Hi stable release managers, The security team asked for an upload of kfreebsd-7 to stable with a fix for CVE-2009-1041 [1]. I have prepared a package which also includes fixes for a few other security-related bugs. Please find a diff attached.
Is it ok to upload it? Thanks, Aurelien
[1] http://lists.debian.org/debian-bsd/2009/04/msg00098.html
diff -u kfreebsd-7-7.0/debian/changelog kfreebsd-7-7.0/debian/changelog
--- kfreebsd-7-7.0/debian/changelog
+++ kfreebsd-7-7.0/debian/changelog
@@ -1,3 +1,16 @@
+kfreebsd-7 (7.0-7lenny1) stable; urgency=low
+
+ * 000_ktimer.diff: fix local privilege escalation (CVE-2009-1041 /
+ FreeBSD-SA-09:06.ktimer).
+ * 000_kenv.diff: fix kernel panic when dumping environment
+ (FreeBSD-EN-09:01.kenv).
+ * 000_arc4random.patch: fix arc4random(9) predictable sequence
+ vulnerability (FreeBSD-SA-08.11.arc4random / CVE-2008-5162).
+ * 000_protosw.patch: fix netgraph / bluetooth privilege escalation
+ (FreeBSD-SA-08:13.protosw).
+
+ -- Aurelien Jarno <[email protected]> Sat, 02 May 2009 12:52:15 +0200
+
 kfreebsd-7 (7.0-7) unstable; urgency=low

 [ Petr Salinger ]
diff -u kfreebsd-7-7.0/debian/patches/series kfreebsd-7-7.0/debian/patches/series
--- kfreebsd-7-7.0/debian/patches/series
+++ kfreebsd-7-7.0/debian/patches/series
@@ -3,6 +3,10 @@
 000_icmp6.diff -p1
 000_nmount.diff -p1
 000_nd6.patch -p1
+000_kenv.diff -p1
+000_ktimer.diff -p1
+000_arc4random.patch -p1
+000_protosw.patch -p1
 001_misc.diff -p0
 003_glibc_dev_aicasm.diff -p0
 004_xargs.diff -p0
only in patch2: unchanged:
--- kfreebsd-7-7.0.orig/debian/patches/000_arc4random.patch
+++ kfreebsd-7-7.0/debian/patches/000_arc4random.patch
@@ -0,0 +1,81 @@
+Index: head/sys/dev/random/randomdev.c
+===================================================================
+--- head/sys/dev/random/randomdev.c (revision 185214)
++++ head/sys/dev/random/randomdev.c (working copy)
+@@ -90,6 +90,7 @@
+ && (securelevel_gt(td->td_ucred, 0) == 0)) {
+ (*random_systat.reseed)();
+ random_systat.seeded = 1;
++ arc4rand(NULL, 0, 1); /* Reseed arc4random as well. */
+ }
+
+ return (0);
+Index: head/sys/dev/random/randomdev_soft.c
+===================================================================
+--- head/sys/dev/random/randomdev_soft.c (revision 185214)
++++ head/sys/dev/random/randomdev_soft.c (working copy)
+@@ -61,6 +61,7 @@
+ u_int, u_int, enum esource);
+ static int random_yarrow_poll(int event,struct thread *td);
+ static int random_yarrow_block(int flag);
++static void random_yarrow_flush_reseed(void);
+
+ struct random_systat random_yarrow = {
+ .ident = "Software, Yarrow",
+@@ -70,7 +71,7 @@
+ .read = random_yarrow_read,
+ .write = random_yarrow_write,
+ .poll = random_yarrow_poll,
+- .reseed = random_yarrow_reseed,
++ .reseed = random_yarrow_flush_reseed,
+ .seeded = 1,
+ };
+
+@@ -96,7 +97,7 @@
+ /* Harvested entropy */
+ static struct entropyfifo harvestfifo[ENTROPYSOURCE];
+
+-/* <0 to end the kthread, 0 to let it run */
++/* <0 to end the kthread, 0 to let it run, 1 to flush the harvest queues */
+ static int random_kthread_control = 0;
+
+ static struct proc *random_kthread_proc;
+@@ -241,7 +242,7 @@
+ local_count = 0;
+
+ /* Process until told to stop */
+- for (; random_kthread_control == 0;) {
++ for (; random_kthread_control >= 0;) {
+
+ active = 0;
+
+@@ -276,6 +277,13 @@
+ KASSERT(local_count == 0, ("random_kthread: local_count %d",
+ local_count));
+
++ /*
++ * If a queue flush was commanded, it has now happened,
++ * and we can mark this by resetting the command.
++ */
++ if (random_kthread_control == 1)
++ random_kthread_control = 0;
++
+ /* Found nothing, so don't belabour the issue */
+ if (!active)
+ pause("-", hz / 10);
+@@ -400,3 +408,15 @@
+
+ return error;
+ }
++
++/* Helper routine to perform explicit reseeds */
++static void
++random_yarrow_flush_reseed(void)
++{
++ /* Command a entropy queue flush and wait for it to finish */
++ random_kthread_control = 1;
++ while (random_kthread_control)
++ pause("-", hz / 10);
++
++ random_yarrow_reseed();
++}
only in patch2: unchanged:
--- kfreebsd-7-7.0.orig/debian/patches/000_kenv.diff
+++ kfreebsd-7-7.0/debian/patches/000_kenv.diff
@@ -0,0 +1,33 @@
+Index: head/sys/kern/kern_environment.c
+===================================================================
+--- head/sys/kern/kern_environment.c (revision 190221)
++++ head/sys/kern/kern_environment.c (working copy)
+@@ -87,7 +87,7 @@
+ } */ *uap;
+ {
+ char *name, *value, *buffer = NULL;
+- size_t len, done, needed;
++ size_t len, done, needed, buflen;
+ int error, i;
+
+ KASSERT(dynamic_kenv, ("kenv: dynamic_kenv = 0"));
+@@ -100,13 +100,17 @@
+ return (error);
+ #endif
+ done = needed = 0;
++ buflen = uap->len;
++ if (buflen > KENV_SIZE * (KENV_MNAMELEN + KENV_MVALLEN + 2))
++ buflen = KENV_SIZE * (KENV_MNAMELEN +
++ KENV_MVALLEN + 2);
+ if (uap->len > 0 && uap->value != NULL)
+- buffer = malloc(uap->len, M_TEMP, M_WAITOK|M_ZERO);
++ buffer = malloc(buflen, M_TEMP, M_WAITOK|M_ZERO);
+ mtx_lock(&kenv_lock);
+ for (i = 0; kenvp[i] != NULL; i++) {
+ len = strlen(kenvp[i]) + 1;
+ needed += len;
+- len = min(len, uap->len - done);
++ len = min(len, buflen - done);
+ /*
+ * If called with a NULL or insufficiently large
+ * buffer, just keep computing the required size.
only in patch2: unchanged:
--- kfreebsd-7-7.0.orig/debian/patches/000_protosw.patch
+++ kfreebsd-7-7.0/debian/patches/000_protosw.patch
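Review bot: random_yarrow_flush_reseed() stores `random_kthread_control = 1` unconditionally and then waits for the kthread to clear it, but the kthread loop in the `@@ -241` hunk now exits as soon as the value goes negative, so a flush that arrives after (or races with) a stop request either overwrites the stop command or, if the thread has already left the loop, pauses forever. Whether the reseed path can still be reached at that point depends on the deinit code outside this hunk, but it is cheap to guard: skip the command-and-wait when the flag is already negative and just call `random_yarrow_reseed()`, e.g. `if (random_kthread_control >= 0) { random_kthread_control = 1; while (random_kthread_control) pause("-", hz / 10); }`. The same plain int is now written from two contexts without a lock; pause() is an opaque call so the loop re-reads it, but a one-line comment saying the flag is deliberately unlocked would help the next reader. Also `a entropy queue flush` in the new comment should read `an entropy queue flush`.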
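Review bot: The clamp on `buflen` is the actual fix — `uap->len` arrives from the syscall arguments and previously sized the M_WAITOK malloc directly — but nothing in the new code says so, and the bound expression is spelled out twice in the `@@ -100` hunk. A comment above the clamp, `/* uap->len is caller-controlled; never allocate more than the largest possible environment. */`, plus a single local such as `size_t maxbuf = KENV_SIZE * (KENV_MNAMELEN + KENV_MVALLEN + 2);` used in both the comparison and the assignment would record the intent and keep the two copies from drifting. `needed` is still accumulated from the full environment, so the size reported back is presumably unaffected by the clamp; the code that copies `buffer` out and returns that size lies outside this hunk, as does the rest of the function.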
@@ -0,0 +1,23 @@
+Index: head/sys/kern/uipc_domain.c
+===================================================================
+--- head/sys/kern/uipc_domain.c (revision 186366)
++++ head/sys/kern/uipc_domain.c (working copy)
+@@ -112,13 +112,18 @@
+
+ #define DEFAULT(foo, bar) if ((foo) == NULL) (foo) = (bar)
+ DEFAULT(pu->pru_accept, pru_accept_notsupp);
++ DEFAULT(pu->pru_bind, pru_bind_notsupp);
+ DEFAULT(pu->pru_connect, pru_connect_notsupp);
+ DEFAULT(pu->pru_connect2, pru_connect2_notsupp);
+ DEFAULT(pu->pru_control, pru_control_notsupp);
++ DEFAULT(pu->pru_disconnect, pru_disconnect_notsupp);
+ DEFAULT(pu->pru_listen, pru_listen_notsupp);
++ DEFAULT(pu->pru_peeraddr, pru_peeraddr_notsupp);
+ DEFAULT(pu->pru_rcvd, pru_rcvd_notsupp);
+ DEFAULT(pu->pru_rcvoob, pru_rcvoob_notsupp);
+ DEFAULT(pu->pru_sense, pru_sense_null);
++ DEFAULT(pu->pru_shutdown, pru_shutdown_notsupp);
++ DEFAULT(pu->pru_sockaddr, pru_sockaddr_notsupp);
+ DEFAULT(pu->pru_sosend, sosend_generic);
+ DEFAULT(pu->pru_soreceive, soreceive_generic);
+ DEFAULT(pu->pru_sopoll, sopoll_generic);
only in patch2: unchanged:
--- kfreebsd-7-7.0.orig/debian/patches/000_ktimer.diff
+++ kfreebsd-7-7.0/debian/patches/000_ktimer.diff
@@ -0,0 +1,14 @@
+Index: head/sys/kern/kern_time.c
+===================================================================
+--- head/sys/kern/kern_time.c (revision 190192)
++++ head/sys/kern/kern_time.c (working copy)
+@@ -1085,7 +1085,8 @@
+ struct itimer *it;
+
+ PROC_LOCK_ASSERT(p, MA_OWNED);
+- if ((p->p_itimers == NULL) || (timerid >= TIMER_MAX) ||
++ if ((p->p_itimers == NULL) ||
++ (timerid < 0) || (timerid >= TIMER_MAX) ||
+ (it = p->p_itimers->its_timers[timerid]) == NULL) {
+ return (NULL);
+ }
-- Aurelien Jarno GPG: 1024D/F1BCDB73 [email protected] http://www.aurel32.net
-- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]
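Review bot: The five new DEFAULT() entries fill pr_usrreqs slots that a protocol could previously leave NULL, but the block carries no comment stating the invariant they enforce, which is the whole reason the change is a security fix. I would add above the `#define`: `/* Every pr_usrreqs slot must be non-NULL after this point; the socket layer calls through these pointers, so an unset slot is a NULL function-pointer call in the kernel. */`. Whether the remaining pr_usrreqs members not touched in this hunk are guaranteed to be set by every protocol cannot be told from here; if any of them may legitimately be omitted, the same defaulting should be applied. DEFAULT() is also an unbraced `if` macro — pre-existing, but worth a `do { } while (0)` wrap the next time this file is touched. The enclosing function starts before this hunk.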
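Review bot: The added `(timerid < 0)` test is the entire fix, but next to `(timerid >= TIMER_MAX)` it reads as redundant and is exactly the kind of condition a later cleanup removes; a comment on the line would protect it, e.g. `/* timerid is signed and caller-supplied: a negative value would index before its_timers[]. */`. If TIMER_MAX is a small positive constant, the pair of tests could also be written as the single `(u_int)timerid >= TIMER_MAX`, which is a common idiom for rejecting both ends at once, provided the file's style allows the cast. The function whose signature declares timerid begins before this hunk, so its type is an inference from the new test rather than something visible here.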

