[SRM] Proposed kfreebsd-7 update for Lenny
Hi stable release managers,
The security team asked for an upload of kfreebsd-7 to stable with a fix
for CVE-2009-1041 [1]. I have prepared a package which also includes fixes for a
few other security-related bugs. Please find the diff attached.
Is it ok to upload it?
Thanks,
Aurelien
[1] http://lists.debian.org/debian-bsd/2009/04/msg00098.html
diff -u kfreebsd-7-7.0/debian/changelog kfreebsd-7-7.0/debian/changelog
--- kfreebsd-7-7.0/debian/changelog
+++ kfreebsd-7-7.0/debian/changelog
@@ -1,3 +1,16 @@
+kfreebsd-7 (7.0-7lenny1) stable; urgency=low
+
+ * 000_ktimer.diff: fix local privilege escalation (CVE-2009-1041 /
+ FreeBSD-SA-09:06.ktimer).
+ * 000_kenv.diff: fix kernel panic when dumping environment
+ (FreeBSD-EN-09:01.kenv).
+ * 000_arc4random.patch: fix arc4random(9) predictable sequence
+ vulnerability (FreeBSD-SA-08.11.arc4random / CVE-2008-5162).
+ * 000_protosw.patch: fix netgraph / bluetooth privilege escalation
+ (FreeBSD-SA-08:13.protosw).
+
+ -- Aurelien Jarno <aurel32@debian.org> Sat, 02 May 2009 12:52:15 +0200
+
kfreebsd-7 (7.0-7) unstable; urgency=low
[ Petr Salinger ]
diff -u kfreebsd-7-7.0/debian/patches/series kfreebsd-7-7.0/debian/patches/series
--- kfreebsd-7-7.0/debian/patches/series
+++ kfreebsd-7-7.0/debian/patches/series
@@ -3,6 +3,10 @@
000_icmp6.diff -p1
000_nmount.diff -p1
000_nd6.patch -p1
+000_kenv.diff -p1
+000_ktimer.diff -p1
+000_arc4random.patch -p1
+000_protosw.patch -p1
001_misc.diff -p0
003_glibc_dev_aicasm.diff -p0
004_xargs.diff -p0
only in patch2:
unchanged:
--- kfreebsd-7-7.0.orig/debian/patches/000_arc4random.patch
+++ kfreebsd-7-7.0/debian/patches/000_arc4random.patch
@@ -0,0 +1,81 @@
+Index: head/sys/dev/random/randomdev.c
+===================================================================
+--- head/sys/dev/random/randomdev.c (revision 185214)
++++ head/sys/dev/random/randomdev.c (working copy)
+@@ -90,6 +90,7 @@
+ && (securelevel_gt(td->td_ucred, 0) == 0)) {
+ (*random_systat.reseed)();
+ random_systat.seeded = 1;
++ arc4rand(NULL, 0, 1); /* Reseed arc4random as well. */
+ }
+
+ return (0);
+Index: head/sys/dev/random/randomdev_soft.c
+===================================================================
+--- head/sys/dev/random/randomdev_soft.c (revision 185214)
++++ head/sys/dev/random/randomdev_soft.c (working copy)
+@@ -61,6 +61,7 @@
+ u_int, u_int, enum esource);
+ static int random_yarrow_poll(int event,struct thread *td);
+ static int random_yarrow_block(int flag);
++static void random_yarrow_flush_reseed(void);
+
+ struct random_systat random_yarrow = {
+ .ident = "Software, Yarrow",
+@@ -70,7 +71,7 @@
+ .read = random_yarrow_read,
+ .write = random_yarrow_write,
+ .poll = random_yarrow_poll,
+- .reseed = random_yarrow_reseed,
++ .reseed = random_yarrow_flush_reseed,
+ .seeded = 1,
+ };
+
+@@ -96,7 +97,7 @@
+ /* Harvested entropy */
+ static struct entropyfifo harvestfifo[ENTROPYSOURCE];
+
+-/* <0 to end the kthread, 0 to let it run */
++/* <0 to end the kthread, 0 to let it run, 1 to flush the harvest queues */
+ static int random_kthread_control = 0;
+
+ static struct proc *random_kthread_proc;
+@@ -241,7 +242,7 @@
+ local_count = 0;
+
+ /* Process until told to stop */
+- for (; random_kthread_control == 0;) {
++ for (; random_kthread_control >= 0;) {
+
+ active = 0;
+
+@@ -276,6 +277,13 @@
+ KASSERT(local_count == 0, ("random_kthread: local_count %d",
+ local_count));
+
++ /*
++ * If a queue flush was commanded, it has now happened,
++ * and we can mark this by resetting the command.
++ */
++ if (random_kthread_control == 1)
++ random_kthread_control = 0;
++
+ /* Found nothing, so don't belabour the issue */
+ if (!active)
+ pause("-", hz / 10);
+@@ -400,3 +408,15 @@
+
+ return error;
+ }
++
++/* Helper routine to perform explicit reseeds */
++static void
++random_yarrow_flush_reseed(void)
++{
++ /* Command a entropy queue flush and wait for it to finish */
++ random_kthread_control = 1;
++ while (random_kthread_control)
++ pause("-", hz / 10);
++
++ random_yarrow_reseed();
++}
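Review bot: `random_yarrow_flush_reseed` waits with `while (random_kthread_control)`, which also spins on a negative value; as far as the hunk shows, if the kthread is commanded to stop (`random_kthread_control < 0`, per the comment at its declaration) while a flush is pending, the kthread leaves its `>= 0` loop without ever resetting the flag to 0 and the waiter never returns. A defensive form is `while (random_kthread_control > 0)`, although whether the stop path can actually race with a `.reseed` caller depends on code outside the hunk. Writing 1 unconditionally also overwrites a pending stop command in the same window. The comment has a typo as well: `/* Command an entropy queue flush and wait for it to finish */`.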
only in patch2:
unchanged:
--- kfreebsd-7-7.0.orig/debian/patches/000_kenv.diff
+++ kfreebsd-7-7.0/debian/patches/000_kenv.diff
@@ -0,0 +1,33 @@
+Index: head/sys/kern/kern_environment.c
+===================================================================
+--- head/sys/kern/kern_environment.c (revision 190221)
++++ head/sys/kern/kern_environment.c (working copy)
+@@ -87,7 +87,7 @@
+ } */ *uap;
+ {
+ char *name, *value, *buffer = NULL;
+- size_t len, done, needed;
++ size_t len, done, needed, buflen;
+ int error, i;
+
+ KASSERT(dynamic_kenv, ("kenv: dynamic_kenv = 0"));
+@@ -100,13 +100,17 @@
+ return (error);
+ #endif
+ done = needed = 0;
++ buflen = uap->len;
++ if (buflen > KENV_SIZE * (KENV_MNAMELEN + KENV_MVALLEN + 2))
++ buflen = KENV_SIZE * (KENV_MNAMELEN +
++ KENV_MVALLEN + 2);
+ if (uap->len > 0 && uap->value != NULL)
+- buffer = malloc(uap->len, M_TEMP, M_WAITOK|M_ZERO);
++ buffer = malloc(buflen, M_TEMP, M_WAITOK|M_ZERO);
+ mtx_lock(&kenv_lock);
+ for (i = 0; kenvp[i] != NULL; i++) {
+ len = strlen(kenvp[i]) + 1;
+ needed += len;
+- len = min(len, uap->len - done);
++ len = min(len, buflen - done);
+ /*
+ * If called with a NULL or insufficiently large
+ * buffer, just keep computing the required size.
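Review bot: The clamp on `buflen` carries no comment explaining why the user-supplied `uap->len` must be bounded before `malloc(..., M_WAITOK|M_ZERO)`, which is the substance of this fix, so a later reader may take it for an arbitrary cap. Suggest `/* uap->len is user-controlled; cap the M_WAITOK allocation at the largest possible environment dump. */` above the `if`. The guard on the following line still tests `uap->len > 0` rather than `buflen > 0`; the two agree here because the clamp never turns a positive length into zero, but testing `buflen` keeps the condition and the allocation it protects in step. The enclosing function starts before and ends after this hunk.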
only in patch2:
unchanged:
--- kfreebsd-7-7.0.orig/debian/patches/000_protosw.patch
+++ kfreebsd-7-7.0/debian/patches/000_protosw.patch
@@ -0,0 +1,23 @@
+Index: head/sys/kern/uipc_domain.c
+===================================================================
+--- head/sys/kern/uipc_domain.c (revision 186366)
++++ head/sys/kern/uipc_domain.c (working copy)
+@@ -112,13 +112,18 @@
+
+ #define DEFAULT(foo, bar) if ((foo) == NULL) (foo) = (bar)
+ DEFAULT(pu->pru_accept, pru_accept_notsupp);
++ DEFAULT(pu->pru_bind, pru_bind_notsupp);
+ DEFAULT(pu->pru_connect, pru_connect_notsupp);
+ DEFAULT(pu->pru_connect2, pru_connect2_notsupp);
+ DEFAULT(pu->pru_control, pru_control_notsupp);
++ DEFAULT(pu->pru_disconnect, pru_disconnect_notsupp);
+ DEFAULT(pu->pru_listen, pru_listen_notsupp);
++ DEFAULT(pu->pru_peeraddr, pru_peeraddr_notsupp);
+ DEFAULT(pu->pru_rcvd, pru_rcvd_notsupp);
+ DEFAULT(pu->pru_rcvoob, pru_rcvoob_notsupp);
+ DEFAULT(pu->pru_sense, pru_sense_null);
++ DEFAULT(pu->pru_shutdown, pru_shutdown_notsupp);
++ DEFAULT(pu->pru_sockaddr, pru_sockaddr_notsupp);
+ DEFAULT(pu->pru_sosend, sosend_generic);
+ DEFAULT(pu->pru_soreceive, soreceive_generic);
+ DEFAULT(pu->pru_sopoll, sopoll_generic);
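Review bot: Nothing in the hunk records why every `pr_usrreqs` member needs a non-NULL fallback, so the next protocol added can repeat the omission; a comment above the `DEFAULT` macro would help, e.g. `/* Every pru_* hook must be non-NULL: the socket layer calls them without a NULL check, and third-party domains may leave some unset. */`. The changelog ties this to the netgraph/bluetooth privilege escalation (FreeBSD-SA-08:13.protosw). Whether the remaining members of the structure are covered elsewhere is not visible here; the enclosing function starts and ends outside the hunk.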
only in patch2:
unchanged:
--- kfreebsd-7-7.0.orig/debian/patches/000_ktimer.diff
+++ kfreebsd-7-7.0/debian/patches/000_ktimer.diff
@@ -0,0 +1,14 @@
+Index: head/sys/kern/kern_time.c
+===================================================================
+--- head/sys/kern/kern_time.c (revision 190192)
++++ head/sys/kern/kern_time.c (working copy)
+@@ -1085,7 +1085,8 @@
+ struct itimer *it;
+
+ PROC_LOCK_ASSERT(p, MA_OWNED);
+- if ((p->p_itimers == NULL) || (timerid >= TIMER_MAX) ||
++ if ((p->p_itimers == NULL) ||
++ (timerid < 0) || (timerid >= TIMER_MAX) ||
+ (it = p->p_itimers->its_timers[timerid]) == NULL) {
+ return (NULL);
+ }
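Review bot: The new `(timerid < 0)` test is only meaningful while `timerid` is a signed type, and the parameter's declaration is outside the hunk; if it is ever changed to an unsigned type the check becomes dead (some compilers warn on it) while the existing `>= TIMER_MAX` bound suffices. A comment would pin the intent: `/* timerid comes from userland and is signed: reject negatives before indexing its_timers[] */`. The enclosing function starts before the hunk.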
--
Aurelien Jarno GPG: 1024D/F1BCDB73
aurelien@aurel32.net http://www.aurel32.net