Bug#736846: pu: package kfreebsd-9/9.0-10+deb70.6
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu
Severity: normal
Hi,
Please can we have your permission to update kfreebsd-9 in wheezy?
-10+deb70.6 fixes a security problem and two other grave bugs:
kfreebsd-9 (9.0-10+deb70.6) stable; urgency=low
* Disable VIA hardware RNG by default. Use hw.nehemiah_rng_enable
sysctl to re-enable (but read about the security implications
first). (Closes: #735448)
* Apply upstream EN-14_02.mmap patch.
* Fix lseek ENXIO error condition with ZFS. (Closes: #736198)
-- Robert Millan <rmh@debian.org> Mon, 27 Jan 2014 16:16:28 +0100
debdiff is attached.
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: kfreebsd-amd64 (x86_64)
Foreign Architectures: kfreebsd-i386
Kernel: kFreeBSD 9.0-2-amd64
Locale: LANG=ca_AD.UTF-8, LC_CTYPE=ca_AD.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru kfreebsd-9-9.0/debian/changelog kfreebsd-9-9.0/debian/changelog
--- kfreebsd-9-9.0/debian/changelog 2013-10-10 00:14:43.000000000 +0200
+++ kfreebsd-9-9.0/debian/changelog 2014-01-27 16:16:29.000000000 +0100
@@ -1,3 +1,13 @@
+kfreebsd-9 (9.0-10+deb70.6) stable; urgency=low
+
+ * Disable VIA hardware RNG by default. Use hw.nehemiah_rng_enable
+ sysctl to re-enable (but read about the security implications
+ first). (Closes: #735448)
+ * Apply upstream EN-14_02.mmap patch.
+ * Fix lseek ENXIO error condition with ZFS. (Closes: #736198)
+
+ -- Robert Millan <rmh@debian.org> Mon, 27 Jan 2014 16:16:28 +0100
+
kfreebsd-9 (9.0-10+deb70.5) stable; urgency=low
* Disable 101_nullfs_vsock.diff. (Closes: #718888)
diff -Nru kfreebsd-9-9.0/debian/patches/disable_via_rng.diff kfreebsd-9-9.0/debian/patches/disable_via_rng.diff
--- kfreebsd-9-9.0/debian/patches/disable_via_rng.diff 1970-01-01 01:00:00.000000000 +0100
+++ kfreebsd-9-9.0/debian/patches/disable_via_rng.diff 2014-01-27 16:15:56.000000000 +0100
@@ -0,0 +1,36 @@
+Description:
+ Disable VIA hardware RNG by default due to unsafe usage. Implement a
+ loader tunable allowing to turn it back on.
+ .
+ Minimal patch based on upstream SVN r240950 and r260644
+Origin: backports, commit:240950, commit:260644
+Forwarded: not-needed
+Bug-Debian: http://bugs.debian.org/735448
+
+Index: kfreebsd-9-9.0/sys/dev/random/probe.c
+===================================================================
+--- kfreebsd-9-9.0.orig/sys/dev/random/probe.c 2006-07-13 11:47:36.000000000 +0000
++++ kfreebsd-9-9.0/sys/dev/random/probe.c 2014-01-26 16:41:27.538080382 +0000
+@@ -30,6 +30,8 @@
+
+ #include <sys/types.h>
+ #include <sys/param.h>
++#include <sys/systm.h>
++#include <sys/kernel.h>
+ #include <sys/malloc.h>
+ #include <sys/random.h>
+ #include <sys/selinfo.h>
+@@ -57,7 +59,12 @@
+ /* Then go looking for hardware */
+ #if defined(__i386__) && !defined(PC98)
+ if (via_feature_rng & VIA_HAS_RNG) {
+- *systat = random_nehemiah;
++ int enable;
++
++ enable = 0;
++ TUNABLE_INT_FETCH("hw.nehemiah_rng_enable", &enable);
++ if (enable)
++ *systat = random_nehemiah;
+ }
+ #endif
+ }
diff -Nru kfreebsd-9-9.0/debian/patches/EN-14_02.mmap.patch kfreebsd-9-9.0/debian/patches/EN-14_02.mmap.patch
--- kfreebsd-9-9.0/debian/patches/EN-14_02.mmap.patch 1970-01-01 01:00:00.000000000 +0100
+++ kfreebsd-9-9.0/debian/patches/EN-14_02.mmap.patch 2014-01-22 22:58:39.000000000 +0100
@@ -0,0 +1,21 @@
+
+From http://security.freebsd.org/patches/EN-14:02/mmap.patch
+
+--- a/sys/vm/vm_map.c
++++ b/sys/vm/vm_map.c
+@@ -1232,6 +1232,7 @@
+ }
+ else if ((prev_entry != &map->header) &&
+ (prev_entry->eflags == protoeflags) &&
++ (cow & (MAP_ENTRY_GROWS_DOWN | MAP_ENTRY_GROWS_UP)) == 0 &&
+ (prev_entry->end == start) &&
+ (prev_entry->wired_count == 0) &&
+ (prev_entry->cred == cred ||
+@@ -3199,7 +3200,6 @@
+ * NOTE: We explicitly allow bi-directional stacks.
+ */
+ orient = cow & (MAP_STACK_GROWS_DOWN|MAP_STACK_GROWS_UP);
+- cow &= ~orient;
+ KASSERT(orient != 0, ("No stack grow direction"));
+
+ if (addrbos < vm_map_min(map) ||
diff -Nru kfreebsd-9-9.0/debian/patches/fix_lseek_zfs.diff kfreebsd-9-9.0/debian/patches/fix_lseek_zfs.diff
--- kfreebsd-9-9.0/debian/patches/fix_lseek_zfs.diff 1970-01-01 01:00:00.000000000 +0100
+++ kfreebsd-9-9.0/debian/patches/fix_lseek_zfs.diff 2014-01-22 23:18:27.000000000 +0100
@@ -0,0 +1,34 @@
+
+http://www.freebsd.org/cgi/query-pr.cgi?pr=164445
+
+http://svn.freebsd.org/changeset/base/233918
+
+--- a/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c
++++ b/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c
+@@ -293,9 +293,12 @@
+
+ case _FIO_SEEK_DATA:
+ case _FIO_SEEK_HOLE:
++#ifdef sun
+ if (ddi_copyin((void *)data, &off, sizeof (off), flag))
+ return (EFAULT);
+-
++#else
++ off = *(offset_t *)data;
++#endif
+ zp = VTOZ(vp);
+ zfsvfs = zp->z_zfsvfs;
+ ZFS_ENTER(zfsvfs);
+@@ -306,8 +309,12 @@
+ ZFS_EXIT(zfsvfs);
+ if (error)
+ return (error);
++#ifdef sun
+ if (ddi_copyout(&off, (void *)data, sizeof (off), flag))
+ return (EFAULT);
++#else
++ *(offset_t *)data = off;
++#endif
+ return (0);
+ }
+ return (ENOTTY);
diff -Nru kfreebsd-9-9.0/debian/patches/series kfreebsd-9-9.0/debian/patches/series
--- kfreebsd-9-9.0/debian/patches/series 2013-09-15 18:42:44.000000000 +0200
+++ kfreebsd-9-9.0/debian/patches/series 2014-01-22 23:15:54.000000000 +0100
@@ -15,6 +15,9 @@
SA-13_10.sctp.patch
SA-13_12.ifioctl.diff
SA-13_13.nullfs.diff
+disable_via_rng.diff
+EN-14_02.mmap.patch
+fix_lseek_zfs.diff
# Other patches that might or might not be mergeable
001_misc.diff
Reply to: