authorGuillaume Destuynder <kang@gentoo.org>2004-06-30 20:48:19 +0000
committerGuillaume Destuynder <kang@gentoo.org>2004-06-30 20:48:19 +0000
commit0af4b1ec57f8f27a912820d816fd67f387c4f142 (patch)
treed044f01210e6daed877ab7c71365024c38f615e9 /sys-kernel
parentglibc -> libc (Manifest recommit) (diff)
RSBAC JAIL security fix. (#55698) ; iptables dos security fix (#55694)
Diffstat (limited to 'sys-kernel')
-rw-r--r--sys-kernel/rsbac-dev-sources/ChangeLog23
-rw-r--r--sys-kernel/rsbac-dev-sources/Manifest14
-rw-r--r--sys-kernel/rsbac-dev-sources/files/digest-rsbac-dev-sources-2.6.5-r13
-rw-r--r--sys-kernel/rsbac-dev-sources/files/digest-rsbac-dev-sources-2.6.7-r1 (renamed from sys-kernel/rsbac-dev-sources/files/digest-rsbac-dev-sources-2.6.7)0
-rw-r--r--sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources-iptables-dos.patch11
-rw-r--r--sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources-v1.2.3-3.patch10
-rw-r--r--sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources.CAN-2004-0075.patch39
-rw-r--r--sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources.CAN-2004-0228.patch11
-rw-r--r--sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources.CAN-2004-0229.patch11
-rw-r--r--sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources.CAN-2004-0427.patch11
-rw-r--r--sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources.FPULockup-53804.patch24
-rw-r--r--sys-kernel/rsbac-dev-sources/rsbac-dev-sources-2.6.5-r1.ebuild46
-rw-r--r--sys-kernel/rsbac-dev-sources/rsbac-dev-sources-2.6.7-r1.ebuild (renamed from sys-kernel/rsbac-dev-sources/rsbac-dev-sources-2.6.7.ebuild)6
13 files changed, 50 insertions, 159 deletions
diff --git a/sys-kernel/rsbac-dev-sources/ChangeLog b/sys-kernel/rsbac-dev-sources/ChangeLog
index 43b01c3143c1..9f1e5b8d209d 100644
--- a/sys-kernel/rsbac-dev-sources/ChangeLog
+++ b/sys-kernel/rsbac-dev-sources/ChangeLog
@@ -1,9 +1,26 @@
# ChangeLog for sys-kernel/rsbac-dev-sources
# Copyright 2000-2004 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-kernel/rsbac-dev-sources/ChangeLog,v 1.4 2004/06/29 00:08:39 kang Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-kernel/rsbac-dev-sources/ChangeLog,v 1.5 2004/06/30 20:48:19 kang Exp $
-*rsbac-dev-sources-26.7 (28 Jun 2004)
- 28 Jun 2004; <kang@gentoo.org> rsbac-dev-sources-2.6.7.ebuild
+*rsbac-dev-sources-2.6.7-r1 (30 Jun 2004)
+
+ 30 Jun 2004; Guillaume Destuynder <kang@gentoo.org>
+ +rsbac-dev-sources-2.6.7-r1.ebuild,
+ +files/rsbac-dev-sources-v1.2.3-3.patch,
+ +files/rsbac-dev-sources-iptables-dos.patch,
+ -rsbac-dev-sources-2.6.7.ebuild,
+ -rsbac-dev-sources-2.6.5-r1.ebuild,
+ -files/rsbac-dev-sources.CAN-2004-0075.patch,
+ -files/rsbac-dev-sources.CAN-2004-0228.patch,
+ -files/rsbac-dev-sources.CAN-2004-0229.patch,
+ -files/rsbac-dev-sources.CAN-2004-0427.patch,
+ -files/rsbac-dev-sources.FPULockup-53804.patch:
+ Security fix for RSBAC JAIL (rsbac.org ; #55698)
+ Security fix for 2.6.x iptables dos (#55694)
+
+*rsbac-dev-sources-2.6.7 (28 Jun 2004)
+
+ 28 Jun 2004; Guillaume Destuynder <kang@gentoo.org> +rsbac-dev-sources-2.6.7.ebuild
Version bump. Includes hardened 2.6.7 patches and latest PaX.
*rsbac-dev-sources-2.6.5-r1 (14 Jun 2004)
diff --git a/sys-kernel/rsbac-dev-sources/Manifest b/sys-kernel/rsbac-dev-sources/Manifest
index 5f72c0af3d2d..ac44da3dddc0 100644
--- a/sys-kernel/rsbac-dev-sources/Manifest
+++ b/sys-kernel/rsbac-dev-sources/Manifest
@@ -1,11 +1,7 @@
MD5 fee9abc7797fef753c42454679bae9a7 metadata.xml 456
-MD5 308c2f4678bc7df06378a3bfaac5c403 rsbac-dev-sources-2.6.5-r1.ebuild 1737
-MD5 623fa779838d11ccd52bcd58cd69b917 rsbac-dev-sources-2.6.7.ebuild 1132
-MD5 1c8c4fe938bc1094372cad72e4952aa7 ChangeLog 1148
-MD5 df80f2b0e3e4b832b26e59c30042bb4a files/digest-rsbac-dev-sources-2.6.5-r1 210
-MD5 6f4bba5dda7a99d77b1564f5489fef6e files/rsbac-dev-sources.CAN-2004-0075.patch 1129
-MD5 1dd59d14a720c0c23e47e28d0b4fd6f9 files/rsbac-dev-sources.CAN-2004-0228.patch 437
-MD5 a92712e41465c49670ef7a54c2d16040 files/rsbac-dev-sources.CAN-2004-0229.patch 471
-MD5 5674421c7e2c7e50e2509bed7d96c4d4 files/rsbac-dev-sources.CAN-2004-0427.patch 332
-MD5 02c062ec3a11a6a1498cdf0b1716c90a files/rsbac-dev-sources.FPULockup-53804.patch 895
+MD5 0bbf391f5c53a209b04dfd942e2c60ea ChangeLog 1807
+MD5 fd960b32202a81e44cc3e9281a1071fe rsbac-dev-sources-2.6.7-r1.ebuild 1315
MD5 ff6ffe7543ce01c98eb4ca1c8d9ca1c3 files/digest-rsbac-dev-sources-2.6.7 205
+MD5 a869ab037c7e264df5f8e899864f08e9 files/rsbac-dev-sources-v1.2.3-3.patch 557
+MD5 6451bd210935a3978fd3a3edac673591 files/rsbac-dev-sources-iptables-dos.patch 389
+MD5 ff6ffe7543ce01c98eb4ca1c8d9ca1c3 files/digest-rsbac-dev-sources-2.6.7-r1 205
diff --git a/sys-kernel/rsbac-dev-sources/files/digest-rsbac-dev-sources-2.6.5-r1 b/sys-kernel/rsbac-dev-sources/files/digest-rsbac-dev-sources-2.6.5-r1
deleted file mode 100644
index 60e446567061..000000000000
--- a/sys-kernel/rsbac-dev-sources/files/digest-rsbac-dev-sources-2.6.5-r1
+++ /dev/null
@@ -1,3 +0,0 @@
-MD5 9a76bf64c1151369b250f967d83077aa linux-2.6.5.tar.bz2 34684611
-MD5 0cceda57d9cae4794fe1b99e2153d2c5 rsbac-v1.2.3-pre5.tar.bz2 482975
-MD5 53c8bd1e1b5847527eb731eaba6b00a7 rsbac-patches-2.6-5.3.tar.bz2 104985
diff --git a/sys-kernel/rsbac-dev-sources/files/digest-rsbac-dev-sources-2.6.7 b/sys-kernel/rsbac-dev-sources/files/digest-rsbac-dev-sources-2.6.7-r1
index 89b064e672f0..89b064e672f0 100644
--- a/sys-kernel/rsbac-dev-sources/files/digest-rsbac-dev-sources-2.6.7
+++ b/sys-kernel/rsbac-dev-sources/files/digest-rsbac-dev-sources-2.6.7-r1
diff --git a/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources-iptables-dos.patch b/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources-iptables-dos.patch
new file mode 100644
index 000000000000..9eb1c3cd1667
--- /dev/null
+++ b/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources-iptables-dos.patch
@@ -0,0 +1,11 @@
+--- net/ipv4/netfilter/ip_tables.c.ski 2004-06-30 22:33:38.890839488 +0200
++++ net/ipv4/netfilter/ip_tables.c 2004-06-30 22:34:27.547442560 +0200
+@@ -1458,7 +1458,7 @@
+ int *hotdrop)
+ {
+ /* tcp.doff is only 4 bits, ie. max 15 * 4 bytes */
+- char opt[60 - sizeof(struct tcphdr)];
++ u_int8_t opt[60 - sizeof(struct tcphdr)];
+ unsigned int i;
+
+ duprintf("tcp_match: finding option\n");
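Review bot: The new patch file carries no header stating where it came from or what it fixes; the bare hunk changes `char opt[60 - sizeof(struct tcphdr)];` to `u_int8_t opt[60 - sizeof(struct tcphdr)];` in the TCP match code, and nothing in the file ties it to bug #55694 named in the commit message. A leading line such as `# iptables TCP option parsing DoS fix, Gentoo bug #55694` placed before the `---` line is ignored by patch and gives maintainers provenance. The paths are also written without a tree prefix (`net/ipv4/netfilter/ip_tables.c`), unlike the other patch added in this commit, so application relies on unipatch probing strip levels; a consistent one-component prefix on both new patches would avoid that dependence.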
diff --git a/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources-v1.2.3-3.patch b/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources-v1.2.3-3.patch
new file mode 100644
index 000000000000..90484797584c
--- /dev/null
+++ b/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources-v1.2.3-3.patch
@@ -0,0 +1,10 @@
+--- linux-2.4.26-rsbac-v1.2.3/rsbac/adf/jail/jail_main.c.sik 2004-06-08 11:37:30.000000000 +0200
++++ linux-2.4.26-rsbac-v1.2.3/rsbac/adf/jail/jail_main.c 2004-06-30 09:27:42.000000000 +0200
+@@ -396,6 +396,7 @@
+ if( (attr == A_create_data)
+ && ( S_ISCHR(attr_val.create_data.mode)
+ || S_ISBLK(attr_val.create_data.mode)
++ || (attr_val.create_data.mode & (S_ISUID | S_ISGID))
+ )
+ )
+ return NOT_GRANTED;
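Review bot: The patch header names a `linux-2.4.26-rsbac-v1.2.3` tree while the ebuild this commit wires it into targets 2.6.7, so it applies only if `rsbac/adf/jail/jail_main.c` in the RSBAC sources used for 2.6 still has the same context around line 396 — worth confirming against the tarball the 2.6.7-r1 ebuild unpacks. The added condition extends the JAIL create-time check so that a requested mode with `S_ISUID | S_ISGID` set is refused alongside character and block devices; the file should say so, e.g. a leading line `# RSBAC 1.2.3 JAIL fix: refuse creation of setuid/setgid files inside a jail (rsbac.org, Gentoo bug #55698)`. Whether the same restriction is enforced when the mode of an existing file is changed through a different attribute is not visible from this hunk and should be checked in the rest of jail_main.c before treating #55698 as closed.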
diff --git a/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources.CAN-2004-0075.patch b/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources.CAN-2004-0075.patch
deleted file mode 100644
index e131c957cb0a..000000000000
--- a/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources.CAN-2004-0075.patch
+++ /dev/null
@@ -1,39 +0,0 @@
---- linux-2.6.6-rc1/drivers/usb/media/vicam.c 2004-04-15 11:18:18.000000000 +0200
-+++ linux-2.6.6-rc1-mich/drivers/usb/media/vicam.c 2004-04-15 11:50:02.791604312 +0200
-@@ -612,15 +612,20 @@ vicam_ioctl(struct inode *inode, struct
-
- case VIDIOCSPICT:
- {
-- struct video_picture *vp = (struct video_picture *) arg;
--
-- DBG("VIDIOCSPICT depth = %d, pal = %d\n", vp->depth,
-- vp->palette);
-+ struct video_picture vp;
-+
-+ if (copy_from_user(&vp, arg, sizeof(vp))) {
-+ retval = -EFAULT;
-+ break;
-+ }
-+
-+ DBG("VIDIOCSPICT depth = %d, pal = %d\n", vp.depth,
-+ vp.palette);
-
-- cam->gain = vp->brightness >> 8;
-+ cam->gain = vp.brightness >> 8;
-
-- if (vp->depth != 24
-- || vp->palette != VIDEO_PALETTE_RGB24)
-+ if (vp.depth != 24
-+ || vp.palette != VIDEO_PALETTE_RGB24)
- retval = -EINVAL;
-
- break;
-@@ -659,7 +659,7 @@
- {
-
- struct video_window *vw = (struct video_window *) arg;
-- DBG("VIDIOCSWIN %d x %d\n", vw->width, vw->height);
-+ DBG("VIDIOCSWIN %d x %d\n", vw.width, vw.height);
-
- if ( vw->width != 320 || vw->height != 240 )
- retval = -EFAULT;
diff --git a/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources.CAN-2004-0228.patch b/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources.CAN-2004-0228.patch
deleted file mode 100644
index 746ade9ab1c0..000000000000
--- a/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources.CAN-2004-0228.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- linux-2.6.3/drivers/cpufreq/cpufreq_userspace.c.overflow 2004-02-18 04:57:16.000000000 +0100
-+++ linux-2.6.3/drivers/cpufreq/cpufreq_userspace.c 2004-05-14 11:40:37.000000000 +0200
-@@ -168,7 +168,7 @@ cpufreq_procctl(ctl_table *ctl, int writ
- {
- char buf[16], *p;
- int cpu = (int) ctl->extra1;
-- int len, left = *lenp;
-+ unsigned int len, left = *lenp;
-
- if (!left || (filp->f_pos && !write) || !cpu_online(cpu)) {
- *lenp = 0;
diff --git a/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources.CAN-2004-0229.patch b/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources.CAN-2004-0229.patch
deleted file mode 100644
index 2b6dfff88e25..000000000000
--- a/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources.CAN-2004-0229.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- linux-2.6.3/drivers/video/fbmem.c.zy67 2004-04-23 07:32:22.000000000 -0400
-+++ linux-2.6.3/drivers/video/fbmem.c 2004-04-23 07:33:09.000000000 -0400
-@@ -1042,7 +1042,7 @@
- case FBIOGETCMAP:
- if (copy_from_user(&cmap, (void *) arg, sizeof(cmap)))
- return -EFAULT;
-- return (fb_copy_cmap(&info->cmap, &cmap, 0));
-+ return (fb_copy_cmap(&info->cmap, &cmap, 2));
- case FBIOPAN_DISPLAY:
- if (copy_from_user(&var, (void *) arg, sizeof(var)))
- return -EFAULT;
diff --git a/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources.CAN-2004-0427.patch b/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources.CAN-2004-0427.patch
deleted file mode 100644
index adadefd53db2..000000000000
--- a/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources.CAN-2004-0427.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- linux-2.6.3/kernel/fork.c.zy64 2004-04-21 12:26:51.000000000 -0400
-+++ linux-2.6.3/kernel/fork.c 2004-04-21 12:29:34.000000000 -0400
-@@ -1073,6 +1073,8 @@
- exit_namespace(p);
- bad_fork_cleanup_mm:
- exit_mm(p);
-+ if (p->active_mm)
-+ mmdrop(p->active_mm);
- bad_fork_cleanup_signal:
- exit_signal(p);
- bad_fork_cleanup_sighand:
diff --git a/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources.FPULockup-53804.patch b/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources.FPULockup-53804.patch
deleted file mode 100644
index a813f48ec23b..000000000000
--- a/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources.FPULockup-53804.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-diff -Nru a/include/asm-i386/i387.h b/include/asm-i386/i387.h
---- a/include/asm-i386/i387.h 2004-05-06 12:26:10 -07:00
-+++ b/include/asm-i386/i387.h 2004-06-12 19:12:23 -07:00
-@@ -51,7 +51,7 @@
- #define __clear_fpu( tsk ) \
- do { \
- if ((tsk)->thread_info->status & TS_USEDFPU) { \
-- asm volatile("fwait"); \
-+ asm volatile("fnclex ; fwait"); \
- (tsk)->thread_info->status &= ~TS_USEDFPU; \
- stts(); \
- } \
-diff -Nru a/include/asm-x86_64/i387.h b/include/asm-x86_64/i387.h
---- a/include/asm-x86_64/i387.h 2004-06-13 20:43:56.742530792 +0100
-+++ a/include/asm-x86_64/i387.h 2004-06-13 20:42:59.200278544 +0100
-@@ -46,7 +46,7 @@
-
- #define clear_fpu(tsk) do { \
- if ((tsk)->thread_info->status & TS_USEDFPU) { \
-- asm volatile("fwait"); \
-+ asm volatile("fnclex; fwait"); \
- (tsk)->thread_info->status &= ~TS_USEDFPU; \
- stts(); \
- } \
diff --git a/sys-kernel/rsbac-dev-sources/rsbac-dev-sources-2.6.5-r1.ebuild b/sys-kernel/rsbac-dev-sources/rsbac-dev-sources-2.6.5-r1.ebuild
deleted file mode 100644
index 0846bb2f7115..000000000000
--- a/sys-kernel/rsbac-dev-sources/rsbac-dev-sources-2.6.5-r1.ebuild
+++ /dev/null
@@ -1,46 +0,0 @@
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-kernel/rsbac-dev-sources/rsbac-dev-sources-2.6.5-r1.ebuild,v 1.2 2004/06/24 23:01:08 agriffis Exp $
-
-IUSE=""
-ETYPE="sources"
-inherit kernel-2
-detect_version
-
-# rsbac
-RSBACV=1.2.3
-REL="-pre5"
-RSBAC_SRC="mirror://rsbac-v${RSBACV}${REL}.tar.bz2 http://zeus.polsl.gliwice.pl/~albeiro/rsbac/v$RSBACV/rsbac-v${RSBACV}${REL}.tar.bz2"
-
-# rsbac kernel patches
-RGPV=5.3
-RGPV_SRC="mirror://rsbac-patches-${KV_MAJOR}.${KV_MINOR}-${RGPV}.tar.bz2 http://zeus.polsl.gliwice.pl/~albeiro/rsbac/v${RSBACV}/rsbac-patches-${KV_MAJOR}.${KV_MINOR}-${RGPV}.tar.bz2"
-
-UNIPATCH_STRICTORDER="yes"
-# exclude 12xx grsec and 13xx selinux patches
-UNIPATCH_EXCLUDE="12 13"
-UNIPATCH_LIST="${DISTDIR}/rsbac-patches-${KV_MAJOR}.${KV_MINOR}-${RGPV}.tar.bz2
- ${FILESDIR}/${PN}.CAN-2004-0075.patch
- ${FILESDIR}/${PN}.CAN-2004-0228.patch
- ${FILESDIR}/${PN}.CAN-2004-0229.patch
- ${FILESDIR}/${PN}.CAN-2004-0427.patch
- ${FILESDIR}/${PN}.FPULockup-53804.patch"
-UNIPATCH_DOCS="${WORKDIR}/patches/rsbac-patches-${KV_MAJOR}.${KV_MINOR}-${RGPV}/0000_README"
-
-HOMEPAGE="http://www.gentoo.org/proj/en/hardened/rsbac"
-DESCRIPTION="RSBAC hardened sources for the ${KV_MAJOR}.${KV_MINOR} kernel tree"
-
-SRC_URI="${KERNEL_URI} ${RSBAC_SRC} ${RGPV_SRC} ${GPV_SRC}"
-KEYWORDS="~x86"
-
-src_unpack() {
- universal_unpack
- (cd ${WORKDIR}/linux-${KV}; unpack rsbac-v${RSBACV}${REL}.tar.bz2)
- [ -n "${UNIPATCH_LIST}" -o -n "${UNIPATCH_LIST_DEFAULT}" ] && unipatch "${UNIPATCH_LIST_DEFAULT} ${UNIPATCH_LIST}"
- [ -z "${K_NOSETEXTRAVERSION}" ] && unpack_set_extraversion
- [ $(kernel_is_2_4) $? == 0 ] && unpack_2_4
-}
-
-pkg_postinst() {
- postinst_sources
-}
diff --git a/sys-kernel/rsbac-dev-sources/rsbac-dev-sources-2.6.7.ebuild b/sys-kernel/rsbac-dev-sources/rsbac-dev-sources-2.6.7-r1.ebuild
index 80c0d339c85d..f9d3a8ba3071 100644
--- a/sys-kernel/rsbac-dev-sources/rsbac-dev-sources-2.6.7.ebuild
+++ b/sys-kernel/rsbac-dev-sources/rsbac-dev-sources-2.6.7-r1.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2004 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-kernel/rsbac-dev-sources/rsbac-dev-sources-2.6.7.ebuild,v 1.1 2004/06/29 00:08:39 kang Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-kernel/rsbac-dev-sources/rsbac-dev-sources-2.6.7-r1.ebuild,v 1.1 2004/06/30 20:48:19 kang Exp $
IUSE=""
ETYPE="sources"
@@ -16,7 +16,9 @@ RGPV=7.1
RGPV_SRC="mirror://rsbac-patches-${KV_MAJOR}.${KV_MINOR}-${RGPV}.tar.bz2"
UNIPATCH_STRICTORDER="yes"
-UNIPATCH_LIST="${DISTDIR}/rsbac-patches-${KV_MAJOR}.${KV_MINOR}-${RGPV}.tar.bz2"
+UNIPATCH_LIST="${FILESDIR}/${PN}-iptables-dos.patch
+ ${DISTDIR}/rsbac-patches-${KV_MAJOR}.${KV_MINOR}-${RGPV}.tar.bz2
+ ${FILESDIR}/${PN}-v1.2.3-3.patch"
UNIPATCH_DOCS="${WORKDIR}/patches/rsbac-patches-${KV_MAJOR}.${KV_MINOR}-${RGPV}/0000_README"
HOMEPAGE="http://hardened.gentoo.org/rsbac/"
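Review bot: `${FILESDIR}/${PN}-v1.2.3-3.patch` modifies `rsbac/adf/jail/jail_main.c`, which comes from the RSBAC tarball rather than the kernel tarball, so under `UNIPATCH_STRICTORDER="yes"` it applies only if src_unpack places the RSBAC sources into the tree before unipatch runs — the deleted 2.6.5-r1 ebuild did this explicitly in its own src_unpack, but the 2.6.7-r1 src_unpack is outside this hunk and needs confirming. The list also no longer carries the five patches deleted elsewhere in this commit (CAN-2004-0075/0228/0229/0427 and FPULockup-53804), which is correct only if vanilla 2.6.7 already contains those fixes; a sentence in the ChangeLog saying so would save the next maintainer from re-checking. A comment above the list such as `# iptables-dos: #55694 (vanilla tree); v1.2.3-3: RSBAC JAIL fix #55698, applies to the RSBAC sources` would document why the order matters.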