r2067 - trunk/udev

Sun, 26 Apr 2009 17:44:54 -0700 

Author: ken
Date: 2009-04-26 18:43:41 -0600 (Sun, 26 Apr 2009)
New Revision: 2067

Added:
   trunk/udev/udev-113-security_fix-1.patch
Log:
udev fix for LFS-6.3

Added: trunk/udev/udev-113-security_fix-1.patch
===================================================================
--- trunk/udev/udev-113-security_fix-1.patch                            (rev 0)
+++ trunk/udev/udev-113-security_fix-1.patch    2009-04-27 00:43:41 UTC (rev 
2067)
@@ -0,0 +1,47 @@
+Submitted By: Ken Moffat <ken at linuxfromscratch dot org>
+Date: 2009-04-26
+Initial Package Version: 085-114 or later
+Upstream Status: From upstream, commit 
e86a923d508c2aed371cdd958ce82489cf2ab615 backported by SUSE
+Origin: Scott James Remnant
+Description: This fixes CVE-2009-1185 (netlink messages can be received from
+local users, allowing privilege escalation).  From the heading, I assume this
+will apply to at least 085 to 114.  Note that CVE-2009-1186 appears not to be
+relevant to these old versions of udev - the code is not present.
+
+Index: udev-085/udevd.c
+================================================================================
+--- udev-114/udevd.c
++++ udev-114/udevd.c
+@@ -722,16 +722,31 @@
+       struct udevd_uevent_msg *msg;
+       int bufpos;
+       ssize_t size;
++      struct sockaddr_nl snl;
++      struct msghdr smsg;
++      struct iovec iov;
+       static char buffer[UEVENT_BUFFER_SIZE+512];
+       char *pos;
+ 
+-      size = recv(uevent_netlink_sock, &buffer, sizeof(buffer), 0);
++      iov.iov_base = buffer;
++      iov.iov_len = sizeof(buffer);
++      smsg.msg_name = &snl;
++      smsg.msg_namelen = sizeof(struct sockaddr_nl);
++      smsg.msg_iov = &iov;
++      smsg.msg_iovlen = 1;
++      size = recvmsg(uevent_netlink_sock, &smsg, 0);
+       if (size <  0) {
+               if (errno != EINTR)
+                       err("unable to receive kernel netlink message: %s", 
strerror(errno));
+               return NULL;
+       }
+ 
++      if ((snl.nl_groups != 1) || (snl.nl_pid != 0)) {
++              info("ignored netlink message from invalid group/sender 
%d/%d\n",
++                   snl.nl_groups, snl.nl_pid);
++              return NULL;
++      }
++
+       if ((size_t)size > sizeof(buffer)-1)
+               size = sizeof(buffer)-1;
+       buffer[size] = '\0';

-- 
http://linuxfromscratch.org/mailman/listinfo/patches
FAQ: http://www.linuxfromscratch.org/faq/
Unsubscribe: See the above information page

Reply via email to