stable.vger.kernel.org archive mirror
* Security fixes for 2.6.32-stable
@ 2015-07-05 21:19 Ben Hutchings
  0 siblings, 0 replies; 9+ messages in thread
From: Ben Hutchings @ 2015-07-05 21:19 UTC (permalink / raw)
  To: Willy Tarreau; +Cc: stable



Willy, here are the security patches I've recently applied to Debian's
2.6.32 branch, aside from "pipe: iovec: Fix memory corruption when
retrying atomic copy as non-atomic" which I sent earlier.

All except the last one ("udp: fix behavior of wrong checksums") have
already been released without reported regressions. The mapping to CVE
IDs is:

  * TTY: drop driver reference in tty_open fail path (CVE-2011-5321)
  * netlink: fix possible spoofing from non-root processes (CVE-2012-6689)
  * eCryptfs: Remove buggy and unnecessary write in file name decode routine
    (CVE-2014-9683)
  * HID: fix a couple of off-by-ones (CVE-2014-3184)
  * udf: Verify i_size when loading inode (CVE-2014-9728, CVE-2014-9729)
  * udf: Verify symlink size before loading it (CVE-2014-9728)
  * udf: Treat symlink component of type 2 as / (dependency of following fix)
  * udf: Check path length when reading symlink (CVE-2014-9731)
  * udf: Check component length before reading it
    (CVE-2014-9728, CVE-2014-9730)
  * udf: Remove repeated loads blocksize (dependency of following fix)
  * udf: Check length of extended attributes and allocation descriptors
    (CVE-2015-4167)
  * udp: fix behavior of wrong checksums (CVE-2015-5364)

Ben.

-- 
Ben Hutchings
Every program is either trivial or else contains at least one bug


[-- Attachment #1.2: security-2.6.32.mbox --]
[-- Type: application/mbox, Size: 30719 bytes --]

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 811 bytes --]


* Security fixes for 2.6.32-stable
@ 2015-11-16 19:47 Ben Hutchings
  2015-11-16 20:08 ` Willy Tarreau
  0 siblings, 1 reply; 9+ messages in thread
From: Ben Hutchings @ 2015-11-16 19:47 UTC (permalink / raw)
  To: Willy Tarreau; +Cc: stable



Willy, here are the security patches I've recently applied to Debian's
2.6.32 branch, aside from those for CVE-2015-2925 - which we already
discussed - and for issues not yet fixed upstream.

These have already been released without reported regressions. The
mapping to CVE IDs is:

  * md: use kzalloc() when bitmap is disabled (CVE-2015-5697)
  * ipv6: addrconf: validate new MTU before applying it (CVE-2015-0272)
  * virtio-net: drop NETIF_F_FRAGLIST (CVE-2015-5156)
  * USB: whiteheat: fix potential null-deref at probe (CVE-2015-5257)
  * ipc/sem.c: fully initialize sem_array before making it visible
    (no CVE ID, but similar issue to the following fix)
  * Initialize msg/shm IPC objects before doing ipc_addid()
    (CVE-2015-7613)

Ben.

-- 
Ben Hutchings
Anthony's Law of Force: Don't force it, get a larger hammer.

[-- Attachment #1.2: security-2.6.32.mbox --]
[-- Type: application/mbox, Size: 15335 bytes --]

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 811 bytes --]


* Re: Security fixes for 2.6.32-stable
  2015-11-16 19:47 Ben Hutchings
@ 2015-11-16 20:08 ` Willy Tarreau
  0 siblings, 0 replies; 9+ messages in thread
From: Willy Tarreau @ 2015-11-16 20:08 UTC (permalink / raw)
  To: Ben Hutchings; +Cc: stable

Hi Ben,

On Mon, Nov 16, 2015 at 07:47:37PM +0000, Ben Hutchings wrote:
> Willy, here are the security patches I've recently applied to Debian's
> 2.6.32 branch, aside from those for CVE-2015-2925 - which we already
> discussed - and for issues not yet fixed upstream.
> 
> These have already been released without reported regressions. The
> mapping to CVE IDs is:
> 
>   * md: use kzalloc() when bitmap is disabled (CVE-2015-5697)
>   * ipv6: addrconf: validate new MTU before applying it (CVE-2015-0272)
>   * virtio-net: drop NETIF_F_FRAGLIST (CVE-2015-5156)
>   * USB: whiteheat: fix potential null-deref at probe (CVE-2015-5257)
>   * ipc/sem.c: fully initialize sem_array before making it visible
>     (no CVE ID, but similar issue to the following fix)
>   * Initialize msg/shm IPC objects before doing ipc_addid()
>     (CVE-2015-7613)

Much appreciated, thank you! I'll try to issue a new kernel ASAP, probably
next week.

Cheers,
Willy



* Security fixes for 2.6.32-stable
@ 2015-12-27 20:45 Ben Hutchings
  2015-12-27 20:50 ` Willy Tarreau
  0 siblings, 1 reply; 9+ messages in thread
From: Ben Hutchings @ 2015-12-27 20:45 UTC (permalink / raw)
  To: Willy Tarreau; +Cc: stable



Willy, here are the security patches I've recently applied to Debian's
2.6.32 branch, aside from issues not yet fixed upstream.

These have already been released without reported regressions. The
mapping to CVE IDs is:

  * isdn_ppp: Add checks for allocation failure in isdn_ppp_open()
    (dependency of following fix)
  * ppp, slip: Validate VJ compression slot parameters completely
    (CVE-2015-7799)
  * RDS: fix race condition when sending a message on unbound socket
    (CVE-2015-7990)
  * unix: avoid use-after-free in ep_remove_wait_queue
    (CVE-2013-7446)
  * ext4: Fix null dereference in ext4_fill_super()
    (CVE-2015-8324)

Ben.

-- 
Ben Hutchings
Power corrupts.  Absolute power is kind of neat.
                           - John Lehman, Secretary of the US Navy 1981-1987

[-- Attachment #1.2: security-2.6.32.mbox --]
[-- Type: application/mbox, Size: 21128 bytes --]

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 811 bytes --]


* Re: Security fixes for 2.6.32-stable
  2015-12-27 20:45 Security fixes for 2.6.32-stable Ben Hutchings
@ 2015-12-27 20:50 ` Willy Tarreau
  0 siblings, 0 replies; 9+ messages in thread
From: Willy Tarreau @ 2015-12-27 20:50 UTC (permalink / raw)
  To: Ben Hutchings; +Cc: stable

Hi Ben,

On Sun, Dec 27, 2015 at 08:45:42PM +0000, Ben Hutchings wrote:
> Willy, here are the security patches I've recently applied to Debian's
> 2.6.32 branch, aside from issues not yet fixed upstream.
> 
> These have already been released without reported regressions. The
> mapping to CVE IDs is:
> 
>   * isdn_ppp: Add checks for allocation failure in isdn_ppp_open()
>     (dependency of following fix)
>   * ppp, slip: Validate VJ compression slot parameters completely
>     (CVE-2015-7799)
>   * RDS: fix race condition when sending a message on unbound socket
>     (CVE-2015-7990)
>   * unix: avoid use-after-free in ep_remove_wait_queue
>     (CVE-2013-7446)
>   * ext4: Fix null dereference in ext4_fill_super()
>     (CVE-2015-8324)

Just queued now, thank you!

Willy



* Security fixes for 2.6.32-stable
@ 2016-01-17 14:30 Ben Hutchings
  2016-01-17 17:28 ` Willy Tarreau
  0 siblings, 1 reply; 9+ messages in thread
From: Ben Hutchings @ 2016-01-17 14:30 UTC (permalink / raw)
  To: Willy Tarreau; +Cc: stable



Willy, here are some more security patches I've recently applied to
Debian's 2.6.32 branch.  These have already been released without
reported regressions.

The mapping to CVE IDs is:

  * net: add validation for the socket syscall protocol argument (CVE-2015-8543)
  * bluetooth: Validate socket address length in sco_sock_bind() (CVE-2015-8575)
  * KEYS: Fix race between read and revoke (CVE-2015-7550)

Ben.


-- 
Ben Hutchings
Theory and practice are closer in theory than in practice.
                                - John Levine, moderator of comp.compilers

[-- Attachment #1.2: security-2.6.32.mbox --]
[-- Type: application/mbox, Size: 9032 bytes --]

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 811 bytes --]


* Re: Security fixes for 2.6.32-stable
  2016-01-17 14:30 Ben Hutchings
@ 2016-01-17 17:28 ` Willy Tarreau
  0 siblings, 0 replies; 9+ messages in thread
From: Willy Tarreau @ 2016-01-17 17:28 UTC (permalink / raw)
  To: Ben Hutchings; +Cc: stable

Hi Ben,

On Sun, Jan 17, 2016 at 02:30:23PM +0000, Ben Hutchings wrote:
> Willy, here are some more security patches I've recently applied to
> Debian's 2.6.32 branch.  These have already been released without
> reported regressions.

Excellent, thank you. I plan to free some time soon for another 2.6.32
including these ones as well as your previous batch.

Best regards,
Willy



* Security fixes for 2.6.32-stable
@ 2016-02-05 17:45 Ben Hutchings
  2016-02-05 18:11 ` Willy Tarreau
  0 siblings, 1 reply; 9+ messages in thread
From: Ben Hutchings @ 2016-02-05 17:45 UTC (permalink / raw)
  To: Willy Tarreau; +Cc: stable



Willy, here are some more security patches I've recently applied to
Debian's 2.6.32 branch.  These are being released today in the final
security update for Debian 6.0 "squeeze".

The mapping to CVE IDs is:

 * usb: serial: visor: fix crash on detecting device without
   write_urbs (CVE-2015-7566)
 * [media] usbvision fix overflow of interfaces array (CVE-2015-7833)
 * [media] usbvision: fix crash on detecting device with invalid
   configuration (CVE-2015-7833)
 * sctp: Prevent soft lockup when sctp_accept() is called during a
   timeout event (CVE-2015-8767)
 * tty: Fix unsafe ldisc reference via ioctl(TIOCGETD) (CVE-2016-0723)
 * x86/mm: Add barriers and document switch_mm()-vs-flush
   synchronization (CVE-2016-2069)
 * x86/mm: Improve switch_mm() barrier comments (no CVE, just
   documenting previous fix)

Several recently reported CVEs were not fixed in squeeze, but you might
want to try backporting the fixes yourself:

CVE-2013-4312 (upstream commits: 712f4aad406b, 759c01142a5d)
CVE-2015-5307 (upstream commits: 54a20552e1ea)
CVE-2015-6526 (upstream commits: 9a5cbce421a2)
CVE-2015-8104 (upstream commits: cbdb967af3d5)

Ben.

-- 
Ben Hutchings
It is a miracle that curiosity survives formal education. - Albert Einstein

[-- Attachment #1.2: security-2.6.32.mbox --]
[-- Type: application/mbox, Size: 22119 bytes --]

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 811 bytes --]


* Re: Security fixes for 2.6.32-stable
  2016-02-05 17:45 Ben Hutchings
@ 2016-02-05 18:11 ` Willy Tarreau
  0 siblings, 0 replies; 9+ messages in thread
From: Willy Tarreau @ 2016-02-05 18:11 UTC (permalink / raw)
  To: Ben Hutchings; +Cc: stable

Hi Ben,

On Fri, Feb 05, 2016 at 05:45:24PM +0000, Ben Hutchings wrote:
> Willy, here are some more security patches I've recently applied to
> Debian's 2.6.32 branch.  These are being released today in the final
> security update for Debian 6.0 "squeeze".
> 
> The mapping to CVE IDs is:
> 
>  * usb: serial: visor: fix crash on detecting device without
>    write_urbs (CVE-2015-7566)
>  * [media] usbvision fix overflow of interfaces array (CVE-2015-7833)
>  * [media] usbvision: fix crash on detecting device with invalid
>    configuration (CVE-2015-7833)
>  * sctp: Prevent soft lockup when sctp_accept() is called during a
>    timeout event (CVE-2015-8767)
>  * tty: Fix unsafe ldisc reference via ioctl(TIOCGETD) (CVE-2016-0723)
>  * x86/mm: Add barriers and document switch_mm()-vs-flush
>    synchronization (CVE-2016-2069)
>  * x86/mm: Improve switch_mm() barrier comments (no CVE, just
>    documenting previous fix)
> 
> Several recently reported CVEs were not fixed in squeeze, but you might
> want to try backporting the fixes yourself:
> 
> CVE-2013-4312 (upstream commits: 712f4aad406b, 759c01142a5d)
> CVE-2015-5307 (upstream commits: 54a20552e1ea)
> CVE-2015-6526 (upstream commits: 9a5cbce421a2)
> CVE-2015-8104 (upstream commits: cbdb967af3d5)

Great, thank you very much for all this. I'll take a look at the commit
IDs to see if the backports are easy and if they're testable. I'd rather
not break the last version and let it rot that way :-)

Best regards,
willy

