kfreebsd-9: 9.0-10+deb70.8 wheezy-security upload
Dear Security Team,
Could we please upload the attached debdiff to wheezy-security? It fixes security issues in kfreebsd-9 (the kernel).
This disables support for SCTP as previously discussed:
https://lists.debian.org/debian-bsd/2014/08/msg00010.html
and applies 3 other security patches from upstream.
Thanks,
Regards,
--
Steven Chamberlain
steven@pyro.eu.org
diff -Nru kfreebsd-9-9.0/debian/changelog kfreebsd-9-9.0/debian/changelog
--- kfreebsd-9-9.0/debian/changelog 2014-06-04 12:43:29.000000000 +0000
+++ kfreebsd-9-9.0/debian/changelog 2014-11-05 01:39:14.000000000 +0000
@@ -1,3 +1,17 @@
+kfreebsd-9 (9.0-10+deb70.8) wheezy-security; urgency=high
+
+ * Team upload.
+ * Disable SCTP due to CVE-2014-3953 and other potential issues; it
+ was anyway unsupported yet by userland tools.
+ * Pick SVN r268432 from FreeBSD 9-STABLE to fix SA-14:17 / CVE-2014-3952:
+ kernel memory disclosure in sockbuf control message (Closes: #754236)
+ * Pick SVN r273412 from FreeBSD 9-STABLE to fix SA-14:22 / CVE-2014-3711:
+ Memory leak in sandboxed namei lookup (Closes: #766275)
+ * Pick SVN r274112 from FreeBSD 9.1-RELEASE to fix SA-14:25 / CVE-2014-8476:
+ Kernel stack disclosure in setlogin(2) / getlogin(2) (Closes: #768104)
+
+ -- Steven Chamberlain <steven@pyro.eu.org> Wed, 05 Nov 2014 01:17:16 +0000
+
kfreebsd-9 (9.0-10+deb70.7) wheezy-security; urgency=high
* Team upload.
diff -Nru kfreebsd-9-9.0/debian/patches/999_config.diff kfreebsd-9-9.0/debian/patches/999_config.diff
--- kfreebsd-9-9.0/debian/patches/999_config.diff 2014-06-04 12:39:31.000000000 +0000
+++ kfreebsd-9-9.0/debian/patches/999_config.diff 2014-10-15 10:44:36.000000000 +0000
@@ -1,6 +1,6 @@
--- a/sys/amd64/conf/GENERIC
+++ b/sys/amd64/conf/GENERIC
-@@ -18,10 +18,12 @@
+@@ -18,16 +18,18 @@
#
# $FreeBSD$
@@ -16,6 +16,13 @@
options SCHED_ULE # ULE scheduler
options PREEMPTION # Enable kernel thread preemption
+ options INET # InterNETworking
+ options INET6 # IPv6 communications protocols
+-options SCTP # Stream Control Transmission Protocol
++#options SCTP # Stream Control Transmission Protocol
+ options FFS # Berkeley Fast Filesystem
+ options SOFTUPDATES # Enable FFS soft updates support
+ options UFS_ACL # Support for access control lists
@@ -49,7 +51,7 @@
options COMPAT_FREEBSD5 # Compatible with FreeBSD5
options COMPAT_FREEBSD6 # Compatible with FreeBSD6
@@ -162,7 +169,7 @@
+options ALTQ_PRIQ # Priority Queuing (PRIQ)
--- a/sys/i386/conf/GENERIC
+++ b/sys/i386/conf/GENERIC
-@@ -18,12 +18,14 @@
+@@ -18,18 +18,20 @@
#
# $FreeBSD$
@@ -182,6 +189,13 @@
options SCHED_ULE # ULE scheduler
options PREEMPTION # Enable kernel thread preemption
+ options INET # InterNETworking
+ options INET6 # IPv6 communications protocols
+-options SCTP # Stream Control Transmission Protocol
++#options SCTP # Stream Control Transmission Protocol
+ options FFS # Berkeley Fast Filesystem
+ options SOFTUPDATES # Enable FFS soft updates support
+ options UFS_ACL # Support for access control lists
@@ -43,6 +45,8 @@
options MSDOSFS # MSDOS Filesystem
options CD9660 # ISO 9660 Filesystem
diff -Nru kfreebsd-9-9.0/debian/patches/SA-14_17.kern.patch kfreebsd-9-9.0/debian/patches/SA-14_17.kern.patch
--- kfreebsd-9-9.0/debian/patches/SA-14_17.kern.patch 1970-01-01 00:00:00.000000000 +0000
+++ kfreebsd-9-9.0/debian/patches/SA-14_17.kern.patch 2014-07-08 23:02:23.000000000 +0000
@@ -0,0 +1,21 @@
+Description:
+ Fix kernel memory disclosure in sockbuf control message (CVE-2014-3952)
+Origin: vendor, http://security.FreeBSD.org/patches/SA-14:17/kmem.patch
+Bug: http://security.FreeBSD.org/advisories/FreeBSD-SA-14:17.kmem.asc
+Bug-Debian: http://bugs.debian.org/754236
+Applied-Upstream: http://svnweb.freebsd.org/base?view=revision&revision=268432
+
+--- kfreebsd-9-9.0.orig/sys/kern/uipc_sockbuf.c
++++ kfreebsd-9-9.0/sys/kern/uipc_sockbuf.c
+@@ -1011,6 +1011,11 @@
+ m->m_len = 0;
+ KASSERT(CMSG_SPACE((u_int)size) <= M_TRAILINGSPACE(m),
+ ("sbcreatecontrol: short mbuf"));
++ /*
++ * Don't leave the padding between the msg header and the
++ * cmsg data and the padding after the cmsg data un-initialized.
++ */
++ bzero(cp, CMSG_SPACE((u_int)size));
+ if (p != NULL)
+ (void)memcpy(CMSG_DATA(cp), p, size);
+ m->m_len = CMSG_SPACE(size);
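Review bot: The new `bzero(cp, CMSG_SPACE((u_int)size))` takes its upper bound from the KASSERT two lines above, and KASSERT is compiled out of kernels built without INVARIANTS, so on a production kernel the zeroing trusts whatever mbuf sizing sbcreatecontrol did before this hunk; that allocation is outside the hunk and presumably guarantees the trailing space, but it is worth confirming rather than assuming. Ordering matters as well: zeroing here is only correct if cmsg_len, cmsg_level and cmsg_type are stored after this point (the hunk shows the memcpy but not the header stores), since an earlier header store would be wiped. If both hold, a short comment would make the dependency explicit, e.g. `/* Zero the full CMSG_SPACE before the header and data are filled in; the mbuf was sized for it above. */`. Minor: `CMSG_SPACE((u_int)size)` in the new line and `CMSG_SPACE(size)` on the m_len line compute the same value with different casts, and one spelling would avoid a reader wondering whether they differ. sbcreatecontrol starts and ends outside this hunk.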
diff -Nru kfreebsd-9-9.0/debian/patches/SA-14_22.namei.patch kfreebsd-9-9.0/debian/patches/SA-14_22.namei.patch
--- kfreebsd-9-9.0/debian/patches/SA-14_22.namei.patch 1970-01-01 00:00:00.000000000 +0000
+++ kfreebsd-9-9.0/debian/patches/SA-14_22.namei.patch 2014-10-21 21:41:34.000000000 +0000
@@ -0,0 +1,104 @@
+Description:
+ Fix memory leak in sandboxed namei lookup. [SA-14:22]
+ (CVE-2014-3711)
+Origin: vendor, http://security.freebsd.org/patches/SA-14:22/namei-9.patch
+Bug: http://security.freebsd.org/advisories/FreeBSD-SA-14:22.namei.asc
+Bug-Debian: http://bugs.debian.org/766275
+Applied-Upstream: http://svnweb.freebsd.org/base?view=revision&revision=273412
+
+--- a/sys/kern/vfs_lookup.c
++++ b/sys/kern/vfs_lookup.c
+@@ -121,6 +121,16 @@
+ * if symbolic link, massage name in buffer and continue
+ * }
+ */
++static void
++namei_cleanup_cnp(struct componentname *cnp)
++{
++ uma_zfree(namei_zone, cnp->cn_pnbuf);
++#ifdef DIAGNOSTIC
++ cnp->cn_pnbuf = NULL;
++ cnp->cn_nameptr = NULL;
++#endif
++}
++
+ int
+ namei(struct nameidata *ndp)
+ {
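Review bot: namei_cleanup_cnp clears cn_pnbuf and cn_nameptr only under DIAGNOSTIC, so in the default build every exit that now goes through it leaves a dangling pointer to the freed buffer in the componentname; this mirrors the code it replaces, but since the helper is the single funnel for all the failure exits, making the two stores unconditional (`cnp->cn_pnbuf = NULL;` and `cnp->cn_nameptr = NULL;` with the `#ifdef DIAGNOSTIC` removed) turns any later accidental use into a NULL dereference instead of a silent use-after-free, for the cost of two stores. Whether some caller legitimately reads cn_pnbuf after a failed namei without HASBUF is not visible here; DIAGNOSTIC kernels already run with the fields cleared, which suggests none does. A one-line comment on the helper saying it must only be used when HASBUF is not being handed back to the caller would also help the next reader. namei itself continues past the end of this hunk.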
+@@ -193,11 +203,7 @@
+ }
+ #endif
+ if (error) {
+- uma_zfree(namei_zone, cnp->cn_pnbuf);
+-#ifdef DIAGNOSTIC
+- cnp->cn_pnbuf = NULL;
+- cnp->cn_nameptr = NULL;
+-#endif
++ namei_cleanup_cnp(cnp);
+ ndp->ni_vp = NULL;
+ return (error);
+ }
+@@ -251,11 +257,7 @@
+ }
+ }
+ if (error) {
+- uma_zfree(namei_zone, cnp->cn_pnbuf);
+-#ifdef DIAGNOSTIC
+- cnp->cn_pnbuf = NULL;
+- cnp->cn_nameptr = NULL;
+-#endif
++ namei_cleanup_cnp(cnp);
+ return (error);
+ }
+ }
+@@ -281,8 +283,10 @@
+ if (*(cnp->cn_nameptr) == '/') {
+ vrele(dp);
+ VFS_UNLOCK_GIANT(vfslocked);
+- if (ndp->ni_strictrelative != 0)
++ if (ndp->ni_strictrelative != 0) {
++ namei_cleanup_cnp(cnp);
+ return (ENOTCAPABLE);
++ }
+ while (*(cnp->cn_nameptr) == '/') {
+ cnp->cn_nameptr++;
+ ndp->ni_pathlen--;
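Review bot: The new ENOTCAPABLE exit frees the path buffer but, unlike the error return earlier in namei that also does `ndp->ni_vp = NULL;` (visible in the -193 hunk), it leaves ni_vp untouched and skips the `SDT_PROBE(vfs, namei, lookup, return, ...)` the other failure paths fire; on a second pass through this loop after a symbolic link, ni_vp may still hold the link vnode that the symlink branch already vput. Whether any caller inspects ni_vp after a failing namei cannot be determined from the hunk, but clearing it costs nothing and keeps the failure exits uniform, so I would add `ndp->ni_vp = NULL;` before the `return (ENOTCAPABLE);`. The enclosing namei body starts and ends outside this hunk.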
+@@ -296,11 +300,7 @@
+ ndp->ni_startdir = dp;
+ error = lookup(ndp);
+ if (error) {
+- uma_zfree(namei_zone, cnp->cn_pnbuf);
+-#ifdef DIAGNOSTIC
+- cnp->cn_pnbuf = NULL;
+- cnp->cn_nameptr = NULL;
+-#endif
++ namei_cleanup_cnp(cnp);
+ SDT_PROBE(vfs, namei, lookup, return, error, NULL, 0,
+ 0, 0);
+ return (error);
+@@ -312,11 +312,7 @@
+ */
+ if ((cnp->cn_flags & ISSYMLINK) == 0) {
+ if ((cnp->cn_flags & (SAVENAME | SAVESTART)) == 0) {
+- uma_zfree(namei_zone, cnp->cn_pnbuf);
+-#ifdef DIAGNOSTIC
+- cnp->cn_pnbuf = NULL;
+- cnp->cn_nameptr = NULL;
+-#endif
++ namei_cleanup_cnp(cnp);
+ } else
+ cnp->cn_flags |= HASBUF;
+
+@@ -382,11 +378,7 @@
+ vput(ndp->ni_vp);
+ dp = ndp->ni_dvp;
+ }
+- uma_zfree(namei_zone, cnp->cn_pnbuf);
+-#ifdef DIAGNOSTIC
+- cnp->cn_pnbuf = NULL;
+- cnp->cn_nameptr = NULL;
+-#endif
++ namei_cleanup_cnp(cnp);
+ vput(ndp->ni_vp);
+ ndp->ni_vp = NULL;
+ vrele(ndp->ni_dvp);
diff -Nru kfreebsd-9-9.0/debian/patches/SA-14_25.setlogin.patch kfreebsd-9-9.0/debian/patches/SA-14_25.setlogin.patch
--- kfreebsd-9-9.0/debian/patches/SA-14_25.setlogin.patch 1970-01-01 00:00:00.000000000 +0000
+++ kfreebsd-9-9.0/debian/patches/SA-14_25.setlogin.patch 2014-11-05 01:28:07.000000000 +0000
@@ -0,0 +1,69 @@
+Description:
+ Fix kernel stack disclosure in setlogin(2) / getlogin(2). [SA-14:25]
+ (CVE-2014-8476)
+Origin: vendor, http://security.FreeBSD.org/patches/SA-14:25/setlogin-91.patch
+Bug: http://security.freebsd.org/advisories/FreeBSD-SA-14:25.setlogin.asc
+Bug-Debian: http://bugs.debian.org/768104
+Applied-Upstream: http://svnweb.freebsd.org/base?view=revision&revision=274112
+
+--- a/sys/kern/kern_prot.c
++++ b/sys/kern/kern_prot.c
+@@ -2073,19 +2073,20 @@
+ int
+ sys_getlogin(struct thread *td, struct getlogin_args *uap)
+ {
+- int error;
+ char login[MAXLOGNAME];
+ struct proc *p = td->td_proc;
++ size_t len;
+
+ if (uap->namelen > MAXLOGNAME)
+ uap->namelen = MAXLOGNAME;
+ PROC_LOCK(p);
+ SESS_LOCK(p->p_session);
+- bcopy(p->p_session->s_login, login, uap->namelen);
++ len = strlcpy(login, p->p_session->s_login, uap->namelen) + 1;
+ SESS_UNLOCK(p->p_session);
+ PROC_UNLOCK(p);
+- error = copyout(login, uap->namebuf, uap->namelen);
+- return(error);
++ if (len > uap->namelen)
++ return (ERANGE);
++ return (copyout(login, uap->namebuf, len));
+ }
+
+ /*
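Review bot: The truncation test `if (len > uap->namelen)` depends on strlcpy returning strlen(src) rather than the number of bytes it copied, so `len` is the space the whole login name needs including its NUL; that is correct but easy to misread as an off-by-one, and a comment on the strlcpy line would help: `/* strlcpy() returns strlen(src); len counts the NUL, so len > namelen means the name did not fit. */`. With that semantics a namelen of 0 now yields ERANGE rather than a zero-byte copyout, and because copyout is bounded to `len`, only bytes strlcpy actually wrote leave the kernel, which is the point of the fix. It would be worth stating in the Debian patch header that getlogin(2) callers passing a too-small buffer now see ERANGE instead of a silently truncated name, since that is an observable change for userland.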
+@@ -2104,21 +2105,23 @@
+ int error;
+ char logintmp[MAXLOGNAME];
+
++ CTASSERT(sizeof(p->p_session->s_login) >= sizeof(logintmp));
++
+ error = priv_check(td, PRIV_PROC_SETLOGIN);
+ if (error)
+ return (error);
+ error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL);
+- if (error == ENAMETOOLONG)
+- error = EINVAL;
+- else if (!error) {
+- PROC_LOCK(p);
+- SESS_LOCK(p->p_session);
+- (void) memcpy(p->p_session->s_login, logintmp,
+- sizeof(logintmp));
+- SESS_UNLOCK(p->p_session);
+- PROC_UNLOCK(p);
++ if (error != 0) {
++ if (error == ENAMETOOLONG)
++ error = EINVAL;
++ return (error);
+ }
+- return (error);
++ PROC_LOCK(p);
++ SESS_LOCK(p->p_session);
++ strcpy(p->p_session->s_login, logintmp);
++ SESS_UNLOCK(p->p_session);
++ PROC_UNLOCK(p);
++ return (0);
+ }
+
+ void
diff -Nru kfreebsd-9-9.0/debian/patches/series kfreebsd-9-9.0/debian/patches/series
--- kfreebsd-9-9.0/debian/patches/series 2014-06-04 12:39:31.000000000 +0000
+++ kfreebsd-9-9.0/debian/patches/series 2014-11-05 01:40:34.000000000 +0000
@@ -21,6 +21,9 @@
SA-14_05.nfsserver.patch
SA-14_08.tcp.patch
EN-14_06.exec.patch
+SA-14_17.kern.patch
+SA-14_22.namei.patch
+SA-14_25.setlogin.patch
# Other patches that might or might not be mergeable
001_misc.diff