author | 2004-06-30 20:48:19 +0000 | |
committer | 2004-06-30 20:48:19 +0000 | |
commit | 0af4b1ec57f8f27a912820d816fd67f387c4f142 (patch) | |
tree | d044f01210e6daed877ab7c71365024c38f615e9 /sys-kernel/rsbac-dev-sources | |
parent | glibc -> libc (Manifest recommit) (diff) | |
RSBAC JAIL security fix (#55698); iptables DoS security fix (#55694)
Diffstat (limited to 'sys-kernel/rsbac-dev-sources')
13 files changed, 50 insertions, 159 deletions
diff --git a/sys-kernel/rsbac-dev-sources/ChangeLog b/sys-kernel/rsbac-dev-sources/ChangeLog index 43b01c3143c1..9f1e5b8d209d 100644 --- a/sys-kernel/rsbac-dev-sources/ChangeLog +++ b/sys-kernel/rsbac-dev-sources/ChangeLog @@ -1,9 +1,26 @@ # ChangeLog for sys-kernel/rsbac-dev-sources # Copyright 2000-2004 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/sys-kernel/rsbac-dev-sources/ChangeLog,v 1.4 2004/06/29 00:08:39 kang Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-kernel/rsbac-dev-sources/ChangeLog,v 1.5 2004/06/30 20:48:19 kang Exp $ -*rsbac-dev-sources-26.7 (28 Jun 2004) - 28 Jun 2004; <kang@gentoo.org> rsbac-dev-sources-2.6.7.ebuild +*rsbac-dev-sources-2.6.7-r1 (30 Jun 2004) + + 30 Jun 2004; Guillaume Destuynder <kang@gentoo.org> + +rsbac-dev-sources-2.6.7-r1.ebuild, + +files/rsbac-dev-sources-v1.2.3-3.patch, + +files/rsbac-dev-sources-iptables-dos.patch, + -rsbac-dev-sources-2.6.7.ebuild, + -rsbac-dev-sources-2.6.5-r1.ebuild, + -files/rsbac-dev-sources.CAN-2004-0075.patch, + -files/rsbac-dev-sources.CAN-2004-0228.patch, + -files/rsbac-dev-sources.CAN-2004-0229.patch, + -files/rsbac-dev-sources.CAN-2004-0427.patch, + -files/rsbac-dev-sources.FPULockup-53804.patch: + Security fix for RSBAC JAIL (rsbac.org ; #55698) + Security fix for 2.6.x iptables dos (#55694) + +*rsbac-dev-sources-2.6.7 (28 Jun 2004) + + 28 Jun 2004; Guillaume Destuynder <kang@gentoo.org> +rsbac-dev-sources-2.6.7.ebuild Version bump. Includes hardened 2.6.7 patches and latest PaX. *rsbac-dev-sources-2.6.5-r1 (14 Jun 2004) diff --git a/sys-kernel/rsbac-dev-sources/Manifest b/sys-kernel/rsbac-dev-sources/Manifest index 5f72c0af3d2d..ac44da3dddc0 100644 --- a/sys-kernel/rsbac-dev-sources/Manifest +++ b/sys-kernel/rsbac-dev-sources/Manifest 
@@ -1,11 +1,7 @@
 MD5 fee9abc7797fef753c42454679bae9a7 metadata.xml 456
-MD5 308c2f4678bc7df06378a3bfaac5c403 rsbac-dev-sources-2.6.5-r1.ebuild 1737
-MD5 623fa779838d11ccd52bcd58cd69b917 rsbac-dev-sources-2.6.7.ebuild 1132
-MD5 1c8c4fe938bc1094372cad72e4952aa7 ChangeLog 1148
-MD5 df80f2b0e3e4b832b26e59c30042bb4a files/digest-rsbac-dev-sources-2.6.5-r1 210
-MD5 6f4bba5dda7a99d77b1564f5489fef6e files/rsbac-dev-sources.CAN-2004-0075.patch 1129
-MD5 1dd59d14a720c0c23e47e28d0b4fd6f9 files/rsbac-dev-sources.CAN-2004-0228.patch 437
-MD5 a92712e41465c49670ef7a54c2d16040 files/rsbac-dev-sources.CAN-2004-0229.patch 471
-MD5 5674421c7e2c7e50e2509bed7d96c4d4 files/rsbac-dev-sources.CAN-2004-0427.patch 332
-MD5 02c062ec3a11a6a1498cdf0b1716c90a files/rsbac-dev-sources.FPULockup-53804.patch 895
+MD5 0bbf391f5c53a209b04dfd942e2c60ea ChangeLog 1807
+MD5 fd960b32202a81e44cc3e9281a1071fe rsbac-dev-sources-2.6.7-r1.ebuild 1315
 MD5 ff6ffe7543ce01c98eb4ca1c8d9ca1c3 files/digest-rsbac-dev-sources-2.6.7 205
+MD5 a869ab037c7e264df5f8e899864f08e9 files/rsbac-dev-sources-v1.2.3-3.patch 557
+MD5 6451bd210935a3978fd3a3edac673591 files/rsbac-dev-sources-iptables-dos.patch 389
+MD5 ff6ffe7543ce01c98eb4ca1c8d9ca1c3 files/digest-rsbac-dev-sources-2.6.7-r1 205
diff --git a/sys-kernel/rsbac-dev-sources/files/digest-rsbac-dev-sources-2.6.5-r1 b/sys-kernel/rsbac-dev-sources/files/digest-rsbac-dev-sources-2.6.5-r1
deleted file mode 100644
index 60e446567061..000000000000
--- a/sys-kernel/rsbac-dev-sources/files/digest-rsbac-dev-sources-2.6.5-r1
+++ /dev/null
@@ -1,3 +0,0 @@
-MD5 9a76bf64c1151369b250f967d83077aa linux-2.6.5.tar.bz2 34684611
-MD5 0cceda57d9cae4794fe1b99e2153d2c5 rsbac-v1.2.3-pre5.tar.bz2 482975
-MD5 53c8bd1e1b5847527eb731eaba6b00a7 rsbac-patches-2.6-5.3.tar.bz2 104985
diff --git a/sys-kernel/rsbac-dev-sources/files/digest-rsbac-dev-sources-2.6.7 b/sys-kernel/rsbac-dev-sources/files/digest-rsbac-dev-sources-2.6.7-r1
index 89b064e672f0..89b064e672f0 100644
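Review bot: The context line `MD5 ff6ffe7543ce01c98eb4ca1c8d9ca1c3 files/digest-rsbac-dev-sources-2.6.7 205` survives while the file header that follows shows that digest being carried over as files/digest-rsbac-dev-sources-2.6.7-r1, so if the 2.6.7 digest is no longer in the tree (as the rename suggests) this Manifest now lists a file that does not exist, which is a sign it was edited by hand rather than regenerated. Regenerate it after removing the old ebuild, e.g. with `ebuild rsbac-dev-sources-2.6.7-r1.ebuild digest` or `repoman manifest`, so the entry set matches the directory; a Manifest out of step with the tree is precisely what the digest check exists to catch. Every entry here is MD5-plus-size only; that is the Manifest format of the day rather than a defect of this commit, but it means the integrity of the two new FILESDIR security patches rests on MD5 alone.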
--- a/sys-kernel/rsbac-dev-sources/files/digest-rsbac-dev-sources-2.6.7
+++ b/sys-kernel/rsbac-dev-sources/files/digest-rsbac-dev-sources-2.6.7-r1
diff --git a/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources-iptables-dos.patch b/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources-iptables-dos.patch
new file mode 100644
index 000000000000..9eb1c3cd1667
--- /dev/null
+++ b/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources-iptables-dos.patch
@@ -0,0 +1,11 @@
+--- net/ipv4/netfilter/ip_tables.c.ski 2004-06-30 22:33:38.890839488 +0200
++++ net/ipv4/netfilter/ip_tables.c 2004-06-30 22:34:27.547442560 +0200
+@@ -1458,7 +1458,7 @@
+ int *hotdrop)
+ {
+ /* tcp.doff is only 4 bits, ie. max 15 * 4 bytes */
+- char opt[60 - sizeof(struct tcphdr)];
++ u_int8_t opt[60 - sizeof(struct tcphdr)];
+ unsigned int i;
+
+ duprintf("tcp_match: finding option\n");
diff --git a/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources-v1.2.3-3.patch b/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources-v1.2.3-3.patch
new file mode 100644
index 000000000000..90484797584c
--- /dev/null
+++ b/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources-v1.2.3-3.patch
@@ -0,0 +1,10 @@
+--- linux-2.4.26-rsbac-v1.2.3/rsbac/adf/jail/jail_main.c.sik 2004-06-08 11:37:30.000000000 +0200
++++ linux-2.4.26-rsbac-v1.2.3/rsbac/adf/jail/jail_main.c 2004-06-30 09:27:42.000000000 +0200
+@@ -396,6 +396,7 @@
+ if( (attr == A_create_data)
+ && ( S_ISCHR(attr_val.create_data.mode)
+ || S_ISBLK(attr_val.create_data.mode)
++ || (attr_val.create_data.mode & (S_ISUID | S_ISGID))
+ )
+ )
+ return NOT_GRANTED;
diff --git a/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources.CAN-2004-0075.patch b/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources.CAN-2004-0075.patch
deleted file mode 100644
index e131c957cb0a..000000000000
--- a/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources.CAN-2004-0075.patch
+++ /dev/null
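Review bot: The change to `u_int8_t opt[60 - sizeof(struct tcphdr)];` is the entire fix, but the loop it protects — the one that, as far as I recall the issue, walks the copied options treating `opt[i+1]` as a stride and comparing `opt[i]` to the `u_int8_t` option being searched for — lies beyond the three lines of trailing context, so nothing in this hunk shows that the loop in the patched tree is the one the unsigned buffer is meant to fix; tcp_find_option starts and ends outside the hunk. With a signed `char`, an option-length byte of 0x80 or above presumably became a negative stride, which is how a crafted packet could keep the kernel in that loop, so making the buffer unsigned is the correct minimal fix, yet the patch file carries no description of what it fixes or where it came from. patch(1) ignores text ahead of the first `---` header, so prefix the file with a provenance line such as `iptables tcp_find_option DoS, backport of the upstream fix (Gentoo bug #55694; CAN-2004-0626 if that is the id the bug tracks)` so the next version bump can tell whether the vanilla tree already contains it. Because this patch is listed ahead of the rsbac-patches tarball in UNIPATCH_LIST, also confirm that none of those later patches touch the same region of net/ipv4/netfilter/ip_tables.c, since strict ordering only governs sequence, not overlap.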
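Review bot: The added `|| (attr_val.create_data.mode & (S_ISUID | S_ISGID))` refuses setuid/setgid bits only on the `A_create_data` path, so a jailed process that is still allowed to change the mode of a file it owns would get the same bits back through chmod unless the attribute-change request is refused elsewhere in jail_main.c, which this hunk does not show; the enclosing function starts and ends outside the hunk, so check the mode-change branch for a matching S_ISUID/S_ISGID test before treating the escape as closed. The mask also catches setgid directories, which only affect group inheritance, so if that breaks jailed installs the narrower form is `|| (!S_ISDIR(attr_val.create_data.mode) && (attr_val.create_data.mode & (S_ISUID | S_ISGID)))`. The patch file has no header explaining the decision; add a line above the `---` such as `JAIL: deny creation of setuid/setgid files inside a jail (rsbac.org 1.2.3 bugfix 3 per the file name; Gentoo bug #55698)` so the next RSBAC bump knows when to drop it. The file paths carry a `linux-2.4.26-rsbac-v1.2.3/` prefix although this ebuild builds 2.6.7, which is presumably harmless only because unipatch probes strip levels until the hunk applies — worth confirming rather than assuming.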
@@ -1,39 +0,0 @@ ---- linux-2.6.6-rc1/drivers/usb/media/vicam.c 2004-04-15 11:18:18.000000000 +0200 -+++ linux-2.6.6-rc1-mich/drivers/usb/media/vicam.c 2004-04-15 11:50:02.791604312 +0200 -@@ -612,15 +612,20 @@ vicam_ioctl(struct inode *inode, struct - - case VIDIOCSPICT: - { -- struct video_picture *vp = (struct video_picture *) arg; -- -- DBG("VIDIOCSPICT depth = %d, pal = %d\n", vp->depth, -- vp->palette); -+ struct video_picture vp; -+ -+ if (copy_from_user(&vp, arg, sizeof(vp))) { -+ retval = -EFAULT; -+ break; -+ } -+ -+ DBG("VIDIOCSPICT depth = %d, pal = %d\n", vp.depth, -+ vp.palette); - -- cam->gain = vp->brightness >> 8; -+ cam->gain = vp.brightness >> 8; - -- if (vp->depth != 24 -- || vp->palette != VIDEO_PALETTE_RGB24) -+ if (vp.depth != 24 -+ || vp.palette != VIDEO_PALETTE_RGB24) - retval = -EINVAL; - - break; -@@ -659,7 +659,7 @@ - { - - struct video_window *vw = (struct video_window *) arg; -- DBG("VIDIOCSWIN %d x %d\n", vw->width, vw->height); -+ DBG("VIDIOCSWIN %d x %d\n", vw.width, vw.height); - - if ( vw->width != 320 || vw->height != 240 ) - retval = -EFAULT; diff --git a/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources.CAN-2004-0228.patch b/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources.CAN-2004-0228.patch deleted file mode 100644 index 746ade9ab1c0..000000000000 --- a/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources.CAN-2004-0228.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- linux-2.6.3/drivers/cpufreq/cpufreq_userspace.c.overflow 2004-02-18 04:57:16.000000000 +0100 -+++ linux-2.6.3/drivers/cpufreq/cpufreq_userspace.c 2004-05-14 11:40:37.000000000 +0200 -@@ -168,7 +168,7 @@ cpufreq_procctl(ctl_table *ctl, int writ - { - char buf[16], *p; - int cpu = (int) ctl->extra1; -- int len, left = *lenp; -+ unsigned int len, left = *lenp; - - if (!left || (filp->f_pos && !write) || !cpu_online(cpu)) { - *lenp = 0; 
diff --git a/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources.CAN-2004-0229.patch b/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources.CAN-2004-0229.patch deleted file mode 100644 index 2b6dfff88e25..000000000000 --- a/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources.CAN-2004-0229.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- linux-2.6.3/drivers/video/fbmem.c.zy67 2004-04-23 07:32:22.000000000 -0400 -+++ linux-2.6.3/drivers/video/fbmem.c 2004-04-23 07:33:09.000000000 -0400 -@@ -1042,7 +1042,7 @@ - case FBIOGETCMAP: - if (copy_from_user(&cmap, (void *) arg, sizeof(cmap))) - return -EFAULT; -- return (fb_copy_cmap(&info->cmap, &cmap, 0)); -+ return (fb_copy_cmap(&info->cmap, &cmap, 2)); - case FBIOPAN_DISPLAY: - if (copy_from_user(&var, (void *) arg, sizeof(var))) - return -EFAULT; diff --git a/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources.CAN-2004-0427.patch b/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources.CAN-2004-0427.patch deleted file mode 100644 index adadefd53db2..000000000000 --- a/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources.CAN-2004-0427.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- linux-2.6.3/kernel/fork.c.zy64 2004-04-21 12:26:51.000000000 -0400 -+++ linux-2.6.3/kernel/fork.c 2004-04-21 12:29:34.000000000 -0400 -@@ -1073,6 +1073,8 @@ - exit_namespace(p); - bad_fork_cleanup_mm: - exit_mm(p); -+ if (p->active_mm) -+ mmdrop(p->active_mm); - bad_fork_cleanup_signal: - exit_signal(p); - bad_fork_cleanup_sighand: diff --git a/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources.FPULockup-53804.patch b/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources.FPULockup-53804.patch deleted file mode 100644 index a813f48ec23b..000000000000 --- a/sys-kernel/rsbac-dev-sources/files/rsbac-dev-sources.FPULockup-53804.patch +++ /dev/null 
@@ -1,24 +0,0 @@ -diff -Nru a/include/asm-i386/i387.h b/include/asm-i386/i387.h ---- a/include/asm-i386/i387.h 2004-05-06 12:26:10 -07:00 -+++ b/include/asm-i386/i387.h 2004-06-12 19:12:23 -07:00 -@@ -51,7 +51,7 @@ - #define __clear_fpu( tsk ) \ - do { \ - if ((tsk)->thread_info->status & TS_USEDFPU) { \ -- asm volatile("fwait"); \ -+ asm volatile("fnclex ; fwait"); \ - (tsk)->thread_info->status &= ~TS_USEDFPU; \ - stts(); \ - } \ -diff -Nru a/include/asm-x86_64/i387.h b/include/asm-x86_64/i387.h ---- a/include/asm-x86_64/i387.h 2004-06-13 20:43:56.742530792 +0100 -+++ a/include/asm-x86_64/i387.h 2004-06-13 20:42:59.200278544 +0100 -@@ -46,7 +46,7 @@ - - #define clear_fpu(tsk) do { \ - if ((tsk)->thread_info->status & TS_USEDFPU) { \ -- asm volatile("fwait"); \ -+ asm volatile("fnclex; fwait"); \ - (tsk)->thread_info->status &= ~TS_USEDFPU; \ - stts(); \ - } \ diff --git a/sys-kernel/rsbac-dev-sources/rsbac-dev-sources-2.6.5-r1.ebuild b/sys-kernel/rsbac-dev-sources/rsbac-dev-sources-2.6.5-r1.ebuild deleted file mode 100644 index 0846bb2f7115..000000000000 --- a/sys-kernel/rsbac-dev-sources/rsbac-dev-sources-2.6.5-r1.ebuild +++ /dev/null 
@@ -1,46 +0,0 @@ -# Copyright 1999-2004 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/sys-kernel/rsbac-dev-sources/rsbac-dev-sources-2.6.5-r1.ebuild,v 1.2 2004/06/24 23:01:08 agriffis Exp $ - -IUSE="" -ETYPE="sources" -inherit kernel-2 -detect_version - -# rsbac -RSBACV=1.2.3 -REL="-pre5" -RSBAC_SRC="mirror://rsbac-v${RSBACV}${REL}.tar.bz2 http://zeus.polsl.gliwice.pl/~albeiro/rsbac/v$RSBACV/rsbac-v${RSBACV}${REL}.tar.bz2" - -# rsbac kernel patches -RGPV=5.3 -RGPV_SRC="mirror://rsbac-patches-${KV_MAJOR}.${KV_MINOR}-${RGPV}.tar.bz2 http://zeus.polsl.gliwice.pl/~albeiro/rsbac/v${RSBACV}/rsbac-patches-${KV_MAJOR}.${KV_MINOR}-${RGPV}.tar.bz2" - -UNIPATCH_STRICTORDER="yes" -# exclude 12xx grsec and 13xx selinux patches -UNIPATCH_EXCLUDE="12 13" -UNIPATCH_LIST="${DISTDIR}/rsbac-patches-${KV_MAJOR}.${KV_MINOR}-${RGPV}.tar.bz2 - ${FILESDIR}/${PN}.CAN-2004-0075.patch - ${FILESDIR}/${PN}.CAN-2004-0228.patch - ${FILESDIR}/${PN}.CAN-2004-0229.patch - ${FILESDIR}/${PN}.CAN-2004-0427.patch - ${FILESDIR}/${PN}.FPULockup-53804.patch" -UNIPATCH_DOCS="${WORKDIR}/patches/rsbac-patches-${KV_MAJOR}.${KV_MINOR}-${RGPV}/0000_README" - -HOMEPAGE="http://www.gentoo.org/proj/en/hardened/rsbac" -DESCRIPTION="RSBAC hardened sources for the ${KV_MAJOR}.${KV_MINOR} kernel tree" - -SRC_URI="${KERNEL_URI} ${RSBAC_SRC} ${RGPV_SRC} ${GPV_SRC}" -KEYWORDS="~x86" - -src_unpack() { - universal_unpack - (cd ${WORKDIR}/linux-${KV}; unpack rsbac-v${RSBACV}${REL}.tar.bz2) - [ -n "${UNIPATCH_LIST}" -o -n "${UNIPATCH_LIST_DEFAULT}" ] && unipatch "${UNIPATCH_LIST_DEFAULT} ${UNIPATCH_LIST}" - [ -z "${K_NOSETEXTRAVERSION}" ] && unpack_set_extraversion - [ $(kernel_is_2_4) $? == 0 ] && unpack_2_4 -} - -pkg_postinst() { - postinst_sources -} diff --git a/sys-kernel/rsbac-dev-sources/rsbac-dev-sources-2.6.7.ebuild b/sys-kernel/rsbac-dev-sources/rsbac-dev-sources-2.6.7-r1.ebuild index 80c0d339c85d..f9d3a8ba3071 100644 
--- a/sys-kernel/rsbac-dev-sources/rsbac-dev-sources-2.6.7.ebuild
+++ b/sys-kernel/rsbac-dev-sources/rsbac-dev-sources-2.6.7-r1.ebuild
@@ -1,6 +1,6 @@
 # Copyright 1999-2004 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-kernel/rsbac-dev-sources/rsbac-dev-sources-2.6.7.ebuild,v 1.1 2004/06/29 00:08:39 kang Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-kernel/rsbac-dev-sources/rsbac-dev-sources-2.6.7-r1.ebuild,v 1.1 2004/06/30 20:48:19 kang Exp $
 
 IUSE=""
 ETYPE="sources"
@@ -16,7 +16,9 @@ RGPV=7.1
 RGPV_SRC="mirror://rsbac-patches-${KV_MAJOR}.${KV_MINOR}-${RGPV}.tar.bz2"
 
 UNIPATCH_STRICTORDER="yes"
-UNIPATCH_LIST="${DISTDIR}/rsbac-patches-${KV_MAJOR}.${KV_MINOR}-${RGPV}.tar.bz2"
+UNIPATCH_LIST="${FILESDIR}/${PN}-iptables-dos.patch
+ ${DISTDIR}/rsbac-patches-${KV_MAJOR}.${KV_MINOR}-${RGPV}.tar.bz2
+ ${FILESDIR}/${PN}-v1.2.3-3.patch"
 UNIPATCH_DOCS="${WORKDIR}/patches/rsbac-patches-${KV_MAJOR}.${KV_MINOR}-${RGPV}/0000_README"
 
 HOMEPAGE="http://hardened.gentoo.org/rsbac/"
|
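Review bot: The third entry, `${FILESDIR}/${PN}-v1.2.3-3.patch`, modifies rsbac/adf/jail/jail_main.c, a file that comes from the RSBAC source tarball rather than from the kernel tarball or (presumably) rsbac-patches, so this ordering only works if src_unpack — outside the hunk; the removed 2.6.5-r1 ebuild below unpacked RSBAC_SRC into the kernel tree before calling unipatch — has already put the RSBAC tree in place when unipatch runs, so confirm the 2.6.7 src_unpack still does that, otherwise unipatch will presumably die on the missing file and the JAIL fix never lands. Nothing in the ebuild says what the two local patches are for; mirror the ChangeLog with comments above the list, e.g. `# ${PN}-iptables-dos.patch: tcp_find_option DoS in ip_tables.c (bug #55694)` and `# ${PN}-v1.2.3-3.patch: RSBAC JAIL setuid/setgid creation fix (bug #55698)`, so the next bump knows which one upstream has absorbed. With UNIPATCH_STRICTORDER="yes" the iptables patch deliberately precedes the rsbac-patches tarball, which is the right spot for a vanilla-tree fix; keep kernel security patches ahead of that tarball if more are added.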