* Linux 2.4.27-rc5
From: Marcelo Tosatti @ 2004-08-03 23:42 UTC (permalink / raw)
To: linux-kernel; +Cc: Alan Cox, akpm
Hi,

Here goes the fifth release candidate of kernel v2.4.27.

It includes a handful of XFS fixes, a network update (Bluetooth, Netfilter,
bridge), and it reverts problematic DVD-RW support for now (should be back in
2.4.28).

Most importantly this release fixes an exploitable race in file offset handling
which allows unprivileged users to potentially read kernel memory.
This touches several drivers and generic proc code. This issue is covered by
CAN-2004-0415.

Vendors should be releasing their updates real soon now.

Here are the most important security issues fixed by the 2.4.27 release:

CAN-2004-0495 (Al Viro sparse fixes)
CAN-2004-0497 (users could modify group ID of arbitrary files on the system)
CAN-2004-0535 (e1000 minor info leak)
CAN-2004-0685 (backported Conectiva usb sparse fixes)
CAN-2004-0415 (file offset pointer handling race)
CAN-2004-0565 (information leak ia64)

-final should be out in a few days if nothing bad shows up.

For more details please read the detailed changelog.
Summary of changes from v2.4.27-rc4 to v2.4.27-rc5
============================================
Adrian Bunk:
o [NET]: Update CONFIG_NET_SCH_NETEM Configure.help entry
Chris Wright:
o ethtool_get_regs copy right number of bytes to user
Eric Sandeen:
o [XFS] Don't lock down user pages when doing direct IO; this can lead to trouble (double-locking zero page, etc).
Harald Welte:
o [NETFILTER]: ipt_ULOG fix for packet delay
o [NETFILTER]: Fix broken debug assertion
Marcel Holtmann:
o [Bluetooth] Fix kernel panic when device config fails
o [Bluetooth] Replace BCSP retransmitting message with BT_DBG
o [Bluetooth] Fix resetting to default filters
o [Bluetooth] Send HCI_Reset for ISSC USB dongles
Marcelo Tosatti:
o Revert DVD-RW write support for now: axboe@suse.de|ChangeSet|20040606235035|46544
o Cset exclude: axboe@suse.de|ChangeSet|20040607195639|57919
o Remove mm/page_alloc.c debugging
o Al Viro and others: Fix file offset handling races in several drivers
o Changed EXTRAVERSION to -rc5
o update-i386-defconfig.patch
Nathan Scott:
o [XFS] Fix data loss problem - we no longer update i_size anywhere without holding i_sem for 2.4 as well.
o [XFS] Fix diotest4 test case issues with direct reads in XFS
Ralf Bächle:
o Fix non-use of HZ in 6pack.c
Stephen Hemminger:
o bridge fix
o [TCP]: Bic tcp congestion calculation timestamp
o [PKT_SCHED]: netem limit not returned correctly
* Re: Linux 2.4.27-rc5
From: Geert Uytterhoeven @ 2004-08-04 15:53 UTC (permalink / raw)
To: Marcelo Tosatti; +Cc: Linux Kernel Development, Alan Cox, Andrew Morton
On Tue, 3 Aug 2004, Marcelo Tosatti wrote:
> Most importantly this release fixes an exploitable race in file offset handling
> which allows unprivileged users to potentially read kernel memory.
> This touches several drivers and generic proc code. This issue is covered by
> CAN-2004-0415.
> Marcelo Tosatti:
> o Al Viro and others: Fix file offset handling races in several drivers
Breaks the build with gcc 2.95. Trivial fix below:
--- linux-2.4.27-rc5/net/atm/br2684.c.orig 2004-08-04 15:33:22.000000000 +0200
+++ linux-2.4.27-rc5/net/atm/br2684.c 2004-08-04 17:21:16.000000000 +0200
@@ -736,8 +736,9 @@ static ssize_t br2684_proc_read(struct f
{
unsigned long page;
int len = 0, x, left;
- page = get_free_page(GFP_KERNEL);
loff_t n = *pos;
+
+ page = get_free_page(GFP_KERNEL);
if (!page)
return -ENOMEM;
left = PAGE_SIZE - 256;
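Review bot: The reordering in br2684_proc_read() that puts `page = get_free_page(GFP_KERNEL);` below `loff_t n = *pos;` carries no stated cause beyond "breaks the build with gcc 2.95". The description should say that the assignment sat between two declarations and that gcc 2.95 rejects a declaration after a statement, so a later cleanup does not move the line back. A one-line changelog naming the function and the compiler would be enough.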
Gr{oetje,eeting}s,
Geert
--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org
In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
-- Linus Torvalds
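An added userspace illustration, not kernel code and not from this thread, of the check-then-refetch pattern behind a file offset race, next to the single-fetch form that the `loff_t n = *pos;` local in the hunk above corresponds to. The buffer layout, `concurrent_lseek()` (a deterministic stand-in for a second thread changing the shared offset) and all function names are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#define PUB_LEN 16
/* Constructed memory: 16 readable bytes, then bytes the reader must never see. */
static char mem[32] = "public-data-0123" "KERNEL-SECRET!!";

/* Deterministic stand-in for a second thread moving the shared file offset. */
static void concurrent_lseek(long long *shared_pos) { *shared_pos = PUB_LEN; }

/* "Before" pattern: validates *ppos, then fetches it again for the copy. */
static long read_unsafe(char *dst, size_t count, long long *ppos)
{
    if (*ppos < 0 || *ppos >= PUB_LEN)
        return 0;
    if (count > (size_t)(PUB_LEN - *ppos))
        count = (size_t)(PUB_LEN - *ppos);
    concurrent_lseek(ppos);           /* race window: offset changes after the check */
    memcpy(dst, mem + *ppos, count);  /* second fetch uses a value nobody validated */
    *ppos += (long long)count;
    return (long)count;
}

/* "After" pattern: fetch once, then check and use only the local copy. */
static long read_safe(char *dst, size_t count, long long *ppos)
{
    long long n = *ppos;              /* single fetch of the shared offset */
    if (n < 0 || n >= PUB_LEN)
        return 0;
    if (count > (size_t)(PUB_LEN - n))
        count = (size_t)(PUB_LEN - n);
    concurrent_lseek(ppos);           /* same interference, but n is unaffected */
    memcpy(dst, mem + n, count);
    *ppos = n + (long long)count;
    return (long)count;
}

/* Returns 1 if the reader handed back bytes from beyond the readable region. */
static int leaks_secret(long (*rd)(char *, size_t, long long *))
{
    char out[8] = {0};
    long long pos = 0;
    long got = rd(out, sizeof out, &pos);
    return got > 0 && memcmp(out, mem + PUB_LEN, (size_t)got) == 0;
}

int main(void)
{
    printf("unsafe leaks: %d, safe leaks: %d\n", leaks_secret(read_unsafe), leaks_secret(read_safe));
    return 0;
}
```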
* Re: Linux 2.4.27-rc5
From: Marcelo Tosatti @ 2004-08-04 19:17 UTC (permalink / raw)
To: Geert Uytterhoeven; +Cc: Linux Kernel Development, Alan Cox, Andrew Morton
On Wed, Aug 04, 2004 at 05:53:39PM +0200, Geert Uytterhoeven wrote:
> On Tue, 3 Aug 2004, Marcelo Tosatti wrote:
> > Most importantly this release fixes an exploitable race in file offset handling
> > which allows unprivileged users to potentially read kernel memory.
> > This touches several drivers and generic proc code. This issue is covered by
> > CAN-2004-0415.
> > Marcelo Tosatti:
> > o Al Viro and others: Fix file offset handling races in several drivers
>
> Breaks the build with gcc 2.95. Trivial fix below:
>
> --- linux-2.4.27-rc5/net/atm/br2684.c.orig 2004-08-04 15:33:22.000000000 +0200
> +++ linux-2.4.27-rc5/net/atm/br2684.c 2004-08-04 17:21:16.000000000 +0200
> @@ -736,8 +736,9 @@ static ssize_t br2684_proc_read(struct f
> {
> unsigned long page;
> int len = 0, x, left;
> - page = get_free_page(GFP_KERNEL);
> loff_t n = *pos;
> +
> + page = get_free_page(GFP_KERNEL);
> if (!page)
> return -ENOMEM;
> left = PAGE_SIZE - 256;
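Review bot: Only br2684_proc_read() is covered here, yet the offset-race change that introduced `loff_t n = *pos;` is described in the announcement as touching several drivers and generic proc code, so the same statement-before-declaration ordering may exist in the other handlers converted at the same time. Before -final, build those files with gcc 2.95 as well, or check that each newly added `loff_t` local sits ahead of the first statement in its function.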
Applied, thanks!