On 05/07/12 07:00, Yves-Alexis Perez wrote:
> Can you show us a debdiff for the package you intend to upload to
> stable-security?

Hi,

Please find debdiff attached.
Thank you!
Regards,
--
Steven Chamberlain
ste...@pyro.eu.org
diff -u kfreebsd-8-8.1+dfsg/debian/changelog
kfreebsd-8-8.1+dfsg/debian/changelog
--- kfreebsd-8-8.1+dfsg/debian/changelog
+++ kfreebsd-8-8.1+dfsg/debian/changelog
@@ -1,3 +1,12 @@
+kfreebsd-8 (8.1+dfsg-8+squeeze3) stable-security; urgency=medium
+
+ [ Steven Chamberlain ]
+ * Apply upstream SA-12:04.sysret patch (CVE-2012-0217) (Closes: #677297)
+- Include correction from upstream (r237241)
+ * Apply upstream EN-12:02.ipv6refcount patch (Closes: #677738)
+
+ -- GNU/kFreeBSD Maintainers debian-...@lists.debian.org Tue, 19 Jun 2012
13:18:39 +0100
+
kfreebsd-8 (8.1+dfsg-8+squeeze2) stable-security; urgency=low
* Add 000_unix_socket_overflow.diff and 918_unix_socket_overflow.diff:
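Review bot: the EN-12:02.ipv6refcount entry gives no reason for riding along in a stable-security upload. Unlike the SA-12:04 line it carries no CVE, and EN is upstream's errata notice series rather than a security advisory. A short clause on its impact would make the case for including it. The urgency=medium on the header line is also worth a second look, given that the sysret patch description calls the bug a privilege escalation.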
diff -u kfreebsd-8-8.1+dfsg/debian/patches/series
kfreebsd-8-8.1+dfsg/debian/patches/series
--- kfreebsd-8-8.1+dfsg/debian/patches/series
+++ kfreebsd-8-8.1+dfsg/debian/patches/series
@@ -1,3 +1,5 @@
+SA-12_04.sysret.patch
+EN-12_02.ipv6refcount.patch
000_adaptive_machine_arch.diff
000_ata.diff
000_coda.diff
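Review bot: placing SA-12_04.sysret.patch and EN-12_02.ipv6refcount.patch at the top of the series, ahead of 000_adaptive_machine_arch.diff, changes the base that every existing patch applies to. Either confirm that the full series still applies without fuzz or offsets in trap.c and in6.c, or append the two entries at the end so the existing patches keep their original context.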
only in patch2:
unchanged:
--- kfreebsd-8-8.1+dfsg.orig/debian/patches/SA-12_04.sysret.patch
+++ kfreebsd-8-8.1+dfsg/debian/patches/SA-12_04.sysret.patch
@@ -0,0 +1,37 @@
+Description:
+ Correct a privilege escalation when returning from kernel if
+ running FreeBSD/amd64 on non-AMD processors. [12:04]
+ .
+ Includes a corrected patch from upstream, as the original commit to
+ RELENG_8_1 accidentally applied it to the wrong location.
+Origin: vendor, http://security.freebsd.org/patches/SA-12:04/sysret.patch
+Bug: http://security.freebsd.org/advisories/FreeBSD-SA-12:04.sysret.asc
+Bug-Debian: http://bugs.debian.org/677297
+Applied-Upstream: http://svnweb.freebsd.org/base?view=revisionrevision=237241
+
+Index: kfreebsd-8-8.1+dfsg/sys/amd64/amd64/trap.c
+===
+--- kfreebsd-8-8.1+dfsg.orig/sys/amd64/amd64/trap.c2012-06-17
13:55:31.0 +0100
kfreebsd-8-8.1+dfsg/sys/amd64/amd64/trap.c 2012-06-19 12:44:37.299956401
+0100
+@@ -1010,4 +1010,21 @@
+ STOPEVENT(p, S_SCX, sa.code);
+
+ PTRACESTOP_SC(p, td, S_PT_SCX);
++
++ /*
++ * If the user-supplied value of %rip is not a canonical
++ * address, then some CPUs will trigger a ring 0 #GP during
++ * the sysret instruction. However, the fault handler would
++ * execute with the user's %gs and %rsp in ring 0 which would
++ * not be safe. Instead, preemptively kill the thread with a
++ * SIGBUS.
++ */
++ if (td-td_frame-tf_rip = VM_MAXUSER_ADDRESS) {
++ ksiginfo_init_trap(ksi);
++ ksi.ksi_signo = SIGBUS;
++ ksi.ksi_code = BUS_OBJERR;
++ ksi.ksi_trapno = T_PROTFLT;
++ ksi.ksi_addr = (void *)td-td_frame-tf_rip;
++ trapsignal(td, ksi);
++ }
+ }
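Review bot: the embedded hunk at `@@ -1010,4 +1010,21 @@` is anchored only by the STOPEVENT and PTRACESTOP_SC lines and a closing brace, and the Description itself says the original RELENG_8_1 commit landed in the wrong location. Please confirm after applying that the %rip check sits at the end of the system call handler in trap.c and not in a neighbouring function with similar context; naming the function in the Description would help. Separately, the `if (td-td_frame-tf_rip = VM_MAXUSER_ADDRESS)` line and the `ksiginfo_init_trap(ksi)` call as they appear in this mail are missing operators (the comment describes a test for a non-canonical address, not an assignment), so review the attached file against the Origin URL rather than this rendering.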
only in patch2:
unchanged:
--- kfreebsd-8-8.1+dfsg.orig/debian/patches/EN-12_02.ipv6refcount.patch
+++ kfreebsd-8-8.1+dfsg/debian/patches/EN-12_02.ipv6refcount.patch
@@ -0,0 +1,134 @@
+Description:
+ Fix reference count errors in IPv6 code. [EN-12:02]
+Origin: vendor, http://security.freebsd.org/patches/EN-12:02/ipv6refcount.patch
+Bug: http://security.freebsd.org/advisories/FreeBSD-EN-12:02.ipv6refcount.asc
+Applied-Upstream: http://svnweb.freebsd.org/base?view=revisionrevision=236953
+
+Index: kfreebsd-8-8.1+dfsg/sys/netinet6/in6.c
+===
+--- kfreebsd-8-8.1+dfsg.orig/sys/netinet6/in6.c2012-06-16
19:00:59.0 +0100
kfreebsd-8-8.1+dfsg/sys/netinet6/in6.c 2012-06-16 19:03:42.829835350
+0100
+@@ -1370,6 +1370,8 @@
+ }
+
+ cleanup:
++ if (ifa0 != NULL)
++ ifa_free(ifa0);
+
+ plen = in6_mask2len(ia-ia_prefixmask.sin6_addr, NULL); /* XXX */
+ if ((ia-ia_flags IFA_ROUTE) plen == 128) {
+@@ -1394,8 +1396,6 @@
+ return;
+ ia-ia_flags = ~IFA_ROUTE;
+ }
+- if (ifa0 != NULL)
+- ifa_free(ifa0);
+
+ in6_unlink_ifa(ia, ifp);
+ }
+@@ -1549,14 +1549,19 @@
+ hostid = IFA_IN6(ifa);
+
+ /* prefixlen must be = 64. */
+- if (64 iflr-prefixlen)
++ if (64 iflr-prefixlen) {
++ if (ifa != NULL)
++ ifa_free(ifa);
+ return EINVAL;
++ }
+ prefixlen = iflr-prefixlen;
+
+ /* hostid part must be zero. */
+ sin6 = (struct sockaddr_in6 *)iflr-addr;
+ if (sin6-sin6_addr.s6_addr32[2] != 0 ||
+
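Review bot: moving `ifa_free(ifa0)` up to directly after the `cleanup:` label releases the reference before the `in6_mask2len()` and IFA_ROUTE block runs, which is only safe if nothing between the label and the old location still dereferences ifa0. The visible lines do not, but the context between the two embedded hunks is not shown here, so it is worth checking in the full in6.c. The patch header also has no Bug-Debian field, although the changelog closes #677738 with this patch and the SA-12_04 header carries one.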