Bug#737183: pu: package kfreebsd-8/8.3-6+deb7u1

To: submit@bugs.debian.org
Subject: Bug#737183: pu: package kfreebsd-8/8.3-6+deb7u1
From: Steven Chamberlain <steven@pyro.eu.org>
Date: Fri, 31 Jan 2014 03:57:40 +0000
Message-id: <[🔎] 52EB1F34.1000400@pyro.eu.org>
Reply-to: Steven Chamberlain <steven@pyro.eu.org>, 737183@bugs.debian.org

Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu
Tags: wheezy
X-Debbugs-Cc: debian-bsd@lists.debian.org

Hi,

Please could we also update kfreebsd-8 in wheezy?  This has the same
backported patch to disable hardware RNGs, as well as a backlog of
security fixes, that are already applied to kfreebsd-9 in wheezy.

kfreebsd-8 is removed already from jessie/sid.  It was not the default
kernel for wheezy, so issues are handled at a lower priority, and the
security bugs are marked non-DSA.

The debdiff is attached.  Thanks!

> kfreebsd-8 (8.3-6+deb7u1) wheezy; urgency=medium
> 
>   [ Robert Millan ]
>   * Apply upstream SA-13_08.nfsserver patch (CVE-2013-4851).
>     (Closes: #717959)
> 
>   [ Steven Chamberlain ]
>   * Apply upstream SA-13_09.ip_multicast patch (CVE-2013-3077).
>     (Closes: #720470)
>   * Apply upstream SA-13_10.sctp patch (CVE-2013-5209).
>     (Closes: #720476)
>   * Apply upstream SA-13_12.ifioctl patch (CVE-2013-5691).
>     (Closes: #737181)
>   * Apply upstream SA-13_13.nullfs patch (CVE-2013-5710).
>     (Closes: #737182)
>   * Disable VIA hardware RNG by default. Use hw.nehemiah_rng_enable
>     sysctl to re-enable (but read about the security implications
>     first). (Closes: #735448)
> 
>  -- Steven Chamberlain <steven@pyro.eu.org>  Fri, 31 Jan 2014 02:58:14 +0000

diff -Nru kfreebsd-8-8.3/debian/changelog kfreebsd-8-8.3/debian/changelog
--- kfreebsd-8-8.3/debian/changelog	2012-11-23 22:13:01.000000000 +0000
+++ kfreebsd-8-8.3/debian/changelog	2014-01-31 03:35:00.000000000 +0000
@@ -1,3 +1,24 @@
+kfreebsd-8 (8.3-6+deb7u1) wheezy; urgency=medium
+
+  [ Robert Millan ]
+  * Apply upstream SA-13_08.nfsserver patch (CVE-2013-4851).
+    (Closes: #717959)
+
+  [ Steven Chamberlain ]
+  * Apply upstream SA-13_09.ip_multicast patch (CVE-2013-3077).
+    (Closes: #720470)
+  * Apply upstream SA-13_10.sctp patch (CVE-2013-5209).
+    (Closes: #720476)
+  * Apply upstream SA-13_12.ifioctl patch (CVE-2013-5691).
+    (Closes: #737181)
+  * Apply upstream SA-13_13.nullfs patch (CVE-2013-5710).
+    (Closes: #737182)
+  * Disable VIA hardware RNG by default. Use hw.nehemiah_rng_enable
+    sysctl to re-enable (but read about the security implications
+    first). (Closes: #735448)
+
+ -- Steven Chamberlain <steven@pyro.eu.org>  Fri, 31 Jan 2014 02:58:14 +0000
+
 kfreebsd-8 (8.3-6) unstable; urgency=medium
 
   * Apply patch for SA-12:08 / CVE-2012-4576:
diff -Nru kfreebsd-8-8.3/debian/patches/disable_via_rng.diff kfreebsd-8-8.3/debian/patches/disable_via_rng.diff
--- kfreebsd-8-8.3/debian/patches/disable_via_rng.diff	1970-01-01 00:00:00.000000000 +0000
+++ kfreebsd-8-8.3/debian/patches/disable_via_rng.diff	2014-01-31 03:15:37.000000000 +0000
@@ -0,0 +1,34 @@
+Description:
+ Disable VIA hardware RNG by default due to unsafe usage.  Implement a
+ loader tunable allowing to turn it back on.
+ .
+ Minimal patch based on upstream SVN r240950 and r260644
+Origin: backport, commit:240950, commit:260644
+Forwarded: not-needed
+Bug-Debian: http://bugs.debian.org/735448
+
+--- kfreebsd-8-8.3.orig/sys/dev/random/probe.c
++++ kfreebsd-8-8.3/sys/dev/random/probe.c
+@@ -30,6 +30,8 @@
+ 
+ #include <sys/types.h>
+ #include <sys/param.h>
++#include <sys/systm.h>
++#include <sys/kernel.h>
+ #include <sys/malloc.h>
+ #include <sys/random.h>
+ #include <sys/selinfo.h>
+@@ -57,7 +59,12 @@
+ 	/* Then go looking for hardware */
+ #if defined(__i386__) && !defined(PC98)
+ 	if (via_feature_rng & VIA_HAS_RNG) {
+-		*systat = random_nehemiah;
++		int enable;
++
++		enable = 0;
++		TUNABLE_INT_FETCH("hw.nehemiah_rng_enable", &enable);
++		if (enable)
++			*systat = random_nehemiah;
+ 	}
+ #endif
+ }
diff -Nru kfreebsd-8-8.3/debian/patches/SA-13_08.nfsserver.diff kfreebsd-8-8.3/debian/patches/SA-13_08.nfsserver.diff
--- kfreebsd-8-8.3/debian/patches/SA-13_08.nfsserver.diff	1970-01-01 00:00:00.000000000 +0000
+++ kfreebsd-8-8.3/debian/patches/SA-13_08.nfsserver.diff	2014-01-31 02:26:03.000000000 +0000
@@ -0,0 +1,21 @@
+Description:
+ Fix a bug that allows remote client bypass the normal
+ access checks when when -network or -host restrictions
+ are used at the same time with -mapall. [13:08]
+ (CVE-2013-4851)
+Origin: vendor, http://security.FreeBSD.org/patches/SA-13:08/nfsserver.patch
+Bug: http://www.freebsd.org/security/advisories/FreeBSD-SA-13:08.nfsserver.asc
+Bug-Debian: http://bugs.debian.org/717959
+Applied-Upstream: http://svnweb.freebsd.org/base?view=revision&revision=253694
+
+--- a/sys/kern/vfs_export.c
++++ b/sys/kern/vfs_export.c
+@@ -208,7 +208,7 @@
+ 	np->netc_anon = crget();
+ 	np->netc_anon->cr_uid = argp->ex_anon.cr_uid;
+ 	crsetgroups(np->netc_anon, argp->ex_anon.cr_ngroups,
+-	    np->netc_anon->cr_groups);
++	    argp->ex_anon.cr_groups);
+ 	np->netc_anon->cr_prison = &prison0;
+ 	prison_hold(np->netc_anon->cr_prison);
+ 	np->netc_numsecflavors = argp->ex_numsecflavors;
diff -Nru kfreebsd-8-8.3/debian/patches/SA-13_09.ip_multicast.diff kfreebsd-8-8.3/debian/patches/SA-13_09.ip_multicast.diff
--- kfreebsd-8-8.3/debian/patches/SA-13_09.ip_multicast.diff	1970-01-01 00:00:00.000000000 +0000
+++ kfreebsd-8-8.3/debian/patches/SA-13_09.ip_multicast.diff	2014-01-31 03:34:13.000000000 +0000
@@ -0,0 +1,31 @@
+Description:
+ Fix an integer overflow in computing the size of a temporary buffer
+ can result in a buffer which is too small for the requested
+ operation. [13:09] (CVE-2013-3077)
+Origin: vendor, http://security.FreeBSD.org/patches/SA-13:09/ip_multicast.patch
+Bug: http://www.freebsd.org/security/advisories/FreeBSD-SA-13:09.ip_multicast.asc
+Bug-Debian: http://bugs.debian.org/720470
+Applied-Upstream: http://svnweb.freebsd.org/base?view=revision&revision=254629
+
+--- kfreebsd-8-8.3.orig/sys/netinet/in_mcast.c
++++ kfreebsd-8-8.3/sys/netinet/in_mcast.c
+@@ -1613,6 +1613,8 @@
+ 	 * has asked for, but we always tell userland how big the
+ 	 * buffer really needs to be.
+ 	 */
++	if (msfr.msfr_nsrcs > in_mcast_maxsocksrc)
++		msfr.msfr_nsrcs = in_mcast_maxsocksrc;
+ 	tss = NULL;
+ 	if (msfr.msfr_srcs != NULL && msfr.msfr_nsrcs > 0) {
+ 		tss = malloc(sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs,
+--- kfreebsd-8-8.3.orig/sys/netinet6/in6_mcast.c
++++ kfreebsd-8-8.3/sys/netinet6/in6_mcast.c
+@@ -1624,6 +1624,8 @@
+ 	 * has asked for, but we always tell userland how big the
+ 	 * buffer really needs to be.
+ 	 */
++	if (msfr.msfr_nsrcs > in6_mcast_maxsocksrc)
++		msfr.msfr_nsrcs = in6_mcast_maxsocksrc;
+ 	tss = NULL;
+ 	if (msfr.msfr_srcs != NULL && msfr.msfr_nsrcs > 0) {
+ 		tss = malloc(sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs,
diff -Nru kfreebsd-8-8.3/debian/patches/SA-13_10.sctp.diff kfreebsd-8-8.3/debian/patches/SA-13_10.sctp.diff
--- kfreebsd-8-8.3/debian/patches/SA-13_10.sctp.diff	1970-01-01 00:00:00.000000000 +0000
+++ kfreebsd-8-8.3/debian/patches/SA-13_10.sctp.diff	2014-01-31 03:35:14.000000000 +0000
@@ -0,0 +1,25 @@
+Description:
+ Fix a bug that could lead to kernel memory disclosure with
+ SCTP state cookie. [13:10] (CVE-2013-5209)
+Origin: vendor, http://security.FreeBSD.org/patches/SA-13:10/sctp.patch
+Bug: http://www.freebsd.org/security/advisories/FreeBSD-SA-13:10.sctp.asc
+Bug-Debian: http://bugs.debian.org/720476
+Applied-Upstream: http://svnweb.freebsd.org/base?view=revision&revision=254632
+
+--- kfreebsd-8-8.3.orig/sys/netinet/sctp_output.c
++++ kfreebsd-8-8.3/sys/netinet/sctp_output.c
+@@ -5456,6 +5456,14 @@
+ 	}
+ 	SCTP_BUF_LEN(m) = sizeof(struct sctp_init_chunk);
+ 
++	/*
++	 * We might not overwrite the identification[] completely and on
++	 * some platforms time_entered will contain some padding. Therefore
++	 * zero out the cookie to avoid putting uninitialized memory on the
++	 * wire.
++	 */
++	memset(&stc, 0, sizeof(struct sctp_state_cookie));
++
+ 	/* the time I built cookie */
+ 	(void)SCTP_GETTIME_TIMEVAL(&stc.time_entered);
+ 
diff -Nru kfreebsd-8-8.3/debian/patches/SA-13_12.ifioctl.diff kfreebsd-8-8.3/debian/patches/SA-13_12.ifioctl.diff
--- kfreebsd-8-8.3/debian/patches/SA-13_12.ifioctl.diff	1970-01-01 00:00:00.000000000 +0000
+++ kfreebsd-8-8.3/debian/patches/SA-13_12.ifioctl.diff	2014-01-31 02:53:04.000000000 +0000
@@ -0,0 +1,93 @@
+Description:
+ In IPv6 and NetATM, stop SIOCSIFADDR, SIOCSIFBRDADDR, SIOCSIFDSTADDR
+ and SIOCSIFNETMASK at the socket layer rather than pass them on to the
+ link layer without validation or credential checks. [13:12]
+ (CVE-2013-5691)
+Origin: vendor, http://security.FreeBSD.org/patches/SA-13:12/ifioctl.patch
+Bug: http://www.freebsd.org/security/advisories/FreeBSD-SA-13:12.ifioctl.asc
+Bug-Debian: http://bugs.debian.org/737181
+Applied-Upstream: http://svnweb.freebsd.org/base?view=revision&revision=255445
+
+--- kfreebsd-8-8.3.orig/sys/net/if.c
++++ kfreebsd-8-8.3/sys/net/if.c
+@@ -2606,11 +2606,23 @@
+ 		CURVNET_RESTORE();
+ 		return (EOPNOTSUPP);
+ 	}
++
++	/*
++	 * Pass the request on to the socket control method, and if the
++	 * latter returns EOPNOTSUPP, directly to the interface.
++	 *
++	 * Make an exception for the legacy SIOCSIF* requests.  Drivers
++	 * trust SIOCSIFADDR et al to come from an already privileged
++	 * layer, and do not perform any credentials checks or input
++	 * validation.
++	 */
+ #ifndef COMPAT_43
+ 	error = ((*so->so_proto->pr_usrreqs->pru_control)(so, cmd,
+ 								 data,
+ 								 ifp, td));
+-	if (error == EOPNOTSUPP && ifp != NULL && ifp->if_ioctl != NULL)
++	if (error == EOPNOTSUPP && ifp != NULL && ifp->if_ioctl != NULL &&
++	    cmd != SIOCSIFADDR && cmd != SIOCSIFBRDADDR &&
++	    cmd != SIOCSIFDSTADDR && cmd != SIOCSIFNETMASK)
+ 		error = (*ifp->if_ioctl)(ifp, cmd, data);
+ #else
+ 	{
+@@ -2654,7 +2666,9 @@
+ 								   data,
+ 								   ifp, td));
+ 		if (error == EOPNOTSUPP && ifp != NULL &&
+-		    ifp->if_ioctl != NULL)
++		    ifp->if_ioctl != NULL &&
++		    cmd != SIOCSIFADDR && cmd != SIOCSIFBRDADDR &&
++		    cmd != SIOCSIFDSTADDR && cmd != SIOCSIFNETMASK)
+ 			error = (*ifp->if_ioctl)(ifp, cmd, data);
+ 		switch (ocmd) {
+ 
+--- kfreebsd-8-8.3.orig/sys/netinet6/in6.c
++++ kfreebsd-8-8.3/sys/netinet6/in6.c
+@@ -339,6 +339,18 @@
+ 	case SIOCGIFSTAT_ICMP6:
+ 		sa6 = &ifr->ifr_addr;
+ 		break;
++	case SIOCSIFADDR:
++	case SIOCSIFBRDADDR:
++	case SIOCSIFDSTADDR:
++	case SIOCSIFNETMASK:
++		/*
++		 * Although we should pass any non-INET6 ioctl requests
++		 * down to driver, we filter some legacy INET requests.
++		 * Drivers trust SIOCSIFADDR et al to come from an already
++		 * privileged layer, and do not perform any credentials
++		 * checks or input validation.
++		 */
++		return (EINVAL);
+ 	default:
+ 		sa6 = NULL;
+ 		break;
+--- kfreebsd-8-8.3.orig/sys/netnatm/natm.c
++++ kfreebsd-8-8.3/sys/netnatm/natm.c
+@@ -339,6 +339,21 @@
+ 	npcb = (struct natmpcb *)so->so_pcb;
+ 	KASSERT(npcb != NULL, ("natm_usr_control: npcb == NULL"));
+ 
++	switch (cmd) {
++	case SIOCSIFADDR:
++	case SIOCSIFBRDADDR:
++	case SIOCSIFDSTADDR:
++	case SIOCSIFNETMASK:
++		/*
++		 * Although we should pass any non-ATM ioctl requests
++		 * down to driver, we filter some legacy INET requests.
++		 * Drivers trust SIOCSIFADDR et al to come from an already
++		 * privileged layer, and do not perform any credentials
++		 * checks or input validation.
++		 */
++		return (EINVAL);
++	}
++
+ 	if (ifp == NULL || ifp->if_ioctl == NULL)
+ 		return (EOPNOTSUPP);
+ 	return ((*ifp->if_ioctl)(ifp, cmd, arg));
diff -Nru kfreebsd-8-8.3/debian/patches/SA-13_13.nullfs.diff kfreebsd-8-8.3/debian/patches/SA-13_13.nullfs.diff
--- kfreebsd-8-8.3/debian/patches/SA-13_13.nullfs.diff	1970-01-01 00:00:00.000000000 +0000
+++ kfreebsd-8-8.3/debian/patches/SA-13_13.nullfs.diff	2014-01-31 02:55:22.000000000 +0000
@@ -0,0 +1,34 @@
+Description:
+ Prevent cross-mount hardlinks between different nullfs mounts of the
+ same underlying filesystem. [13:13] (CVE-2013-5710)
+Origin: vendor, http://security.FreeBSD.org/patches/SA-13:13/nullfs.patch
+Bug: http://www.freebsd.org/security/advisories/FreeBSD-SA-13:13.nullfs.asc
+Bug-Debian: http://bugs.debian.org/737182
+Applied-Upstream: http://svnweb.freebsd.org/base?view=revision&revision=255445
+
+--- kfreebsd-8-8.3.orig/sys/fs/nullfs/null_vnops.c
++++ kfreebsd-8-8.3/sys/fs/nullfs/null_vnops.c
+@@ -817,6 +817,15 @@
+ 	return (error);
+ }
+ 
++static int
++null_link(struct vop_link_args *ap)
++{
++
++	if (ap->a_tdvp->v_mount != ap->a_vp->v_mount)
++		return (EXDEV);
++	return (null_bypass((struct vop_generic_args *)ap));
++}
++
+ /*
+  * Global vfs data structures
+  */
+@@ -829,6 +838,7 @@
+ 	.vop_getwritemount =	null_getwritemount,
+ 	.vop_inactive =		null_inactive,
+ 	.vop_islocked =		vop_stdislocked,
++	.vop_link =		null_link,
+ 	.vop_lock1 =		null_lock,
+ 	.vop_lookup =		null_lookup,
+ 	.vop_open =		null_open,
diff -Nru kfreebsd-8-8.3/debian/patches/series kfreebsd-8-8.3/debian/patches/series
--- kfreebsd-8-8.3/debian/patches/series	2012-11-23 22:11:38.000000000 +0000
+++ kfreebsd-8-8.3/debian/patches/series	2014-01-31 03:36:09.000000000 +0000
@@ -13,6 +13,12 @@
 EN-12_02.ipv6refcount.patch
 SCTP_DOS_svn239447.diff
 SA-12_08.linux.patch
+SA-13_08.nfsserver.diff
+SA-13_09.ip_multicast.diff
+SA-13_10.sctp.diff
+SA-13_12.ifioctl.diff
+SA-13_13.nullfs.diff
+disable_via_rng.diff
 
 # Other patches that might or might not be mergeable
 001_misc.diff

Reply to:

Follow-Ups:
- Processed: Re: Bug#737183: pu: package kfreebsd-8/8.3-6+deb7u1
  - From: owner@bugs.debian.org (Debian Bug Tracking System)
- Bug#737183: pu: package kfreebsd-8/8.3-6+deb7u1
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Prev by Date: NEW changes in stable-new
Next by Date: NEW changes in stable-new
Previous by thread: Processed: reopening 710176, block 710176 with 736086, notfound 737144 in 2.4.0, found 737144 in 2.4.0-1 ...
Next by thread: Processed: Re: Bug#737183: pu: package kfreebsd-8/8.3-6+deb7u1
Index(es):
- Date
- Thread