Package: release.debian.org
User: [email protected]
Usertags: pu
Tags: wheezy
X-Debbugs-Cc: [email protected]

Hi,

Please could we also update kfreebsd-8 in wheezy? This has the same
backported patch to disable hardware RNGs, as well as a backlog of
security fixes, that are already applied to kfreebsd-9 in wheezy.

kfreebsd-8 is removed already from jessie/sid. It was not the default
kernel for wheezy, so issues are handled at a lower priority, and the
security bugs are marked non-DSA.

The debdiff is attached.

Thanks!

> kfreebsd-8 (8.3-6+deb7u1) wheezy; urgency=medium
>
>   [ Robert Millan ]
>   * Apply upstream SA-13_08.nfsserver patch (CVE-2013-4851).
>     (Closes: #717959)
>
>   [ Steven Chamberlain ]
>   * Apply upstream SA-13_09.ip_multicast patch (CVE-2013-3077).
>     (Closes: #720470)
>   * Apply upstream SA-13_10.sctp patch (CVE-2013-5209).
>     (Closes: #720476)
>   * Apply upstream SA-13_12.ifioctl patch (CVE-2013-5691).
>     (Closes: #737181)
>   * Apply upstream SA-13_13.nullfs patch (CVE-2013-5710).
>     (Closes: #737182)
>   * Disable VIA hardware RNG by default. Use hw.nehemiah_rng_enable
>     sysctl to re-enable (but read about the security implications
>     first). (Closes: #735448)
>
>  -- Steven Chamberlain <[email protected]> Fri, 31 Jan 2014 02:58:14 +0000

diff -Nru kfreebsd-8-8.3/debian/changelog kfreebsd-8-8.3/debian/changelog --- kfreebsd-8-8.3/debian/changelog 2012-11-23 22:13:01.000000000 +0000 +++ kfreebsd-8-8.3/debian/changelog 2014-01-31 03:35:00.000000000 +0000 @@ -1,3 +1,24 @@ +kfreebsd-8 (8.3-6+deb7u1) wheezy; urgency=medium + + [ Robert Millan ] + * Apply upstream SA-13_08.nfsserver patch (CVE-2013-4851). + (Closes: #717959) + + [ Steven Chamberlain ] + * Apply upstream SA-13_09.ip_multicast patch (CVE-2013-3077). + (Closes: #720470) + * Apply upstream SA-13_10.sctp patch (CVE-2013-5209). + (Closes: #720476) + * Apply upstream SA-13_12.ifioctl patch (CVE-2013-5691). + (Closes: #737181) + * Apply upstream SA-13_13.nullfs patch (CVE-2013-5710). + (Closes: #737182) + * Disable VIA hardware RNG by default. Use hw.nehemiah_rng_enable + sysctl to re-enable (but read about the security implications + first). (Closes: #735448) + + -- Steven Chamberlain <[email protected]> Fri, 31 Jan 2014 02:58:14 +0000 + kfreebsd-8 (8.3-6) unstable; urgency=medium * Apply patch for SA-12:08 / CVE-2012-4576: diff -Nru kfreebsd-8-8.3/debian/patches/disable_via_rng.diff kfreebsd-8-8.3/debian/patches/disable_via_rng.diff --- kfreebsd-8-8.3/debian/patches/disable_via_rng.diff 1970-01-01 00:00:00.000000000 +0000 +++ kfreebsd-8-8.3/debian/patches/disable_via_rng.diff 2014-01-31 03:15:37.000000000 +0000 
@@ -0,0 +1,34 @@ +Description: + Disable VIA hardware RNG by default due to unsafe usage. Implement a + loader tunable allowing to turn it back on. + . + Minimal patch based on upstream SVN r240950 and r260644 +Origin: backport, commit:240950, commit:260644 +Forwarded: not-needed +Bug-Debian: http://bugs.debian.org/735448 + +--- kfreebsd-8-8.3.orig/sys/dev/random/probe.c ++++ kfreebsd-8-8.3/sys/dev/random/probe.c +@@ -30,6 +30,8 @@ + + #include <sys/types.h> + #include <sys/param.h> ++#include <sys/systm.h> ++#include <sys/kernel.h> + #include <sys/malloc.h> + #include <sys/random.h> + #include <sys/selinfo.h> +@@ -57,7 +59,12 @@ + /* Then go looking for hardware */ + #if defined(__i386__) && !defined(PC98) + if (via_feature_rng & VIA_HAS_RNG) { +- *systat = random_nehemiah; ++ int enable; ++ ++ enable = 0; ++ TUNABLE_INT_FETCH("hw.nehemiah_rng_enable", &enable); ++ if (enable) ++ *systat = random_nehemiah; + } + #endif + } diff -Nru kfreebsd-8-8.3/debian/patches/SA-13_08.nfsserver.diff kfreebsd-8-8.3/debian/patches/SA-13_08.nfsserver.diff --- kfreebsd-8-8.3/debian/patches/SA-13_08.nfsserver.diff 1970-01-01 00:00:00.000000000 +0000 +++ kfreebsd-8-8.3/debian/patches/SA-13_08.nfsserver.diff 2014-01-31 02:26:03.000000000 +0000 
@@ -0,0 +1,21 @@ +Description: + Fix a bug that allows remote client bypass the normal + access checks when when -network or -host restrictions + are used at the same time with -mapall. [13:08] + (CVE-2013-4851) +Origin: vendor, http://security.FreeBSD.org/patches/SA-13:08/nfsserver.patch +Bug: http://www.freebsd.org/security/advisories/FreeBSD-SA-13:08.nfsserver.asc +Bug-Debian: http://bugs.debian.org/717959 +Applied-Upstream: http://svnweb.freebsd.org/base?view=revision&revision=253694 + +--- a/sys/kern/vfs_export.c ++++ b/sys/kern/vfs_export.c +@@ -208,7 +208,7 @@ + np->netc_anon = crget(); + np->netc_anon->cr_uid = argp->ex_anon.cr_uid; + crsetgroups(np->netc_anon, argp->ex_anon.cr_ngroups, +- np->netc_anon->cr_groups); ++ argp->ex_anon.cr_groups); + np->netc_anon->cr_prison = &prison0; + prison_hold(np->netc_anon->cr_prison); + np->netc_numsecflavors = argp->ex_numsecflavors; diff -Nru kfreebsd-8-8.3/debian/patches/SA-13_09.ip_multicast.diff kfreebsd-8-8.3/debian/patches/SA-13_09.ip_multicast.diff --- kfreebsd-8-8.3/debian/patches/SA-13_09.ip_multicast.diff 1970-01-01 00:00:00.000000000 +0000 +++ kfreebsd-8-8.3/debian/patches/SA-13_09.ip_multicast.diff 2014-01-31 03:34:13.000000000 +0000 
@@ -0,0 +1,31 @@ +Description: + Fix an integer overflow in computing the size of a temporary buffer + can result in a buffer which is too small for the requested + operation. [13:09] (CVE-2013-3077) +Origin: vendor, http://security.FreeBSD.org/patches/SA-13:09/ip_multicast.patch +Bug: http://www.freebsd.org/security/advisories/FreeBSD-SA-13:09.ip_multicast.asc +Bug-Debian: http://bugs.debian.org/720470 +Applied-Upstream: http://svnweb.freebsd.org/base?view=revision&revision=254629 + +--- kfreebsd-8-8.3.orig/sys/netinet/in_mcast.c ++++ kfreebsd-8-8.3/sys/netinet/in_mcast.c +@@ -1613,6 +1613,8 @@ + * has asked for, but we always tell userland how big the + * buffer really needs to be. + */ ++ if (msfr.msfr_nsrcs > in_mcast_maxsocksrc) ++ msfr.msfr_nsrcs = in_mcast_maxsocksrc; + tss = NULL; + if (msfr.msfr_srcs != NULL && msfr.msfr_nsrcs > 0) { + tss = malloc(sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs, +--- kfreebsd-8-8.3.orig/sys/netinet6/in6_mcast.c ++++ kfreebsd-8-8.3/sys/netinet6/in6_mcast.c +@@ -1624,6 +1624,8 @@ + * has asked for, but we always tell userland how big the + * buffer really needs to be. + */ ++ if (msfr.msfr_nsrcs > in6_mcast_maxsocksrc) ++ msfr.msfr_nsrcs = in6_mcast_maxsocksrc; + tss = NULL; + if (msfr.msfr_srcs != NULL && msfr.msfr_nsrcs > 0) { + tss = malloc(sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs, diff -Nru kfreebsd-8-8.3/debian/patches/SA-13_10.sctp.diff kfreebsd-8-8.3/debian/patches/SA-13_10.sctp.diff --- kfreebsd-8-8.3/debian/patches/SA-13_10.sctp.diff 1970-01-01 00:00:00.000000000 +0000 +++ kfreebsd-8-8.3/debian/patches/SA-13_10.sctp.diff 2014-01-31 03:35:14.000000000 +0000 
@@ -0,0 +1,25 @@ +Description: + Fix a bug that could lead to kernel memory disclosure with + SCTP state cookie. [13:10] (CVE-2013-5209) +Origin: vendor, http://security.FreeBSD.org/patches/SA-13:10/sctp.patch +Bug: http://www.freebsd.org/security/advisories/FreeBSD-SA-13:10.sctp.asc +Bug-Debian: http://bugs.debian.org/720476 +Applied-Upstream: http://svnweb.freebsd.org/base?view=revision&revision=254632 + +--- kfreebsd-8-8.3.orig/sys/netinet/sctp_output.c ++++ kfreebsd-8-8.3/sys/netinet/sctp_output.c +@@ -5456,6 +5456,14 @@ + } + SCTP_BUF_LEN(m) = sizeof(struct sctp_init_chunk); + ++ /* ++ * We might not overwrite the identification[] completely and on ++ * some platforms time_entered will contain some padding. Therefore ++ * zero out the cookie to avoid putting uninitialized memory on the ++ * wire. ++ */ ++ memset(&stc, 0, sizeof(struct sctp_state_cookie)); ++ + /* the time I built cookie */ + (void)SCTP_GETTIME_TIMEVAL(&stc.time_entered); + diff -Nru kfreebsd-8-8.3/debian/patches/SA-13_12.ifioctl.diff kfreebsd-8-8.3/debian/patches/SA-13_12.ifioctl.diff --- kfreebsd-8-8.3/debian/patches/SA-13_12.ifioctl.diff 1970-01-01 00:00:00.000000000 +0000 +++ kfreebsd-8-8.3/debian/patches/SA-13_12.ifioctl.diff 2014-01-31 02:53:04.000000000 +0000 
@@ -0,0 +1,93 @@ +Description: + In IPv6 and NetATM, stop SIOCSIFADDR, SIOCSIFBRDADDR, SIOCSIFDSTADDR + and SIOCSIFNETMASK at the socket layer rather than pass them on to the + link layer without validation or credential checks. [13:12] + (CVE-2013-5691) +Origin: vendor, http://security.FreeBSD.org/patches/SA-13:12/ifioctl.patch +Bug: http://www.freebsd.org/security/advisories/FreeBSD-SA-13:12.ifioctl.asc +Bug-Debian: http://bugs.debian.org/737181 +Applied-Upstream: http://svnweb.freebsd.org/base?view=revision&revision=255445 + +--- kfreebsd-8-8.3.orig/sys/net/if.c ++++ kfreebsd-8-8.3/sys/net/if.c +@@ -2606,11 +2606,23 @@ + CURVNET_RESTORE(); + return (EOPNOTSUPP); + } ++ ++ /* ++ * Pass the request on to the socket control method, and if the ++ * latter returns EOPNOTSUPP, directly to the interface. ++ * ++ * Make an exception for the legacy SIOCSIF* requests. Drivers ++ * trust SIOCSIFADDR et al to come from an already privileged ++ * layer, and do not perform any credentials checks or input ++ * validation. 
++ */ + #ifndef COMPAT_43 + error = ((*so->so_proto->pr_usrreqs->pru_control)(so, cmd, + data, + ifp, td)); +- if (error == EOPNOTSUPP && ifp != NULL && ifp->if_ioctl != NULL) ++ if (error == EOPNOTSUPP && ifp != NULL && ifp->if_ioctl != NULL && ++ cmd != SIOCSIFADDR && cmd != SIOCSIFBRDADDR && ++ cmd != SIOCSIFDSTADDR && cmd != SIOCSIFNETMASK) + error = (*ifp->if_ioctl)(ifp, cmd, data); + #else + { +@@ -2654,7 +2666,9 @@ + data, + ifp, td)); + if (error == EOPNOTSUPP && ifp != NULL && +- ifp->if_ioctl != NULL) ++ ifp->if_ioctl != NULL && ++ cmd != SIOCSIFADDR && cmd != SIOCSIFBRDADDR && ++ cmd != SIOCSIFDSTADDR && cmd != SIOCSIFNETMASK) + error = (*ifp->if_ioctl)(ifp, cmd, data); + switch (ocmd) { + +--- kfreebsd-8-8.3.orig/sys/netinet6/in6.c ++++ kfreebsd-8-8.3/sys/netinet6/in6.c +@@ -339,6 +339,18 @@ + case SIOCGIFSTAT_ICMP6: + sa6 = &ifr->ifr_addr; + break; ++ case SIOCSIFADDR: ++ case SIOCSIFBRDADDR: ++ case SIOCSIFDSTADDR: ++ case SIOCSIFNETMASK: ++ /* ++ * Although we should pass any non-INET6 ioctl requests ++ * down to driver, we filter some legacy INET requests. ++ * Drivers trust SIOCSIFADDR et al to come from an already ++ * privileged layer, and do not perform any credentials ++ * checks or input validation. ++ */ ++ return (EINVAL); + default: + sa6 = NULL; + break; +--- kfreebsd-8-8.3.orig/sys/netnatm/natm.c ++++ kfreebsd-8-8.3/sys/netnatm/natm.c +@@ -339,6 +339,21 @@ + npcb = (struct natmpcb *)so->so_pcb; + KASSERT(npcb != NULL, ("natm_usr_control: npcb == NULL")); + ++ switch (cmd) { ++ case SIOCSIFADDR: ++ case SIOCSIFBRDADDR: ++ case SIOCSIFDSTADDR: ++ case SIOCSIFNETMASK: ++ /* ++ * Although we should pass any non-ATM ioctl requests ++ * down to driver, we filter some legacy INET requests. ++ * Drivers trust SIOCSIFADDR et al to come from an already ++ * privileged layer, and do not perform any credentials ++ * checks or input validation. 
++ */ ++ return (EINVAL); ++ } ++ + if (ifp == NULL || ifp->if_ioctl == NULL) + return (EOPNOTSUPP); + return ((*ifp->if_ioctl)(ifp, cmd, arg)); diff -Nru kfreebsd-8-8.3/debian/patches/SA-13_13.nullfs.diff kfreebsd-8-8.3/debian/patches/SA-13_13.nullfs.diff --- kfreebsd-8-8.3/debian/patches/SA-13_13.nullfs.diff 1970-01-01 00:00:00.000000000 +0000 +++ kfreebsd-8-8.3/debian/patches/SA-13_13.nullfs.diff 2014-01-31 02:55:22.000000000 +0000 @@ -0,0 +1,34 @@ +Description: + Prevent cross-mount hardlinks between different nullfs mounts of the + same underlying filesystem. [13:13] (CVE-2013-5710) +Origin: vendor, http://security.FreeBSD.org/patches/SA-13:13/nullfs.patch +Bug: http://www.freebsd.org/security/advisories/FreeBSD-SA-13:13.nullfs.asc +Bug-Debian: http://bugs.debian.org/737182 +Applied-Upstream: http://svnweb.freebsd.org/base?view=revision&revision=255445 + +--- kfreebsd-8-8.3.orig/sys/fs/nullfs/null_vnops.c ++++ kfreebsd-8-8.3/sys/fs/nullfs/null_vnops.c +@@ -817,6 +817,15 @@ + return (error); + } + ++static int ++null_link(struct vop_link_args *ap) ++{ ++ ++ if (ap->a_tdvp->v_mount != ap->a_vp->v_mount) ++ return (EXDEV); ++ return (null_bypass((struct vop_generic_args *)ap)); ++} ++ + /* + * Global vfs data structures + */ +@@ -829,6 +838,7 @@ + .vop_getwritemount = null_getwritemount, + .vop_inactive = null_inactive, + .vop_islocked = vop_stdislocked, ++ .vop_link = null_link, + .vop_lock1 = null_lock, + .vop_lookup = null_lookup, + .vop_open = null_open, diff -Nru kfreebsd-8-8.3/debian/patches/series kfreebsd-8-8.3/debian/patches/series --- kfreebsd-8-8.3/debian/patches/series 2012-11-23 22:11:38.000000000 +0000 +++ kfreebsd-8-8.3/debian/patches/series 2014-01-31 03:36:09.000000000 +0000 
@@ -13,6 +13,12 @@ EN-12_02.ipv6refcount.patch SCTP_DOS_svn239447.diff SA-12_08.linux.patch +SA-13_08.nfsserver.diff +SA-13_09.ip_multicast.diff +SA-13_10.sctp.diff +SA-13_12.ifioctl.diff +SA-13_13.nullfs.diff +disable_via_rng.diff # Other patches that might or might not be mergeable 001_misc.diff
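
Review bot: In the debian/changelog hunk, the last entry tells users to re-enable the VIA RNG with the hw.nehemiah_rng_enable "sysctl", but disable_via_rng.diff reads the value with TUNABLE_INT_FETCH in the hardware probe path and its own Description calls it a loader tunable. Nothing in the visible lines registers a sysctl, so the entry should say "loader tunable" to make clear that the value has to be set before the kernel probes for the device.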
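
Review bot: In the probe.c hunk of disable_via_rng.diff, the new default-off branch has no comment explaining why random_nehemiah is no longer selected automatically; the reason exists only in the DEP-3 header ("unsafe usage"). A short comment above "enable = 0;" that points at Bug-Debian #735448 would keep the rationale next to the code. The hunk also leaves no trace at boot of which value was picked up, so a one-line message when the tunable turns the hardware RNG back on would help anyone auditing a machine's entropy source.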
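
Review bot: The Description in SA-13_08.nfsserver.diff has a doubled word ("when when") and is missing "to" in "allows remote client bypass"; worth correcting, since the DEP-3 header is what later readers of the package will see. The one-line change in vfs_export.c itself is consistent with its context: crsetgroups() now takes the group list from argp->ex_anon.cr_groups, the same source as the cr_uid and cr_ngroups arguments on the lines above, instead of from the credential just returned by crget().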
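
Review bot: In both the in_mcast.c and in6_mcast.c hunks of SA-13_09.ip_multicast.diff, msfr.msfr_nsrcs is clamped in place directly below a comment that promises "we always tell userland how big the buffer really needs to be". Please confirm that the count reported back to userland is set from the real number of sources later in the function and not from the clamped field; the visible context does not show that part. The Description is also ungrammatical ("Fix an integer overflow ... can result in"); "which can result in" would fix it.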
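
Review bot: In the sctp_output.c hunk of SA-13_10.sctp.diff, the memset is sized with sizeof(struct sctp_state_cookie) rather than sizeof(stc); using sizeof(stc) would keep the cleared length tied to the variable if its type ever changes. As this is the vendor patch applied verbatim, keeping upstream's form is defensible. The placement is what matters, and it is correct in the visible context: the zeroing comes before the first store shown into stc (time_entered), so padding and any unwritten part of identification[] go out as zeros.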
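
Review bot: SA-13_12.ifioctl.diff rejects the same four requests with different error codes depending on the path: in the two if.c hunks the driver call is skipped and error stays at EOPNOTSUPP, while the in6.c and natm.c hunks return EINVAL. If that difference is intended, a sentence in the Description would save callers that check errno from guessing. The four-way cmd comparison is also repeated verbatim in both if.c branches; fine for a minimal backport of the vendor patch, but any future addition to the list has to be made in both places.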
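
Review bot: The Applied-Upstream header in SA-13_13.nullfs.diff cites revision=255445, the same revision cited in the header of SA-13_12.ifioctl.diff; please check that one of the two was not copied from the other. In the null_vnops.c hunk, null_link() is added without a comment: one line saying that a link whose target directory and source vnode sit on different mounts is refused with EXDEV, even when the underlying filesystem is the same, would record why the check is on v_mount and not on the lower vnodes.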

