tags 722338 + pending
tags 722337 + pending

branches/wheezy/kfreebsd-9/ r4939 is ready in SVN for anyone to test. I'm currently building it for kfreebsd-amd64. Testing for working IPv6 and nullfs seems like a good idea.

Attached is a debdiff against the unpacked source of 9.0-10+deb70.3.

Regards,
--
Steven Chamberlain
ste...@pyro.eu.org
diff -Nru kfreebsd-9-9.0/debian/changelog kfreebsd-9-9.0/debian/changelog
--- kfreebsd-9-9.0/debian/changelog 2013-08-22 14:18:36.000000000 +0100
+++ kfreebsd-9-9.0/debian/changelog 2013-09-10 12:44:46.000000000 +0100
@@ -0,4 +0,14 @@
+kfreebsd-9 (9.0-10+deb70.4) UNRELEASED; urgency=high
+
+ * Team upload.
+ * Pick SVN 255443 from FreeBSD 9-STABLE to fix SA-13:12 / CVE-2013-5691:
+ ifioctl credential checks missing (Closes: #722338)
+ * Pick SVN 255443 from FreeBSD 9-STABLE to fix SA-13:13 / CVE-2013-5710:
+ nullfs hardlinks across mounts (Closes: #722337)
+
+ -- Steven Chamberlain <ste...@pyro.eu.org> Tue, 10 Sep 2013 11:57:14 +0100
+
 kfreebsd-9 (9.0-10+deb70.3) wheezy-security; urgency=high
 
 * Team upload.
 * Pick SVN 253693 from FreeBSD 9-STABLE to fix SA-13:08 / CVE-2013-4851:
diff -Nru kfreebsd-9-9.0/debian/patches/SA-13_12.ifioctl.diff kfreebsd-9-9.0/debian/patches/SA-13_12.ifioctl.diff
--- kfreebsd-9-9.0/debian/patches/SA-13_12.ifioctl.diff 1970-01-01 01:00:00.000000000 +0100
+++ kfreebsd-9-9.0/debian/patches/SA-13_12.ifioctl.diff 2013-09-10 12:42:48.000000000 +0100
@@ -0,0 +1,99 @@
+Description:
+ In IPv6 and NetATM, stop SIOCSIFADDR, SIOCSIFBRDADDR, SIOCSIFDSTADDR
+ and SIOCSIFNETMASK at the socket layer rather than pass them on to the
+ link layer without validation or credential checks. [SA-13:12]
+ (CVE-2013-5691)
+Origin: vendor, http://security.FreeBSD.org/patches/SA-13:12/ifioctl.patch
+Bug: http://security.FreeBSD.org/advisories/FreeBSD-SA-13:12.ifioctl.asc
+Bug-Debian: http://bugs.debian.org/722338
+Applied-Upstream: http://svnweb.freebsd.org/base?view=revision&revision=255443
+
+Index: kfreebsd-9-9.0/sys/netinet6/in6.c
+===================================================================
+--- kfreebsd-9-9.0.orig/sys/netinet6/in6.c 2013-09-10 12:00:48.187797771 +0100
++++ kfreebsd-9-9.0/sys/netinet6/in6.c 2013-09-10 12:00:48.821802804 +0100
+@@ -418,6 +418,18 @@
+ case SIOCGIFSTAT_ICMP6:
+ sa6 = &ifr->ifr_addr;
+ break;
++ case SIOCSIFADDR:
++ case SIOCSIFBRDADDR:
++ case SIOCSIFDSTADDR:
++ case SIOCSIFNETMASK:
++ /*
++ * Although we should pass any non-INET6 ioctl requests
++ * down to driver, we filter some legacy INET requests.
++ * Drivers trust SIOCSIFADDR et al to come from an already
++ * privileged layer, and do not perform any credentials
++ * checks or input validation.
++ */
++ return (EINVAL);
+ default:
+ sa6 = NULL;
+ break;
+Index: kfreebsd-9-9.0/sys/netnatm/natm.c
+===================================================================
+--- kfreebsd-9-9.0.orig/sys/netnatm/natm.c 2009-05-20 18:00:16.000000000 +0100
++++ kfreebsd-9-9.0/sys/netnatm/natm.c 2013-09-10 12:00:48.832906800 +0100
+@@ -339,6 +339,21 @@
+ npcb = (struct natmpcb *)so->so_pcb;
+ KASSERT(npcb != NULL, ("natm_usr_control: npcb == NULL"));
+ 
++ switch (cmd) {
++ case SIOCSIFADDR:
++ case SIOCSIFBRDADDR:
++ case SIOCSIFDSTADDR:
++ case SIOCSIFNETMASK:
++ /*
++ * Although we should pass any non-ATM ioctl requests
++ * down to driver, we filter some legacy INET requests.
++ * Drivers trust SIOCSIFADDR et al to come from an already
++ * privileged layer, and do not perform any credentials
++ * checks or input validation.
++ */
++ return (EINVAL);
++ }
++
+ if (ifp == NULL || ifp->if_ioctl == NULL)
+ return (EOPNOTSUPP);
+ return ((*ifp->if_ioctl)(ifp, cmd, arg));
+Index: kfreebsd-9-9.0/sys/net/if.c
+===================================================================
+--- kfreebsd-9-9.0.orig/sys/net/if.c 2011-07-03 13:22:02.000000000 +0100
++++ kfreebsd-9-9.0/sys/net/if.c 2013-09-10 12:00:48.906783323 +0100
+@@ -2546,11 +2546,23 @@
+ CURVNET_RESTORE();
+ return (EOPNOTSUPP);
+ }
++
++ /*
++ * Pass the request on to the socket control method, and if the
++ * latter returns EOPNOTSUPP, directly to the interface.
++ *
++ * Make an exception for the legacy SIOCSIF* requests. Drivers
++ * trust SIOCSIFADDR et al to come from an already privileged
++ * layer, and do not perform any credentials checks or input
++ * validation.
++ */
+ #ifndef COMPAT_43
+ error = ((*so->so_proto->pr_usrreqs->pru_control)(so, cmd,
+ data,
+ ifp, td));
+- if (error == EOPNOTSUPP && ifp != NULL && ifp->if_ioctl != NULL)
++ if (error == EOPNOTSUPP && ifp != NULL && ifp->if_ioctl != NULL &&
++ cmd != SIOCSIFADDR && cmd != SIOCSIFBRDADDR &&
++ cmd != SIOCSIFDSTADDR && cmd != SIOCSIFNETMASK)
+ error = (*ifp->if_ioctl)(ifp, cmd, data);
+ #else
+ {
+@@ -2594,7 +2606,9 @@
+ data,
+ ifp, td));
+ if (error == EOPNOTSUPP && ifp != NULL &&
+- ifp->if_ioctl != NULL)
++ ifp->if_ioctl != NULL &&
++ cmd != SIOCSIFADDR && cmd != SIOCSIFBRDADDR &&
++ cmd != SIOCSIFDSTADDR && cmd != SIOCSIFNETMASK)
+ error = (*ifp->if_ioctl)(ifp, cmd, data);
+ switch (ocmd) {
+ 
diff -Nru kfreebsd-9-9.0/debian/patches/SA-13_13.nullfs.diff kfreebsd-9-9.0/debian/patches/SA-13_13.nullfs.diff
--- kfreebsd-9-9.0/debian/patches/SA-13_13.nullfs.diff 1970-01-01 01:00:00.000000000 +0100
+++ kfreebsd-9-9.0/debian/patches/SA-13_13.nullfs.diff 2013-09-10 12:43:16.000000000 +0100
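Review bot: The guard added in sys/net/if.c only covers protocols whose `pru_control` returns EOPNOTSUPP, so any socket control method that calls `ifp->if_ioctl` itself, as natm_usr_control does in the natm.c hunk, needs its own filter for the four SIOCSIF* requests. This patch adds that filter for IPv6 and NetATM; whether other protocol families in this tree forward these requests directly cannot be seen from the hunks and is worth checking before upload. I would extend the new comment in if.c with `* Protocols whose pru_control calls if_ioctl directly must reject these requests themselves.` so the rule sits next to the exception list. The same four-command list is also spelled out twice in if.c (the `#ifndef COMPAT_43` path and the `#else` path), so the two conditions have to be kept in step by hand. The enclosing functions in all three files start and end outside the hunks.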
@@ -0,0 +1,36 @@
+Description:
+ Prevent cross-mount hardlinks between different nullfs mounts of the
+ same underlying filesystem. [SA-13:13] (CVE-2013-5710)
+Origin: vendor, http://security.FreeBSD.org/patches/SA-13:13/nullfs.patch
+Bug: http://security.FreeBSD.org/advisories/FreeBSD-SA-13:13.nullfs.asc
+Bug-Debian: http://bugs.debian.org/722337
+Applied-Upstream: http://svnweb.freebsd.org/base?view=revision&revision=255443
+
+Index: kfreebsd-9-9.0/sys/fs/nullfs/null_vnops.c
+===================================================================
+--- kfreebsd-9-9.0.orig/sys/fs/nullfs/null_vnops.c 2013-09-10 12:00:48.309797010 +0100
++++ kfreebsd-9-9.0/sys/fs/nullfs/null_vnops.c 2013-09-10 12:00:58.269784374 +0100
+@@ -816,6 +816,15 @@
+ return (error);
+ }
+ 
++static int
++null_link(struct vop_link_args *ap)
++{
++
++ if (ap->a_tdvp->v_mount != ap->a_vp->v_mount)
++ return (EXDEV);
++ return (null_bypass((struct vop_generic_args *)ap));
++}
++
+ /*
+ * Global vfs data structures
+ */
+@@ -829,6 +838,7 @@
+ .vop_getwritemount = null_getwritemount,
+ .vop_inactive = null_inactive,
+ .vop_islocked = vop_stdislocked,
++ .vop_link = null_link,
+ .vop_lock1 = null_lock,
+ .vop_lookup = null_lookup,
+ .vop_open = null_open,
diff -Nru kfreebsd-9-9.0/debian/patches/series kfreebsd-9-9.0/debian/patches/series
--- kfreebsd-9-9.0/debian/patches/series 2013-08-22 13:51:14.000000000 +0100
+++ kfreebsd-9-9.0/debian/patches/series 2013-09-10 11:58:53.000000000 +0100
@@ -13,6 +13,8 @@
 SA-13_08.nfsserver.patch
 SA-13_09.ip_multicast.patch
 SA-13_10.sctp.patch
+SA-13_12.ifioctl.diff
+SA-13_13.nullfs.diff
 
 # Other patches that might or might not be mergeable
 001_misc.diff
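Review bot: `null_link` has no comment saying why it refuses the link, yet the check `ap->a_tdvp->v_mount != ap->a_vp->v_mount` is the whole of the SA-13:13 fix in null_vnops.c, so it should carry one. Suggested text above the function: `/* Refuse hard links between different nullfs mounts (EXDEV), even if both sit on the same lower filesystem; see FreeBSD-SA-13:13. */`. Without it, a later cleanup could drop the `.vop_link = null_link` entry added in the second hunk and hand the operation straight to `null_bypass` again; presumably that was the behaviour before this patch, but the default vector entry is outside the hunk. A regression check that link(2) between two nullfs mounts of one filesystem fails with EXDEV would fit the nullfs testing the upload message asks for.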