Re: [rt.debian.org #4573] Re: Bug#717958: kfreebsd-9: CVE-2013-4851: nfsserver
- To: Robert Millan <rmh@debian.org>
- Cc: "debian-bsd@lists.debian.org" <debian-bsd@lists.debian.org>
- Subject: Re: [rt.debian.org #4573] Re: Bug#717958: kfreebsd-9: CVE-2013-4851: nfsserver
- From: Steven Chamberlain <steven@pyro.eu.org>
- Date: Fri, 23 Aug 2013 14:32:47 +0100
- Message-id: <5217647F.60104@pyro.eu.org>
- In-reply-to: <rt-4.0.7-1228-1377264369-1750.4573-6-0@debian.org>
- References: <RT-Ticket-4573@debian.org> <51F3A468.2030604@pyro.eu.org> <51F56DEC.6010006@pyro.eu.org> <rt-4.0.7-8582-1375038967-969.4573-4-0@debian.org> <rt-4.0.7-9829-1377176603-1604.4573-5-0@debian.org> <CAA7hUgF+BzwjReRrcbkr03obRrAn_WAfC6H_3q_Jyr9-xeHPMg@mail.gmail.com> <rt-4.0.7-9828-1377183008-516.4573-6-0@debian.org> <521627EA.4000506@pyro.eu.org> <rt-4.0.7-9829-1377183729-475.4573-5-0@debian.org> <20130823132603.GN22508@hall.aurel32.net> <rt-4.0.7-1228-1377264369-1750.4573-6-0@debian.org>
Hi Robert,
On 23/08/13 14:26, Aurelien Jarno via RT wrote:
> The debdiff looks fine to me. Could you please upload the resulting
> package for either ki or ka to security-master? I'll handle the
> remaining part of the DSA when possible.
Would you be able to upload to security-master with the attached debdiff
please? (Aurélien approved this on behalf of the security team).
This is also staged in SVN branches/wheezy/kfreebsd-9/ @r4901.
The other, unimportant issues can wait until the next s-p-u probably.
Thanks,
Regards,
--
Steven Chamberlain
steven@pyro.eu.org
diff -Nru kfreebsd-9-9.0/debian/changelog kfreebsd-9-9.0/debian/changelog
--- kfreebsd-9-9.0/debian/changelog 2013-06-23 14:47:37.000000000 +0100
+++ kfreebsd-9-9.0/debian/changelog 2013-08-22 14:18:36.000000000 +0100
@@ -1,3 +1,15 @@
+kfreebsd-9 (9.0-10+deb70.3) wheezy-security; urgency=high
+
+ * Team upload.
+ * Pick SVN 253693 from FreeBSD 9-STABLE to fix SA-13:08 / CVE-2013-4851:
+ Incorrect privilege validation in the NFS server (Closes: #717958)
+ * Pick SVN 254629 from FreeBSD 9-STABLE to fix SA-13:09 / CVE-2013-3077:
+ integer overflow in IP_MSFILTER (Closes: #720468)
+ * Pick SVN 254352 from FreeBSD 9-STABLE to fix SA-13:10 / CVE-2013-5209:
+ Kernel memory disclosure in sctp(4) (Closes: #720475)
+
+ -- Steven Chamberlain <steven@pyro.eu.org> Thu, 22 Aug 2013 14:13:16 +0100
+
kfreebsd-9 (9.0-10+deb70.2) wheezy-security; urgency=high
* Team upload.
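Review bot: minor style point in the three new bullet items: the second description starts lowercase ("integer overflow in IP_MSFILTER") while the first and third are capitalized ("Incorrect privilege validation", "Kernel memory disclosure"); align them. Otherwise each entry pairs the upstream SVN revision with the SA number, the CVE and the Closes: bug, and the version 9.0-10+deb70.3 correctly follows the existing 9.0-10+deb70.2 wheezy-security entry.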
diff -Nru kfreebsd-9-9.0/debian/patches/SA-13_08.nfsserver.patch kfreebsd-9-9.0/debian/patches/SA-13_08.nfsserver.patch
--- kfreebsd-9-9.0/debian/patches/SA-13_08.nfsserver.patch 1970-01-01 01:00:00.000000000 +0100
+++ kfreebsd-9-9.0/debian/patches/SA-13_08.nfsserver.patch 2013-08-22 13:30:04.000000000 +0100
@@ -0,0 +1,23 @@
+Description:
+ Fix a bug that allows remote client bypass the normal
+ access checks when when -network or -host restrictions
+ are used at the same time with -mapall. [13:08]
+ (CVE-2013-4851)
+Origin: vendor, http://security.FreeBSD.org/patches/SA-13:08/nfsserver.patch
+Bug: http://www.freebsd.org/security/advisories/FreeBSD-SA-13:08.nfsserver.asc
+Bug-Debian: http://bugs.debian.org/717958
+Applied-Upstream: http://svnweb.freebsd.org/base?view=revision&revision=253693
+
+Index: kfreebsd-9-9.0/sys/kern/vfs_export.c
+===================================================================
+--- kfreebsd-9-9.0.orig/sys/kern/vfs_export.c 2009-09-28 19:07:16.000000000 +0100
++++ kfreebsd-9-9.0/sys/kern/vfs_export.c 2013-07-28 18:13:25.223547283 +0100
+@@ -208,7 +208,7 @@
+ np->netc_anon = crget();
+ np->netc_anon->cr_uid = argp->ex_anon.cr_uid;
+ crsetgroups(np->netc_anon, argp->ex_anon.cr_ngroups,
+- np->netc_anon->cr_groups);
++ argp->ex_anon.cr_groups);
+ np->netc_anon->cr_prison = &prison0;
+ prison_hold(np->netc_anon->cr_prison);
+ np->netc_numsecflavors = argp->ex_numsecflavors;
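Review bot: the DEP-3 Description carries a duplicated "when when" and is missing "to" in "allows remote client bypass"; since these headers ship in the source package, fix the wording even though it is quoted from the advisory. The Bug: field also points at www.freebsd.org while the other two new patches use security.FreeBSD.org; use one host for consistency. The code change itself is consistent: after the hunk both the group count (argp->ex_anon.cr_ngroups) and the group array (argp->ex_anon.cr_groups) come from the export arguments, whereas before the freshly crget()'d credential's own cr_groups was copied onto itself, which cannot apply the groups supplied with -mapall.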
diff -Nru kfreebsd-9-9.0/debian/patches/SA-13_09.ip_multicast.patch kfreebsd-9-9.0/debian/patches/SA-13_09.ip_multicast.patch
--- kfreebsd-9-9.0/debian/patches/SA-13_09.ip_multicast.patch 1970-01-01 01:00:00.000000000 +0100
+++ kfreebsd-9-9.0/debian/patches/SA-13_09.ip_multicast.patch 2013-08-22 13:31:10.000000000 +0100
@@ -0,0 +1,35 @@
+Description:
+ Fix an integer overflow in computing the size of a temporary buffer
+ can result in a buffer which is too small for the requested
+ operation. [13:09] (CVE-2013-3077)
+Origin: vendor, http://security.FreeBSD.org/patches/SA-13:09/ip_multicast.patch
+Bug: http://security.FreeBSD.org/advisories/FreeBSD-SA-13:09.ip_multicast.asc
+Bug-Debian: http://bugs.debian.org/720468
+Applied-Upstream: http://svnweb.freebsd.org/base?view=revision&revision=254629
+
+Index: kfreebsd-9-9.0/sys/netinet/in_mcast.c
+===================================================================
+--- kfreebsd-9-9.0.orig/sys/netinet/in_mcast.c 2010-04-10 13:05:31.000000000 +0100
++++ kfreebsd-9-9.0/sys/netinet/in_mcast.c 2013-08-22 13:31:07.139830942 +0100
+@@ -1613,6 +1613,8 @@
+ * has asked for, but we always tell userland how big the
+ * buffer really needs to be.
+ */
++ if (msfr.msfr_nsrcs > in_mcast_maxsocksrc)
++ msfr.msfr_nsrcs = in_mcast_maxsocksrc;
+ tss = NULL;
+ if (msfr.msfr_srcs != NULL && msfr.msfr_nsrcs > 0) {
+ tss = malloc(sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs,
+Index: kfreebsd-9-9.0/sys/netinet6/in6_mcast.c
+===================================================================
+--- kfreebsd-9-9.0.orig/sys/netinet6/in6_mcast.c 2011-11-23 15:18:16.000000000 +0000
++++ kfreebsd-9-9.0/sys/netinet6/in6_mcast.c 2013-08-22 13:31:07.141767292 +0100
+@@ -1624,6 +1624,8 @@
+ * has asked for, but we always tell userland how big the
+ * buffer really needs to be.
+ */
++ if (msfr.msfr_nsrcs > in6_mcast_maxsocksrc)
++ msfr.msfr_nsrcs = in6_mcast_maxsocksrc;
+ tss = NULL;
+ if (msfr.msfr_srcs != NULL && msfr.msfr_nsrcs > 0) {
+ tss = malloc(sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs,
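Review bot: the clamp sits immediately before the multiplication that feeds malloc(), so the overflow path is closed in both in_mcast.c and in6_mcast.c; one thing to confirm for this backport is that in_mcast_maxsocksrc and in6_mcast_maxsocksrc exist under those names in the 9.0 tree, since the change was picked from 9-STABLE (r254629) rather than written against 9.0. The Description also needs a "that" before "can result in a buffer" to read as a sentence.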
diff -Nru kfreebsd-9-9.0/debian/patches/SA-13_10.sctp.patch kfreebsd-9-9.0/debian/patches/SA-13_10.sctp.patch
--- kfreebsd-9-9.0/debian/patches/SA-13_10.sctp.patch 1970-01-01 01:00:00.000000000 +0100
+++ kfreebsd-9-9.0/debian/patches/SA-13_10.sctp.patch 2013-08-22 14:11:33.000000000 +0100
@@ -0,0 +1,27 @@
+Description:
+ Fix a bug that could lead to kernel memory disclosure with
+ SCTP state cookie. [13:10] (CVE-2013-5209)
+Origin: vendor, http://security.FreeBSD.org/patches/SA-13:10/sctp.patch
+Bug: http://security.FreeBSD.org/advisories/FreeBSD-SA-13:10.sctp.asc
+Bug-Debian: http://bugs.debian.org/720475
+Applied-Upstream: http://svnweb.freebsd.org/base?view=revision&revision=254352
+
+Index: kfreebsd-9-9.0/sys/netinet/sctp_output.c
+===================================================================
+--- kfreebsd-9-9.0.orig/sys/netinet/sctp_output.c 2011-11-27 19:13:45.000000000 +0000
++++ kfreebsd-9-9.0/sys/netinet/sctp_output.c 2013-08-22 13:56:33.325837810 +0100
+@@ -5451,6 +5451,14 @@
+ }
+ SCTP_BUF_LEN(m) = sizeof(struct sctp_init_chunk);
+
++ /*
++ * We might not overwrite the identification[] completely and on
++ * some platforms time_entered will contain some padding. Therefore
++ * zero out the cookie to avoid putting uninitialized memory on the
++ * wire.
++ */
++ memset(&stc, 0, sizeof(struct sctp_state_cookie));
++
+ /* the time I built cookie */
+ (void)SCTP_GETTIME_TIMEVAL(&stc.time_entered);
+
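Review bot: confirm that no member of stc is assigned above line 5451, since the memset() placed here would silently discard it; in the visible context the first write to stc is time_entered immediately after the new block, so the placement is fine as far as the hunk shows. The memset zeroes identification[] and the padding inside time_entered before the cookie is put on the wire, which is exactly the disclosure the Description names.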
diff -Nru kfreebsd-9-9.0/debian/patches/series kfreebsd-9-9.0/debian/patches/series
--- kfreebsd-9-9.0/debian/patches/series 2013-06-23 14:47:37.000000000 +0100
+++ kfreebsd-9-9.0/debian/patches/series 2013-08-22 13:51:14.000000000 +0100
@@ -10,6 +10,9 @@
SA-12_08.linux.patch
SA-13_05.nfsserver.patch
SA-13_06.mmap.patch
+SA-13_08.nfsserver.patch
+SA-13_09.ip_multicast.patch
+SA-13_10.sctp.patch
# Other patches that might or might not be mergeable
001_misc.diff
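Review bot: ordering and naming line up: the three new entries follow the existing SA-13_06.mmap.patch and precede the "# Other patches" comment, keeping the security patches grouped, and each name matches a file added elsewhere in this debdiff (SA-13_08.nfsserver.patch, SA-13_09.ip_multicast.patch, SA-13_10.sctp.patch), so quilt applies them in advisory order.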