Hi Robert,

On 23/08/13 14:26, Aurelien Jarno via RT wrote:
> The debdiff looks fine to me. Could you please upload the resulting
> package for either ki or ka to security-master? I'll handle the
> remaining part of the DSA when possible.

Would you be able to upload to security-master with the attached debdiff please? (Aurélien approved this on behalf of the security team).

This is also staged in SVN branches/wheezy/kfreebsd-9/ @r4901.

The other, unimportant issues can wait until the next s-p-u probably.

Thanks,
Regards,
-- 
Steven Chamberlain
ste...@pyro.eu.org

diff -Nru kfreebsd-9-9.0/debian/changelog kfreebsd-9-9.0/debian/changelog --- kfreebsd-9-9.0/debian/changelog 2013-06-23 14:47:37.000000000 +0100 +++ kfreebsd-9-9.0/debian/changelog 2013-08-22 14:18:36.000000000 +0100 @@ -1,3 +1,15 @@ +kfreebsd-9 (9.0-10+deb70.3) wheezy-security; urgency=high + + * Team upload. + * Pick SVN 253693 from FreeBSD 9-STABLE to fix SA-13:08 / CVE-2013-4851: + Incorrect privilege validation in the NFS server (Closes: #717958) + * Pick SVN 254629 from FreeBSD 9-STABLE to fix SA-13:09 / CVE-2013-3077: + integer overflow in IP_MSFILTER (Closes: #720468) + * Pick SVN 254352 from FreeBSD 9-STABLE to fix SA-13:10 / CVE-2013-5209: + Kernel memory disclosure in sctp(4) (Closes: #720475) + + -- Steven Chamberlain <ste...@pyro.eu.org> Thu, 22 Aug 2013 14:13:16 +0100 + kfreebsd-9 (9.0-10+deb70.2) wheezy-security; urgency=high * Team upload. diff -Nru kfreebsd-9-9.0/debian/patches/SA-13_08.nfsserver.patch kfreebsd-9-9.0/debian/patches/SA-13_08.nfsserver.patch --- kfreebsd-9-9.0/debian/patches/SA-13_08.nfsserver.patch 1970-01-01 01:00:00.000000000 +0100 +++ kfreebsd-9-9.0/debian/patches/SA-13_08.nfsserver.patch 2013-08-22 13:30:04.000000000 +0100 
@@ -0,0 +1,23 @@ +Description: + Fix a bug that allows remote client bypass the normal + access checks when when -network or -host restrictions + are used at the same time with -mapall. [13:08] + (CVE-2013-4851) +Origin: vendor, http://security.FreeBSD.org/patches/SA-13:08/nfsserver.patch +Bug: http://www.freebsd.org/security/advisories/FreeBSD-SA-13:08.nfsserver.asc +Bug-Debian: http://bugs.debian.org/717958 +Applied-Upstream: http://svnweb.freebsd.org/base?view=revision&revision=253693 + +Index: kfreebsd-9-9.0/sys/kern/vfs_export.c +=================================================================== +--- kfreebsd-9-9.0.orig/sys/kern/vfs_export.c 2009-09-28 19:07:16.000000000 +0100 ++++ kfreebsd-9-9.0/sys/kern/vfs_export.c 2013-07-28 18:13:25.223547283 +0100 +@@ -208,7 +208,7 @@ + np->netc_anon = crget(); + np->netc_anon->cr_uid = argp->ex_anon.cr_uid; + crsetgroups(np->netc_anon, argp->ex_anon.cr_ngroups, +- np->netc_anon->cr_groups); ++ argp->ex_anon.cr_groups); + np->netc_anon->cr_prison = &prison0; + prison_hold(np->netc_anon->cr_prison); + np->netc_numsecflavors = argp->ex_numsecflavors; diff -Nru kfreebsd-9-9.0/debian/patches/SA-13_09.ip_multicast.patch kfreebsd-9-9.0/debian/patches/SA-13_09.ip_multicast.patch --- kfreebsd-9-9.0/debian/patches/SA-13_09.ip_multicast.patch 1970-01-01 01:00:00.000000000 +0100 +++ kfreebsd-9-9.0/debian/patches/SA-13_09.ip_multicast.patch 2013-08-22 13:31:10.000000000 +0100 
@@ -0,0 +1,35 @@ +Description: + Fix an integer overflow in computing the size of a temporary buffer + can result in a buffer which is too small for the requested + operation. [13:09] (CVE-2013-3077) +Origin: vendor, http://security.FreeBSD.org/patches/SA-13:09/ip_multicast.patch +Bug: http://security.FreeBSD.org/advisories/FreeBSD-SA-13:09.ip_multicast.asc +Bug-Debian: http://bugs.debian.org/720468 +Applied-Upstream: http://svnweb.freebsd.org/base?view=revision&revision=254629 + +Index: kfreebsd-9-9.0/sys/netinet/in_mcast.c +=================================================================== +--- kfreebsd-9-9.0.orig/sys/netinet/in_mcast.c 2010-04-10 13:05:31.000000000 +0100 ++++ kfreebsd-9-9.0/sys/netinet/in_mcast.c 2013-08-22 13:31:07.139830942 +0100 +@@ -1613,6 +1613,8 @@ + * has asked for, but we always tell userland how big the + * buffer really needs to be. + */ ++ if (msfr.msfr_nsrcs > in_mcast_maxsocksrc) ++ msfr.msfr_nsrcs = in_mcast_maxsocksrc; + tss = NULL; + if (msfr.msfr_srcs != NULL && msfr.msfr_nsrcs > 0) { + tss = malloc(sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs, +Index: kfreebsd-9-9.0/sys/netinet6/in6_mcast.c +=================================================================== +--- kfreebsd-9-9.0.orig/sys/netinet6/in6_mcast.c 2011-11-23 15:18:16.000000000 +0000 ++++ kfreebsd-9-9.0/sys/netinet6/in6_mcast.c 2013-08-22 13:31:07.141767292 +0100 +@@ -1624,6 +1624,8 @@ + * has asked for, but we always tell userland how big the + * buffer really needs to be. 
+ */ ++ if (msfr.msfr_nsrcs > in6_mcast_maxsocksrc) ++ msfr.msfr_nsrcs = in6_mcast_maxsocksrc; + tss = NULL; + if (msfr.msfr_srcs != NULL && msfr.msfr_nsrcs > 0) { + tss = malloc(sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs, diff -Nru kfreebsd-9-9.0/debian/patches/SA-13_10.sctp.patch kfreebsd-9-9.0/debian/patches/SA-13_10.sctp.patch --- kfreebsd-9-9.0/debian/patches/SA-13_10.sctp.patch 1970-01-01 01:00:00.000000000 +0100 +++ kfreebsd-9-9.0/debian/patches/SA-13_10.sctp.patch 2013-08-22 14:11:33.000000000 +0100 @@ -0,0 +1,27 @@ +Description: + Fix a bug that could lead to kernel memory disclosure with + SCTP state cookie. [13:10] (CVE-2013-5209) +Origin: vendor, http://security.FreeBSD.org/patches/SA-13:10/sctp.patch +Bug: http://security.FreeBSD.org/advisories/FreeBSD-SA-13:10.sctp.asc +Bug-Debian: http://bugs.debian.org/720475 +Applied-Upstream: http://svnweb.freebsd.org/base?view=revision&revision=254352 + +Index: kfreebsd-9-9.0/sys/netinet/sctp_output.c +=================================================================== +--- kfreebsd-9-9.0.orig/sys/netinet/sctp_output.c 2011-11-27 19:13:45.000000000 +0000 ++++ kfreebsd-9-9.0/sys/netinet/sctp_output.c 2013-08-22 13:56:33.325837810 +0100 +@@ -5451,6 +5451,14 @@ + } + SCTP_BUF_LEN(m) = sizeof(struct sctp_init_chunk); + ++ /* ++ * We might not overwrite the identification[] completely and on ++ * some platforms time_entered will contain some padding. Therefore ++ * zero out the cookie to avoid putting uninitialized memory on the ++ * wire. ++ */ ++ memset(&stc, 0, sizeof(struct sctp_state_cookie)); ++ + /* the time I built cookie */ + (void)SCTP_GETTIME_TIMEVAL(&stc.time_entered); + diff -Nru kfreebsd-9-9.0/debian/patches/series kfreebsd-9-9.0/debian/patches/series --- kfreebsd-9-9.0/debian/patches/series 2013-06-23 14:47:37.000000000 +0100 +++ kfreebsd-9-9.0/debian/patches/series 2013-08-22 13:51:14.000000000 +0100 
@@ -10,6 +10,9 @@ SA-12_08.linux.patch SA-13_05.nfsserver.patch SA-13_06.mmap.patch +SA-13_08.nfsserver.patch +SA-13_09.ip_multicast.patch +SA-13_10.sctp.patch # Other patches that might or might not be mergeable 001_misc.diff
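
Review bot: The Description header of debian/patches/SA-13_08.nfsserver.patch has no synopsis on the "Description:" line itself, contains a doubled word ("when when") and reads "allows remote client bypass". Suggest a one-line synopsis on the first line, the corrected long text below it, and one sentence stating what the single changed line in sys/kern/vfs_export.c does: crsetgroups() now copies the group list from argp->ex_anon.cr_groups instead of from np->netc_anon->cr_groups, which is the credential just obtained from crget() two lines earlier.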
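
Review bot: In both hunks of debian/patches/SA-13_09.ip_multicast.patch (sys/netinet/in_mcast.c at -1613 and sys/netinet6/in6_mcast.c at -1624) the new clamp overwrites msfr.msfr_nsrcs directly beneath a comment saying "we always tell userland how big the buffer really needs to be". The visible context does not show whether the clamped value or the real source count is what gets reported back, so that is worth confirming against the full function, and a short comment on the clamp explaining that it bounds the malloc() size would help. The multiplication sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs is then only as bounded as in_mcast_maxsocksrc and in6_mcast_maxsocksrc are, which these hunks do not show. The Description sentence is also ungrammatical ("Fix an integer overflow in computing the size of a temporary buffer can result in ...") and does not mention that both the IPv4 and IPv6 paths are changed.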
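
Review bot: The memset() added to sys/netinet/sctp_output.c in debian/patches/SA-13_10.sctp.patch spells its length as sizeof(struct sctp_state_cookie) rather than sizeof(stc). Writing memset(&stc, 0, sizeof(stc)) keeps the length tied to the variable if its type ever changes; if staying byte-identical to the upstream revision named in Applied-Upstream is preferred, leave it as is. The placement matches the added comment: the zeroing sits before the first visible write to the cookie (stc.time_entered), so padding and any unwritten part of identification[] start out as zero.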