summaryrefslogtreecommitdiff
blob: 6c84c6826ec320a5bbfd5bdd83e2d5ec6b0b19f2 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
Xen Patches README
------------------

These patches are intended to be stacked on top of genpatches-base.

Many of the patches included here are swiped from various sources which
use their own four digit patch numbering scheme, so we are stuck with five
digits to indiciate the source for easier tracking and re-syncing.

Numbering
---------

0xxxx	Gentoo, not related to Xen. (in case we pull something from extras)
1xxxx	XenSource, upstream Xen patch for 2.6.18
2xxxx	Redhat, we use their Xen patch for >=2.6.20
3xxxx	Debian, we use their security fixes for 2.6.18
5xxxx	Gentoo, Xen and other fixes for Redhat and/or Debian patches.

Patches
-------

10001_xen-3.1.0.patch
    Upstream 3.1.0 patch

30001_nfnetlink_log-null-deref.patch
    [SECURITY] Fix remotely exploitable NULL pointer dereference in
    nfulnl_recv_config()
    See CVE-2007-1496

30002_nf_conntrack-set-nfctinfo.patch
    [SECURITY] Fix incorrect classification of IPv6 fragments as ESTABLISHED,
    which allows remote attackers to bypass certain rulesets
    See CVE-2007-1497

30003_netlink-infinite-recursion.patch
    [SECURITY] Fix infinite recursion bug in netlink
    See CVE-2007-1861

30004_nl_fib_lookup-oops.patch
    Add fix for oops bug added by previous patch

30005_core-dump-unreadable-PT_INTERP.patch
    [SECURITY] Fix a vulnerability that allows local users to read
    otherwise unreadable (but executable) files by triggering a core dump.
    See CVE-2007-0958

30006_appletalk-length-mismatch.patch
    [SECURITY] Fix a remote DoS (crash) in appletalk
    Depends upon bugfix/appletalk-endianness-annotations.patch
    See CVE-2007-1357

30007_cm4040-buffer-overflow.patch
    [SECURITY] Fix a buffer overflow in the Omnikey CardMan 4040 driver
    See CVE-2007-0005

30008_ipv6_fl_socklist-no-share.patch
    [SECURITY] Fix local DoS vulnerability caused by inadvertently sharing
    ipv6_fl_socklist between the listening socket and the socket created
    for connection.
    See CVE-2007-1592

30009_keys-serial-num-collision.patch
    [SECURITY] Fix the key serial number collision avoidance code in
    key_alloc_serial() that could lead to a local DoS (oops).
    (closes: #398470)
    See CVE-2007-0006

30010_ipv6_getsockopt_sticky-null-opt.patch
    [SECURITY] Fix kernel memory leak vulnerability in
    ipv6_getsockopt_sticky() which can be triggered by passing a len < 0.
    See CVE-2007-1000

30011_ipv6_setsockopt-NULL-deref.patch
    [SECURITY] Fix NULL dereference in ipv6_setsockopt that could lead
    to a local DoS (oops).
    See CVE-2007-1388

30012_ipv6-disallow-RH0-by-default.patch
    [SECURITY] Avoid a remote DoS (network amplification between two routers)
    by disabling type0 IPv6 route headers by default. Can be re-enabled via
    a sysctl interface. Thanks to Vlad Yasevich for porting help.

30013_listxattr-mem-corruption.patch
    [SECURITY] Fix userspace corruption vulnerability caused by
    incorrectly promoted return values in bad_inode_ops
    This patch changes the kernel ABI.
    See CVE-2006-5753

30014_bluetooth-l2cap-hci-info-leaks.patch
    [SECURITY] Fix information leaks in setsockopt() implementations
    See CVE-2007-1353

30015_usblcd-limit-memory-consumption.patch
    [SECURITY] limit memory consumption during write in the usblcd driver
    See CVE-2007-3513

30016_pppoe-socket-release-mem-leak.patch
    [SECURITY] fix unpriveleged memory leak when a PPPoE socket is released
    after connect but before PPPIOCGCHAN ioctl is called upon it
    See CVE-2007-2525

30017_nf_conntrack_h323-bounds-checking.patch
    [SECURITY] nf_conntrack_h323: add checking of out-of-range on choices'
    index values
    See CVE-2007-3642

30018_dn_fib-out-of-bounds.patch
    [SECURITY] Fix out of bounds condition in dn_fib_props[]
    See CVE-2007-2172

30019_random-fix-seeding-with-zero-entropy.patch,
30020_random-fix-error-in-entropy-extraction.patch
    [SECURITY] Avoid seeding with the same values at boot time when a
    system has no entropy source and fix a casting error in entropy
    extraction that resulted in slightly less random numbers.
    See CVE-2007-2453

30021_nf_conntrack_sctp-null-deref.patch
    [SECURITY] Fix remotely triggerable NULL pointer dereference
    by sending an unknown chunk type.
    See CVE-2007-2876

30022_i965-secure-batchbuffer.patch
    [SECURITY] Fix i965 secured batchbuffer usage
    See CVE-2007-3851

30023_appletalk-endianness-annotations.patch
    Dependency for 30006_appletalk-length-mismatch.patch.

30024_drm-i965.patch
    Dependency for 30022_i965-secure-batchbuffer.patch

30025_ipv4-fib_props-out-of-bounds.patch
    [SECURITY] Fix a typo which caused fib_props[] to be of the wrong size
    and check for out of bounds condition in index provided by userspace
    See CVE-2007-2172

30026_cifs-fix-sign-settings.patch
    [SECURITY] Fix overriding the server to force signing on caused by
    checking the wrong gloal variable.
    See CVE-2007-3843

30027_cpuset_tasks-underflow.patch
    [SECURITY] Fix integer underflow in /dev/cpuset/tasks which could allow
    local attackers to read sensitive kernel memory if the cpuset filesystem
    is mounted.
    See CVE-2007-2875

30028_random-bound-check-ordering.patch
    [SECURITY] Fix stack-based buffer overflow in the random number
    generator
    See CVE-2007-3105

30030_aacraid-ioctl-perm-check.patch
    [SECURITY] Require admin capabilities to issue ioctls to aacraid devices
    See CVE-2007-4308

30031_ptrace-handle-bogus-selector.patch,
30032_fixup-trace_irq-breakage.patch
    [SECURITY] Handle an invalid LDT segment selector %cs (the xcs field)
    during ptrace single-step operations that can be used to trigger a
    NULL-pointer dereference causing an Oops.
    See CVE-2007-3731

30033_prevent-stack-growth-into-hugetlb-region.patch
    [SECURITY] Prevent OOPS during stack expansion when the VMA crosses
    into address space reserved for hugetlb pages.
    See CVE-2007-3739

30034_cifs-honor-umask.patch
    [SECURITY] Make CIFS honor a process' umask
    See CVE-2007-3740

30035_amd64-zero-extend-32bit-ptrace.patch
    [SECURITY] Zero extend all registers after ptrace in 32-bit entry path.
    See CVE-2007-4573

30036_jffs2-ACL-vs-mode-handling.patch
    [SECURITY] Write correct legacy modes to the medium on inode creation to
    prevent incorrect permissions upon remount.
    See CVE-2007-4849

30037_amd64-zero-extend-32bit-ptrace-xen.patch
    [SECURITY] Zero extend all registers after ptrace in 32-bit entry path
    (Xen).
    See CVE-2007-4573

30038_don-t-leak-nt-bit-into-next-task-xen.patch
    [SECURITY] Don't leak NT bit into next task (Xen).
    See CVE-2006-5755

30039_hugetlb-prio_tree-unit-fix.patch
    [SECURITY] Fix misconversion of hugetlb_vmtruncate_list to prio_tree
    which could be used to trigger a BUG_ON() call in exit_mmap.
    See CVE-2007-4133

30040_usb-pwc-disconnect-block.patch
    [SECURITY] Fix issue with unplugging webcams that use the pwc driver.
    If userspace still has the device open it can result, the driver would
    wait for the device to close, blocking the USB subsystem.
    See CVE-2007-5093

30041_ipv6-disallow-RH0-by-default-2.patch
    Fix ipv6 rfc conformance issue introduced in 2.6.18.dfsg.1-13 by the
    fix for CVE-2007-2242. Thanks to Brian Haley for the patch.
    (closes: Debian #440127)

30042_reset-pdeathsig-on-suid-upstream.patch
    Update fix for CVE-2007-3848 with the patch accepted upstream
    (formerly 30013_reset-pdeathsig-on-suid.patch)

50001_make-install.patch
    Handle make install in a semi-sane way that plays nice with
    split domU/dom0 kernels.

50002_always-enable-xen-genapic.patch
    Compile fix for non-SMP (UP) kernels. Since UP support is broken in
    upstream Xen I'm not sure if I trust it or not. :-P

50007_disable-highpte.patch
    CONFIG_HIGHPTE can cause serious problems so lets save people's
    sanity, avoid killing kittens, and end all war by disabling it.