Xen Patches README
------------------
These patches are intended to be stacked on top of genpatches-base.
Many of the patches included here are swiped from various sources which
use their own four-digit patch numbering scheme, so we are stuck with five
digits to indicate the source for easier tracking and re-syncing.
Numbering
---------
0xxxx Gentoo, not related to Xen. (in case we pull something from extras)
1xxxx XenSource, upstream Xen patch for 2.6.18
2xxxx Redhat, we use their Xen patch for >=2.6.20
3xxxx Debian, we use their security fixes for 2.6.18
5xxxx Gentoo, Xen and other fixes for Redhat and/or Debian patches.
Patches
-------
10001_xen-3.2.0.patch
    Upstream 3.2.0 patch

30001_nfnetlink_log-null-deref.patch
    [SECURITY] Fix remotely exploitable NULL pointer dereference in
    nfulnl_recv_config()
    See CVE-2007-1496

30002_nf_conntrack-set-nfctinfo.patch
    [SECURITY] Fix incorrect classification of IPv6 fragments as ESTABLISHED,
    which allows remote attackers to bypass certain rulesets
    See CVE-2007-1497

30003_netlink-infinite-recursion.patch
    [SECURITY] Fix infinite recursion bug in netlink
    See CVE-2007-1861

30004_nl_fib_lookup-oops.patch
    Add fix for oops bug added by previous patch

30005_core-dump-unreadable-PT_INTERP.patch
    [SECURITY] Fix a vulnerability that allows local users to read
    otherwise unreadable (but executable) files by triggering a core dump.
    See CVE-2007-0958

30006_appletalk-length-mismatch.patch
    [SECURITY] Fix a remote DoS (crash) in appletalk
    Depends upon bugfix/appletalk-endianness-annotations.patch
    See CVE-2007-1357

30007_cm4040-buffer-overflow.patch
    [SECURITY] Fix a buffer overflow in the Omnikey CardMan 4040 driver
    See CVE-2007-0005

30008_ipv6_fl_socklist-no-share.patch
    [SECURITY] Fix local DoS vulnerability caused by inadvertently sharing
    ipv6_fl_socklist between the listening socket and the socket created
    for connection.
    See CVE-2007-1592

30009_keys-serial-num-collision.patch
    [SECURITY] Fix the key serial number collision avoidance code in
    key_alloc_serial() that could lead to a local DoS (oops).
    (closes: #398470)
    See CVE-2007-0006

30010_ipv6_getsockopt_sticky-null-opt.patch
    [SECURITY] Fix kernel memory leak vulnerability in
    ipv6_getsockopt_sticky() which can be triggered by passing a len < 0.
    See CVE-2007-1000

30011_ipv6_setsockopt-NULL-deref.patch
    [SECURITY] Fix NULL dereference in ipv6_setsockopt that could lead
    to a local DoS (oops).
    See CVE-2007-1388

30012_ipv6-disallow-RH0-by-default.patch
    [SECURITY] Avoid a remote DoS (network amplification between two routers)
    by disabling type0 IPv6 route headers by default. Can be re-enabled via
    a sysctl interface. Thanks to Vlad Yasevich for porting help.

30013_listxattr-mem-corruption.patch
    [SECURITY] Fix userspace corruption vulnerability caused by
    incorrectly promoted return values in bad_inode_ops
    This patch changes the kernel ABI.
    See CVE-2006-5753

30014_bluetooth-l2cap-hci-info-leaks.patch
    [SECURITY] Fix information leaks in setsockopt() implementations
    See CVE-2007-1353

30015_usblcd-limit-memory-consumption.patch
    [SECURITY] Limit memory consumption during write in the usblcd driver
    See CVE-2007-3513

30016_pppoe-socket-release-mem-leak.patch
    [SECURITY] Fix unprivileged memory leak when a PPPoE socket is released
    after connect but before the PPPIOCGCHAN ioctl is called upon it
    See CVE-2007-2525

30017_nf_conntrack_h323-bounds-checking.patch
    [SECURITY] nf_conntrack_h323: add checking of out-of-range on choices'
    index values
    See CVE-2007-3642

30018_dn_fib-out-of-bounds.patch
    [SECURITY] Fix out of bounds condition in dn_fib_props[]
    See CVE-2007-2172

30019_random-fix-seeding-with-zero-entropy.patch,
30020_random-fix-error-in-entropy-extraction.patch
    [SECURITY] Avoid seeding with the same values at boot time when a
    system has no entropy source and fix a casting error in entropy
    extraction that resulted in slightly less random numbers.
    See CVE-2007-2453

30021_nf_conntrack_sctp-null-deref.patch
    [SECURITY] Fix remotely triggerable NULL pointer dereference
    by sending an unknown chunk type.
    See CVE-2007-2876

30022_i965-secure-batchbuffer.patch
    [SECURITY] Fix i965 secured batchbuffer usage
    See CVE-2007-3851

30023_appletalk-endianness-annotations.patch
    Dependency for 30006_appletalk-length-mismatch.patch.

30024_drm-i965.patch
    Dependency for 30022_i965-secure-batchbuffer.patch

30025_ipv4-fib_props-out-of-bounds.patch
    [SECURITY] Fix a typo which caused fib_props[] to be of the wrong size
    and check for out of bounds condition in index provided by userspace
    See CVE-2007-2172

30026_cifs-fix-sign-settings.patch
    [SECURITY] Fix overriding the server to force signing on caused by
    checking the wrong global variable.
    See CVE-2007-3843

30027_cpuset_tasks-underflow.patch
    [SECURITY] Fix integer underflow in /dev/cpuset/tasks which could allow
    local attackers to read sensitive kernel memory if the cpuset filesystem
    is mounted.
    See CVE-2007-2875

30028_random-bound-check-ordering.patch
    [SECURITY] Fix stack-based buffer overflow in the random number
    generator
    See CVE-2007-3105

30030_aacraid-ioctl-perm-check.patch
    [SECURITY] Require admin capabilities to issue ioctls to aacraid devices
    See CVE-2007-4308

30031_ptrace-handle-bogus-selector.patch,
30032_fixup-trace_irq-breakage.patch
    [SECURITY] Handle an invalid LDT segment selector %cs (the xcs field)
    during ptrace single-step operations that can be used to trigger a
    NULL-pointer dereference causing an Oops.
    See CVE-2007-3731

30033_prevent-stack-growth-into-hugetlb-region.patch
    [SECURITY] Prevent OOPS during stack expansion when the VMA crosses
    into address space reserved for hugetlb pages.
    See CVE-2007-3739

30034_cifs-honor-umask.patch
    [SECURITY] Make CIFS honor a process' umask
    See CVE-2007-3740

30035_amd64-zero-extend-32bit-ptrace.patch
    [SECURITY] Zero extend all registers after ptrace in 32-bit entry path.
    See CVE-2007-4573

30036_jffs2-ACL-vs-mode-handling.patch
    [SECURITY] Write correct legacy modes to the medium on inode creation to
    prevent incorrect permissions upon remount.
    See CVE-2007-4849

30039_hugetlb-prio_tree-unit-fix.patch
    [SECURITY] Fix misconversion of hugetlb_vmtruncate_list to prio_tree
    which could be used to trigger a BUG_ON() call in exit_mmap.
    See CVE-2007-4133

30040_usb-pwc-disconnect-block.patch
    [SECURITY] Fix issue with unplugging webcams that use the pwc driver.
    If userspace still had the device open, the driver would wait for the
    device to be closed, blocking the USB subsystem.
    See CVE-2007-5093

30041_ipv6-disallow-RH0-by-default-2.patch
    Fix ipv6 rfc conformance issue introduced in 2.6.18.dfsg.1-13 by the
    fix for CVE-2007-2242. Thanks to Brian Haley for the patch.
    (closes: Debian #440127)

/* This is already in Xen 3.2
30042_reset-pdeathsig-on-suid-upstream.patch
    Update fix for CVE-2007-3848 with the patch accepted upstream
    (formerly 30013_reset-pdeathsig-on-suid.patch)
*/

30043_don-t-leak-nt-bit-into-next-task-xen.patch
    [SECURITY] Don't leak NT bit into next task (Xen).
    See CVE-2006-5755

30044_cifs-better-failed-mount-errors.patch,
30045_cifs-corrupt-server-response-overflow.patch
    [SECURITY][CIFS] Fix multiple overflows that can be remotely triggered
    by a server sending a corrupt response.
    See CVE-2007-5904

30046_wait_task_stopped-hang.patch
    [SECURITY] wait_task_stopped was incorrectly testing for TASK_TRACED;
    check p->exit_state instead, avoiding a potential system hang
    See CVE-2007-5500

30047_ieee80211-underflow.patch
    [SECURITY] Fix integer overflow in ieee80211 which makes it possible
    for a malicious frame to crash a system using a driver built on top of
    the Linux 802.11 wireless code.
    See CVE-2007-4997

30048_sysfs_readdir-NULL-deref-1.patch,
30049_sysfs_readdir-NULL-deref-2.patch,
30050_sysfs-fix-condition-check.patch
    [SECURITY] Fix potential NULL pointer dereference which can lead to
    a local DoS (kernel oops)
    See CVE-2007-3104

30051_tmpfs-restore-clear_highpage.patch
    [SECURITY] Fix a theoretical kernel memory leak in the tmpfs filesystem
    See CVE-2007-6417

30052_minixfs-printk-hang.patch
    [SECURITY] Rate-limit printks caused by accessing a corrupted minixfs
    filesystem that would otherwise cause a system to hang (printk storm)
    See CVE-2006-6058

30053_hrtimer-large-relative-timeouts-overflow.patch
    [SECURITY] Avoid overflow in hrtimers due to large relative timeouts
    See CVE-2007-5966

30054_coredump-only-to-same-uid.patch
    [SECURITY] Fix an issue where core dumping over a file that
    already exists retains the ownership of the original file
    See CVE-2007-6206

30055_isdn-net-overflow.patch
    [SECURITY] Fix potential overflows in the ISDN subsystem
    See CVE-2007-6063

30056_proc-snd-page-alloc-mem-leak.patch
    [SECURITY][ABI Changer] Fix an issue in the alsa subsystem that allows a
    local user to read potentially sensitive kernel memory from the proc
    filesystem
    See CVE-2007-4571

30057_fat-move-ioctl-compat-code.patch
30058_bugfix/fat-fix-compat-ioctls.patch
    [SECURITY][ABI Changer] Fix kernel_dirent corruption in the compat layer
    for fat ioctls
    See CVE-2007-2878

30059_vfs-use-access-mode-flag.patch
    [SECURITY] Use the access mode flag instead of the open flag when
    testing access mode for a directory. Modify
    features/all/vserver/vs2.0.2.2-rc9.patch to apply on top of this
    See CVE-2008-0001

30060_i4l-isdn_ioctl-mem-overrun.patch
    [SECURITY] Fix potential isdn ioctl memory overrun
    See CVE-2007-6151

30061_vmsplice-security.patch
    [SECURITY] Fix missing access check in vmsplice.
    See CVE-2008-0010, CVE-2008-0600

30062_clear-spurious-irq.patch
    Fix a minor denial of service issue that allows local users to disable
    an interrupt by causing an interrupt handler to be quickly inserted/removed.
    This has only been shown to happen with certain serial devices so can only
    be triggered by a user who already has additional privileges (dialout
    group). (closes: Debian #404815)

30063_mmap-VM_DONTEXPAND.patch
    [SECURITY] Add VM_DONTEXPAND to vm_flags in drivers that register
    a fault handler but do not bounds check the offset argument
    See CVE-2008-0007

30064_RLIMIT_CPU-earlier-checking.patch
    [SECURITY] Move check for an RLIMIT_CPU with a value of 0 earlier
    to prevent a user escape (closes: #419706)
    See CVE-2008-1294

30065_dnotify-race.patch
    [SECURITY] Fix a race in the directory notify
    See CVE-2008-1375

30066_fcntl_setlk-close-race.patch
    [SECURITY] Fix an SMP race to prevent reordering of flock updates
    and accesses to the descriptor table on close().
    See CVE-2008-1669

30067_sit-missing-kfree_skb-on-pskb_may_pull.patch
    [SECURITY] Fix remotely-triggerable memory leak in the Simple
    Internet Transition (SIT) code used for IPv6 over IPv4 tunnels
    See CVE-2008-2136

30068_hrtimer-prevent-overrun.patch
30069_ktime-fix-MTIME_SEC_MAX-on-32-bit.patch
    [SECURITY] Fix potential infinite loop in hrtimer_forward on
    64-bit systems
    See CVE-2007-6712

30070_amd64-cs-corruption.patch
    [SECURITY] Fix local ptrace denial of service for amd64 flavor
    kernels, bug #480390
    See CVE-2008-1615

30071_dccp-feature-length-check.patch
    [SECURITY] Validate feature length to avoid heap overflow
    See CVE-2008-2358

30072_asn1-ber-decoding-checks.patch
    [SECURITY] Validate lengths in ASN.1 decoding code to avoid
    heap overflow
    See CVE-2008-1673

50009_gentooify-tls-warning.patch
    Change tls warning instructions to apply directly to Gentoo.