Package: kernel-image-2.6.8-11-amd64-k8-smp; Maintainer for kernel-image-2.6.8-11-amd64-k8-smp is (unknown);
Reported by: Chad Walstrom <chewie@debian.org>
Date: Tue, 9 Aug 2005 21:48:03 UTC
Severity: important
Tags: patch, sarge, security
Fixed in version kernel-source-2.6.8/2.6.8-16sarge1
Done: Simon Horman <horms@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#322237; Package kernel-image-2.6.8-11-amd64-k8-smp.
Acknowledgement sent to Chad Walstrom <chewie@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: kernel-image-2.6.8-11-amd64-k8-smp
Severity: important
While using the ipt_recent kernel module to stop SSH bruteforce attacks,
the kernel panics on a 32-bitism. This crash can occur at any time.
-------------------8<-----------------------
Unable to handle kernel paging request at ffffff00005e3000 RIP:
<ffffffff801c8a20>{__memset+32}
PML4 3e8063 PGD 1ff9067 PMD 365ae067 PTE 0
Oops: 0002 [1] SMP
CPU 0
Modules linked in: ipv6 ipt_REJECT ipt_LOG ipt_state ipt_pkttype ipt_recent ipt_iprange ipt
Pid: 0, comm: swapper Not tainted 2.6.8-11-amd64-k8-smp
RIP: 0010:[<ffffffff801c8a20>] <ffffffff801c8a20>{__memset+32}
RSP: 0018:ffffffff80392450 EFLAGS: 00010216
RAX: 0000000000000000 RBX: 00000000000007f8 RCX: 0000000000000006
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffff00005e3000
RBP: ffffff00005dd000 R08: 0000000000000000 R09: ffffff00005e2fe0
R10: ffffff00005e4000 R11: ffffff00005e6000 R12: 0000000000000059
R13: ffffff00005df000 R14: 000000008b905486 R15: 0000000000000059
FS: 0000002a958ab640(0000) GS:ffffffff803e2e40(0000) knlGS:0000000000000000
CS: 0010 DS: 0018 ES: 0018 CR0: 000000008005003b
CR2: ffffff00005e3000 CR3: 0000000000101000 CR4: 00000000000006e0
Process swapper (pid: 0, threadinfo ffffffff803e6000, task ffffffff802ef6c0)
Stack: ffffffffa01f38f0 ffffffffa01a4f1d ffffff00005e6000 ffffff00005e4000
0000000000000206 ffffffff7ec35980 40ffff0000000059 ffffff00005f2418
00000001005be582 00000000803925d0
Call Trace:<IRQ> <ffffffffa01f38f0>{:ipt_recent:match+1728} <ffffffffa01a4f1d>{:ip_conntra
<ffffffffa019c28d>{:ip_tables:ipt_do_table+605} <ffffffff8024e91a>{nf_iterate+90}
<ffffffff8025ed50>{ip_local_deliver_finish+0} <ffffffff8024ed87>{nf_hook_slow+135}
<ffffffff8025ed50>{ip_local_deliver_finish+0} <ffffffff8025f160>{ip_local_deliver+5
<ffffffff8025f3b3>{ip_rcv_finish+579} <ffffffff8025f170>{ip_rcv_finish+0}
<ffffffff8025f170>{ip_rcv_finish+0} <ffffffff8024edca>{nf_hook_slow+202}
<ffffffff8025f170>{ip_rcv_finish+0} <ffffffff8025f89d>{ip_rcv+1165}
<ffffffff80245f1d>{netif_receive_skb+461} <ffffffff8010fbd5>{ret_from_intr+0}
<ffffffffa00f73b9>{:tg3:tg3_poll+1705} <ffffffff80246114>{net_rx_action+132}
<ffffffff801391e3>{__do_softirq+83} <ffffffff80139275>{do_softirq+53}
<ffffffff801125a1>{do_IRQ+321} <ffffffff8010d980>{default_idle+0}
<ffffffff8010fbd5>{ret_from_intr+0} <EOI> <ffffffff802a5399>{thread_return+41}
<ffffffff8010d9a0>{default_idle+32} <ffffffff8010da2a>{cpu_idle+26}
<ffffffff803e96fb>{start_kernel+507} <ffffffff803e9203>{_sinittext+515}
Code: f3 48 ab 44 89 c1 f3 aa 4c 89 c8 c3 66 66 66 90 ff c9 48 89
RIP <ffffffff801c8a20>{__memset+32} RSP <ffffffff80392450>
CR2: ffffff00005e3000
<0>Kernel panic: Aiee, killing interrupt handler!
In interrupt handler - not syncing
<0>Rebooting in 30 seconds..
-------------------8<-----------------------
The blog entry below details the bug and supplies the patch:
http://blog.blackdown.de/2005/05/09/fixing-the-ipt_recent-netfilter-module/
http://blog.blackdown.de/static/kernel/ipt_recent-fix.patch
Here is the patch for 2.6:
-------------------8<-----------------------
Fixing the ipt_recent Netfilter Module
(cf. http://blog.blackdown.de/2005/05/09/fixing-the-ipt_recent-netfilter-module/)
I've had some ipt_recent rules acting strangely after an uptime of
about 25 days. The problem is reproducible in the 5 minutes before
the first jiffies roll-over right after booting too.
The problem is caused by the jiffies comparison which doesn't work
like intended if one of the last hits was more than LONG_MAX seconds
ago or if the table of last hits contains empty slots and jiffies
is > LONG_MAX.
This patch fixes the problem by using get_seconds() instead of
jiffies. It also fixes some 64-bit issues.
Signed-off-by: Juergen Kreileder <jk@blackdown.de>
diff --exclude=arch --exclude-from=Documentation/dontdiff -ur ../linux-2.6.12-rc3-mm3/include/linux/netfilter_ipv4/ipt_recent.h ./include/linux/netfilter_ipv4/ipt_recent.h
--- ../linux-2.6.12-rc3-mm3/include/linux/netfilter_ipv4/ipt_recent.h 2005-03-02 08:38:10.000000000 +0100
+++ ./include/linux/netfilter_ipv4/ipt_recent.h 2005-05-09 14:50:40.000000000 +0200
@@ -2,7 +2,7 @@
#define _IPT_RECENT_H
#define RECENT_NAME "ipt_recent"
-#define RECENT_VER "v0.3.1"
+#define RECENT_VER "v0.3.2"
#define IPT_RECENT_CHECK 1
#define IPT_RECENT_SET 2
diff --exclude=arch --exclude-from=Documentation/dontdiff -ur ../linux-2.6.12-rc3-mm3/net/ipv4/netfilter/ipt_recent.c ./net/ipv4/netfilter/ipt_recent.c
--- ../linux-2.6.12-rc3-mm3/net/ipv4/netfilter/ipt_recent.c 2005-03-02 08:37:48.000000000 +0100
+++ ./net/ipv4/netfilter/ipt_recent.c 2005-05-09 15:06:58.000000000 +0200
@@ -15,6 +15,7 @@
#include <linux/ctype.h>
#include <linux/ip.h>
#include <linux/vmalloc.h>
+#include <linux/time.h>
#include <linux/moduleparam.h>
#include <linux/netfilter_ipv4/ip_tables.h>
@@ -64,7 +65,7 @@
struct time_info_list {
u_int32_t position;
- u_int32_t time;
+ unsigned long time;
};
/* Structure of our linked list of tables of recent lists. */
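Review bot: widening `time` in struct time_info_list to unsigned long is what lets it hold a get_seconds() value without truncation and be compared against `now` without an implicit narrowing; the struct lives in ipt_recent.c rather than the exported ipt_recent.h, so no iptables userspace ABI changes. The description only says "some 64-bit issues"; it should state which fields now share the unsigned long type so the memset and vmalloc size changes further down can be checked against them.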
@@ -223,7 +224,7 @@
curr_table->table[count].last_seen = 0;
curr_table->table[count].addr = 0;
curr_table->table[count].ttl = 0;
- memset(curr_table->table[count].last_pkts,0,ip_pkt_list_tot*sizeof(u_int32_t));
+ memset(curr_table->table[count].last_pkts,0,ip_pkt_list_tot*sizeof(unsigned long));
curr_table->table[count].oldest_pkt = 0;
curr_table->table[count].time_pos = 0;
curr_table->time_info[count].position = count;
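Review bot: this memset now clears ip_pkt_list_tot * sizeof(unsigned long) bytes per entry, but the diff contains no hunk for the declaration of last_pkts or of the buffer it indexes into, so a reader cannot see whether the element width matches. If last_pkts is already `unsigned long *` (the later vmalloc hunk suggests so), the old sizeof(u_int32_t) sized both the allocation and these clears at half the element width on amd64, which is consistent with the __memset oops at the end of a vmalloc region in the report; if it is still `u_int32_t *`, this memset overruns every entry instead. Either way the declaration should be quoted in the description or included in the diff.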
@@ -418,8 +419,8 @@
if(debug) printk(KERN_INFO RECENT_NAME ": match(): checking table, addr: %u, ttl: %u, orig_ttl: %u\n",addr,ttl,skb->nh.iph->ttl);
#endif
- /* Get jiffies now in case they changed while we were waiting for a lock */
- now = jiffies;
+ /* Get time now in case it changed while we were waiting for a lock */
+ now = get_seconds();
hash_table = curr_table->hash_table;
time_info = curr_table->time_info;
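Review bot: get_seconds() is wall-clock time, so unlike jiffies it moves when the clock is stepped (settimeofday, an NTP step): after a backward step old hits look fresh again until the clock catches up, and after a forward step they expire early. That is tolerable for a rate-limiting match but deserves a sentence in the description. Also confirm that `now` (declared outside this hunk) is unsigned long, since get_seconds() returns unsigned long and the `<=` comparisons added later in the patch rely on unsigned arithmetic.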
@@ -502,7 +503,7 @@
location = time_info[curr_table->time_pos].position;
hash_table[r_list[location].hash_entry] = -1;
hash_table[hash_result] = location;
- memset(r_list[location].last_pkts,0,ip_pkt_list_tot*sizeof(u_int32_t));
+ memset(r_list[location].last_pkts,0,ip_pkt_list_tot*sizeof(unsigned long));
r_list[location].time_pos = curr_table->time_pos;
r_list[location].addr = addr;
r_list[location].ttl = ttl;
@@ -528,11 +529,11 @@
if(info->check_set & IPT_RECENT_CHECK || info->check_set & IPT_RECENT_UPDATE) {
if(!info->seconds && !info->hit_count) ans = !info->invert; else ans = info->invert;
if(info->seconds && !info->hit_count) {
- if(time_before_eq(now,r_list[location].last_seen+info->seconds*HZ)) ans = !info->invert; else ans = info->invert;
+ if(now <= r_list[location].last_seen+info->seconds) ans = !info->invert; else ans = info->invert;
}
if(info->seconds && info->hit_count) {
for(pkt_count = 0, hits_found = 0; pkt_count < ip_pkt_list_tot; pkt_count++) {
- if(time_before_eq(now,r_list[location].last_pkts[pkt_count]+info->seconds*HZ)) hits_found++;
+ if(now <= r_list[location].last_pkts[pkt_count]+info->seconds) hits_found++;
}
if(hits_found >= info->hit_count) ans = !info->invert; else ans = info->invert;
}
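Review bot: replacing time_before_eq() with a plain `<=` is the change that removes the empty-slot failure from the description. With the old macro a cleared slot (last_pkts[pkt_count] == 0) satisfies time_before_eq(now, 0 + seconds*HZ) whenever jiffies sits in the half-range before its wrap, because the signed difference is small and positive, so every empty slot counts as a hit and a --hitcount rule matches on the first packet. With unsigned seconds, `now <= 0 + info->seconds` is false for any realistic clock. One user-visible consequence to record: the match granularity drops from jiffies to whole seconds, so `--seconds N` can now match up to one second longer than before.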
@@ -631,7 +632,7 @@
r_list[location].last_seen = 0;
r_list[location].addr = 0;
r_list[location].ttl = 0;
- memset(r_list[location].last_pkts,0,ip_pkt_list_tot*sizeof(u_int32_t));
+ memset(r_list[location].last_pkts,0,ip_pkt_list_tot*sizeof(unsigned long));
r_list[location].oldest_pkt = 0;
ans = !info->invert;
}
@@ -734,10 +735,10 @@
memset(curr_table->table,0,sizeof(struct recent_ip_list)*ip_list_tot);
#ifdef DEBUG
if(debug) printk(KERN_INFO RECENT_NAME ": checkentry: Allocating %d for pkt_list.\n",
- sizeof(u_int32_t)*ip_pkt_list_tot*ip_list_tot);
+ sizeof(unsigned long)*ip_pkt_list_tot*ip_list_tot);
#endif
- hold = vmalloc(sizeof(u_int32_t)*ip_pkt_list_tot*ip_list_tot);
+ hold = vmalloc(sizeof(unsigned long)*ip_pkt_list_tot*ip_list_tot);
#ifdef DEBUG
if(debug) printk(KERN_INFO RECENT_NAME ": checkentry: After pkt_list allocation.\n");
#endif
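Review bot: the vmalloc size change is the allocation-side half of the fix (the memset hunks are the other half); with 8-byte entries the old sizeof(u_int32_t) reserved only half the bytes those memsets clear, which matches the crash at the end of a vmalloc region in the report. The debug printk rewritten two lines above still formats the sizeof-based expression with %d although it is size_t; since the hunk already touches that line, change it to %zu. No range check on ip_pkt_list_tot * ip_list_tot is visible in this hunk; if none exists elsewhere in checkentry, bounding the module parameters would keep the allocation size predictable.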
-------------------8<-----------------------
-- System Information:
Debian Release: 3.1
Architecture: x86_64
Kernel: Linux 2.6.8-11-amd64-k8-smp
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ANSI_X3.4-1968) (ignored: LC_ALL set to C)
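The empty-slot failure that the quoted blog entry describes, as an added example that is not code from this report, the blog post or the ipt_recent module: it models one recent-list entry, runs the old jiffies-based hit count and the patched seconds-based one over the same packets, and shows the old check over-counting in the window before the jiffies wrap. HZ, the list size, the timestamps and the function names are constructed for the demonstration.

```c
/*
 * Added example (not from the bug report, the blog post or the patch):
 * the ipt_recent --hitcount test with the pre-patch time_before_eq()
 * check and the patched get_seconds() check. All values are constructed.
 */
#include <stddef.h>
#include <limits.h>

/* Kernel time_after_eq()/time_before_eq() from include/linux/jiffies.h:
 * order two counter values by the sign of their difference so a wrapped
 * counter still orders correctly. The subtraction is done unsigned so the
 * wrap is well-defined C; the kernel relies on two's complement for it. */
#define time_after_eq(a, b)  ((long)((unsigned long)(a) - (unsigned long)(b)) >= 0)
#define time_before_eq(a, b) time_after_eq(b, a)

#define HZ           1000   /* assumed tick rate */
#define PKT_LIST_TOT 20     /* ipt_recent's default ip_pkt_list_tot */

/* One recent-list entry: timestamps of the last PKT_LIST_TOT packets from
 * an address. A cleared entry is all zeros, which is what the memset()
 * calls in the patch produce. */
struct recent_entry {
    unsigned long last_pkts[PKT_LIST_TOT];
};

/* Stamp the first n slots with packets seen ages[i] units before now and
 * leave the remaining slots cleared (0). */
static void fill_entry(struct recent_entry *e, unsigned long now,
                       const unsigned long *ages, size_t n)
{
    for (size_t i = 0; i < PKT_LIST_TOT; i++)
        e->last_pkts[i] = (i < n) ? now - ages[i] : 0;
}

/* Pre-patch check: count packets within seconds*HZ jiffies of now. */
int hits_jiffies(const struct recent_entry *e, unsigned long now, unsigned seconds)
{
    int hits = 0;
    for (size_t i = 0; i < PKT_LIST_TOT; i++)
        if (time_before_eq(now, e->last_pkts[i] + (unsigned long)seconds * HZ))
            hits++;
    return hits;
}

/* Patched check: plain unsigned comparison on get_seconds() values. */
int hits_seconds(const struct recent_entry *e, unsigned long now, unsigned seconds)
{
    int hits = 0;
    for (size_t i = 0; i < PKT_LIST_TOT; i++)
        if (now <= e->last_pkts[i] + seconds)
            hits++;
    return hits;
}

/* Scenario for all three functions: two genuine packets from one address,
 * one 10 ticks ago and one 2 minutes ago, checked against --seconds 60.
 * The correct answer is 1 hit. */
int old_hits_mid_uptime(void)   /* jiffies far from the wrap: correct */
{
    struct recent_entry e;
    unsigned long now = 5000UL * HZ;
    unsigned long ages[] = { 10, 120UL * HZ };
    fill_entry(&e, now, ages, 2);
    return hits_jiffies(&e, now, 60);      /* 1 */
}

int old_hits_before_wrap(void)  /* 100 s before jiffies wraps to 0 */
{
    struct recent_entry e;
    unsigned long now = ULONG_MAX - 100UL * HZ;
    unsigned long ages[] = { 10, 120UL * HZ };
    fill_entry(&e, now, ages, 2);
    /* 0 + 60*HZ is "after" now by a small signed difference, so each of
     * the 18 empty slots is counted: 1 real hit + 18 phantom hits. */
    return hits_jiffies(&e, now, 60);      /* 19 */
}

int new_hits_same_packets(void) /* same packets stamped in seconds */
{
    struct recent_entry e;
    unsigned long now = 1123624083UL;      /* constructed: Aug 2005 */
    unsigned long ages[] = { 1, 120 };
    fill_entry(&e, now, ages, 2);
    return hits_seconds(&e, now, 60);      /* 1 */
}
```

With the old check a --hitcount 3 rule fires on the first packet during the window before the wrap; the seconds-based check never treats a zeroed slot as a recent hit.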
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#322237; Package kernel-image-2.6.8-11-amd64-k8-smp.
Acknowledgement sent to Frederik Schueler <fs@lowpingbastards.de>:
Extra info received and forwarded to list. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>.
Message #10 received at submit@bugs.debian.org:
Hello,

On Tue, Aug 09, 2005 at 04:31:40PM -0500, Chad Walstrom wrote:
> While using the ipt_recent kernel module to stop SSH bruteforce attacks,
> the kernel panics on a 32-bitism. This crash can occur at any time.

This is fixed in 2.6.12, the git commit entry is here:
http://www.kernel.org/git/?p=linux/kernel/git/chrisw/lsm-2.6.git;a=commit;h=bcfff0b471a60df350338bcd727fc9b8a6aa54b2

this is a good candidate to be backported for sarge.

Best regards
Frederik Schueler

-- 
ENOSIG
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#322237; Package kernel-image-2.6.8-11-amd64-k8-smp.
Acknowledgement sent to Frederik Schueler <fs@lowpingbastards.de>:
Extra info received and forwarded to list. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>.
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#322237; Package kernel-image-2.6.8-11-amd64-k8-smp.
Acknowledgement sent to Horms <horms@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>.
Message #20 received at 322237@bugs.debian.org:
On Wed, Aug 10, 2005 at 01:38:57PM +0200, Frederik Schueler wrote:
> Hello,
>
> On Tue, Aug 09, 2005 at 04:31:40PM -0500, Chad Walstrom wrote:
>
> > While using the ipt_recent kernel module to stop SSH bruteforce attacks,
> > the kernel panics on a 32-bitism. This crash can occur at any time.
>
> This is fixed in 2.6.12, the git commit entry is here:
>
> http://www.kernel.org/git/?p=linux/kernel/git/chrisw/lsm-2.6.git;a=commit;h=bcfff0b471a60df350338bcd727fc9b8a6aa54b2
>
> this is a good candidate to be backported for sarge.

I will look into making that happen.

-- 
Horms
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#322237; Package kernel-image-2.6.8-11-amd64-k8-smp.
Acknowledgement sent to Horms <horms@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>.
Message #25 received at 322237@bugs.debian.org:
tag 322237 +security
tag 322237 +patch
tag 322237 +pending
tag 322237 +sarge
thanks

On Wed, Aug 10, 2005 at 01:38:57PM +0200, Frederik Schueler wrote:
> Hello,
>
> On Tue, Aug 09, 2005 at 04:31:40PM -0500, Chad Walstrom wrote:
>
> > While using the ipt_recent kernel module to stop SSH bruteforce attacks,
> > the kernel panics on a 32-bitism. This crash can occur at any time.

By my reasoning that constitutes a remote DoS.

> This is fixed in 2.6.12, the git commit entry is here:
>
> http://www.kernel.org/git/?p=linux/kernel/git/chrisw/lsm-2.6.git;a=commit;h=bcfff0b471a60df350338bcd727fc9b8a6aa54b2
>
> this is a good candidate to be backported for sarge.

Thanks, applies cleanly to 2.6.8 and 2.4.27. Will be in SVN very shortly.

-- 
Horms
Tags added: security
Request was from Horms <horms@debian.org>
to control@bugs.debian.org.
Tags added: patch
Request was from Horms <horms@debian.org>
to control@bugs.debian.org.
Tags added: pending
Request was from Horms <horms@debian.org>
to control@bugs.debian.org.
Tags added: sarge
Request was from Horms <horms@debian.org>
to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#322237; Package kernel-image-2.6.8-11-amd64-k8-smp.
Acknowledgement sent to Geoff Crompton <geoff.crompton@strategicdata.com.au>:
Extra info received and forwarded to list. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>.
Message #38 received at 322237@bugs.debian.org:
Just FYI, this has been assigned CAN-2005-2802.

-- 
Geoff Crompton
Debian System Administrator
Strategic Data
+61 3 9340 9000
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#322237; Package kernel-image-2.6.8-11-amd64-k8-smp.
Acknowledgement sent to Geoff Crompton <geoff.crompton@strategicdata.com.au>:
Extra info received and forwarded to list. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>.
Message #43 received at 322237@bugs.debian.org:
Geoff Crompton wrote:
> Just FYI, this has been assigned CAN-2005-2802.
>

Oops. Just noticed that this has actually been assigned CAN-2005-2872, which is the one that is actually referenced in all the debian kernel svn logs. Sorry!

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2802

-- 
Geoff Crompton
Debian System Administrator
Strategic Data
+61 3 9340 9000
Reply sent to Simon Horman <horms@debian.org>:
You have taken responsibility.
Notification sent to Chad Walstrom <chewie@debian.org>:
Bug acknowledged by developer.
Message #48 received at 322237-close@bugs.debian.org:
Source: kernel-source-2.6.8
Source-Version: 2.6.8-16sarge1
We believe that the bug you reported is fixed in the latest version of
kernel-source-2.6.8, which is due to be installed in the Debian FTP archive:
kernel-doc-2.6.8_2.6.8-16sarge1_all.deb
to pool/main/k/kernel-source-2.6.8/kernel-doc-2.6.8_2.6.8-16sarge1_all.deb
kernel-patch-debian-2.6.8_2.6.8-16sarge1_all.deb
to pool/main/k/kernel-source-2.6.8/kernel-patch-debian-2.6.8_2.6.8-16sarge1_all.deb
kernel-source-2.6.8_2.6.8-16sarge1.diff.gz
to pool/main/k/kernel-source-2.6.8/kernel-source-2.6.8_2.6.8-16sarge1.diff.gz
kernel-source-2.6.8_2.6.8-16sarge1.dsc
to pool/main/k/kernel-source-2.6.8/kernel-source-2.6.8_2.6.8-16sarge1.dsc
kernel-source-2.6.8_2.6.8-16sarge1_all.deb
to pool/main/k/kernel-source-2.6.8/kernel-source-2.6.8_2.6.8-16sarge1_all.deb
kernel-tree-2.6.8_2.6.8-16sarge1_all.deb
to pool/main/k/kernel-source-2.6.8/kernel-tree-2.6.8_2.6.8-16sarge1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 322237@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon Horman <horms@debian.org> (supplier of updated kernel-source-2.6.8 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Mon, 15 Aug 2005 18:51:34 +0900
Source: kernel-source-2.6.8
Binary: kernel-source-2.6.8 kernel-doc-2.6.8 kernel-tree-2.6.8 kernel-patch-debian-2.6.8
Architecture: source all
Version: 2.6.8-16sarge1
Distribution: stable-security
Urgency: high
Maintainer: Debian kernel team <debian-kernel@lists.debian.org>
Changed-By: Simon Horman <horms@debian.org>
Description:
kernel-doc-2.6.8 - Linux kernel specific documentation for version 2.6.8
kernel-patch-debian-2.6.8 - Debian patches to Linux 2.6.8
kernel-source-2.6.8 - Linux kernel source for version 2.6.8 with Debian patches
kernel-tree-2.6.8 - Linux kernel source tree for building Debian kernel images
Closes: 309308 311357 317286 321401 322237 322339 323059
Changes:
kernel-source-2.6.8 (2.6.8-16sarge1) stable-security; urgency=high
.
[ Dann Frazier ]
* mckinley_icache.dpatch:
[Security] Fix a cache coherency bug unearthed by a new ia64 processor,
codenamed Montecito. This bug causes data corruption that has manifested
itself in kernel hangs and userspace crashes, and causes d-i to fail.
Reference: http://www.intel.com/cd/ids/developer/asmo-na/eng/215766.htm
N.B: I have marked this as security as it seems that it would
be trivial to construct a user-space DoS - Simon Horman.
.
[ Simon Horman ]
# Excluded from security-only release
# * drivers-net-via-rhine-wol-oops.dpatch (removed):
# This patch breaks the via-rhine driver and 2.6.8 and is
# completely bogus for this version of the kernel
# (closes: #311357)
.
* arch-x86_64-kernel-ptrace-boundary-check.dpatch
[Security, x86_64] Don't allow accesses below register frame in ptrace
See CAN-2005-1763.
.
* arch-x86_64-kernel-ptrace-canonical-rip-1.dpatch
[Security, x86_64] This works around an AMD Erratum by
checking if the ptrace RIP is canonical.
See CAN-2005-1762
.
* arch-x86_64-kernel-ptrace-canonical-rip-2.dpatch
[Security, x86_64] Fix canonical checking for segment registers in ptrace
See CAN-2005-0756
.
* arch-x86_64-kernel-smp-boot-race.dpatch
[Security, x86_64] Keep interrupts disabled during smp bootup
This avoids a race that breaks SMP bootup on some machines.
.
* arch-x86_64-mm-ioremap-page-lookup.dpatch
[Security, x86_64] Don't look up struct page pointer of physical address
in iounmap as it may be in a memory hole not mapped in mem_map and that
causes the hash lookup to go off to nirvana.
.
# Excluded from security-only release
# * drivers-media-vidio-bttv-vc100xp-detect.dpatch
# Allow Leadtek WinFast VC100 XP cards to work.
.
* fs-exec-ptrace-core-exec-race.dpatch
[Security] Fix race between core dumping and exec with shared mm
.
* fs-exec-ptrace-deadlock.dpatch
[Security] Fix coredump_wait deadlock with ptracer & tracee on shared mm
.
* fs-exec-posix-timers-leak-1.dpatch,
[Security] fs-exec-posix-timers-leak-2.dpatch
Make exec clean up posix timers.
.
* fs-hfs-oops-and-leak.dpatch
[Security] Fix a leak in HFS and HFS+
Fix an oops that occurs when an attempt is made to
mount a non-hfs filesystem as HFS+.
N.B: Marked as security as users may have mount privileges.
.
# Excluded from security-only release
# * fs-jbd-checkpoint-assertion.dpatch
# Fix possible false assertion failure in log_do_checkpoint(). We might fail
# to detect that we actually made a progress when cleaning up the checkpoint
# lists if we don't retry after writing something to disk.
.
* mm-mmap-range-test.dpatch
[Security] Make sure get_unmapped_area sanity tests are done regardless of
whether MAP_FIXED is set or not.
See CAN-2005-1265
.
# Excluded from security-only release
# * mm-rmap-out-of-bounds-pte.dpatch
# Stop try_to_unmap_cluster() passing out-of-bounds pte to pte_unmap()
.
* net-bridge-netfilter-etables-smp-race.dpatch
[Security] The patch below fixes an smp race that happens on such
systems under heavy load.
.
Excluded from security-only release
* net-bridge-mangle-oops-1.dpatch, net-bridge-mangle-oops-2.dpatch
Fix oops when mangling and brouting and tcpdumping packets
Needed for net-bridge-forwarding-poison-1.dpatch
.
* net-bridge-forwarding-poison-2.dpatch,
net-bridge-forwarding-poison-2.dpatch:
[Security] Avoid poisoning of the bridge forwarding table by frames that
have been dropped by filtering. This prevents spoofed source addresses on
hostile side of bridge from causing packet leakage, a small but possible
security risk.
.
# Excluded from security-only release
# * net-ipv4-netfilter-ip_queue-deadlock.dpatch
# Fix deadlock with ip_queue and tcp local input path.
.
* [Security] net-rose-ndigis-verify.dpatch
Verify ndigis argument of a new route.
.
* sound-usb-usbaudio-unplug-oops.dpatch
[Security] Prevent oops & dead keyboard on usb unplugging while the device
is being used.
.
* net-ipv4-ipvs-conn_tab-race.dpatch
[Security] Fix race condition on ip_vs_conn_tab list modification
.
# Excluded from security-only release
# * asm-i386-mem-clobber.dpatch:
# Make sure gcc doesn't reorder memory accesses in strncmp and friends on
# i386.
.
# Excluded from security-only release
# * drivers-acpi-pci_irq-elcr.dpatch:
# Make sure we call acpi_register_gsi() even for default PCI interrupt
# assignment. That's the part that keeps track of the ELCR register, and we
# want to make sure that the PCI interrupts are properly marked level/low.
.
* asm-i386-mem-clobber.dpatch:
Make sure netlink_autobind() propagates the error return from
netlink_insert(). Otherwise, callers will not see the error as they
should and thus try to operate on a socket with a zero pid, which is very
bad.
.
* fs-ext3-64bit-offset.dpatch
[Security] Incorrect offset checks for ext3 xattr on 64 bit architectures
can lead to a local DoS.
See CAN-2005-0757. (see: #311164).
.
* arch-x86_64-mm-mmap.dpatch
[Security, x86_64] Compat mode program can hang kernel
See CAN-2005-1765.
.
* arch-ia64-ptrace-getregs-putregs.dpatch
[Security, ia64] Fix unchecked user-memory accesses in ptrace_getregs()
and ptrace_setregs.
.
* arch-ia64-ptrace-restore_sigcontext.dpatch
[Security, ia64] Fix to prevent users from using ptrace to set the pl field
of the ar.rsc register to any value, leading to the
ability to overwrite kernel memory.
Note, this patch requires the arch-ia64-ptrace-getregs-putregs.dpatch
patch to apply cleanly.
See CAN-2005-1761.
.
# Excluded from security-only release
# * Makefile-gcc-3.3.dpatch, control
# Build with gcc-3.3, as gcc-4.0, now the default in unstable,
# fails to build this source. As this tree is primarily
# intended for use with sarge, there seems little point
# in putting in gcc-4.0 fixes, but at the same time,
# there is some value in being able to use it with unstable.
# (Closes: #323059)
.
[ dann frazier ]
* Merge in applicable fixes from 2.6.12.3
- [Security] ppc32-time_offset-misuse.dpatch
# Excluded from security-only release - v4l-cx88-hue-offset-fix.dpatch
# Excluded from security-only release - tty_ldisc_ref-return-null-check.dpatch
.
* Merge in applicable fixes from 2.6.12.4
- [Security] netfilter-NAT-memory-corruption.dpatch
# Excluded from security-only release - netfilter-deadlock-ip6_queue.dpatch
- [Security] ipsec-array-overflow.dpatch See CAN-2005-2456
(See: #321401) (Closes: #321401)
- [Security] netfilter-ip_conntrack_untracked-refcount.dpatch
- [Security] sys_get_thread_area-leak.dpatch
# Excluded from security-only release - rocket_c-fix-ldisc-ref-count.dpatch
# Excluded from security-only release - early-vlan-fix.dpatch
.
[ Simon Horman ]
* fs_ext2_ext3_xattr-sharing.dpatch
[Security] Xattr sharing bug
See http://lists.debian.org/debian-kernel/2005/08/msg00238.html
.
* vlan-mii-ioctl.dpatch
[Security] MII ioctl pass through was passing the wrong device.
See http://lists.osdl.org/pipermail/bridge/2004-September/000638.html
See CAN-2005-2548 (Closes: #309308)
.
* fs-sysfs-read-write-race.dpatch
[Security] Fix race in sysfs_read_file() and sysfs_write_file()
that can lead to a user-space DoS.
See CAN-2004-2302 (Closes: #322339)
.
* net-ipv4-netfilter-ip_recent-last_pkts.dpatch
[Security] Fixes remote DoS when using ipt_recent on a 64 bit machine.
(Closes: #322237)
.
# Excluded from security-only release
# * drivers-sata-promise-sataii_tx2_tx4.dpatch
# Add SATAII TX2 and TX2/TX4 support to sata promise driver
# (Closes: #317286)
.
[ Frederik Schüler ]
* arch-x86_64-mm-ioremap-page-lookup-fix.dpatch
Add build fix for arch-x86_64-mm-ioremap-page-lookup.dpatch
.
[ Simon Horman ]
* arch-x86_64-kernel-stack-faults.dpatch
arch-x86_64-nmi.dpatch
arch-x86_64-private-tss.dpatch
[Security, x86_64] Disable exception stack for stack faults
See CAN-2005-1767
.
* linux-zlib-fixes.dpatch
[Security] Fix security bugs in the Linux zlib implementations.
See CAN-2005-2458, CAN-2005-2459
From 2.6.12.5
http://sources.redhat.com/ml/bug-gnu-utils/1999-06/msg00183.html
http://bugs.gentoo.org/show_bug.cgi?id=94584
.
# Excluded from security-only release
# * zisofs.dpatch
# Check input buffer size in zisofs
# From 2.6.12.5
.
# Excluded from security-only release
# * module-per-cpu-alignment-fix.dpatch
# Module per-cpu alignment cannot always be met
# From 2.6.12.5
Files:
Reply sent to Simon Horman <horms@debian.org>:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Chad Walstrom <chewie@debian.org>:
Bug acknowledged by developer.
(full text, mbox, link).
Message #53 received at 322237-close@bugs.debian.org (full text, mbox, reply):
Source: kernel-source-2.6.8
Source-Version: 2.6.8-16sarge1
We believe that the bug you reported is fixed in the latest version of
kernel-source-2.6.8, which is due to be installed in the Debian FTP archive:
kernel-doc-2.6.8_2.6.8-16sarge1_all.deb
to pool/main/k/kernel-source-2.6.8/kernel-doc-2.6.8_2.6.8-16sarge1_all.deb
kernel-patch-debian-2.6.8_2.6.8-16sarge1_all.deb
to pool/main/k/kernel-source-2.6.8/kernel-patch-debian-2.6.8_2.6.8-16sarge1_all.deb
kernel-source-2.6.8_2.6.8-16sarge1.diff.gz
to pool/main/k/kernel-source-2.6.8/kernel-source-2.6.8_2.6.8-16sarge1.diff.gz
kernel-source-2.6.8_2.6.8-16sarge1.dsc
to pool/main/k/kernel-source-2.6.8/kernel-source-2.6.8_2.6.8-16sarge1.dsc
kernel-source-2.6.8_2.6.8-16sarge1_all.deb
to pool/main/k/kernel-source-2.6.8/kernel-source-2.6.8_2.6.8-16sarge1_all.deb
kernel-tree-2.6.8_2.6.8-16sarge1_all.deb
to pool/main/k/kernel-source-2.6.8/kernel-tree-2.6.8_2.6.8-16sarge1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 322237@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon Horman <horms@debian.org> (supplier of updated kernel-source-2.6.8 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Mon, 15 Aug 2005 18:51:34 +0900
Source: kernel-source-2.6.8
Binary: kernel-source-2.6.8 kernel-doc-2.6.8 kernel-tree-2.6.8 kernel-patch-debian-2.6.8
Architecture: source all
Version: 2.6.8-16sarge1
Distribution: stable-security
Urgency: high
Maintainer: Debian kernel team <debian-kernel@lists.debian.org>
Changed-By: Simon Horman <horms@debian.org>
Description:
kernel-doc-2.6.8 - Linux kernel specific documentation for version 2.6.8
kernel-patch-debian-2.6.8 - Debian patches to Linux 2.6.8
kernel-source-2.6.8 - Linux kernel source for version 2.6.8 with Debian patches
kernel-tree-2.6.8 - Linux kernel source tree for building Debian kernel images
Closes: 309308 311357 317286 321401 322237 322339 323059
Changes:
kernel-source-2.6.8 (2.6.8-16sarge1) stable-security; urgency=high
.
[ Dann Frazier ]
* mckinley_icache.dpatch:
[Security] Fix a cache coherency bug unearthed by a new ia64 processor,
codenamed Montecito. This bug causes data corruption that has manifested
itself in kernel hangs and userspace crashes, and causes d-i to fail.
Reference: http://www.intel.com/cd/ids/developer/asmo-na/eng/215766.htm
N.B: I have marked this as security as it seems that it would
be trivial to construct a user-space DoS - Simon Horman.
.
[ Simon Horman ]
# Excluded from security-only release
# * drivers-net-via-rhine-wol-oops.dpatch (removed):
# This patch breaks the via-rhine driver and 2.6.8 and is
# completely bogus for this version of the kernel
# (closes: #311357)
.
* arch-x86_64-kernel-ptrace-boundary-check.dpatch
[Security, x86_64] Don't allow accesses below register frame in ptrace
See CAN-2005-1763.
.
* arch-x86_64-kernel-ptrace-canonical-rip-1.dpatch
[Security, x86_64] This works around an AMD Erratum by
checking if the ptrace RIP is canonical.
See CAN-2005-1762
.
* arch-x86_64-kernel-ptrace-canonical-rip-2.dpatch
[Security, x86_64] Fix canonical checking for segment registers in ptrace
See CAN-2005-0756
.
* arch-x86_64-kernel-smp-boot-race.dpatch
[Security, x86_64] Keep interrupts disabled during smp bootup
This avoids a race that breaks SMP bootup on some machines.
.
* arch-x86_64-mm-ioremap-page-lookup.dpatch
[Security, x86_64] Don't look up struct page pointer of physical address
in iounmap as it may be in a memory hole not mapped in mem_map and that
causes the hash lookup to go off to nirvana.
.
# Excluded from security-only release
# * drivers-media-vidio-bttv-vc100xp-detect.dpatch
# Allow Leadtek WinFast VC100 XP cards to work.
.
* fs-exec-ptrace-core-exec-race.dpatch
[Security] Fix race between core dumping and exec with shared mm
.
* fs-exec-ptrace-deadlock.dpatch
[Security] Fix coredump_wait deadlock with ptracer & tracee on shared mm
.
* fs-exec-posix-timers-leak-1.dpatch,
[Security] fs-exec-posix-timers-leak-2.dpatch
Make exec clean up posix timers.
.
* fs-hfs-oops-and-leak.dpatch
[Security] Fix a leak in HFS and HFS+
Fix an oops that occurs when an attempt is made to
mount a non-hfs filesystem as HFS+.
N.B: Marked as security as users may have mount privelages.
.
# Excluded from security-only release
# * fs-jbd-checkpoint-assertion.dpatch
# Fix possible false assertion failure in log_do_checkpoint(). We might fail
# to detect that we actually made a progress when cleaning up the checkpoint
# lists if we don't retry after writing something to disk.
.
* mm-mmap-range-test.dpatch
[Security] Make sure get_unmapped_area sanity tests are done regardless of
wheater MAP_FIXED is set or not.
See CAN-2005-1265
.
# Excluded from security-only release
# * mm-rmap-out-of-bounds-pte.dpatch
# Stop try_to_unmap_cluster() passing out-of-bounds pte to pte_unmap()
.
* net-bridge-netfilter-etables-smp-race.dpatch
[Security] The patch below fixes an smp race that happens on such
systems under heavy load.
.
Excluded from security-only release
* net-bridge-mangle-oops-1.dpatch, net-bridge-mangle-oops-2.dpatch
Fix oops when mangling and brouting and tcpdumping packets
Needed for net-bridge-forwarding-poison-1.dpatch
.
* net-bridge-forwarding-poison-2.dpatch,
net-bridge-forwarding-poison-2.dpatch:
[Security] Avoid poisoning of the bridge forwarding table by frames that
have been dropped by filtering. This prevents spoofed source addresses on
hostile side of bridge from causing packet leakage, a small but possible
security risk.
.
# Excluded from security-only release
# * net-ipv4-netfilter-ip_queue-deadlock.dpatch
# Fix deadlock with ip_queue and tcp local input path.
.
* net-rose-ndigis-verify.dpatch
[Security] Verify ndigis argument of a new route.
.
* sound-usb-usbaudio-unplug-oops.dpatch
[Security] Prevent oops & dead keyboard on usb unplugging while the device
is being used.
.
* net-ipv4-ipvs-conn_tab-race.dpatch
[Security] Fix race condition on ip_vs_conn_tab list modification
.
# Excluded from security-only release
# * asm-i386-mem-clobber.dpatch:
# Make sure gcc doesn't reorder memory accesses in strncmp and friends on
# i386.
.
# Excluded from security-only release
# * drivers-acpi-pci_irq-elcr.dpatch:
# Make sure we call acpi_register_gsi() even for default PCI interrupt
# assignment. That's the part that keeps track of the ELCR register, and we
# want to make sure that the PCI interrupts are properly marked level/low.
.
* asm-i386-mem-clobber.dpatch:
Make sure netlink_autobind() propagates the error return from
netlink_insert(). Otherwise, callers will not see the error as they
should and thus try to operate on a socket with a zero pid, which is very
bad.
.
* fs-ext3-64bit-offset.dpatch
[Security] Incorrect offset checks for ext3 xattr on 64 bit architectures
can lead to a local DoS.
See CAN-2005-0757. (see: #311164).
.
* arch-x86_64-mm-mmap.dpatch
[Security, x86_64] Compat mode program can hang kernel
See CAN-2005-1765.
.
* arch-ia64-ptrace-getregs-putregs.dpatch
[Security, ia64] Fix unchecked user-memory accesses in ptrace_getregs()
and ptrace_setregs().
.
* arch-ia64-ptrace-restore_sigcontext.dpatch
[Security, ia64] Fix to prevent users from using ptrace to set the pl field
of the ar.rsc register to any value, leading to the
ability to overwrite kernel memory.
Note, this patch requires the arch-ia64-ptrace-getregs-putregs.dpatch
patch to apply cleanly.
See CAN-2005-1761.
.
# Excluded from security-only release
# * Makefile-gcc-3.3.dpatch, control
# Build with gcc-3.3, as gcc-4.0, now the default in unstable,
# fails to build this source. As this tree is primarily
# intended for use with sarge, there seems little point
# in putting in gcc-4.0 fixes, but at the same time,
# there is some value in being able to use it with unstable.
# (Closes: #323059)
.
[ dann frazier ]
* Merge in applicable fixes from 2.6.12.3
- [Security] ppc32-time_offset-misuse.dpatch
# Excluded from security-only release - v4l-cx88-hue-offset-fix.dpatch
# Excluded from security-only release - tty_ldisc_ref-return-null-check.dpatch
.
* Merge in applicable fixes from 2.6.12.4
- [Security] netfilter-NAT-memory-corruption.dpatch
# Excluded from security-only release - netfilter-deadlock-ip6_queue.dpatch
- [Security] ipsec-array-overflow.dpatch See CAN-2005-2456
(See: #321401) (Closes: #321401)
- [Security] netfilter-ip_conntrack_untracked-refcount.dpatch
- [Security] sys_get_thread_area-leak.dpatch
# Excluded from security-only release - rocket_c-fix-ldisc-ref-count.dpatch
# Excluded from security-only release - early-vlan-fix.dpatch
.
[ Simon Horman ]
* fs_ext2_ext3_xattr-sharing.dpatch
[Security] Xattr sharing bug
See http://lists.debian.org/debian-kernel/2005/08/msg00238.html
.
* vlan-mii-ioctl.dpatch
[Security] MII ioctl pass through was passing the wrong device.
See http://lists.osdl.org/pipermail/bridge/2004-September/000638.html
See CAN-2005-2548 (Closes: #309308)
.
* fs-sysfs-read-write-race.dpatch
[Security] Fix race in sysfs_read_file() and sysfs_write_file()
that can lead to a user-space DoS.
See CAN-2004-2302 (Closes: #322339)
.
* net-ipv4-netfilter-ip_recent-last_pkts.dpatch
[Security] Fixes remote DoS when using ipt_recent on a 64 bit machine.
(Closes: #322237)
.
# Excluded from security-only release
# * drivers-sata-promise-sataii_tx2_tx4.dpatch
# Add SATAII TX2 and TX2/TX4 support to sata promise driver
# (Closes: #317286)
.
[ Frederik Schüler ]
* arch-x86_64-mm-ioremap-page-lookup-fix.dpatch
Add build fix for arch-x86_64-mm-ioremap-page-lookup.dpatch
.
[ Simon Horman ]
* arch-x86_64-kernel-stack-faults.dpatch
arch-x86_64-nmi.dpatch
arch-x86_64-private-tss.dpatch
[Security, x86_64] Disable exception stack for stack faults
See CAN-2005-1767
.
* linux-zlib-fixes.dpatch
[Security] Fix security bugs in the Linux zlib implementations.
See CAN-2005-2458, CAN-2005-2459
From 2.6.12.5
http://sources.redhat.com/ml/bug-gnu-utils/1999-06/msg00183.html
http://bugs.gentoo.org/show_bug.cgi?id=94584
.
# Excluded from security-only release
# * zisofs.dpatch
# Check input buffer size in zisofs
# From 2.6.12.5
.
# Excluded from security-only release
# * module-per-cpu-alignment-fix.dpatch
# Module per-cpu alignment cannot always be met
# From 2.6.12.5
Files:
37a61dc966c032d1529e2c2a524c9cfa 1001 devel optional kernel-source-2.6.8_2.6.8-16sarge1.dsc
cd72f4d2eb2309a2d77d2ec7a3471c7c 961237 devel optional kernel-source-2.6.8_2.6.8-16sarge1.diff.gz
309f32838373e76c9b61be0e6c191252 1007230 devel optional kernel-patch-debian-2.6.8_2.6.8-16sarge1_all.deb
65dca34768d7aa10074845d9b2f20431 34934446 devel optional kernel-source-2.6.8_2.6.8-16sarge1_all.deb
5b04fd03ede3ae235a03624dc53e2026 32120 devel optional kernel-tree-2.6.8_2.6.8-16sarge1_all.deb
b7388d2256a4396d2da938a687b3ab9b 6179472 doc optional kernel-doc-2.6.8_2.6.8-16sarge1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iD8DBQFDoOUqA8ACPgVBDpcRAswmAKCuyLvQggukJ2gYUkzc/zwzx8/jLwCgnuwK
tCrTzKYPUDtdLwcJpcDYHjg=
=cfl6
-----END PGP SIGNATURE-----
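The 32-bitism behind #322237, shown here as an added illustration of the bug class rather than as the Debian patch or ipt_recent's own code: a per-address list of packet timestamps whose element type is unsigned long, but whose allocation size is computed with sizeof(u_int32_t). On i386 both types are 4 bytes and nothing goes wrong; on amd64 unsigned long is 8 bytes, so any memset or loop over the whole list writes past the allocation, which is the kind of fault that ends up in __memset as in the oops at the top of this report. The struct, the function names, the bounds check and the list length of 20 are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not ipt_recent's code: one tracked source address
 * and the jiffies of its last `pkt_list_tot` packets. alloc_bytes records
 * how large last_pkts really is so the example can detect an overrun
 * instead of committing it. */
struct recent_entry {
    uint32_t addr;               /* IPv4 address, host byte order */
    unsigned long *last_pkts;    /* timestamps, 8 bytes each on amd64 */
    unsigned int pkt_list_tot;   /* number of timestamps kept */
    size_t alloc_bytes;          /* bytes actually allocated for last_pkts */
};

/* The 32-bitism: the element type is unsigned long, but the size is computed
 * from a 4-byte type. Identical on i386, half the needed size on amd64. */
size_t buggy_alloc_bytes(unsigned int n)
{
    return (size_t)n * sizeof(uint32_t);
}

/* The fix: derive the size from the type the pointer actually points to. */
size_t fixed_alloc_bytes(unsigned int n)
{
    return (size_t)n * sizeof(unsigned long);
}

/* Bytes a whole-list memset (or a loop over all n entries) touches. */
size_t bytes_used(unsigned int n)
{
    return (size_t)n * sizeof(unsigned long);
}

/* Nonzero when the buggy size leaves the list short on this build. */
int buggy_size_overruns(unsigned int n)
{
    return bytes_used(n) > buggy_alloc_bytes(n);
}

/* Allocate the list with either size policy. Returns 0 on success. */
int recent_entry_init(struct recent_entry *e, uint32_t addr,
                      unsigned int n, int use_fix)
{
    size_t bytes = use_fix ? fixed_alloc_bytes(n) : buggy_alloc_bytes(n);

    e->addr = addr;
    e->pkt_list_tot = n;
    e->alloc_bytes = bytes;
    e->last_pkts = malloc(bytes);
    return e->last_pkts ? 0 : -1;
}

/* Bounds-checked stand-in for the memset that zeroes the list. The kernel
 * has no such check and simply wrote past the end; here the overrun is
 * reported as -1 instead. Returns 0 when the clear fits. */
int recent_entry_clear(struct recent_entry *e)
{
    size_t need = bytes_used(e->pkt_list_tot);

    if (need > e->alloc_bytes)
        return -1;
    memset(e->last_pkts, 0, need);
    return 0;
}

void recent_entry_free(struct recent_entry *e)
{
    free(e->last_pkts);
    e->last_pkts = NULL;
}

/* Build an entry with the given policy, try to clear it, and report the
 * clear's result: 0 = fit, -1 = would have overrun, -2 = allocation failed. */
int clear_result(unsigned int n, int use_fix)
{
    struct recent_entry e;
    int rc;

    if (recent_entry_init(&e, 0x0a000001u, n, use_fix) != 0)
        return -2;
    rc = recent_entry_clear(&e);
    recent_entry_free(&e);
    return rc;
}

int main(void)
{
    unsigned int n = 20;    /* list length, an assumed value for the example */

    printf("sizeof(unsigned long)=%zu sizeof(uint32_t)=%zu\n",
           sizeof(unsigned long), sizeof(uint32_t));
    printf("buggy alloc: %zu bytes, needed: %zu bytes, clear -> %d\n",
           buggy_alloc_bytes(n), bytes_used(n), clear_result(n, 0));
    printf("fixed alloc: %zu bytes, needed: %zu bytes, clear -> %d\n",
           fixed_alloc_bytes(n), bytes_used(n), clear_result(n, 1));
    return 0;
}
```

Built natively on amd64 the buggy policy reports a clear result of -1 (the write would have run 80 bytes past an 80-byte allocation); built with gcc -m32, where unsigned long is 4 bytes, both policies fit, which is why the bug stayed invisible on i386. The defensive habit the fixed variant shows is to size allocations from the pointee type (sizeof(*ptr) or the element type itself), never from a type that merely happens to match on the developer's architecture.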
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 18 Jun 2007 01:28:05 GMT)