Pending wheezy-security upload

To: "debian-bsd@lists.debian.org" <debian-bsd@lists.debian.org>
Subject: Pending wheezy-security upload
From: Steven Chamberlain <steven@pyro.eu.org>
Date: Tue, 10 Sep 2013 12:59:22 +0100
Message-id: <[🔎] 522F099A.8090203@pyro.eu.org>

tags 722338 + pending
tags 722337 + pending

branches/wheezy/kfreebsd-9/ r4939 is ready in SVN for anyone to test.
I'm building it for kfreebsd-amd64 currently.  Testing for working IPv6
and nullfs seems like a good idea.

Attached is a debdiff against unpacked source of 9.0-10+deb70.3

Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org

diff -Nru kfreebsd-9-9.0/debian/changelog kfreebsd-9-9.0/debian/changelog
--- kfreebsd-9-9.0/debian/changelog	2013-08-22 14:18:36.000000000 +0100
+++ kfreebsd-9-9.0/debian/changelog	2013-09-10 12:44:46.000000000 +0100
@@ -0,4 +0,14 @@
+kfreebsd-9 (9.0-10+deb70.4) UNRELEASED; urgency=high
+
+  * Team upload.
+  * Pick SVN 255443 from FreeBSD 9-STABLE to fix SA-13:12 / CVE-2013-5691:
+    ifioctl credential checks missing (Closes: #722338)
+  * Pick SVN 255443 from FreeBSD 9-STABLE to fix SA-13:13 / CVE-2013-5710:
+    nullfs hardlinks across mounts (Closes: #722337)
+
+ -- Steven Chamberlain <steven@pyro.eu.org>  Tue, 10 Sep 2013 11:57:14 +0100
+
 kfreebsd-9 (9.0-10+deb70.3) wheezy-security; urgency=high
 
   * Team upload.
   * Pick SVN 253693 from FreeBSD 9-STABLE to fix SA-13:08 / CVE-2013-4851:
diff -Nru kfreebsd-9-9.0/debian/patches/SA-13_12.ifioctl.diff kfreebsd-9-9.0/debian/patches/SA-13_12.ifioctl.diff
--- kfreebsd-9-9.0/debian/patches/SA-13_12.ifioctl.diff	1970-01-01 01:00:00.000000000 +0100
+++ kfreebsd-9-9.0/debian/patches/SA-13_12.ifioctl.diff	2013-09-10 12:42:48.000000000 +0100
@@ -0,0 +1,99 @@
+Description:
+ In IPv6 and NetATM, stop SIOCSIFADDR, SIOCSIFBRDADDR, SIOCSIFDSTADDR
+ and SIOCSIFNETMASK at the socket layer rather than pass them on to the
+ link layer without validation or credential checks.  [SA-13:12]
+ (CVE-2013-5691)
+Origin: vendor, http://security.FreeBSD.org/patches/SA-13:12/ifioctl.patch
+Bug: http://security.FreeBSD.org/advisories/FreeBSD-SA-13:12.ifioctl.asc
+Bug-Debian: http://bugs.debian.org/722338
+Applied-Upstream: http://svnweb.freebsd.org/base?view=revision&revision=255443
+
+Index: kfreebsd-9-9.0/sys/netinet6/in6.c
+===================================================================
+--- kfreebsd-9-9.0.orig/sys/netinet6/in6.c	2013-09-10 12:00:48.187797771 +0100
++++ kfreebsd-9-9.0/sys/netinet6/in6.c	2013-09-10 12:00:48.821802804 +0100
+@@ -418,6 +418,18 @@
+ 	case SIOCGIFSTAT_ICMP6:
+ 		sa6 = &ifr->ifr_addr;
+ 		break;
++	case SIOCSIFADDR:
++	case SIOCSIFBRDADDR:
++	case SIOCSIFDSTADDR:
++	case SIOCSIFNETMASK:
++		/*
++		 * Although we should pass any non-INET6 ioctl requests
++		 * down to driver, we filter some legacy INET requests.
++		 * Drivers trust SIOCSIFADDR et al to come from an already
++		 * privileged layer, and do not perform any credentials
++		 * checks or input validation.
++		 */
++		return (EINVAL);
+ 	default:
+ 		sa6 = NULL;
+ 		break;
+Index: kfreebsd-9-9.0/sys/netnatm/natm.c
+===================================================================
+--- kfreebsd-9-9.0.orig/sys/netnatm/natm.c	2009-05-20 18:00:16.000000000 +0100
++++ kfreebsd-9-9.0/sys/netnatm/natm.c	2013-09-10 12:00:48.832906800 +0100
+@@ -339,6 +339,21 @@
+ 	npcb = (struct natmpcb *)so->so_pcb;
+ 	KASSERT(npcb != NULL, ("natm_usr_control: npcb == NULL"));
+ 
++	switch (cmd) {
++	case SIOCSIFADDR:
++	case SIOCSIFBRDADDR:
++	case SIOCSIFDSTADDR:
++	case SIOCSIFNETMASK:
++		/*
++		 * Although we should pass any non-ATM ioctl requests
++		 * down to driver, we filter some legacy INET requests.
++		 * Drivers trust SIOCSIFADDR et al to come from an already
++		 * privileged layer, and do not perform any credentials
++		 * checks or input validation.
++		 */
++		return (EINVAL);
++	}
++
+ 	if (ifp == NULL || ifp->if_ioctl == NULL)
+ 		return (EOPNOTSUPP);
+ 	return ((*ifp->if_ioctl)(ifp, cmd, arg));
+Index: kfreebsd-9-9.0/sys/net/if.c
+===================================================================
+--- kfreebsd-9-9.0.orig/sys/net/if.c	2011-07-03 13:22:02.000000000 +0100
++++ kfreebsd-9-9.0/sys/net/if.c	2013-09-10 12:00:48.906783323 +0100
+@@ -2546,11 +2546,23 @@
+ 		CURVNET_RESTORE();
+ 		return (EOPNOTSUPP);
+ 	}
++
++	/*
++	 * Pass the request on to the socket control method, and if the
++	 * latter returns EOPNOTSUPP, directly to the interface.
++	 *
++	 * Make an exception for the legacy SIOCSIF* requests.  Drivers
++	 * trust SIOCSIFADDR et al to come from an already privileged
++	 * layer, and do not perform any credentials checks or input
++	 * validation.
++	 */
+ #ifndef COMPAT_43
+ 	error = ((*so->so_proto->pr_usrreqs->pru_control)(so, cmd,
+ 								 data,
+ 								 ifp, td));
+-	if (error == EOPNOTSUPP && ifp != NULL && ifp->if_ioctl != NULL)
++	if (error == EOPNOTSUPP && ifp != NULL && ifp->if_ioctl != NULL &&
++	    cmd != SIOCSIFADDR && cmd != SIOCSIFBRDADDR &&
++	    cmd != SIOCSIFDSTADDR && cmd != SIOCSIFNETMASK)
+ 		error = (*ifp->if_ioctl)(ifp, cmd, data);
+ #else
+ 	{
+@@ -2594,7 +2606,9 @@
+ 								   data,
+ 								   ifp, td));
+ 		if (error == EOPNOTSUPP && ifp != NULL &&
+-		    ifp->if_ioctl != NULL)
++		    ifp->if_ioctl != NULL &&
++		    cmd != SIOCSIFADDR && cmd != SIOCSIFBRDADDR &&
++		    cmd != SIOCSIFDSTADDR && cmd != SIOCSIFNETMASK)
+ 			error = (*ifp->if_ioctl)(ifp, cmd, data);
+ 		switch (ocmd) {
+ 
diff -Nru kfreebsd-9-9.0/debian/patches/SA-13_13.nullfs.diff kfreebsd-9-9.0/debian/patches/SA-13_13.nullfs.diff
--- kfreebsd-9-9.0/debian/patches/SA-13_13.nullfs.diff	1970-01-01 01:00:00.000000000 +0100
+++ kfreebsd-9-9.0/debian/patches/SA-13_13.nullfs.diff	2013-09-10 12:43:16.000000000 +0100
@@ -0,0 +1,36 @@
+Description:
+ Prevent cross-mount hardlinks between different nullfs mounts of the
+ same underlying filesystem.  [SA-13:13] (CVE-2013-5710)
+Origin: vendor, http://security.FreeBSD.org/patches/SA-13:13/nullfs.patch
+Bug: http://security.FreeBSD.org/advisories/FreeBSD-SA-13:13.nullfs.asc
+Bug-Debian: http://bugs.debian.org/722337
+Applied-Upstream: http://svnweb.freebsd.org/base?view=revision&revision=255443
+
+Index: kfreebsd-9-9.0/sys/fs/nullfs/null_vnops.c
+===================================================================
+--- kfreebsd-9-9.0.orig/sys/fs/nullfs/null_vnops.c	2013-09-10 12:00:48.309797010 +0100
++++ kfreebsd-9-9.0/sys/fs/nullfs/null_vnops.c	2013-09-10 12:00:58.269784374 +0100
+@@ -816,6 +816,15 @@
+ 	return (error);
+ }
+ 
++static int
++null_link(struct vop_link_args *ap)
++{
++
++	if (ap->a_tdvp->v_mount != ap->a_vp->v_mount)
++		return (EXDEV);
++	return (null_bypass((struct vop_generic_args *)ap));
++}
++
+ /*
+  * Global vfs data structures
+  */
+@@ -829,6 +838,7 @@
+ 	.vop_getwritemount =	null_getwritemount,
+ 	.vop_inactive =		null_inactive,
+ 	.vop_islocked =		vop_stdislocked,
++	.vop_link =		null_link,
+ 	.vop_lock1 =		null_lock,
+ 	.vop_lookup =		null_lookup,
+ 	.vop_open =		null_open,
diff -Nru kfreebsd-9-9.0/debian/patches/series kfreebsd-9-9.0/debian/patches/series
--- kfreebsd-9-9.0/debian/patches/series	2013-08-22 13:51:14.000000000 +0100
+++ kfreebsd-9-9.0/debian/patches/series	2013-09-10 11:58:53.000000000 +0100
@@ -13,6 +13,8 @@
 SA-13_08.nfsserver.patch
 SA-13_09.ip_multicast.patch
 SA-13_10.sctp.patch
+SA-13_12.ifioctl.diff
+SA-13_13.nullfs.diff
 
 # Other patches that might or might not be mergeable
 001_misc.diff

Reply to:

Follow-Ups:
- Processed (with 5 errors): Pending wheezy-security upload
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

Prev by Date: Processed: kfreebsd-9: CVE-2013-5691: ifioctl credential checks missing
Next by Date: Processed (with 5 errors): Pending wheezy-security upload
Previous by thread: Bug#722338: marked as done (kfreebsd-9: CVE-2013-5691: ifioctl credential checks missing)
Next by thread: Processed (with 5 errors): Pending wheezy-security upload
Index(es):
- Date
- Thread