebsd-image-10.1-0-amd64, ${misc:Depends} Description: kernel of FreeBSD 10 image (meta-package) This package depends on the latest binary image for kernel of FreeBSD 10 on @@ -496,7 +496,7 @@ This package contains zlib modules. Package: kfreebsd-image-10.1-0-486 -Architecture: any-i386 +Architecture: kfreebsd-i386 Depends: ${misc:Depends}, freebsd-utils (>= 8.1-5) [kfreebsd-any], kldutils (>= 7.1) [kfreebsd-any], devd [kfreebsd-any] | freebsd-utils (<< 8.2+ds2-9) [kfreebsd-any], @@ -524,7 +524,7 @@ This package is compiled for a 486-class machine. Package: kfreebsd-image-10-486 -Architecture: any-i386 +Architecture: kfreebsd-i386 Depends: kfreebsd-image-10.1-0-486, ${misc:Depends} Description: kernel of FreeBSD 10 image (meta-package) This package depends on the latest binary image for kernel of FreeBSD 10 on @@ -549,7 +549,7 @@ 486-class machines. Package: kfreebsd-image-10.1-0-686 -Architecture: any-i386 +Architecture: kfreebsd-i386 Depends: ${misc:Depends}, freebsd-utils (>= 8.1-5) [kfreebsd-any], kldutils (>= 7.1) [kfreebsd-any], devd [kfreebsd-any] | freebsd-utils (<< 8.2+ds2-9) [kfreebsd-any], @@ -577,7 +577,7 @@ This package is compiled for a 686-class machine. Package: kfreebsd-image-10-686 -Architecture: any-i386 +Architecture: kfreebsd-i386 Depends: kfreebsd-image-10.1-0-686, ${misc:Depends} Description: kernel of FreeBSD 10 image (meta-package) This package depends on the latest binary image for kernel of FreeBSD 10 on @@ -602,7 +602,7 @@ 686-class machines. Package: kfreebsd-image-10.1-0-xen -Architecture: any-i386 +Architecture: kfreebsd-i386 Depends: ${misc:Depends}, freebsd-utils (>= 8.1-5) [kfreebsd-any], kldutils (>= 7.1) [kfreebsd-any], devd [kfreebsd-any] | freebsd-utils (<< 8.2+ds2-9) [kfreebsd-any], 
@@ -630,7 +630,7 @@ This package is compiled for a xen-class machine. Package: kfreebsd-image-10-xen -Architecture: any-i386 +Architecture: kfreebsd-i386 Depends: kfreebsd-image-10.1-0-xen, ${misc:Depends} Description: kernel of FreeBSD 10 image (meta-package) This package depends on the latest binary image for kernel of FreeBSD 10 on diff -Nru kfreebsd-10-10.1~svn274115/debian/patches/SA-15_02.kmem.patch kfreebsd-10-10.1~svn274115/debian/patches/SA-15_02.kmem.patch --- kfreebsd-10-10.1~svn274115/debian/patches/SA-15_02.kmem.patch 1970-01-01 01:00:00.000000000 +0100 +++ kfreebsd-10-10.1~svn274115/debian/patches/SA-15_02.kmem.patch 2015-01-27 20:37:34.000000000 +0000 
@@ -0,0 +1,51 @@ +Description: + Fix SCTP SCTP_SS_VALUE kernel memory corruption and + disclosure vulnerability [SA-15:02] (CVE-2014-8612) +Origin: vendor, https://security.FreeBSD.org/patches/SA-15:02/sctp.patch +Bug: https://security.FreeBSD.org/advisories/FreeBSD-SA-15:02.kmem.asc +Bug-Debian: https://bugs.debian.org/776415 +Applied-Upstream: https://svnweb.freebsd.org/base?view=revision&revision=277808 + +--- a/sys/netinet/sctp_usrreq.c ++++ b/sys/netinet/sctp_usrreq.c +@@ -1854,8 +1854,9 @@ + SCTP_CHECK_AND_CAST(av, optval, struct sctp_stream_value, *optsize); + SCTP_FIND_STCB(inp, stcb, av->assoc_id); + if (stcb) { +- if (stcb->asoc.ss_functions.sctp_ss_get_value(stcb, &stcb->asoc, &stcb->asoc.strmout[av->stream_id], +- &av->stream_value) < 0) { ++ if ((av->stream_id >= stcb->asoc.streamoutcnt) || ++ (stcb->asoc.ss_functions.sctp_ss_get_value(stcb, &stcb->asoc, &stcb->asoc.strmout[av->stream_id], ++ &av->stream_value) < 0)) { + SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_USRREQ, EINVAL); + error = EINVAL; + } else { +@@ -3915,8 +3916,9 @@ + SCTP_CHECK_AND_CAST(av, optval, struct sctp_stream_value, optsize); + SCTP_FIND_STCB(inp, stcb, av->assoc_id); + if (stcb) { +- if (stcb->asoc.ss_functions.sctp_ss_set_value(stcb, &stcb->asoc, &stcb->asoc.strmout[av->stream_id], +- av->stream_value) < 0) { ++ if ((av->stream_id >= stcb->asoc.streamoutcnt) || ++ (stcb->asoc.ss_functions.sctp_ss_set_value(stcb, &stcb->asoc, &stcb->asoc.strmout[av->stream_id], ++ av->stream_value) < 0)) { + SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_USRREQ, EINVAL); + error = EINVAL; + } +@@ -3926,10 +3928,12 @@ + SCTP_INP_RLOCK(inp); + LIST_FOREACH(stcb, &inp->sctp_asoc_list, sctp_tcblist) { + SCTP_TCB_LOCK(stcb); +- stcb->asoc.ss_functions.sctp_ss_set_value(stcb, +- &stcb->asoc, +- &stcb->asoc.strmout[av->stream_id], +- av->stream_value); ++ if (av->stream_id < stcb->asoc.streamoutcnt) { ++ stcb->asoc.ss_functions.sctp_ss_set_value(stcb, ++ &stcb->asoc, ++ 
&stcb->asoc.strmout[av->stream_id], ++ av->stream_value); ++ } + SCTP_TCB_UNLOCK(stcb); + } + SCTP_INP_RUNLOCK(inp); diff -Nru kfreebsd-10-10.1~svn274115/debian/patches/SA-15_03.sctp.patch kfreebsd-10-10.1~svn274115/debian/patches/SA-15_03.sctp.patch --- kfreebsd-10-10.1~svn274115/debian/patches/SA-15_03.sctp.patch 1970-01-01 01:00:00.000000000 +0100 +++ kfreebsd-10-10.1~svn274115/debian/patches/SA-15_03.sctp.patch 2015-01-27 20:39:37.000000000 +0000 
@@ -0,0 +1,123 @@ +Description: + Fix SCTP stream reset vulnerability [SA-15:03] (CVE-2014-8613) +Origin: vendor, https://security.FreeBSD.org/patches/SA-15:03/sctp.patch +Bug: https://www.freebsd.org/security/advisories/FreeBSD-SA-15:03.sctp.asc +Bug-Debian: https://bugs.debian.org/776416 +Applied-Upstream: https://svnweb.freebsd.org/base?view=revision&revision=277808 + +--- a/sys/netinet/sctp_input.c 2015/01/27 19:36:08 277807 ++++ b/sys/netinet/sctp_input.c 2015/01/27 19:37:02 277808 +@@ -3664,6 +3664,9 @@ + /* huh ? */ + return (0); + } ++ if (ntohs(respin->ph.param_length) < sizeof(struct sctp_stream_reset_response_tsn)) { ++ return (0); ++ } + if (action == SCTP_STREAM_RESET_RESULT_PERFORMED) { + resp = (struct sctp_stream_reset_response_tsn *)respin; + asoc->stream_reset_outstanding--; +@@ -4052,7 +4055,7 @@ + sctp_handle_stream_reset(struct sctp_tcb *stcb, struct mbuf *m, int offset, + struct sctp_chunkhdr *ch_req) + { +- int chk_length, param_len, ptype; ++ uint16_t remaining_length, param_len, ptype; + struct sctp_paramhdr pstore; + uint8_t cstore[SCTP_CHUNK_BUFFER_SIZE]; + uint32_t seq = 0; +@@ -4065,7 +4068,7 @@ + int num_param = 0; + + /* now it may be a reset or a reset-response */ +- chk_length = ntohs(ch_req->chunk_length); ++ remaining_length = ntohs(ch_req->chunk_length) - sizeof(struct sctp_chunkhdr); + + /* setup for adding the response */ + sctp_alloc_a_chunk(stcb, chk); +@@ -4103,20 +4106,27 @@ + ch->chunk_length = htons(chk->send_size); + SCTP_BUF_LEN(chk->data) = SCTP_SIZE32(chk->send_size); + offset += sizeof(struct sctp_chunkhdr); +- while ((size_t)chk_length >= sizeof(struct sctp_stream_reset_tsn_request)) { ++ while (remaining_length >= sizeof(struct sctp_paramhdr)) { + ph = (struct sctp_paramhdr *)sctp_m_getptr(m, offset, sizeof(pstore), (uint8_t *) & pstore); +- if (ph == NULL) ++ if (ph == NULL) { ++ /* TSNH */ + break; ++ } + param_len = ntohs(ph->param_length); +- if (param_len < (int)sizeof(struct sctp_stream_reset_tsn_request)) { 
+- /* bad param */ ++ if ((param_len > remaining_length) || ++ (param_len < (sizeof(struct sctp_paramhdr) + sizeof(uint32_t)))) { ++ /* bad parameter length */ + break; + } +- ph = (struct sctp_paramhdr *)sctp_m_getptr(m, offset, min(param_len, (int)sizeof(cstore)), ++ ph = (struct sctp_paramhdr *)sctp_m_getptr(m, offset, min(param_len, sizeof(cstore)), + (uint8_t *) & cstore); ++ if (ph == NULL) { ++ /* TSNH */ ++ break; ++ } + ptype = ntohs(ph->param_type); + num_param++; +- if (param_len > (int)sizeof(cstore)) { ++ if (param_len > sizeof(cstore)) { + trunc = 1; + } else { + trunc = 0; +@@ -4128,6 +4138,9 @@ + if (ptype == SCTP_STR_RESET_OUT_REQUEST) { + struct sctp_stream_reset_out_request *req_out; + ++ if (param_len < sizeof(struct sctp_stream_reset_out_request)) { ++ break; ++ } + req_out = (struct sctp_stream_reset_out_request *)ph; + num_req++; + if (stcb->asoc.stream_reset_outstanding) { +@@ -4141,12 +4154,18 @@ + } else if (ptype == SCTP_STR_RESET_ADD_OUT_STREAMS) { + struct sctp_stream_reset_add_strm *str_add; + ++ if (param_len < sizeof(struct sctp_stream_reset_add_strm)) { ++ break; ++ } + str_add = (struct sctp_stream_reset_add_strm *)ph; + num_req++; + sctp_handle_str_reset_add_strm(stcb, chk, str_add); + } else if (ptype == SCTP_STR_RESET_ADD_IN_STREAMS) { + struct sctp_stream_reset_add_strm *str_add; + ++ if (param_len < sizeof(struct sctp_stream_reset_add_strm)) { ++ break; ++ } + str_add = (struct sctp_stream_reset_add_strm *)ph; + num_req++; + sctp_handle_str_reset_add_out_strm(stcb, chk, str_add); +@@ -4171,6 +4190,9 @@ + struct sctp_stream_reset_response *resp; + uint32_t result; + ++ if (param_len < sizeof(struct sctp_stream_reset_response)) { ++ break; ++ } + resp = (struct sctp_stream_reset_response *)ph; + seq = ntohl(resp->response_seq); + result = ntohl(resp->result); +@@ -4182,7 +4204,11 @@ + break; + } + offset += SCTP_SIZE32(param_len); +- chk_length -= SCTP_SIZE32(param_len); ++ if (remaining_length >= SCTP_SIZE32(param_len)) { ++ 
remaining_length -= SCTP_SIZE32(param_len); ++ } else { ++ remaining_length = 0; ++ } + } + if (num_req == 0) { + /* we have no response free the stuff */ diff -Nru kfreebsd-10-10.1~svn274115/debian/patches/series kfreebsd-10-10.1~svn274115/debian/patches/series --- kfreebsd-10-10.1~svn274115/debian/patches/series 2014-12-28 01:31:07.000000000 +0000 +++ kfreebsd-10-10.1~svn274115/debian/patches/series 2015-01-27 20:37:58.000000000 +0000 @@ -36,3 +36,7 @@ 999_config.diff aicasm-parallel-build-dependencies.diff ath9k-linux.diff + +# Security patches +SA-15_02.kmem.patch +SA-15_03.sctp.patch
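Review bot: In debian/changelog, the second hunk (@@ -6,9 +19,6 @@) deletes the "Build kernel images only on kfreebsd-any arches" bullet from the already-uploaded 10.1~svn274115-1 entry, so the recorded history of that version changes after the fact. Consider leaving the -1 entry as it was uploaded and wording the new -2 bullet to say the restriction was listed in -1 but is only applied now, which matches the cover note that it was forgotten in the previous upload.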
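Review bot: In debian/control, every Architecture change shown is on a kfreebsd-image-* stanza (amd64, 486, 686, xen), while the cover note says the arch-dep packages in general are being limited to kfreebsd-any. Please confirm that the other arch-dependent stanzas, for example the one whose description ends "This package contains zlib modules." just above the @@ -496,7 +496,7 @@ hunk, are already restricted, or extend the same any-amd64/any-i386 to kfreebsd-amd64/kfreebsd-i386 change to them.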
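Review bot: In SA-15_02.kmem.patch, the @@ -3926,10 +3928,12 @@ hunk silently skips an association when av->stream_id is out of range, while the two single-association hunks above it fail the same condition with EINVAL. A short comment at the new "if (av->stream_id < stcb->asoc.streamoutcnt)" stating that the skip without an error is intended in the all-associations loop would save the next reader from wondering whether an error return was forgotten. The placement of the bounds test is fine in all three hunks: it is evaluated before strmout[av->stream_id] is indexed.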
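Review bot: In SA-15_03.sctp.patch, the @@ -4065,7 +4068,7 @@ hunk stores "ntohs(ch_req->chunk_length) - sizeof(struct sctp_chunkhdr)" into the new uint16_t remaining_length with no visible check that chunk_length is at least the header size, so a smaller value would wrap to a large remaining length. If the caller already guarantees that minimum, a comment saying so at the subtraction would help; otherwise a guard belongs before it. In the loop hunk that follows (@@ -4103,20 +4106,27 @@), the new "/* TSNH */" comments and the bare "sizeof(struct sctp_paramhdr) + sizeof(uint32_t)" minimum would read better spelled out, since the patch explains neither the abbreviation nor which field the uint32_t stands for.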