Git-Url: 
http://git.frugalware.org/gitweb/gitweb.cgi?p=frugalware-1.0.git;a=commitdiff;h=8f78cb97034668cfdf9f55460fd5c6d362582a03

commit 8f78cb97034668cfdf9f55460fd5c6d362582a03
Author: Miklos Vajna <vmik...@frugalware.org>
Date:   Fri Jul 31 13:45:36 2009 +0200

kernel-2.6.28-6anacreon2-i686

- add CVE-2009-1895.patch, CVE-2009-2406.patch and CVE-2009-2407.patch

diff --git a/source/base/kernel/CVE-2009-1895.patch 
b/source/base/kernel/CVE-2009-1895.patch
new file mode 100644
index 0000000..196c80a
--- /dev/null
+++ b/source/base/kernel/CVE-2009-1895.patch
@@ -0,0 +1,57 @@
+From f9fabcb58a6d26d6efde842d1703ac7cfa9427b6 Mon Sep 17 00:00:00 2001
+From: Julien Tinnes <j...@cr0.org>
+Date: Fri, 26 Jun 2009 20:27:40 +0200
+Subject: [PATCH] personality: fix PER_CLEAR_ON_SETID
+
+We have found that the current PER_CLEAR_ON_SETID mask on Linux doesn't
+include neither ADDR_COMPAT_LAYOUT, nor MMAP_PAGE_ZERO.
+
+The current mask is READ_IMPLIES_EXEC|ADDR_NO_RANDOMIZE.
+
+We believe it is important to add MMAP_PAGE_ZERO, because by using this
+personality it is possible to have the first page mapped inside a
+process running as setuid root.  This could be used in those scenarios:
+
+ - Exploiting a NULL pointer dereference issue in a setuid root binary
+ - Bypassing the mmap_min_addr restrictions of the Linux kernel: by
+   running a setuid binary that would drop privileges before giving us
+   control back (for instance by loading a user-supplied library), we
+   could get the first page mapped in a process we control.  By further
+   using mremap and mprotect on this mapping, we can then completely
+   bypass the mmap_min_addr restrictions.
+
+Less importantly, we believe ADDR_COMPAT_LAYOUT should also be added
+since on x86 32bits it will in practice disable most of the address
+space layout randomization (only the stack will remain randomized).
+
+Signed-off-by: Julien Tinnes <j...@cr0.org>
+Signed-off-by: Tavis Ormandy <tav...@sdf.lonestar.org>
+Cc: sta...@kernel.org
+Acked-by: Christoph Hellwig <h...@infradead.org>
+Acked-by: Kees Cook <k...@ubuntu.com>
+Acked-by: Eugene Teo <eug...@redhat.com>
+[ Shortened lines and fixed whitespace as per Christophs' suggestion ]
+Signed-off-by: Linus Torvalds <torva...@linux-foundation.org>
+---
+ include/linux/personality.h |    5 ++++-
+ 1 files changed, 4 insertions(+), 1 deletions(-)
+
+diff --git a/include/linux/personality.h b/include/linux/personality.h
+index a84e9ff..1261208 100644
+--- a/include/linux/personality.h
++++ b/include/linux/personality.h
+@@ -40,7 +40,10 @@ enum {
+  * Security-relevant compatibility flags that must be
+  * cleared upon setuid or setgid exec:
+  */
+-#define PER_CLEAR_ON_SETID (READ_IMPLIES_EXEC|ADDR_NO_RANDOMIZE)
++#define PER_CLEAR_ON_SETID (READ_IMPLIES_EXEC  | \
++                          ADDR_NO_RANDOMIZE  | \
++                          ADDR_COMPAT_LAYOUT | \
++                          MMAP_PAGE_ZERO)
+
+ /*
+  * Personality types.
+--
+1.6.4
+
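Review bot: The hunk widens PER_CLEAR_ON_SETID but touches nothing that applies it, so the hardening reaches only the exec paths that already mask current->personality with this symbol in the 2.6.28 tree; as far as I recall that is the S_ISUID/S_ISGID handling in fs/exec.c prepare_binprm(), which would leave a binary gaining privilege through file capabilities rather than mode bits free to inherit MMAP_PAGE_ZERO, so this should be confirmed against the tree before the CVE is treated as closed here. The `index a84e9ff..1261208` line names mainline blobs rather than this tree's personality.h, and the three context lines (`enum {`, the "Security-relevant compatibility flags" comment) are generic enough that a mismatched file could still take the hunk with offset, so the build log for this pkgrel is worth a look for fuzz/offset on this file. A short comment above the new mask would also help the next person who backports on top of it: `/* MMAP_PAGE_ZERO lets an unprivileged caller get page 0 mapped in a setuid target (CVE-2009-1895) */`.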
diff --git a/source/base/kernel/CVE-2009-2406.patch 
b/source/base/kernel/CVE-2009-2406.patch
new file mode 100644
index 0000000..d0e5f19
--- /dev/null
+++ b/source/base/kernel/CVE-2009-2406.patch
@@ -0,0 +1,40 @@
+From 6352a29305373ae6196491e6d4669f301e26492e Mon Sep 17 00:00:00 2001
+From: Tyler Hicks <tyhi...@linux.vnet.ibm.com>
+Date: Tue, 28 Jul 2009 13:57:01 -0500
+Subject: [PATCH] eCryptfs: Check Tag 11 literal data buffer size
+
+Tag 11 packets are stored in the metadata section of an eCryptfs file to
+store the key signature(s) used to encrypt the file encryption key.
+After extracting the packet length field to determine the key signature
+length, a check is not performed to see if the length would exceed the
+key signature buffer size that was passed into parse_tag_11_packet().
+
+Thanks to Ramon de Carvalho Valle for finding this bug using fsfuzzer.
+
+Signed-off-by: Tyler Hicks <tyhi...@linux.vnet.ibm.com>
+Cc: sta...@kernel.org (2.6.27 and 30)
+Signed-off-by: Linus Torvalds <torva...@linux-foundation.org>
+---
+ fs/ecryptfs/keystore.c |    6 ++++++
+ 1 files changed, 6 insertions(+), 0 deletions(-)
+
+diff --git a/fs/ecryptfs/keystore.c b/fs/ecryptfs/keystore.c
+index af737bb..5414253 100644
+--- a/fs/ecryptfs/keystore.c
++++ b/fs/ecryptfs/keystore.c
+@@ -1449,6 +1449,12 @@ parse_tag_11_packet(unsigned char *data, unsigned char 
*contents,
+               rc = -EINVAL;
+               goto out;
+       }
++      if (unlikely((*tag_11_contents_size) > max_contents_bytes)) {
++              printk(KERN_ERR "Literal data section in tag 11 packet exceeds "
++                     "expected size\n");
++              rc = -EINVAL;
++              goto out;
++      }
+       if (data[(*packet_size)++] != 0x62) {
+               printk(KERN_WARNING "Unrecognizable packet\n");
+               rc = -EINVAL;
+--
+1.6.4
+
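Review bot: The new bound check `if (unlikely((*tag_11_contents_size) > max_contents_bytes))` logs at KERN_ERR, while the neighbouring rejection visible on the next line (`Unrecognizable packet`) uses KERN_WARNING, and the value being rejected comes from on-disk eCryptfs metadata that anyone able to place a file on the mount controls, so a crafted file yields one KERN_ERR line per open. I would use `printk(KERN_WARNING "Literal data section in tag 11 packet exceeds expected size\n");` for consistency and consider gating it with printk_ratelimit() as is done elsewhere for user-triggerable messages. The check is placed before the packet body is consumed, but the copy it protects and the rest of parse_tag_11_packet() lie outside the hunk, so whether `>` rather than `>=` is the right comparison depends on max_contents_bytes being the exact size of the caller's buffer, which the parameter name suggests but the hunk cannot show. parse_tag_11_packet() starts and ends outside the hunk.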
diff --git a/source/base/kernel/CVE-2009-2407.patch 
b/source/base/kernel/CVE-2009-2407.patch
new file mode 100644
index 0000000..bceff66
--- /dev/null
+++ b/source/base/kernel/CVE-2009-2407.patch
@@ -0,0 +1,38 @@
+From f151cd2c54ddc7714e2f740681350476cda03a28 Mon Sep 17 00:00:00 2001
+From: Ramon de Carvalho Valle <ra...@risesecurity.org>
+Date: Tue, 28 Jul 2009 13:58:22 -0500
+Subject: [PATCH] eCryptfs: parse_tag_3_packet check tag 3 packet encrypted key 
size
+
+The parse_tag_3_packet function does not check if the tag 3 packet contains a
+encrypted key size larger than ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES.
+
+Signed-off-by: Ramon de Carvalho Valle <ra...@risesecurity.org>
+[tyhi...@linux.vnet.ibm.com: Added printk newline and changed goto to out_free]
+Signed-off-by: Tyler Hicks <tyhi...@linux.vnet.ibm.com>
+Cc: sta...@kernel.org (2.6.27 and 30)
+Signed-off-by: Linus Torvalds <torva...@linux-foundation.org>
+---
+ fs/ecryptfs/keystore.c |    7 +++++++
+ 1 files changed, 7 insertions(+), 0 deletions(-)
+
+diff --git a/fs/ecryptfs/keystore.c b/fs/ecryptfs/keystore.c
+index 5414253..259525c 100644
+--- a/fs/ecryptfs/keystore.c
++++ b/fs/ecryptfs/keystore.c
+@@ -1303,6 +1303,13 @@ parse_tag_3_packet(struct ecryptfs_crypt_stat 
*crypt_stat,
+       }
+       (*new_auth_tok)->session_key.encrypted_key_size =
+               (body_size - (ECRYPTFS_SALT_SIZE + 5));
++      if ((*new_auth_tok)->session_key.encrypted_key_size
++          > ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES) {
++              printk(KERN_WARNING "Tag 3 packet contains key larger "
++                     "than ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES\n");
++              rc = -EINVAL;
++              goto out_free;
++      }
+       if (unlikely(data[(*packet_size)++] != 0x04)) {
+               printk(KERN_WARNING "Unknown version number [%d]\n",
+                      data[(*packet_size) - 1]);
+--
+1.6.4
+
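Review bot: The new check rejects `encrypted_key_size > ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES` only after `(body_size - (ECRYPTFS_SALT_SIZE + 5))` has been stored, so a body_size below ECRYPTFS_SALT_SIZE + 5 is handled either by an earlier lower-bound check (the `}` on the hunk's first context line closes a block outside the hunk, which may be it) or by the subtraction wrapping to a large unsigned value that the new `>` then catches; if either field is signed, a negative result would pass this check unnoticed. Worth confirming the types of body_size and session_key.encrypted_key_size in this tree and, if nothing bounds body_size from below before the subtraction, adding `if (body_size < ECRYPTFS_SALT_SIZE + 5) { rc = -EINVAL; goto out_free; }` ahead of it. A one-line comment on the new check naming the fixed-size buffer it bounds would also help, since the copy that buffer feeds is not visible in this hunk. parse_tag_3_packet() starts and continues outside the hunk.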
diff --git a/source/base/kernel/FrugalBuild b/source/base/kernel/FrugalBuild
index 0ed6635..3d0a30b 100644
--- a/source/base/kernel/FrugalBuild
+++ b/source/base/kernel/FrugalBuild
@@ -2,9 +2,9 @@
# Maintainer: Miklos Vajna <vmik...@frugalware.org>

_F_kernel_patches=(kernel-2.6.28-KVM-gfxboot.patch 
intel_iommu_default_to_off.patch \
-       jbd2.patch)
+       jbd2.patch CVE-2009-1895.patch CVE-2009-2406.patch CVE-2009-2407.patch)
## NOTE: gfxboot.patch will 'probably' never go upstream , however without
## it one is unable to install FW with KVM. The patch only affects KVM mode and
## nothing else..
Finclude kernel
-pkgrel=6anacreon1
+pkgrel=6anacreon2
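Review bot: The order `CVE-2009-2406.patch CVE-2009-2407.patch` in `_F_kernel_patches` is load-bearing and nothing in the file records it: CVE-2009-2407.patch carries `index 5414253..259525c`, whose pre-image is exactly the post-image of CVE-2009-2406.patch (`index af737bb..5414253`), and both edit fs/ecryptfs/keystore.c, so reversing them or later dropping 2406 alone would leave 2407 applying with offset or fuzz at best. I would add, next to the existing gfxboot NOTE, `## NOTE: CVE-2009-2406.patch must stay before CVE-2009-2407.patch (2407 was generated on top of 2406).` The three patches also appear to be mainline commits (their From: lines carry mainline hashes and July 2009 dates) rather than 2.6.28-stable backports, so the build log for this pkgrel should be checked for offset/fuzz messages; the personality.h hunk is the only one whose context is not pinned by a sibling patch.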
