Re: Bug#778366: unblock: kfreebsd-10/10.1~svn274115-2
Hi,
Michael Gilbert wrote:
> Please consider unblocking kfreebsd-10. It fixes 2 security issues:
> https://security-tracker.debian.org/kfreebsd-10
A debdiff is attached.
The other change is to limit the arch-dep packages to kfreebsd-any
(which was forgotten in the previous upload).
Thanks,
Regards,
--
Steven Chamberlain
steven@pyro.eu.org
diff -Nru kfreebsd-10-10.1~svn274115/debian/changelog kfreebsd-10-10.1~svn274115/debian/changelog
--- kfreebsd-10-10.1~svn274115/debian/changelog 2014-12-28 11:41:23.000000000 +0000
+++ kfreebsd-10-10.1~svn274115/debian/changelog 2015-01-28 01:18:06.000000000 +0000
@@ -1,3 +1,16 @@
+kfreebsd-10 (10.1~svn274115-2) unstable; urgency=high
+
+ * Pick SVN r277808 from FreeBSD 10.1-RELEASE to fix:
+ - SA-15:02: SCTP SCTP_SS_VALUE kernel memory corruption and
+ disclosure vulnerability (CVE-2014-8612) (Closes: #776415)
+ - SA-15:03: SCTP stream reset vulnerability (CVE-2014-8613)
+ (Closes: #776416)
+ * Build kernel images only on kfreebsd-any arches, so that any
+ security or other RC-severity kernel bugs will not affect the
+ official jessie release
+
+ -- Steven Chamberlain <steven@pyro.eu.org> Tue, 27 Jan 2015 20:02:52 +0000
+
kfreebsd-10 (10.1~svn274115-1) unstable; urgency=medium
[ Steven Chamberlain ]
@@ -6,9 +19,6 @@
(CVE-2014-8476) (Closes: #768108)
* Replace non-DFSG-free ar9300_devid.h with a 3-clause BSD substitute
derived from Linux ath9k driver (Closes: #767583)
- * Build kernel images only on kfreebsd-any arches, so that any
- security or other RC-severity kernel bugs will not affect the
- official jessie release
[ Christoph Egger ]
* Upload to unstable
diff -Nru kfreebsd-10-10.1~svn274115/debian/control kfreebsd-10-10.1~svn274115/debian/control
--- kfreebsd-10-10.1~svn274115/debian/control 2014-10-20 22:19:28.000000000 +0100
+++ kfreebsd-10-10.1~svn274115/debian/control 2015-01-27 20:40:49.000000000 +0000
@@ -51,7 +51,7 @@
Package: kfreebsd-image-10.1-0-amd64
-Architecture: any-amd64
+Architecture: kfreebsd-amd64
Depends: ${misc:Depends},
freebsd-utils (>= 8.1-5) [kfreebsd-any], kldutils (>= 7.1) [kfreebsd-any],
devd [kfreebsd-any] | freebsd-utils (<< 8.2+ds2-9) [kfreebsd-any],
@@ -79,7 +79,7 @@
This package is compiled for a amd64-class machine.
Package: kfreebsd-image-10-amd64
-Architecture: any-amd64
+Architecture: kfreebsd-amd64
Depends: kfreebsd-image-10.1-0-amd64, ${misc:Depends}
Description: kernel of FreeBSD 10 image (meta-package)
This package depends on the latest binary image for kernel of FreeBSD 10 on
@@ -496,7 +496,7 @@
This package contains zlib modules.
Package: kfreebsd-image-10.1-0-486
-Architecture: any-i386
+Architecture: kfreebsd-i386
Depends: ${misc:Depends},
freebsd-utils (>= 8.1-5) [kfreebsd-any], kldutils (>= 7.1) [kfreebsd-any],
devd [kfreebsd-any] | freebsd-utils (<< 8.2+ds2-9) [kfreebsd-any],
@@ -524,7 +524,7 @@
This package is compiled for a 486-class machine.
Package: kfreebsd-image-10-486
-Architecture: any-i386
+Architecture: kfreebsd-i386
Depends: kfreebsd-image-10.1-0-486, ${misc:Depends}
Description: kernel of FreeBSD 10 image (meta-package)
This package depends on the latest binary image for kernel of FreeBSD 10 on
@@ -549,7 +549,7 @@
486-class machines.
Package: kfreebsd-image-10.1-0-686
-Architecture: any-i386
+Architecture: kfreebsd-i386
Depends: ${misc:Depends},
freebsd-utils (>= 8.1-5) [kfreebsd-any], kldutils (>= 7.1) [kfreebsd-any],
devd [kfreebsd-any] | freebsd-utils (<< 8.2+ds2-9) [kfreebsd-any],
@@ -577,7 +577,7 @@
This package is compiled for a 686-class machine.
Package: kfreebsd-image-10-686
-Architecture: any-i386
+Architecture: kfreebsd-i386
Depends: kfreebsd-image-10.1-0-686, ${misc:Depends}
Description: kernel of FreeBSD 10 image (meta-package)
This package depends on the latest binary image for kernel of FreeBSD 10 on
@@ -602,7 +602,7 @@
686-class machines.
Package: kfreebsd-image-10.1-0-xen
-Architecture: any-i386
+Architecture: kfreebsd-i386
Depends: ${misc:Depends},
freebsd-utils (>= 8.1-5) [kfreebsd-any], kldutils (>= 7.1) [kfreebsd-any],
devd [kfreebsd-any] | freebsd-utils (<< 8.2+ds2-9) [kfreebsd-any],
@@ -630,7 +630,7 @@
This package is compiled for a xen-class machine.
Package: kfreebsd-image-10-xen
-Architecture: any-i386
+Architecture: kfreebsd-i386
Depends: kfreebsd-image-10.1-0-xen, ${misc:Depends}
Description: kernel of FreeBSD 10 image (meta-package)
This package depends on the latest binary image for kernel of FreeBSD 10 on
diff -Nru kfreebsd-10-10.1~svn274115/debian/patches/SA-15_02.kmem.patch kfreebsd-10-10.1~svn274115/debian/patches/SA-15_02.kmem.patch
--- kfreebsd-10-10.1~svn274115/debian/patches/SA-15_02.kmem.patch 1970-01-01 01:00:00.000000000 +0100
+++ kfreebsd-10-10.1~svn274115/debian/patches/SA-15_02.kmem.patch 2015-01-27 20:37:34.000000000 +0000
@@ -0,0 +1,51 @@
+Description:
+ Fix SCTP SCTP_SS_VALUE kernel memory corruption and
+ disclosure vulnerability [SA-15:02] (CVE-2014-8612)
+Origin: vendor, https://security.FreeBSD.org/patches/SA-15:02/sctp.patch
+Bug: https://security.FreeBSD.org/advisories/FreeBSD-SA-15:02.kmem.asc
+Bug-Debian: https://bugs.debian.org/776415
+Applied-Upstream: https://svnweb.freebsd.org/base?view=revision&revision=277808
+
+--- a/sys/netinet/sctp_usrreq.c
++++ b/sys/netinet/sctp_usrreq.c
+@@ -1854,8 +1854,9 @@
+ SCTP_CHECK_AND_CAST(av, optval, struct sctp_stream_value, *optsize);
+ SCTP_FIND_STCB(inp, stcb, av->assoc_id);
+ if (stcb) {
+- if (stcb->asoc.ss_functions.sctp_ss_get_value(stcb, &stcb->asoc, &stcb->asoc.strmout[av->stream_id],
+- &av->stream_value) < 0) {
++ if ((av->stream_id >= stcb->asoc.streamoutcnt) ||
++ (stcb->asoc.ss_functions.sctp_ss_get_value(stcb, &stcb->asoc, &stcb->asoc.strmout[av->stream_id],
++ &av->stream_value) < 0)) {
+ SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_USRREQ, EINVAL);
+ error = EINVAL;
+ } else {
+@@ -3915,8 +3916,9 @@
+ SCTP_CHECK_AND_CAST(av, optval, struct sctp_stream_value, optsize);
+ SCTP_FIND_STCB(inp, stcb, av->assoc_id);
+ if (stcb) {
+- if (stcb->asoc.ss_functions.sctp_ss_set_value(stcb, &stcb->asoc, &stcb->asoc.strmout[av->stream_id],
+- av->stream_value) < 0) {
++ if ((av->stream_id >= stcb->asoc.streamoutcnt) ||
++ (stcb->asoc.ss_functions.sctp_ss_set_value(stcb, &stcb->asoc, &stcb->asoc.strmout[av->stream_id],
++ av->stream_value) < 0)) {
+ SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_USRREQ, EINVAL);
+ error = EINVAL;
+ }
+@@ -3926,10 +3928,12 @@
+ SCTP_INP_RLOCK(inp);
+ LIST_FOREACH(stcb, &inp->sctp_asoc_list, sctp_tcblist) {
+ SCTP_TCB_LOCK(stcb);
+- stcb->asoc.ss_functions.sctp_ss_set_value(stcb,
+- &stcb->asoc,
+- &stcb->asoc.strmout[av->stream_id],
+- av->stream_value);
++ if (av->stream_id < stcb->asoc.streamoutcnt) {
++ stcb->asoc.ss_functions.sctp_ss_set_value(stcb,
++ &stcb->asoc,
++ &stcb->asoc.strmout[av->stream_id],
++ av->stream_value);
++ }
+ SCTP_TCB_UNLOCK(stcb);
+ }
+ SCTP_INP_RUNLOCK(inp);
diff -Nru kfreebsd-10-10.1~svn274115/debian/patches/SA-15_03.sctp.patch kfreebsd-10-10.1~svn274115/debian/patches/SA-15_03.sctp.patch
--- kfreebsd-10-10.1~svn274115/debian/patches/SA-15_03.sctp.patch 1970-01-01 01:00:00.000000000 +0100
+++ kfreebsd-10-10.1~svn274115/debian/patches/SA-15_03.sctp.patch 2015-01-27 20:39:37.000000000 +0000
@@ -0,0 +1,123 @@
+Description:
+ Fix SCTP stream reset vulnerability [SA-15:03] (CVE-2014-8613)
+Origin: vendor, https://security.FreeBSD.org/patches/SA-15:03/sctp.patch
+Bug: https://www.freebsd.org/security/advisories/FreeBSD-SA-15:03.sctp.asc
+Bug-Debian: https://bugs.debian.org/776416
+Applied-Upstream: https://svnweb.freebsd.org/base?view=revision&revision=277808
+
+--- a/sys/netinet/sctp_input.c 2015/01/27 19:36:08 277807
++++ b/sys/netinet/sctp_input.c 2015/01/27 19:37:02 277808
+@@ -3664,6 +3664,9 @@
+ /* huh ? */
+ return (0);
+ }
++ if (ntohs(respin->ph.param_length) < sizeof(struct sctp_stream_reset_response_tsn)) {
++ return (0);
++ }
+ if (action == SCTP_STREAM_RESET_RESULT_PERFORMED) {
+ resp = (struct sctp_stream_reset_response_tsn *)respin;
+ asoc->stream_reset_outstanding--;
+@@ -4052,7 +4055,7 @@
+ sctp_handle_stream_reset(struct sctp_tcb *stcb, struct mbuf *m, int offset,
+ struct sctp_chunkhdr *ch_req)
+ {
+- int chk_length, param_len, ptype;
++ uint16_t remaining_length, param_len, ptype;
+ struct sctp_paramhdr pstore;
+ uint8_t cstore[SCTP_CHUNK_BUFFER_SIZE];
+ uint32_t seq = 0;
+@@ -4065,7 +4068,7 @@
+ int num_param = 0;
+
+ /* now it may be a reset or a reset-response */
+- chk_length = ntohs(ch_req->chunk_length);
++ remaining_length = ntohs(ch_req->chunk_length) - sizeof(struct sctp_chunkhdr);
+
+ /* setup for adding the response */
+ sctp_alloc_a_chunk(stcb, chk);
+@@ -4103,20 +4106,27 @@
+ ch->chunk_length = htons(chk->send_size);
+ SCTP_BUF_LEN(chk->data) = SCTP_SIZE32(chk->send_size);
+ offset += sizeof(struct sctp_chunkhdr);
+- while ((size_t)chk_length >= sizeof(struct sctp_stream_reset_tsn_request)) {
++ while (remaining_length >= sizeof(struct sctp_paramhdr)) {
+ ph = (struct sctp_paramhdr *)sctp_m_getptr(m, offset, sizeof(pstore), (uint8_t *) & pstore);
+- if (ph == NULL)
++ if (ph == NULL) {
++ /* TSNH */
+ break;
++ }
+ param_len = ntohs(ph->param_length);
+- if (param_len < (int)sizeof(struct sctp_stream_reset_tsn_request)) {
+- /* bad param */
++ if ((param_len > remaining_length) ||
++ (param_len < (sizeof(struct sctp_paramhdr) + sizeof(uint32_t)))) {
++ /* bad parameter length */
+ break;
+ }
+- ph = (struct sctp_paramhdr *)sctp_m_getptr(m, offset, min(param_len, (int)sizeof(cstore)),
++ ph = (struct sctp_paramhdr *)sctp_m_getptr(m, offset, min(param_len, sizeof(cstore)),
+ (uint8_t *) & cstore);
++ if (ph == NULL) {
++ /* TSNH */
++ break;
++ }
+ ptype = ntohs(ph->param_type);
+ num_param++;
+- if (param_len > (int)sizeof(cstore)) {
++ if (param_len > sizeof(cstore)) {
+ trunc = 1;
+ } else {
+ trunc = 0;
+@@ -4128,6 +4138,9 @@
+ if (ptype == SCTP_STR_RESET_OUT_REQUEST) {
+ struct sctp_stream_reset_out_request *req_out;
+
++ if (param_len < sizeof(struct sctp_stream_reset_out_request)) {
++ break;
++ }
+ req_out = (struct sctp_stream_reset_out_request *)ph;
+ num_req++;
+ if (stcb->asoc.stream_reset_outstanding) {
+@@ -4141,12 +4154,18 @@
+ } else if (ptype == SCTP_STR_RESET_ADD_OUT_STREAMS) {
+ struct sctp_stream_reset_add_strm *str_add;
+
++ if (param_len < sizeof(struct sctp_stream_reset_add_strm)) {
++ break;
++ }
+ str_add = (struct sctp_stream_reset_add_strm *)ph;
+ num_req++;
+ sctp_handle_str_reset_add_strm(stcb, chk, str_add);
+ } else if (ptype == SCTP_STR_RESET_ADD_IN_STREAMS) {
+ struct sctp_stream_reset_add_strm *str_add;
+
++ if (param_len < sizeof(struct sctp_stream_reset_add_strm)) {
++ break;
++ }
+ str_add = (struct sctp_stream_reset_add_strm *)ph;
+ num_req++;
+ sctp_handle_str_reset_add_out_strm(stcb, chk, str_add);
+@@ -4171,6 +4190,9 @@
+ struct sctp_stream_reset_response *resp;
+ uint32_t result;
+
++ if (param_len < sizeof(struct sctp_stream_reset_response)) {
++ break;
++ }
+ resp = (struct sctp_stream_reset_response *)ph;
+ seq = ntohl(resp->response_seq);
+ result = ntohl(resp->result);
+@@ -4182,7 +4204,11 @@
+ break;
+ }
+ offset += SCTP_SIZE32(param_len);
+- chk_length -= SCTP_SIZE32(param_len);
++ if (remaining_length >= SCTP_SIZE32(param_len)) {
++ remaining_length -= SCTP_SIZE32(param_len);
++ } else {
++ remaining_length = 0;
++ }
+ }
+ if (num_req == 0) {
+ /* we have no response free the stuff */
diff -Nru kfreebsd-10-10.1~svn274115/debian/patches/series kfreebsd-10-10.1~svn274115/debian/patches/series
--- kfreebsd-10-10.1~svn274115/debian/patches/series 2014-12-28 01:31:07.000000000 +0000
+++ kfreebsd-10-10.1~svn274115/debian/patches/series 2015-01-27 20:37:58.000000000 +0000
@@ -36,3 +36,7 @@
999_config.diff
aicasm-parallel-build-dependencies.diff
ath9k-linux.diff
+
+# Security patches
+SA-15_02.kmem.patch
+SA-15_03.sctp.patch
Reply to: