Dear Security Team, Please could we upload the attached debdiff to wheezy-security, to fix issues in kfreebsd-9 (kernel).
This disables support for SCTP as previously discussed: https://lists.debian.org/debian-bsd/2014/08/msg00010.html and applies 3 other security patches from upstream. Thanks, Regards, -- Steven Chamberlain ste...@pyro.eu.org
diff -Nru kfreebsd-9-9.0/debian/changelog kfreebsd-9-9.0/debian/changelog
--- kfreebsd-9-9.0/debian/changelog 2014-06-04 12:43:29.000000000 +0000
+++ kfreebsd-9-9.0/debian/changelog 2014-11-05 01:39:14.000000000 +0000
@@ -1,3 +1,17 @@
+kfreebsd-9 (9.0-10+deb70.8) wheezy-security; urgency=high
+
+ * Team upload.
+ * Disable SCTP due to CVE-2014-3953 and other potential issues; it
+ was anyway unsupported yet by userland tools.
+ * Pick SVN r268432 from FreeBSD 9-STABLE to fix SA-14:17 / CVE-2014-3952:
+ kernel memory disclosure in sockbuf control message (Closes: #754236)
+ * Pick SVN r273412 from FreeBSD 9-STABLE to fix SA-14:22 / CVE-2014-3711:
+ Memory leak in sandboxed namei lookup (Closes: #766275)
+ * Pick SVN r274112 from FreeBSD 9.1-RELEASE to fix SA-14:25 / CVE-2014-8476:
+ Kernel stack disclosure in setlogin(2) / getlogin(2) (Closes: #768104)
+
+ -- Steven Chamberlain <ste...@pyro.eu.org> Wed, 05 Nov 2014 01:17:16 +0000
+
 kfreebsd-9 (9.0-10+deb70.7) wheezy-security; urgency=high
 * Team upload.
diff -Nru kfreebsd-9-9.0/debian/patches/999_config.diff kfreebsd-9-9.0/debian/patches/999_config.diff
--- kfreebsd-9-9.0/debian/patches/999_config.diff 2014-06-04 12:39:31.000000000 +0000
+++ kfreebsd-9-9.0/debian/patches/999_config.diff 2014-10-15 10:44:36.000000000 +0000
@@ -1,6 +1,6 @@
 --- a/sys/amd64/conf/GENERIC
 +++ b/sys/amd64/conf/GENERIC
-@@ -18,10 +18,12 @@
+@@ -18,16 +18,18 @@
 # # $FreeBSD$
@@ -16,6 +16,13 @@
 options SCHED_ULE # ULE scheduler options PREEMPTION # Enable kernel thread preemption
+ options INET # InterNETworking
+ options INET6 # IPv6 communications protocols
+-options SCTP # Stream Control Transmission Protocol
++#options SCTP # Stream Control Transmission Protocol
+ options FFS # Berkeley Fast Filesystem
+ options SOFTUPDATES # Enable FFS soft updates support
+ options UFS_ACL # Support for access control lists
@@ -49,7 +51,7 @@
 options COMPAT_FREEBSD5 # Compatible with FreeBSD5 options COMPAT_FREEBSD6 # Compatible with FreeBSD6
@@ -162,7 +169,7 @@
 +options ALTQ_PRIQ # Priority Queuing (PRIQ)
 --- a/sys/i386/conf/GENERIC
 +++ b/sys/i386/conf/GENERIC
-@@ -18,12 +18,14 @@
+@@ -18,18 +18,20 @@
 # # $FreeBSD$
@@ -182,6 +189,13 @@
 options SCHED_ULE # ULE scheduler options PREEMPTION # Enable kernel thread preemption
+ options INET # InterNETworking
+ options INET6 # IPv6 communications protocols
+-options SCTP # Stream Control Transmission Protocol
++#options SCTP # Stream Control Transmission Protocol
+ options FFS # Berkeley Fast Filesystem
+ options SOFTUPDATES # Enable FFS soft updates support
+ options UFS_ACL # Support for access control lists
@@ -43,6 +45,8 @@
 options MSDOSFS # MSDOS Filesystem options CD9660 # ISO 9660 Filesystem
diff -Nru kfreebsd-9-9.0/debian/patches/SA-14_17.kern.patch kfreebsd-9-9.0/debian/patches/SA-14_17.kern.patch
--- kfreebsd-9-9.0/debian/patches/SA-14_17.kern.patch 1970-01-01 00:00:00.000000000 +0000
+++ kfreebsd-9-9.0/debian/patches/SA-14_17.kern.patch 2014-07-08 23:02:23.000000000 +0000
@@ -0,0 +1,21 @@
+Description:
+ Fix kernel memory disclosure in sockbuf control message (CVE-2014-3952)
+Origin: vendor, http://security.FreeBSD.org/patches/SA-14:17/kmem.patch
+Bug: http://security.FreeBSD.org/advisories/FreeBSD-SA-14:17.kmem.asc
+Bug-Debian: http://bugs.debian.org/754236
+Applied-Upstream: http://svnweb.freebsd.org/base?view=revision&revision=268432
+
+--- kfreebsd-9-9.0.orig/sys/kern/uipc_sockbuf.c
++++ kfreebsd-9-9.0/sys/kern/uipc_sockbuf.c
+@@ -1011,6 +1011,11 @@
+ m->m_len = 0;
+ KASSERT(CMSG_SPACE((u_int)size) <= M_TRAILINGSPACE(m),
+ ("sbcreatecontrol: short mbuf"));
++ /*
++ * Don't leave the padding between the msg header and the
++ * cmsg data and the padding after the cmsg data un-initialized.
++ */
++ bzero(cp, CMSG_SPACE((u_int)size));
+ if (p != NULL)
+ (void)memcpy(CMSG_DATA(cp), p, size);
+ m->m_len = CMSG_SPACE(size);
diff -Nru kfreebsd-9-9.0/debian/patches/SA-14_22.namei.patch kfreebsd-9-9.0/debian/patches/SA-14_22.namei.patch
--- kfreebsd-9-9.0/debian/patches/SA-14_22.namei.patch 1970-01-01 00:00:00.000000000 +0000
+++ kfreebsd-9-9.0/debian/patches/SA-14_22.namei.patch 2014-10-21 21:41:34.000000000 +0000
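Review bot: The new `bzero(cp, CMSG_SPACE((u_int)size))` is bounded only by the `KASSERT` two lines above it, which is compiled out in kernels built without INVARIANTS, so like the existing `memcpy` it depends on the mbuf having been sized for `CMSG_SPACE(size)` earlier in sbcreatecontrol, whose beginning is outside the hunk. A comment at the bzero making that dependency explicit would help the next reader, e.g. `/* The mbuf was sized for CMSG_SPACE(size) above; the KASSERT only verifies this under INVARIANTS. */`. As a point of style, the neighbouring `m->m_len = CMSG_SPACE(size);` omits the `(u_int)` cast that the KASSERT and the new bzero use; writing the same expression in all three places would make it obvious that the zeroed length equals the length later reported in m_len.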
@@ -0,0 +1,104 @@
+Description:
+ Fix memory leak in sandboxed namei lookup. [SA-14:22]
+ (CVE-2014-3711)
+Origin: vendor, http://security.freebsd.org/patches/SA-14:22/namei-9.patch
+Bug: http://security.freebsd.org/advisories/FreeBSD-SA-14:22.namei.asc
+Bug-Debian: http://bugs.debian.org/766275
+Applied-Upstream: http://svnweb.freebsd.org/base?view=revision&revision=273412
+
+--- a/sys/kern/vfs_lookup.c
++++ b/sys/kern/vfs_lookup.c
+@@ -121,6 +121,16 @@
+ * if symbolic link, massage name in buffer and continue
+ * }
+ */
++static void
++namei_cleanup_cnp(struct componentname *cnp)
++{
++ uma_zfree(namei_zone, cnp->cn_pnbuf);
++#ifdef DIAGNOSTIC
++ cnp->cn_pnbuf = NULL;
++ cnp->cn_nameptr = NULL;
++#endif
++}
++
+ int
+ namei(struct nameidata *ndp)
+ {
+@@ -193,11 +203,7 @@
+ }
+ #endif
+ if (error) {
+- uma_zfree(namei_zone, cnp->cn_pnbuf);
+-#ifdef DIAGNOSTIC
+- cnp->cn_pnbuf = NULL;
+- cnp->cn_nameptr = NULL;
+-#endif
++ namei_cleanup_cnp(cnp);
+ ndp->ni_vp = NULL;
+ return (error);
+ }
+@@ -251,11 +257,7 @@
+ }
+ }
+ if (error) {
+- uma_zfree(namei_zone, cnp->cn_pnbuf);
+-#ifdef DIAGNOSTIC
+- cnp->cn_pnbuf = NULL;
+- cnp->cn_nameptr = NULL;
+-#endif
++ namei_cleanup_cnp(cnp);
+ return (error);
+ }
+ }
+@@ -281,8 +283,10 @@
+ if (*(cnp->cn_nameptr) == '/') {
+ vrele(dp);
+ VFS_UNLOCK_GIANT(vfslocked);
+- if (ndp->ni_strictrelative != 0)
++ if (ndp->ni_strictrelative != 0) {
++ namei_cleanup_cnp(cnp);
+ return (ENOTCAPABLE);
++ }
+ while (*(cnp->cn_nameptr) == '/') {
+ cnp->cn_nameptr++;
+ ndp->ni_pathlen--;
+@@ -296,11 +300,7 @@
+ ndp->ni_startdir = dp;
+ error = lookup(ndp);
+ if (error) {
+- uma_zfree(namei_zone, cnp->cn_pnbuf);
+-#ifdef DIAGNOSTIC
+- cnp->cn_pnbuf = NULL;
+- cnp->cn_nameptr = NULL;
+-#endif
++ namei_cleanup_cnp(cnp);
+ SDT_PROBE(vfs, namei, lookup, return, error, NULL, 0,
+ 0, 0);
+ return (error);
+@@ -312,11 +312,7 @@
+ */
+ if ((cnp->cn_flags & ISSYMLINK) == 0) {
+ if ((cnp->cn_flags & (SAVENAME | SAVESTART)) == 0) {
+- uma_zfree(namei_zone, cnp->cn_pnbuf);
+-#ifdef DIAGNOSTIC
+- cnp->cn_pnbuf = NULL;
+- cnp->cn_nameptr = NULL;
+-#endif
++ namei_cleanup_cnp(cnp);
+ } else
+ cnp->cn_flags |= HASBUF;
+
+@@ -382,11 +378,7 @@
+ vput(ndp->ni_vp);
+ dp = ndp->ni_dvp;
+ }
+- uma_zfree(namei_zone, cnp->cn_pnbuf);
+-#ifdef DIAGNOSTIC
+- cnp->cn_pnbuf = NULL;
+- cnp->cn_nameptr = NULL;
+-#endif
++ namei_cleanup_cnp(cnp);
+ vput(ndp->ni_vp);
+ ndp->ni_vp = NULL;
+ vrele(ndp->ni_dvp);
diff -Nru kfreebsd-9-9.0/debian/patches/SA-14_25.setlogin.patch kfreebsd-9-9.0/debian/patches/SA-14_25.setlogin.patch
--- kfreebsd-9-9.0/debian/patches/SA-14_25.setlogin.patch 1970-01-01 00:00:00.000000000 +0000
+++ kfreebsd-9-9.0/debian/patches/SA-14_25.setlogin.patch 2014-11-05 01:28:07.000000000 +0000
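Review bot: The new `namei_cleanup_cnp` helper carries no comment, and on the `ni_strictrelative` path it is now called before `return (ENOTCAPABLE)` without clearing `ndp->ni_vp`, whereas the first error return in this patch (the `@@ -193` hunk) does `ndp->ni_vp = NULL;` after the same cleanup; whether a caller may look at ni_vp after ENOTCAPABLE cannot be determined from the hunk, so it is worth confirming against namei's callers. I would add above the helper: `/* Free the pathname buffer owned by cnp; under DIAGNOSTIC also clear the pointers to it. */`. The `vrele(dp)` and `VFS_UNLOCK_GIANT(vfslocked)` immediately above the new call are unchanged, so the helper runs after the directory vnode is released, consistent with the other call sites. namei's body extends beyond each of these hunks.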
@@ -0,0 +1,69 @@
+Description:
+ Fix kernel stack disclosure in setlogin(2) / getlogin(2). [SA-14:25]
+ (CVE-2014-8476)
+Origin: vendor, http://security.FreeBSD.org/patches/SA-14:25/setlogin-91.patch
+Bug: http://security.freebsd.org/advisories/FreeBSD-SA-14:25.setlogin.asc
+Bug-Debian: http://bugs.debian.org/768104
+Applied-Upstream: http://svnweb.freebsd.org/base?view=revision&revision=274112
+
+--- a/sys/kern/kern_prot.c
++++ b/sys/kern/kern_prot.c
+@@ -2073,19 +2073,20 @@
+ int
+ sys_getlogin(struct thread *td, struct getlogin_args *uap)
+ {
+- int error;
+ char login[MAXLOGNAME];
+ struct proc *p = td->td_proc;
++ size_t len;
+
+ if (uap->namelen > MAXLOGNAME)
+ uap->namelen = MAXLOGNAME;
+ PROC_LOCK(p);
+ SESS_LOCK(p->p_session);
+- bcopy(p->p_session->s_login, login, uap->namelen);
++ len = strlcpy(login, p->p_session->s_login, uap->namelen) + 1;
+ SESS_UNLOCK(p->p_session);
+ PROC_UNLOCK(p);
+- error = copyout(login, uap->namebuf, uap->namelen);
+- return(error);
++ if (len > uap->namelen)
++ return (ERANGE);
++ return (copyout(login, uap->namebuf, len));
+ }
+
+ /*
+@@ -2104,21 +2105,23 @@
+ int error;
+ char logintmp[MAXLOGNAME];
+
++ CTASSERT(sizeof(p->p_session->s_login) >= sizeof(logintmp));
++
+ error = priv_check(td, PRIV_PROC_SETLOGIN);
+ if (error)
+ return (error);
+ error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL);
+- if (error == ENAMETOOLONG)
+- error = EINVAL;
+- else if (!error) {
+- PROC_LOCK(p);
+- SESS_LOCK(p->p_session);
+- (void) memcpy(p->p_session->s_login, logintmp,
+- sizeof(logintmp));
+- SESS_UNLOCK(p->p_session);
+- PROC_UNLOCK(p);
++ if (error != 0) {
++ if (error == ENAMETOOLONG)
++ error = EINVAL;
++ return (error);
+ }
+- return (error);
++ PROC_LOCK(p);
++ SESS_LOCK(p->p_session);
++ strcpy(p->p_session->s_login, logintmp);
++ SESS_UNLOCK(p->p_session);
++ PROC_UNLOCK(p);
++ return (0);
+ }
+
+ void
diff -Nru kfreebsd-9-9.0/debian/patches/series kfreebsd-9-9.0/debian/patches/series
---
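Review bot: In `sys_getlogin`, `login[]` is an uninitialized stack array, and the new code only avoids disclosing it because the `copyout` is now limited to `len` (the string plus its terminator) rather than `uap->namelen`; that reasoning is not stated anywhere, so I would put a comment on the `copyout` line: `/* Copy only the string and its NUL; the rest of login[] is uninitialized stack. */`. In `sys_setlogin`, the `strcpy` into `s_login` is bounded by `copyinstr(..., sizeof(logintmp), NULL)` together with the new `CTASSERT`, and it deliberately leaves any bytes after the terminator in `s_login` untouched, which is only fine because getlogin now stops at the terminator; a one-line comment tying the two halves together would keep a future change to either side from reopening the leak. The start of sys_setlogin (its parameters and the declaration of `p`) is outside the second hunk.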
kfreebsd-9-9.0/debian/patches/series 2014-06-04 12:39:31.000000000 +0000
+++ kfreebsd-9-9.0/debian/patches/series 2014-11-05 01:40:34.000000000 +0000
@@ -21,6 +21,9 @@
 SA-14_05.nfsserver.patch SA-14_08.tcp.patch EN-14_06.exec.patch
+SA-14_17.kern.patch
+SA-14_22.namei.patch
+SA-14_25.setlogin.patch
 # Other patches that might or might not be mergeable 001_misc.diff