
Re: Preparing the first security update for kernel-source-2.6.8



On Wed, Jun 29, 2005 at 11:14:20AM +0900, Horms wrote:
> On Tue, Jun 28, 2005 at 10:36:15PM +0200, Frederik Schueler wrote:
> > Hello,
> > 
> > I would like to start preparing a security update for kernel-source-2.6.8
> > in sarge, which released with version 2.6.8-16. 
> > 
> > In sarge-security we have an old 2.6.15sarge1 which never got released.
> > 
> > Does anyone object if I update those sources to the revision in sarge,
> > and we start building 2.6.8-16sarge1 from it?
> > 
> > I already got some patches from the ubuntu 2.6.8 kernel package addressing 
> > the following 5 issues:
> > 
> > CAN-2005-0756
> > CAN-2005-1265
> > CAN-2005-1762
> > CAN-2005-1763
> > CAN-2005-1765
> > 
> > and these 3 still need to be addressed:
> > 
> > CAN-2005-1764
> > CAN-2005-0449 #295949
> > CAN-2005-0356 #310804
> > 
> > 
> > if nobody objects, I would like to commit my changes.
> 
> Hi, 
> 
> I have been thinking of making some updates too. 
> So far I have just been trolling the 2.6.11.X and 2.6.12.X patch sets.
> This is primarily intended as a base for rc1 rather than a security
> update, as almost none of the fixes are security related.
> 
> I think the best thing to do would be for you to go ahead and
> start a 2.6.8-16sarge1 in cvs. I will then grab those patches
> and put them into what I am working on for 2.6.8-17.
> 
> We also need to think about 2.4.27, but I was planning to do that
> after 2.6.8 is in the bag.

First up, apologies to Frederik for duplicating his work to some extent.
I really was working on this before I got his message. I hope what
I have done is useful to the security update, and in turn I hope his
patches can be used in the r1 update.

I have gone ahead and put all of my changes in SVN, the changelog below.
The one outstanding problem is that the fix from 2.6.11.X that fixes
CAN-2005-1265 breaks the build and seems to require an ABI fix
to make it build. I haven't been through the Ubuntu tree yet,
and I have to head out now, but I am interested to see what solution
they have. In any case, I am running a build of what is in SVN now
and will take a look at what wheels have fallen off in the morning.

Finally, as per my annotation of #310804, I don't believe that
Linux is vulnerable to CAN-2005-0356.

-- 
Horms

* [SECURITY] arch-x86_64-kernel-ptrace-boundary-check.dpatch
  Don't allow accesses below register frame in ptrace
  See CAN-2005-0756.
  (Simon Horman)
 
* arch-x86_64-kernel-ptrace-canonical-rip-1.dpatch,
  arch-x86_64-kernel-ptrace-canonical-rip-2.dpatch
  This works around an AMD Erratum by
  checking if the ptrace RIP is canonical.
  (Simon Horman)

* [SECURITY] arch-x86_64-kernel-smp-boot-race.dpatch
  Keep interrupts disabled during smp bootup
  This avoids a race that breaks SMP bootup on some machines.
  (Simon Horman)

* [SECURITY] arch-x86_64-mm-ioremap-page-lookup.dpatch
  Don't look up struct page pointer of physical address in iounmap as it may
  be in a memory hole not mapped in mem_map and that causes the hash lookup
  to go off to nirvana.
  (Simon Horman)

* drivers-media-vidio-bttv-vc100xp-detect.dpatch
  Allow Leadtek WinFast VC100 XP cards to work.
  (Simon Horman)

* [SECURITY] fs-exec-ptrace-core-exec-race.dpatch
  Fix race between core dumping and exec with shared mm
  (Simon Horman)

* [SECURITY] fs-exec-ptrace-deadlock.dpatch
  Fix coredump_wait deadlock with ptracer & tracee on shared mm
  (Simon Horman)

* [SECURITY] fs-exec-posix-timers-leak-1.dpatch,
  fs-exec-posix-timers-leak-2.dpatch
  Make exec clean up posix timers.
  (Simon Horman)

* [SECURITY] fs-exec-reparent-timers.dpatch
  Make sure we re-parent itimers.  If subthread exec's with timer pending,
  signal is delivered to old group-leader and can panic kernel.
  See CAN-2005-1913.
  (Simon Horman)

* fs-hfs-oops-and-leak.dpatch
  Fix a leak in HFS and HFS
  Fix an oops that occurs when an attempt is made to
  mount a non-hfs filesystem as HFS.
  (Simon Horman)

* fs-jbd-checkpoint-assertion.dpatch
  Fix possible false assertion failure in log_do_checkpoint(). We might fail
  to detect that we actually made a progress when cleaning up the checkpoint
  lists if we don't retry after writing something to disk.
  (Simon Horman)

# Omitted as it seems to require an update to struct_mm, which
# would be an ABI change. As it stands it breaks the build.
# Looking for a better solution, according to Frederik Schueler
# he has one from Ubuntu. More anon
#* [SECURITY] mm-mmap-range-test.dpatch
#  Make sure get_unmapped_area sanity tests are done regardless of
#  whether MAP_FIXED is set or not.
#  See CAN-2005-1265
#  (Simon Horman)

* mm-rmap-out-of-bounds-pte.dpatch
  Stop try_to_unmap_cluster() passing out-of-bounds pte to pte_unmap()
  (Simon Horman)

* [SECURITY] net-bridge-netfilter-etables-smp-race.dpatch
  The patch below fixes an smp race that happens on such systems under
  heavy load.
  (Simon Horman)

* net-bridge-mangle-oops.dpatch
  Fix oops when mangling and brouting and tcpdumping packets
  Needed for net-bridge-forwarding-poison.dpatch
  (Simon Horman)

* [SECURITY] net-bridge-forwarding-poison.dpatch
  Avoid poisoning of the bridge forwarding table by frames that have been
  dropped by filtering. This prevents spoofed source addresses on hostile
  side of bridge from causing packet leakage, a small but possible security
  risk.
  (Simon Horman)

* net-ipv4-netfilter-ip_queue-deadlock.dpatch
  Fix deadlock with ip_queue and tcp local input path.
  (Simon Horman)

* [SECURITY] net-rose-ndigis-verify.dpatch
  Verify ndigis argument of a new route.
  (Simon Horman)

* sound-usb-usbaudio-unplug-oops.dpatch
  Prevent oops & dead keyboard on usb unplugging while the device is being
  used.
  (Simon Horman)

* net-ipv4-ipvs-conn_tab-race.dpatch
  Fix race condition on p_vs_conn_tab list modification
