Bug#677297: [rt.debian.org #3892] Re: Bug#677297: kfreebsd-8: cve-2012-0217

2012-07-21 Thread Yves-Alexis Perez
On sam., 2012-07-14 at 11:59 +, r...@debian.org via RT wrote:
> URL: https://rt.debian.org/Ticket/Display.html?id=3892
>
> 2012/7/12 Steven Chamberlain via RT r...@rt.debian.org:
> > Robert, would you be able to upload this for me please?
>
> I'm on it.

Any news?
-- 
Yves-Alexis


signature.asc
Description: This is a digitally signed message part


Bug#677297: [rt.debian.org #3892] Re: Bug#677297: kfreebsd-8: cve-2012-0217

2012-07-21 Thread Robert Millan
2012/7/21 Yves-Alexis Perez cor...@debian.org:
> On sam., 2012-07-14 at 11:59 +, r...@debian.org via RT wrote:
> > URL: https://rt.debian.org/Ticket/Display.html?id=3892
> >
> > 2012/7/12 Steven Chamberlain via RT r...@rt.debian.org:
> > > Robert, would you be able to upload this for me please?
> >
> > I'm on it.
>
> Any news?

There was a separate thread discussing this. I just put you on CC.

-- 
Robert Millan


-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#677297: [rt.debian.org #3892] Re: Bug#677297: kfreebsd-8: cve-2012-0217

2012-07-12 Thread Yves-Alexis Perez
On sam., 2012-07-07 at 13:02 +0200, Yves-Alexis Perez wrote:
> On jeu., 2012-07-05 at 13:13 +0100, Steven Chamberlain wrote:
> > On 05/07/12 07:00, Yves-Alexis Perez wrote:
> > > Can you show us a debdiff for the package you intend to upload to
> > > stable-security?
> >
> > Hi,  Please find debdiff attached.
>
> Sorry for the delay. Please go ahead and upload, I'll try to find the
> time to write a DSA mail.

Ping? Any news on the upload?

Regards,
-- 
Yves-Alexis




Bug#677297: [rt.debian.org #3892] Re: Bug#677297: kfreebsd-8: cve-2012-0217

2012-07-12 Thread Steven Chamberlain
On 12/07/12 13:55, Yves-Alexis Perez wrote:
> On sam., 2012-07-07 at 13:02 +0200, Yves-Alexis Perez wrote:
> > On jeu., 2012-07-05 at 13:13 +0100, Steven Chamberlain wrote:
> > > On 05/07/12 07:00, Yves-Alexis Perez wrote:
> > > > Can you show us a debdiff for the package you intend to upload to
> > > > stable-security?
> > >
> > > Hi,  Please find debdiff attached.
> >
> > Sorry for the delay. Please go ahead and upload, I'll try to find the
> > time to write a DSA mail.

Thanks Yves-Alexis,

> Ping? Any news on the upload?

Robert, would you be able to upload this for me please?

The approved debdiff corresponds with r4341 from
svn.debian.org/glibc-bsd/branches/squeeze/kfreebsd-8

Thanks,
Regards,
-- 
Steven Chamberlain
ste...@pyro.eu.org






Bug#677297: [rt.debian.org #3892] Re: Bug#677297: kfreebsd-8: cve-2012-0217

2012-07-07 Thread Yves-Alexis Perez
On jeu., 2012-07-05 at 13:13 +0100, Steven Chamberlain wrote:
> On 05/07/12 07:00, Yves-Alexis Perez wrote:
> > Can you show us a debdiff for the package you intend to upload to
> > stable-security?
>
> Hi,  Please find debdiff attached.

Sorry for the delay. Please go ahead and upload, I'll try to find the
time to write a DSA mail.

Regards,
-- 
Yves-Alexis




Bug#677297: [rt.debian.org #3892] Re: Bug#677297: kfreebsd-8: cve-2012-0217

2012-07-05 Thread Yves-Alexis Perez
On mer., 2012-07-04 at 21:33 +0100, Steven Chamberlain wrote:
> Hi Security Team,
>
> Someone replied on RT ticket #3892 (on which I am Cc'd, but can't view
> it and don't know the author) the following:
>
> > Careful, patch in SVN repository can't be used as-is. See:
> > http://lists.debian.org/debian-bsd/2012/06/msg00214.html
>
> But that is not true.  By then I had already committed to SVN (r4320) a
> corrected fix supplied by upstream, and followed up on that message with:
>
> http://lists.debian.org/debian-bsd/2012/06/msg00246.html
>
> Please let me or debian-bsd@ know if anything more is needed for a
> stable-security upload.

Can you show us a debdiff for the package you intend to upload to
stable-security?

Regards,
-- 
Yves-Alexis




Bug#677297: [rt.debian.org #3892] Re: Bug#677297: kfreebsd-8: cve-2012-0217

2012-07-05 Thread Steven Chamberlain
On 05/07/12 07:00, Yves-Alexis Perez wrote:
> Can you show us a debdiff for the package you intend to upload to
> stable-security?

Hi,  Please find debdiff attached.

Thank you!
Regards,
-- 
Steven Chamberlain
ste...@pyro.eu.org
diff -u kfreebsd-8-8.1+dfsg/debian/changelog 
kfreebsd-8-8.1+dfsg/debian/changelog
--- kfreebsd-8-8.1+dfsg/debian/changelog
+++ kfreebsd-8-8.1+dfsg/debian/changelog
@@ -1,3 +1,12 @@
+kfreebsd-8 (8.1+dfsg-8+squeeze3) stable-security; urgency=medium
+
+  [ Steven Chamberlain ]
+  * Apply upstream SA-12:04.sysret patch (CVE-2012-0217) (Closes: #677297)
+- Include correction from upstream (r237241)
+  * Apply upstream EN-12:02.ipv6refcount patch (Closes: #677738)
+
+ -- GNU/kFreeBSD Maintainers debian-...@lists.debian.org  Tue, 19 Jun 2012 
13:18:39 +0100
+
 kfreebsd-8 (8.1+dfsg-8+squeeze2) stable-security; urgency=low
 
   * Add 000_unix_socket_overflow.diff and 918_unix_socket_overflow.diff:
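
Review bot: The new changelog entry lists the EN-12:02.ipv6refcount patch next to the CVE-2012-0217 fix, but EN-12:02 is an errata notice rather than a security advisory, and the upload targets stable-security. Say in the entry why the refcount fix belongs in this security upload, or split it out, so the changelog and the DSA mail agree on what is security-relevant. The sub-item "Include correction from upstream (r237241)" would also be clearer if it said what was corrected, as the patch header does ("applied it to the wrong location").
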
diff -u kfreebsd-8-8.1+dfsg/debian/patches/series 
kfreebsd-8-8.1+dfsg/debian/patches/series
--- kfreebsd-8-8.1+dfsg/debian/patches/series
+++ kfreebsd-8-8.1+dfsg/debian/patches/series
@@ -1,3 +1,5 @@
+SA-12_04.sysret.patch
+EN-12_02.ipv6refcount.patch
 000_adaptive_machine_arch.diff 
 000_ata.diff
 000_coda.diff
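
Review bot: SA-12_04.sysret.patch and EN-12_02.ipv6refcount.patch are added at the very top of the series, ahead of 000_adaptive_machine_arch.diff, and do not use the numeric prefix the other entries have. Series order is apply order, so confirm that no later entry touches sys/amd64/amd64/trap.c or sys/netinet6/in6.c in a way that depends on the old line positions, or move the two entries to the end and give them numbered names in the style of 918_unix_socket_overflow.diff from the previous upload.
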
only in patch2:
unchanged:
--- kfreebsd-8-8.1+dfsg.orig/debian/patches/SA-12_04.sysret.patch
+++ kfreebsd-8-8.1+dfsg/debian/patches/SA-12_04.sysret.patch
@@ -0,0 +1,37 @@
+Description:
+ Correct a privilege escalation when returning from kernel if
+ running FreeBSD/amd64 on non-AMD processors. [12:04]
+ .
+ Includes a corrected patch from upstream, as the original commit to
+ RELENG_8_1 accidentally applied it to the wrong location.
+Origin: vendor, http://security.freebsd.org/patches/SA-12:04/sysret.patch
+Bug: http://security.freebsd.org/advisories/FreeBSD-SA-12:04.sysret.asc
+Bug-Debian: http://bugs.debian.org/677297
+Applied-Upstream: http://svnweb.freebsd.org/base?view=revisionrevision=237241
+
+Index: kfreebsd-8-8.1+dfsg/sys/amd64/amd64/trap.c
+===
+--- kfreebsd-8-8.1+dfsg.orig/sys/amd64/amd64/trap.c2012-06-17 
13:55:31.0 +0100
 kfreebsd-8-8.1+dfsg/sys/amd64/amd64/trap.c 2012-06-19 12:44:37.299956401 
+0100
+@@ -1010,4 +1010,21 @@
+   STOPEVENT(p, S_SCX, sa.code);
+ 
+   PTRACESTOP_SC(p, td, S_PT_SCX);
++
++  /*
++   * If the user-supplied value of %rip is not a canonical
++   * address, then some CPUs will trigger a ring 0 #GP during
++   * the sysret instruction.  However, the fault handler would
++   * execute with the user's %gs and %rsp in ring 0 which would
++   * not be safe.  Instead, preemptively kill the thread with a
++   * SIGBUS.
++   */
++  if (td-td_frame-tf_rip = VM_MAXUSER_ADDRESS) {
++  ksiginfo_init_trap(ksi);
++  ksi.ksi_signo = SIGBUS;
++  ksi.ksi_code = BUS_OBJERR;
++  ksi.ksi_trapno = T_PROTFLT;
++  ksi.ksi_addr = (void *)td-td_frame-tf_rip;
++  trapsignal(td, ksi);
++  }
+ }
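
Review bot: The trap.c hunk at line 1010 is anchored only by STOPEVENT, PTRACESTOP_SC and a closing brace, and the patch header itself says the original RELENG_8_1 commit put this block in the wrong location. Name the target function in the header and regenerate the hunk with more context, so it cannot apply with fuzz somewhere else in the file. The comment says the thread is killed, while the code raises SIGBUS through trapsignal(); a sentence on how the return to user mode avoids sysret once the signal is raised would make the fix reviewable from the patch alone.
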
only in patch2:
unchanged:
--- kfreebsd-8-8.1+dfsg.orig/debian/patches/EN-12_02.ipv6refcount.patch
+++ kfreebsd-8-8.1+dfsg/debian/patches/EN-12_02.ipv6refcount.patch
@@ -0,0 +1,134 @@
+Description:
+ Fix reference count errors in IPv6 code. [EN-12:02]
+Origin: vendor, http://security.freebsd.org/patches/EN-12:02/ipv6refcount.patch
+Bug: http://security.freebsd.org/advisories/FreeBSD-EN-12:02.ipv6refcount.asc
+Applied-Upstream: http://svnweb.freebsd.org/base?view=revisionrevision=236953
+
+Index: kfreebsd-8-8.1+dfsg/sys/netinet6/in6.c
+===
+--- kfreebsd-8-8.1+dfsg.orig/sys/netinet6/in6.c2012-06-16 
19:00:59.0 +0100
 kfreebsd-8-8.1+dfsg/sys/netinet6/in6.c 2012-06-16 19:03:42.829835350 
+0100
+@@ -1370,6 +1370,8 @@
+   }
+ 
+ cleanup:
++  if (ifa0 != NULL)
++  ifa_free(ifa0);
+ 
+   plen = in6_mask2len(ia-ia_prefixmask.sin6_addr, NULL); /* XXX */
+   if ((ia-ia_flags  IFA_ROUTE)  plen == 128) {
+@@ -1394,8 +1396,6 @@
+   return;
+   ia-ia_flags = ~IFA_ROUTE;
+   }
+-  if (ifa0 != NULL)
+-  ifa_free(ifa0);
+ 
+   in6_unlink_ifa(ia, ifp);
+ }
+@@ -1549,14 +1549,19 @@
+   hostid = IFA_IN6(ifa);
+ 
+   /* prefixlen must be = 64. */
+-  if (64  iflr-prefixlen)
++  if (64  iflr-prefixlen) {
++  if (ifa != NULL)
++  ifa_free(ifa);
+   return EINVAL;
++  }
+   prefixlen = iflr-prefixlen;
+ 
+   /* hostid part must be zero. */
+   sin6 = (struct sockaddr_in6 *)iflr-addr;
+   if (sin6-sin6_addr.s6_addr32[2] != 0 ||
+
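
Review bot: In the in6.c hunk at 1549, the added "if (ifa != NULL)" guard before ifa_free(ifa) comes after "hostid = IFA_IN6(ifa);", which already uses ifa unconditionally, so either the guard is redundant or the earlier use is unguarded; make the two consistent. Because hostid is derived from ifa, check that the remaining exits of this function release ifa only after the last use of hostid. In the hunk at 1370, moving ifa_free(ifa0) up to the cleanup label covers the early "return;" visible further down; confirm that nothing after the label still reads ifa0.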