Dear Security Team, Please could we upload to wheezy-security as in the attached debdiff, using upstream's patch to fix CVE-2013-4851 / Bug#717958 in kfreebsd-9.
Thanks, Regards, -- Steven Chamberlain ste...@pyro.eu.org
diff -Nru kfreebsd-9-9.0/debian/changelog kfreebsd-9-9.0/debian/changelog --- kfreebsd-9-9.0/debian/changelog 2013-06-23 14:47:37.000000000 +0100 +++ kfreebsd-9-9.0/debian/changelog 2013-07-28 19:34:25.000000000 +0100 @@ -1,3 +1,11 @@ +kfreebsd-9 (9.0-10+deb70.3) wheezy-security; urgency=high + + * Team upload. + * Pick SVN 253693 from FreeBSD 9-STABLE to fix SA-13:08 / CVE-2013-4851: + Incorrect privilege validation in the NFS server (Closes: #717958) + + -- Steven Chamberlain <ste...@pyro.eu.org> Sun, 28 Jul 2013 18:15:26 +0100 + kfreebsd-9 (9.0-10+deb70.2) wheezy-security; urgency=high * Team upload. diff -Nru kfreebsd-9-9.0/debian/patches/SA-13_08.nfsserver.patch kfreebsd-9-9.0/debian/patches/SA-13_08.nfsserver.patch --- kfreebsd-9-9.0/debian/patches/SA-13_08.nfsserver.patch 1970-01-01 01:00:00.000000000 +0100 +++ kfreebsd-9-9.0/debian/patches/SA-13_08.nfsserver.patch 2013-07-28 19:30:16.000000000 +0100 @@ -0,0 +1,23 @@ +Description: + Fix a bug that allows remote client bypass the normal + access checks when when -network or -host restrictions + are used at the same time with -mapall. [13:08] + (CVE-2013-4851) +Origin: vendor, http://security.FreeBSD.org/patches/SA-13:08/nfsserver.patch +Bug: http://www.freebsd.org/security/advisories/FreeBSD-SA-13:08.nfsserver.asc +Bug-Debian: http://bugs.debian.org/717958 +Applied-Upstream: http://svnweb.freebsd.org/base?view=revision&revision=253693 + +Index: kfreebsd-9-9.0/sys/kern/vfs_export.c +=================================================================== +--- kfreebsd-9-9.0.orig/sys/kern/vfs_export.c 2009-09-28 19:07:16.000000000 +0100 ++++ kfreebsd-9-9.0/sys/kern/vfs_export.c 2013-07-28 18:13:25.223547283 +0100 +@@ -208,7 +208,7 @@ + np->netc_anon = crget(); + np->netc_anon->cr_uid = argp->ex_anon.cr_uid; + crsetgroups(np->netc_anon, argp->ex_anon.cr_ngroups, +- np->netc_anon->cr_groups); ++ argp->ex_anon.cr_groups); + np->netc_anon->cr_prison = &prison0; + prison_hold(np->netc_anon->cr_prison); + np->netc_numsecflavors = argp->ex_numsecflavors; diff -Nru kfreebsd-9-9.0/debian/patches/series kfreebsd-9-9.0/debian/patches/series --- kfreebsd-9-9.0/debian/patches/series 2013-06-23 14:47:37.000000000 +0100 +++ kfreebsd-9-9.0/debian/patches/series 2013-07-28 19:30:16.000000000 +0100 @@ -10,6 +10,7 @@ SA-12_08.linux.patch SA-13_05.nfsserver.patch SA-13_06.mmap.patch +SA-13_08.nfsserver.patch # Other patches that might or might not be mergeable 001_misc.diff
