Package: release.debian.org User: release.debian....@packages.debian.org Usertags: pu Severity: normal
Hi, Please can we have your permission to update kfreebsd-9 in wheezy? -10+deb70.6 fixes a security problem and two other grave bugs: kfreebsd-9 (9.0-10+deb70.6) stable; urgency=low * Disable VIA hardware RNG by default. Use hw.nehemiah_rng_enable sysctl to re-enable (but read about the security implications first). (Closes: #735448) * Apply upstream EN-14_02.mmap patch. * Fix lseek ENXIO error condition with ZFS. (Closes: #736198) -- Robert Millan <r...@debian.org> Mon, 27 Jan 2014 16:16:28 +0100 debdiff is attached. -- System Information: Debian Release: jessie/sid APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: kfreebsd-amd64 (x86_64) Foreign Architectures: kfreebsd-i386 Kernel: kFreeBSD 9.0-2-amd64 Locale: LANG=ca_AD.UTF-8, LC_CTYPE=ca_AD.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash
diff -Nru kfreebsd-9-9.0/debian/changelog kfreebsd-9-9.0/debian/changelog --- kfreebsd-9-9.0/debian/changelog 2013-10-10 00:14:43.000000000 +0200 +++ kfreebsd-9-9.0/debian/changelog 2014-01-27 16:16:29.000000000 +0100 @@ -1,3 +1,13 @@ +kfreebsd-9 (9.0-10+deb70.6) stable; urgency=low + + * Disable VIA hardware RNG by default. Use hw.nehemiah_rng_enable + sysctl to re-enable (but read about the security implications + first). (Closes: #735448) + * Apply upstream EN-14_02.mmap patch. + * Fix lseek ENXIO error condition with ZFS. (Closes: #736198) + + -- Robert Millan <r...@debian.org> Mon, 27 Jan 2014 16:16:28 +0100 + kfreebsd-9 (9.0-10+deb70.5) stable; urgency=low * Disable 101_nullfs_vsock.diff. (Closes: #718888) diff -Nru kfreebsd-9-9.0/debian/patches/disable_via_rng.diff kfreebsd-9-9.0/debian/patches/disable_via_rng.diff --- kfreebsd-9-9.0/debian/patches/disable_via_rng.diff 1970-01-01 01:00:00.000000000 +0100 +++ kfreebsd-9-9.0/debian/patches/disable_via_rng.diff 2014-01-27 16:15:56.000000000 +0100 @@ -0,0 +1,36 @@ +Description: + Disable VIA hardware RNG by default due to unsafe usage. Implement a + loader tunable allowing to turn it back on. + . + Minimal patch based on upstream SVN r240950 and r260644 +Origin: backports, commit:240950, commit:260644 +Forwarded: not-needed +Bug-Debian: http://bugs.debian.org/735448 + +Index: kfreebsd-9-9.0/sys/dev/random/probe.c +=================================================================== +--- kfreebsd-9-9.0.orig/sys/dev/random/probe.c 2006-07-13 11:47:36.000000000 +0000 ++++ kfreebsd-9-9.0/sys/dev/random/probe.c 2014-01-26 16:41:27.538080382 +0000 +@@ -30,6 +30,8 @@ + + #include <sys/types.h> + #include <sys/param.h> ++#include <sys/systm.h> ++#include <sys/kernel.h> + #include <sys/malloc.h> + #include <sys/random.h> + #include <sys/selinfo.h> +@@ -57,7 +59,12 @@ + /* Then go looking for hardware */ + #if defined(__i386__) && !defined(PC98) + if (via_feature_rng & VIA_HAS_RNG) { +- *systat = random_nehemiah; ++ int enable; ++ ++ enable = 0; ++ TUNABLE_INT_FETCH("hw.nehemiah_rng_enable", &enable); ++ if (enable) ++ *systat = random_nehemiah; + } + #endif + } diff -Nru kfreebsd-9-9.0/debian/patches/EN-14_02.mmap.patch kfreebsd-9-9.0/debian/patches/EN-14_02.mmap.patch --- kfreebsd-9-9.0/debian/patches/EN-14_02.mmap.patch 1970-01-01 01:00:00.000000000 +0100 +++ kfreebsd-9-9.0/debian/patches/EN-14_02.mmap.patch 2014-01-22 22:58:39.000000000 +0100 @@ -0,0 +1,21 @@ + +From http://security.freebsd.org/patches/EN-14:02/mmap.patch + +--- a/sys/vm/vm_map.c ++++ b/sys/vm/vm_map.c +@@ -1232,6 +1232,7 @@ + } + else if ((prev_entry != &map->header) && + (prev_entry->eflags == protoeflags) && ++ (cow & (MAP_ENTRY_GROWS_DOWN | MAP_ENTRY_GROWS_UP)) == 0 && + (prev_entry->end == start) && + (prev_entry->wired_count == 0) && + (prev_entry->cred == cred || +@@ -3199,7 +3200,6 @@ + * NOTE: We explicitly allow bi-directional stacks. + */ + orient = cow & (MAP_STACK_GROWS_DOWN|MAP_STACK_GROWS_UP); +- cow &= ~orient; + KASSERT(orient != 0, ("No stack grow direction")); + + if (addrbos < vm_map_min(map) || diff -Nru kfreebsd-9-9.0/debian/patches/fix_lseek_zfs.diff kfreebsd-9-9.0/debian/patches/fix_lseek_zfs.diff --- kfreebsd-9-9.0/debian/patches/fix_lseek_zfs.diff 1970-01-01 01:00:00.000000000 +0100 +++ kfreebsd-9-9.0/debian/patches/fix_lseek_zfs.diff 2014-01-22 23:18:27.000000000 +0100 @@ -0,0 +1,34 @@ + +http://www.freebsd.org/cgi/query-pr.cgi?pr=164445 + +http://svn.freebsd.org/changeset/base/233918 + +--- a/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c ++++ b/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c +@@ -293,9 +293,12 @@ + + case _FIO_SEEK_DATA: + case _FIO_SEEK_HOLE: ++#ifdef sun + if (ddi_copyin((void *)data, &off, sizeof (off), flag)) + return (EFAULT); +- ++#else ++ off = *(offset_t *)data; ++#endif + zp = VTOZ(vp); + zfsvfs = zp->z_zfsvfs; + ZFS_ENTER(zfsvfs); +@@ -306,8 +309,12 @@ + ZFS_EXIT(zfsvfs); + if (error) + return (error); ++#ifdef sun + if (ddi_copyout(&off, (void *)data, sizeof (off), flag)) + return (EFAULT); ++#else ++ *(offset_t *)data = off; ++#endif + return (0); + } + return (ENOTTY); diff -Nru kfreebsd-9-9.0/debian/patches/series kfreebsd-9-9.0/debian/patches/series --- kfreebsd-9-9.0/debian/patches/series 2013-09-15 18:42:44.000000000 +0200 +++ kfreebsd-9-9.0/debian/patches/series 2014-01-22 23:15:54.000000000 +0100 @@ -15,6 +15,9 @@ SA-13_10.sctp.patch SA-13_12.ifioctl.diff SA-13_13.nullfs.diff +disable_via_rng.diff +EN-14_02.mmap.patch +fix_lseek_zfs.diff # Other patches that might or might not be mergeable 001_misc.diff