authorRobert Buchholz <rbu@gentoo.org>2007-08-25 17:08:05 +0000
committerRobert Buchholz <rbu@gentoo.org>2007-08-25 17:08:05 +0000
commit4197d53ba15d083670a68cf7640f131df161de81 (patch)
tree9466b3cb0ca35178b71d96fb498a05223bd4516b /trunk
parentRedo xen-sources to use the new xen-patches tarballs (diff)
Security patches from Debian's 2.6.18.dfsg.1-13etch1
svn path=/patches/; revision=28
Diffstat (limited to 'trunk')
-rw-r--r--trunk/2.6.18/00000_README56
-rw-r--r--trunk/2.6.18/30012_ipv6-disallow-RH0-by-default.patch166
-rw-r--r--trunk/2.6.18/30013_listxattr-mem-corruption.patch441
-rw-r--r--trunk/2.6.18/30013_reset-pdeathsig-on-suid.patch22
-rw-r--r--trunk/2.6.18/30014_bluetooth-l2cap-hci-info-leaks.patch63
-rw-r--r--trunk/2.6.18/30015_usblcd-limit-memory-consumption.patch89
-rw-r--r--trunk/2.6.18/30016_pppoe-socket-release-mem-leak.patch42
-rw-r--r--trunk/2.6.18/30017_nf_conntrack_h323-bounds-checking.patch42
-rw-r--r--trunk/2.6.18/30018_dn_fib-out-of-bounds.patch37
-rw-r--r--trunk/2.6.18/30019_random-fix-seeding-with-zero-entropy.patch97
-rw-r--r--trunk/2.6.18/30020_random-fix-error-in-entropy-extraction.patch51
-rw-r--r--trunk/2.6.18/30021_nf_conntrack_sctp-null-deref.patch49
-rw-r--r--trunk/2.6.18/30022_i965-secure-batchbuffer.patch67
13 files changed, 1222 insertions, 0 deletions
diff --git a/trunk/2.6.18/00000_README b/trunk/2.6.18/00000_README
index 1446e44..da42198 100644
--- a/trunk/2.6.18/00000_README
+++ b/trunk/2.6.18/00000_README
@@ -75,6 +75,61 @@ Patches
to a local DoS (oops).
See CVE-2007-1388
+30012_ipv6-disallow-RH0-by-default.patch
+ [SECURITY] Avoid a remote DoS (network amplification between two routers)
+ by disabling type0 IPv6 route headers by default. Can be re-enabled via
+ a sysctl interface. Thanks to Vlad Yasevich for porting help.
+
+30013_listxattr-mem-corruption.patch
+ [SECURITY] Fix userspace corruption vulnerability caused by
+ incorrectly promoted return values in bad_inode_ops
+ This patch changes the kernel ABI.
+ See CVE-2006-5753
+
+30013_reset-pdeathsig-on-suid.patch
+ [SECURITY] Fix potential privilege escalation caused by improper
+ clearing of the child process' pdeath signal.
+ Thanks to Marcel Holtmann for the patch.
+ See CVE-2007-3848
+
+30014_bluetooth-l2cap-hci-info-leaks.patch
+ [SECURITY] Fix information leaks in setsockopt() implementations
+ See CVE-2007-1353
+
+30015_usblcd-limit-memory-consumption.patch
+ [SECURITY] limit memory consumption during write in the usblcd driver
+ See CVE-2007-3513
+
+30016_pppoe-socket-release-mem-leak.patch
+ [SECURITY] fix unpriveleged memory leak when a PPPoE socket is released
+ after connect but before PPPIOCGCHAN ioctl is called upon it
+ See CVE-2007-2525
+
+30017_nf_conntrack_h323-bounds-checking.patch
+ [SECURITY] nf_conntrack_h323: add checking of out-of-range on choices'
+ index values
+ See CVE-2007-3642
+
+30018_dn_fib-out-of-bounds.patch
+ [SECURITY] Fix out of bounds condition in dn_fib_props[]
+ See CVE-2007-2172
+
+30019_random-fix-seeding-with-zero-entropy.patch,
+30020_random-fix-error-in-entropy-extraction.patch
+ [SECURITY] Avoid seeding with the same values at boot time when a
+ system has no entropy source and fix a casting error in entropy
+ extraction that resulted in slightly less random numbers.
+ See CVE-2007-2453
+
+30021_nf_conntrack_sctp-null-deref.patch
+ [SECURITY] Fix remotely triggerable NULL pointer dereference
+ by sending an unknown chunk type.
+ See CVE-2007-2876
+
+30022_i965-secure-batchbuffer.patch
+ [SECURITY] Fix i965 secured batchbuffer usage
+ See CVE-2007-3851
+
50001_make-install.patch
Handle make install in a semi-sane way that plays nice with
split domU/dom0 kernels.
@@ -82,3 +137,4 @@ Patches
50002_always-enable-xen-genapic.patch
Compile fix for non-SMP (UP) kernels. Since UP support is broken in
upstream Xen I'm not sure if I trust it or not. :-P
+
diff --git a/trunk/2.6.18/30012_ipv6-disallow-RH0-by-default.patch b/trunk/2.6.18/30012_ipv6-disallow-RH0-by-default.patch
new file mode 100644
index 0000000..9d59779
--- /dev/null
+++ b/trunk/2.6.18/30012_ipv6-disallow-RH0-by-default.patch
@@ -0,0 +1,166 @@
+From: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
+Date: Thu, 26 Apr 2007 04:56:57 +0000 (-0700)
+Subject: [PATCH] IPV6: Disallow RH0 by default.
+X-Git-Tag: v2.6.20.9~1
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6.20.y.git;a=commitdiff_plain;h=010831ab8436dfd9304b203467566fb6b135c24f
+
+[PATCH] IPV6: Disallow RH0 by default.
+
+[IPV6]: Disallow RH0 by default.
+
+A security issue is emerging. Disallow Routing Header Type 0 by default
+as we have been doing for IPv4.
+Note: We allow RH2 by default because it is harmless.
+
+Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+
+Backported to Debian's 2.6.18 by dann frazier and Vlad Yasevich
+
+diff -urpN linux-source-2.6.18.orig/Documentation/networking/ip-sysctl.txt linux-source-2.6.18/Documentation/networking/ip-sysctl.txt
+--- linux-source-2.6.18.orig/Documentation/networking/ip-sysctl.txt 2007-05-11 15:09:21.000000000 -0600
++++ linux-source-2.6.18/Documentation/networking/ip-sysctl.txt 2007-05-11 15:10:03.000000000 -0600
+@@ -775,6 +775,14 @@ accept_redirects - BOOLEAN
+ Functional default: enabled if local forwarding is disabled.
+ disabled if local forwarding is enabled.
+
++accept_source_route - INTEGER
++ Accept source routing (routing extension header).
++
++ > 0: Accept routing header.
++ = 0: Do not accept routing header.
++
++ Default: 0
++
+ autoconf - BOOLEAN
+ Autoconfigure addresses using Prefix Information in Router
+ Advertisements.
+diff -urpN linux-source-2.6.18.orig/include/linux/ipv6.h linux-source-2.6.18/include/linux/ipv6.h
+--- linux-source-2.6.18.orig/include/linux/ipv6.h 2007-05-11 15:09:21.000000000 -0600
++++ linux-source-2.6.18/include/linux/ipv6.h 2007-05-11 15:10:03.000000000 -0600
+@@ -153,6 +153,7 @@ struct ipv6_devconf {
+ __s32 accept_ra_rt_info_max_plen;
+ #endif
+ #endif
++ __s32 accept_source_route;
+ void *sysctl;
+ };
+
+@@ -180,6 +181,7 @@ enum {
+ DEVCONF_ACCEPT_RA_RTR_PREF,
+ DEVCONF_RTR_PROBE_INTERVAL,
+ DEVCONF_ACCEPT_RA_RT_INFO_MAX_PLEN,
++ DEVCONF_ACCEPT_SOURCE_ROUTE,
+ DEVCONF_MAX
+ };
+
+diff -urpN linux-source-2.6.18.orig/include/linux/sysctl.h linux-source-2.6.18/include/linux/sysctl.h
+--- linux-source-2.6.18.orig/include/linux/sysctl.h 2007-05-11 15:09:21.000000000 -0600
++++ linux-source-2.6.18/include/linux/sysctl.h 2007-05-11 15:10:03.000000000 -0600
+@@ -553,6 +553,7 @@ enum {
+ NET_IPV6_ACCEPT_RA_RTR_PREF=20,
+ NET_IPV6_RTR_PROBE_INTERVAL=21,
+ NET_IPV6_ACCEPT_RA_RT_INFO_MAX_PLEN=22,
++ NET_IPV6_ACCEPT_SOURCE_ROUTE=23,
+ __NET_IPV6_MAX
+ };
+
+diff -urpN linux-source-2.6.18.orig/net/ipv6/addrconf.c linux-source-2.6.18/net/ipv6/addrconf.c
+--- linux-source-2.6.18.orig/net/ipv6/addrconf.c 2007-05-11 15:09:21.000000000 -0600
++++ linux-source-2.6.18/net/ipv6/addrconf.c 2007-05-11 15:10:07.000000000 -0600
+@@ -173,6 +173,7 @@ struct ipv6_devconf ipv6_devconf = {
+ .accept_ra_rt_info_max_plen = 0,
+ #endif
+ #endif
++ .accept_source_route = 0, /* we do not accept RH0 by default. */
+ };
+
+ static struct ipv6_devconf ipv6_devconf_dflt = {
+@@ -203,6 +204,7 @@ static struct ipv6_devconf ipv6_devconf_
+ .accept_ra_rt_info_max_plen = 0,
+ #endif
+ #endif
++ .accept_source_route = 0, /* we do not accept RH0 by default. */
+ };
+
+ /* IPv6 Wildcard Address and Loopback Address defined by RFC2553 */
+@@ -3333,6 +3335,7 @@ static void inline ipv6_store_devconf(st
+ array[DEVCONF_ACCEPT_RA_RT_INFO_MAX_PLEN] = cnf->accept_ra_rt_info_max_plen;
+ #endif
+ #endif
++ array[DEVCONF_ACCEPT_SOURCE_ROUTE] = cnf->accept_source_route;
+ }
+
+ /* Maximum length of ifinfomsg attributes */
+@@ -3847,6 +3850,14 @@ static struct addrconf_sysctl_table
+ #endif
+ #endif
+ {
++ .ctl_name = NET_IPV6_ACCEPT_SOURCE_ROUTE,
++ .procname = "accept_source_route",
++ .data = &ipv6_devconf.accept_source_route,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = &proc_dointvec,
++ },
++ {
+ .ctl_name = 0, /* sentinel */
+ }
+ },
+diff -urpN linux-source-2.6.18.orig/net/ipv6/exthdrs.c linux-source-2.6.18/net/ipv6/exthdrs.c
+--- linux-source-2.6.18.orig/net/ipv6/exthdrs.c 2007-05-11 15:09:21.000000000 -0600
++++ linux-source-2.6.18/net/ipv6/exthdrs.c 2007-05-11 15:10:03.000000000 -0600
+@@ -221,10 +221,24 @@ static int ipv6_rthdr_rcv(struct sk_buff
+ struct inet6_skb_parm *opt = IP6CB(skb);
+ struct in6_addr *addr;
+ struct in6_addr daddr;
++ struct inet6_dev *idev;
+ int n, i;
+-
+ struct ipv6_rt_hdr *hdr;
+ struct rt0_hdr *rthdr;
++ int accept_source_route = ipv6_devconf.accept_source_route;
++
++ if (accept_source_route == 0 ||
++ ((idev = in6_dev_get(skb->dev)) == NULL)) {
++ kfree_skb(skb);
++ return -1;
++ }
++ if (idev->cnf.accept_source_route == 0) {
++ in6_dev_put(idev);
++ kfree_skb(skb);
++ return -1;
++ }
++
++ in6_dev_put(idev);
+
+ if (!pskb_may_pull(skb, (skb->h.raw-skb->data)+8) ||
+ !pskb_may_pull(skb, (skb->h.raw-skb->data)+((skb->h.raw[1]+1)<<3))) {
+@@ -235,6 +249,12 @@ static int ipv6_rthdr_rcv(struct sk_buff
+
+ hdr = (struct ipv6_rt_hdr *) skb->h.raw;
+
++ if (hdr->type != IPV6_SRCRT_TYPE_0) {
++ IP6_INC_STATS_BH(IPSTATS_MIB_INHDRERRORS);
++ icmpv6_param_prob(skb, ICMPV6_HDR_FIELD, (&hdr->type) - skb->nh.raw);
++ return -1;
++ }
++
+ if (ipv6_addr_is_multicast(&skb->nh.ipv6h->daddr) ||
+ skb->pkt_type != PACKET_HOST) {
+ IP6_INC_STATS_BH(IPSTATS_MIB_INADDRERRORS);
+@@ -253,12 +273,6 @@ looped_back:
+ return 1;
+ }
+
+- if (hdr->type != IPV6_SRCRT_TYPE_0) {
+- IP6_INC_STATS_BH(IPSTATS_MIB_INHDRERRORS);
+- icmpv6_param_prob(skb, ICMPV6_HDR_FIELD, (&hdr->type) - skb->nh.raw);
+- return -1;
+- }
+-
+ if (hdr->hdrlen & 0x01) {
+ IP6_INC_STATS_BH(IPSTATS_MIB_INHDRERRORS);
+ icmpv6_param_prob(skb, ICMPV6_HDR_FIELD, (&hdr->hdrlen) - skb->nh.raw);
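Review bot: The sysctl text added to ip-sysctl.txt promises `> 0: Accept routing header` and `= 0: Do not accept routing header`, but the new guard at the top of ipv6_rthdr_rcv tests `accept_source_route == 0` and then `idev->cnf.accept_source_route == 0`, so a negative value written through the new proc_dointvec entry accepts RH0 again; testing `<= 0` in both places would match the documented contract. The two drop paths also do a bare `kfree_skb(skb); return -1;` with no counter update, which gives an operator no way to see that RH0 packets are being discarded; an `IP6_INC_STATS_BH(IPSTATS_MIB_INHDRERRORS);` before the free, as the other error exits in this function already do, would make the drops observable. The inner hunks show only the top of ipv6_rthdr_rcv; the function continues outside them.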
diff --git a/trunk/2.6.18/30013_listxattr-mem-corruption.patch b/trunk/2.6.18/30013_listxattr-mem-corruption.patch
new file mode 100644
index 0000000..10f37da
--- /dev/null
+++ b/trunk/2.6.18/30013_listxattr-mem-corruption.patch
@@ -0,0 +1,441 @@
+From: Eric Sandeen <sandeen@redhat.com>
+Date: Sat, 6 Jan 2007 00:36:36 +0000 (-0800)
+Subject: [PATCH] fix memory corruption from misinterpreted bad_inode_ops return values
+X-Git-Tag: v2.6.20-rc4~60
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=be6aab0e9fa6d3c6d75aa1e38ac972d8b4ee82b8;hp=2723f9603a8f8bb2cd8c7b581f7c94b8d75e3837
+
+[PATCH] fix memory corruption from misinterpreted bad_inode_ops return values
+
+CVE-2006-5753 is for a case where an inode can be marked bad, switching
+the ops to bad_inode_ops, which are all connected as:
+
+static int return_EIO(void)
+{
+ return -EIO;
+}
+
+#define EIO_ERROR ((void *) (return_EIO))
+
+static struct inode_operations bad_inode_ops =
+{
+ .create = bad_inode_create
+...etc...
+
+The problem here is that the void cast causes return types to not be
+promoted, and for ops such as listxattr which expect more than 32 bits of
+return value, the 32-bit -EIO is interpreted as a large positive 64-bit
+number, i.e. 0x00000000fffffffa instead of 0xfffffffa.
+
+This goes particularly badly when the return value is taken as a number of
+bytes to copy into, say, a user's buffer for example...
+
+I originally had coded up the fix by creating a return_EIO_<TYPE> macro
+for each return type, like this:
+
+static int return_EIO_int(void)
+{
+ return -EIO;
+}
+#define EIO_ERROR_INT ((void *) (return_EIO_int))
+
+static struct inode_operations bad_inode_ops =
+{
+ .create = EIO_ERROR_INT,
+...etc...
+
+but Al felt that it was probably better to create an EIO-returner for each
+actual op signature. Since so few ops share a signature, I just went ahead
+& created an EIO function for each individual file & inode op that returns
+a value.
+
+Signed-off-by: Eric Sandeen <sandeen@redhat.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Andrew Morton <akpm@osdl.org>
+Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+---
+
+Backported to Debian's 2.6.18 by dann frazier <dannf@debian.org>
+
+--- linux-source-2.6.18/fs/bad_inode.c.orig 2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/fs/bad_inode.c 2007-03-19 20:56:08.000000000 -0600
+@@ -14,61 +14,321 @@
+ #include <linux/time.h>
+ #include <linux/smp_lock.h>
+ #include <linux/namei.h>
++#include <linux/poll.h>
+
+-static int return_EIO(void)
++
++static loff_t bad_file_llseek(struct file *file, loff_t offset, int origin)
++{
++ return -EIO;
++}
++
++static ssize_t bad_file_read(struct file *filp, char __user *buf,
++ size_t size, loff_t *ppos)
++{
++ return -EIO;
++}
++
++static ssize_t bad_file_write(struct file *filp, const char __user *buf,
++ size_t siz, loff_t *ppos)
++{
++ return -EIO;
++}
++
++static ssize_t bad_file_aio_read(struct kiocb *iocb, char __user *buf,
++ size_t siz, loff_t pos)
++{
++ return -EIO;
++}
++
++static ssize_t bad_file_aio_write(struct kiocb *iocb, const char __user *buf,
++ size_t siz, loff_t pos)
++{
++ return -EIO;
++}
++
++static int bad_file_readdir(struct file *filp, void *dirent, filldir_t filldir)
++{
++ return -EIO;
++}
++
++static unsigned int bad_file_poll(struct file *filp, poll_table *wait)
++{
++ return POLLERR;
++}
++
++static int bad_file_ioctl (struct inode *inode, struct file *filp,
++ unsigned int cmd, unsigned long arg)
++{
++ return -EIO;
++}
++
++static long bad_file_unlocked_ioctl(struct file *file, unsigned cmd,
++ unsigned long arg)
++{
++ return -EIO;
++}
++
++static long bad_file_compat_ioctl(struct file *file, unsigned int cmd,
++ unsigned long arg)
++{
++ return -EIO;
++}
++
++static int bad_file_mmap(struct file *file, struct vm_area_struct *vma)
++{
++ return -EIO;
++}
++
++static int bad_file_open(struct inode *inode, struct file *filp)
++{
++ return -EIO;
++}
++
++static int bad_file_flush(struct file *file, fl_owner_t id)
++{
++ return -EIO;
++}
++
++static int bad_file_release(struct inode *inode, struct file *filp)
++{
++ return -EIO;
++}
++
++static int bad_file_fsync(struct file *file, struct dentry *dentry,
++ int datasync)
++{
++ return -EIO;
++}
++
++static int bad_file_aio_fsync(struct kiocb *iocb, int datasync)
++{
++ return -EIO;
++}
++
++static int bad_file_fasync(int fd, struct file *filp, int on)
++{
++ return -EIO;
++}
++
++static int bad_file_lock(struct file *file, int cmd, struct file_lock *fl)
++{
++ return -EIO;
++}
++
++static ssize_t bad_file_readv(struct file *filp, const struct iovec *iov,
++ unsigned long nr_segs, loff_t *ppos)
++{
++ return -EIO;
++}
++
++static ssize_t bad_file_writev(struct file *filp, const struct iovec *iov,
++ unsigned long nr_segs, loff_t *ppos)
++{
++ return -EIO;
++}
++
++static ssize_t bad_file_sendfile(struct file *in_file, loff_t *ppos,
++ size_t count, read_actor_t actor, void *target)
++{
++ return -EIO;
++}
++
++static ssize_t bad_file_sendpage(struct file *file, struct page *page,
++ int off, size_t len, loff_t *pos, int more)
++{
++ return -EIO;
++}
++
++static unsigned long bad_file_get_unmapped_area(struct file *file,
++ unsigned long addr, unsigned long len,
++ unsigned long pgoff, unsigned long flags)
+ {
+ return -EIO;
+ }
+
+-#define EIO_ERROR ((void *) (return_EIO))
++static int bad_file_check_flags(int flags)
++{
++ return -EIO;
++}
++
++static int bad_file_dir_notify(struct file *file, unsigned long arg)
++{
++ return -EIO;
++}
++
++static int bad_file_flock(struct file *filp, int cmd, struct file_lock *fl)
++{
++ return -EIO;
++}
++
++static ssize_t bad_file_splice_write(struct pipe_inode_info *pipe,
++ struct file *out, loff_t *ppos, size_t len,
++ unsigned int flags)
++{
++ return -EIO;
++}
++
++static ssize_t bad_file_splice_read(struct file *in, loff_t *ppos,
++ struct pipe_inode_info *pipe, size_t len,
++ unsigned int flags)
++{
++ return -EIO;
++}
+
+ static const struct file_operations bad_file_ops =
+ {
+- .llseek = EIO_ERROR,
+- .aio_read = EIO_ERROR,
+- .read = EIO_ERROR,
+- .write = EIO_ERROR,
+- .aio_write = EIO_ERROR,
+- .readdir = EIO_ERROR,
+- .poll = EIO_ERROR,
+- .ioctl = EIO_ERROR,
+- .mmap = EIO_ERROR,
+- .open = EIO_ERROR,
+- .flush = EIO_ERROR,
+- .release = EIO_ERROR,
+- .fsync = EIO_ERROR,
+- .aio_fsync = EIO_ERROR,
+- .fasync = EIO_ERROR,
+- .lock = EIO_ERROR,
+- .readv = EIO_ERROR,
+- .writev = EIO_ERROR,
+- .sendfile = EIO_ERROR,
+- .sendpage = EIO_ERROR,
+- .get_unmapped_area = EIO_ERROR,
++ .llseek = bad_file_llseek,
++ .read = bad_file_read,
++ .write = bad_file_write,
++ .aio_read = bad_file_aio_read,
++ .aio_write = bad_file_aio_write,
++ .readdir = bad_file_readdir,
++ .poll = bad_file_poll,
++ .ioctl = bad_file_ioctl,
++ .unlocked_ioctl = bad_file_unlocked_ioctl,
++ .compat_ioctl = bad_file_compat_ioctl,
++ .mmap = bad_file_mmap,
++ .open = bad_file_open,
++ .flush = bad_file_flush,
++ .release = bad_file_release,
++ .fsync = bad_file_fsync,
++ .aio_fsync = bad_file_aio_fsync,
++ .fasync = bad_file_fasync,
++ .lock = bad_file_lock,
++ .readv = bad_file_readv,
++ .writev = bad_file_writev,
++ .sendfile = bad_file_sendfile,
++ .sendpage = bad_file_sendpage,
++ .get_unmapped_area = bad_file_get_unmapped_area,
++ .check_flags = bad_file_check_flags,
++ .dir_notify = bad_file_dir_notify,
++ .flock = bad_file_flock,
++ .splice_write = bad_file_splice_write,
++ .splice_read = bad_file_splice_read,
+ };
+
++static int bad_inode_create (struct inode *dir, struct dentry *dentry,
++ int mode, struct nameidata *nd)
++{
++ return -EIO;
++}
++
++static struct dentry *bad_inode_lookup(struct inode *dir,
++ struct dentry *dentry, struct nameidata *nd)
++{
++ return ERR_PTR(-EIO);
++}
++
++static int bad_inode_link (struct dentry *old_dentry, struct inode *dir,
++ struct dentry *dentry)
++{
++ return -EIO;
++}
++
++static int bad_inode_unlink(struct inode *dir, struct dentry *dentry)
++{
++ return -EIO;
++}
++
++static int bad_inode_symlink (struct inode *dir, struct dentry *dentry,
++ const char *symname)
++{
++ return -EIO;
++}
++
++static int bad_inode_mkdir(struct inode *dir, struct dentry *dentry,
++ int mode)
++{
++ return -EIO;
++}
++
++static int bad_inode_rmdir (struct inode *dir, struct dentry *dentry)
++{
++ return -EIO;
++}
++
++static int bad_inode_mknod (struct inode *dir, struct dentry *dentry,
++ int mode, dev_t rdev)
++{
++ return -EIO;
++}
++
++static int bad_inode_rename (struct inode *old_dir, struct dentry *old_dentry,
++ struct inode *new_dir, struct dentry *new_dentry)
++{
++ return -EIO;
++}
++
++static int bad_inode_readlink(struct dentry *dentry, char __user *buffer,
++ int buflen)
++{
++ return -EIO;
++}
++
++static int bad_inode_permission(struct inode *inode, int mask,
++ struct nameidata *nd)
++{
++ return -EIO;
++}
++
++static int bad_inode_getattr(struct vfsmount *mnt, struct dentry *dentry,
++ struct kstat *stat)
++{
++ return -EIO;
++}
++
++static int bad_inode_setattr(struct dentry *direntry, struct iattr *attrs)
++{
++ return -EIO;
++}
++
++static int bad_inode_setxattr(struct dentry *dentry, const char *name,
++ const void *value, size_t size, int flags)
++{
++ return -EIO;
++}
++
++static ssize_t bad_inode_getxattr(struct dentry *dentry, const char *name,
++ void *buffer, size_t size)
++{
++ return -EIO;
++}
++
++static ssize_t bad_inode_listxattr(struct dentry *dentry, char *buffer,
++ size_t buffer_size)
++{
++ return -EIO;
++}
++
++static int bad_inode_removexattr(struct dentry *dentry, const char *name)
++{
++ return -EIO;
++}
++
+ static struct inode_operations bad_inode_ops =
+ {
+- .create = EIO_ERROR,
+- .lookup = EIO_ERROR,
+- .link = EIO_ERROR,
+- .unlink = EIO_ERROR,
+- .symlink = EIO_ERROR,
+- .mkdir = EIO_ERROR,
+- .rmdir = EIO_ERROR,
+- .mknod = EIO_ERROR,
+- .rename = EIO_ERROR,
+- .readlink = EIO_ERROR,
++ .create = bad_inode_create,
++ .lookup = bad_inode_lookup,
++ .link = bad_inode_link,
++ .unlink = bad_inode_unlink,
++ .symlink = bad_inode_symlink,
++ .mkdir = bad_inode_mkdir,
++ .rmdir = bad_inode_rmdir,
++ .mknod = bad_inode_mknod,
++ .rename = bad_inode_rename,
++ .readlink = bad_inode_readlink,
+ /* follow_link must be no-op, otherwise unmounting this inode
+ won't work */
+- .truncate = EIO_ERROR,
+- .permission = EIO_ERROR,
+- .getattr = EIO_ERROR,
+- .setattr = EIO_ERROR,
+- .setxattr = EIO_ERROR,
+- .getxattr = EIO_ERROR,
+- .listxattr = EIO_ERROR,
+- .removexattr = EIO_ERROR,
++ /* put_link returns void */
++ /* truncate returns void */
++ .permission = bad_inode_permission,
++ .getattr = bad_inode_getattr,
++ .setattr = bad_inode_setattr,
++ .setxattr = bad_inode_setxattr,
++ .getxattr = bad_inode_getxattr,
++ .listxattr = bad_inode_listxattr,
++ .removexattr = bad_inode_removexattr,
++ /* truncate_range returns void */
+ };
+
+
+@@ -90,7 +350,7 @@
+ * on it to fail from this point on.
+ */
+
+-void make_bad_inode(struct inode * inode)
++void make_bad_inode(struct inode *inode)
+ {
+ remove_inode_hash(inode);
+
+@@ -115,7 +375,7 @@
+ * Returns true if the inode in question has been marked as bad.
+ */
+
+-int is_bad_inode(struct inode * inode)
++int is_bad_inode(struct inode *inode)
+ {
+ return (inode->i_op == &bad_inode_ops);
+ }
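Review bot: `bad_file_get_unmapped_area` returns `-EIO` through an `unsigned long`, the one stub in this set where the error travels as a large unsigned value instead of a negative int or an `ERR_PTR`; presumably its callers decode that with IS_ERR_VALUE(), but a one-line comment such as `/* error is carried as an unsigned value; callers test it with IS_ERR_VALUE() */` would stop a later edit from "fixing" it to 0. `bad_file_poll` returning `POLLERR` rather than an errno deserves the same kind of note, since it is the only stub whose return is a status mask. A point of style: a few definitions (`bad_file_ioctl (`, `bad_inode_create (`, `bad_inode_link (`, `bad_inode_symlink (`, `bad_inode_rmdir (`, `bad_inode_mknod (`, `bad_inode_rename (`) put a space before the parameter list while the rest do not.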
diff --git a/trunk/2.6.18/30013_reset-pdeathsig-on-suid.patch b/trunk/2.6.18/30013_reset-pdeathsig-on-suid.patch
new file mode 100644
index 0000000..1be66aa
--- /dev/null
+++ b/trunk/2.6.18/30013_reset-pdeathsig-on-suid.patch
@@ -0,0 +1,22 @@
+--- linux-source-2.6.18/fs/exec.c.orig 2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/fs/exec.c 2007-08-10 19:44:43.000000000 -0600
+@@ -887,6 +887,7 @@
+ file_permission(bprm->file, MAY_READ) ||
+ (bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP)) {
+ suid_keys(current);
++ current->pdeath_signal = 0;
+ current->mm->dumpable = suid_dumpable;
+ }
+
+@@ -977,8 +978,10 @@
+ {
+ int unsafe;
+
+- if (bprm->e_uid != current->uid)
++ if (bprm->e_uid != current->uid) {
+ suid_keys(current);
++ current->pdeath_signal = 0;
++ }
+ exec_keys(current);
+
+ task_lock(current);
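Review bot: Unlike every other patch file in this commit, this one carries no provenance header (no From:, Subject: or upstream commit reference) and does not mention CVE-2007-3848, which is recorded only in the README entry; a short header naming where the change came from and the CVE it addresses would keep the file self-describing when it is applied outside this tree. The two hunks clear `current->pdeath_signal` at both call sites of `suid_keys(current)` in fs/exec.c, and a one-line comment at the first site, e.g. `/* a parent must not be able to signal the new, more privileged image */`, would record the intent next to the code. The enclosing functions start and end outside the shown hunks.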
diff --git a/trunk/2.6.18/30014_bluetooth-l2cap-hci-info-leaks.patch b/trunk/2.6.18/30014_bluetooth-l2cap-hci-info-leaks.patch
new file mode 100644
index 0000000..0c64d1d
--- /dev/null
+++ b/trunk/2.6.18/30014_bluetooth-l2cap-hci-info-leaks.patch
@@ -0,0 +1,63 @@
+From: Marcel Holtmann <marcel@holtmann.org>
+Date: Fri, 4 May 2007 22:35:59 +0000 (+0200)
+Subject: [Bluetooth] Fix L2CAP and HCI setsockopt() information leaks
+X-Git-Tag: v2.6.22-rc1~822^2~2^2~6
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=0878b6667f28772aa7d6b735abff53efc7bf6d91
+
+[Bluetooth] Fix L2CAP and HCI setsockopt() information leaks
+
+The L2CAP and HCI setsockopt() implementations have a small information
+leak that makes it possible to leak kernel stack memory to userspace.
+
+If the optlen parameter is 0, no data will be copied by copy_from_user(),
+but the uninitialized stack buffer will be read and stored later. A call
+to getsockopt() can now retrieve the leaked information.
+
+To fix this problem the stack buffer given to copy_from_user() must be
+initialized with the current settings.
+
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+---
+
+diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
+index 832b5f4..bfc9a35 100644
+--- a/net/bluetooth/hci_sock.c
++++ b/net/bluetooth/hci_sock.c
+@@ -499,6 +499,15 @@ static int hci_sock_setsockopt(struct socket *sock, int level, int optname, char
+ break;
+
+ case HCI_FILTER:
++ {
++ struct hci_filter *f = &hci_pi(sk)->filter;
++
++ uf.type_mask = f->type_mask;
++ uf.opcode = f->opcode;
++ uf.event_mask[0] = *((u32 *) f->event_mask + 0);
++ uf.event_mask[1] = *((u32 *) f->event_mask + 1);
++ }
++
+ len = min_t(unsigned int, len, sizeof(uf));
+ if (copy_from_user(&uf, optval, len)) {
+ err = -EFAULT;
+diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c
+index a586787..a59b1fb 100644
+--- a/net/bluetooth/l2cap.c
++++ b/net/bluetooth/l2cap.c
+@@ -954,11 +954,17 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, ch
+
+ switch (optname) {
+ case L2CAP_OPTIONS:
++ opts.imtu = l2cap_pi(sk)->imtu;
++ opts.omtu = l2cap_pi(sk)->omtu;
++ opts.flush_to = l2cap_pi(sk)->flush_to;
++ opts.mode = 0x00;
++
+ len = min_t(unsigned int, sizeof(opts), optlen);
+ if (copy_from_user((char *) &opts, optval, len)) {
+ err = -EFAULT;
+ break;
+ }
++
+ l2cap_pi(sk)->imtu = opts.imtu;
+ l2cap_pi(sk)->omtu = opts.omtu;
+ break;
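Review bot: The prefill in `hci_sock_setsockopt` (HCI_FILTER) and `l2cap_sock_setsockopt` (L2CAP_OPTIONS) has no comment saying why the structure is populated before `copy_from_user`, and nothing in the code itself makes the reason visible; suggest `/* prefill from the current settings: a short optlen leaves the tail uninitialized and it is later readable via getsockopt() */` above each block. The reads `*((u32 *) f->event_mask + 0)` and `+ 1` type-pun the filter's event_mask through a `u32` pointer; if that field is not itself a `u32` array the copy depends on layout and endianness, which is worth stating in a comment. `opts.mode = 0x00;` is a magic constant where a named value would read better. Both functions start and end outside the hunks.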
diff --git a/trunk/2.6.18/30015_usblcd-limit-memory-consumption.patch b/trunk/2.6.18/30015_usblcd-limit-memory-consumption.patch
new file mode 100644
index 0000000..735810b
--- /dev/null
+++ b/trunk/2.6.18/30015_usblcd-limit-memory-consumption.patch
@@ -0,0 +1,89 @@
+From: Oliver Neukum <oneukum@suse.de>
+Date: Mon, 11 Jun 2007 13:36:02 +0000 (+0200)
+Subject: USB: usblcd doesn't limit memory consumption during write
+X-Git-Tag: v2.6.22-rc7~49^2~3
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=5afeb104e7901168b21aad0437fb51dc620dfdd3
+
+USB: usblcd doesn't limit memory consumption during write
+
+usblcd currently has no way to limit memory consumption by fast writers.
+This is a security problem, as it allows users with write access to this
+device to drive the system into oom despite resource limits.
+Here's the fix taken from the modern skeleton driver.
+
+Signed-off-by: Oliver Neukum <oneukum@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+
+Backported to Debian's 2.6.18 by dann frazier <dannf@debian.org>
+
+diff -urpN linux-source-2.6.18.orig/drivers/usb/misc/usblcd.c linux-source-2.6.18/drivers/usb/misc/usblcd.c
+--- linux-source-2.6.18.orig/drivers/usb/misc/usblcd.c 2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/drivers/usb/misc/usblcd.c 2007-08-07 16:12:28.000000000 -0600
+@@ -42,10 +42,14 @@ struct usb_lcd {
+ size_t bulk_in_size; /* the size of the receive buffer */
+ __u8 bulk_in_endpointAddr; /* the address of the bulk in endpoint */
+ __u8 bulk_out_endpointAddr; /* the address of the bulk out endpoint */
+- struct kref kref;
++ struct kref kref;
++ struct semaphore limit_sem; /* to stop writes at full throttle from
++ * using up all RAM */
+ };
+ #define to_lcd_dev(d) container_of(d, struct usb_lcd, kref)
+
++#define USB_LCD_CONCURRENT_WRITES 5
++
+ static struct usb_driver lcd_driver;
+
+
+@@ -183,12 +187,13 @@ static void lcd_write_bulk_callback(stru
+ /* free up our allocated buffer */
+ usb_buffer_free(urb->dev, urb->transfer_buffer_length,
+ urb->transfer_buffer, urb->transfer_dma);
++ up(&dev->limit_sem);
+ }
+
+ static ssize_t lcd_write(struct file *file, const char __user * user_buffer, size_t count, loff_t *ppos)
+ {
+ struct usb_lcd *dev;
+- int retval = 0;
++ int retval = 0, r;
+ struct urb *urb = NULL;
+ char *buf = NULL;
+
+@@ -198,10 +203,16 @@ static ssize_t lcd_write(struct file *fi
+ if (count == 0)
+ goto exit;
+
++ r = down_interruptible(&dev->limit_sem);
++ if (r < 0)
++ return -EINTR;
++
+ /* create a urb, and a buffer for it, and copy the data to the urb */
+ urb = usb_alloc_urb(0, GFP_KERNEL);
+- if (!urb)
+- return -ENOMEM;
++ if (!urb) {
++ retval = -ENOMEM;
++ goto err_no_buf;
++ }
+
+ buf = usb_buffer_alloc(dev->udev, count, GFP_KERNEL, &urb->transfer_dma);
+ if (!buf) {
+@@ -236,6 +247,8 @@ exit:
+ error:
+ usb_buffer_free(dev->udev, count, buf, urb->transfer_dma);
+ usb_free_urb(urb);
++err_no_buf:
++ up(&dev->limit_sem);
+ return retval;
+ }
+
+@@ -274,6 +287,7 @@ static int lcd_probe(struct usb_interfac
+ goto error;
+ }
+ kref_init(&dev->kref);
++ sema_init(&dev->limit_sem, USB_LCD_CONCURRENT_WRITES);
+
+ dev->udev = usb_get_dev(interface_to_usbdev(interface));
+ dev->interface = interface;
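Review bot: `limit_sem` caps the number of in-flight writes at `USB_LCD_CONCURRENT_WRITES`, but each write still hands the caller's `count` straight to `usb_buffer_alloc(dev->udev, count, GFP_KERNEL, &urb->transfer_dma)` with no upper bound visible in the hunk, so what one writer can pin is five times an arbitrary write size rather than a fixed amount; clamping `count` to a driver maximum before the allocation, or rejecting oversize writes with `-EINVAL`, would make the limit meaningful. `r = down_interruptible(&dev->limit_sem);` is then discarded in favour of a literal `-EINTR`; `return r;` (or a comment on why -EINTR is preferred) avoids the extra variable. lcd_write's body continues outside the shown hunks.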
diff --git a/trunk/2.6.18/30016_pppoe-socket-release-mem-leak.patch b/trunk/2.6.18/30016_pppoe-socket-release-mem-leak.patch
new file mode 100644
index 0000000..10f833c
--- /dev/null
+++ b/trunk/2.6.18/30016_pppoe-socket-release-mem-leak.patch
@@ -0,0 +1,42 @@
+From: Florian Zumbiehl <florz@florz.de>
+Date: Fri, 20 Apr 2007 23:58:14 +0000 (-0700)
+Subject: [PPPOE]: memory leak when socket is release()d before PPPIOCGCHAN has been called ...
+X-Git-Tag: v2.6.22-rc1~1128^2~92
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=202a03acf9994076055df40ae093a5c5474ad0bd
+
+[PPPOE]: memory leak when socket is release()d before PPPIOCGCHAN has been called on it
+
+below you find a patch that fixes a memory leak when a PPPoE socket is
+release()d after it has been connect()ed, but before the PPPIOCGCHAN ioctl
+ever has been called on it.
+
+This is somewhat of a security problem, too, since PPPoE sockets can be
+created by any user, so any user can easily allocate all the machine's
+RAM to non-swappable address space and thus DoS the system.
+
+Is there any specific reason for PPPoE sockets being available to any
+unprivileged process, BTW? After all, you need a packet socket for the
+discovery stage anyway, so it's unlikely that any unprivileged process
+will ever need to create a PPPoE socket, no? Allocating all session IDs
+for a known AC is a kind of DoS, too, after all - with Juniper ERXes,
+this is really easy, actually, since they don't ever assign session ids
+above 8000 ...
+
+Signed-off-by: Florian Zumbiehl <florz@florz.de>
+Acked-by: Michal Ostrowski <mostrows@earthlink.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+
+diff --git a/drivers/net/pppox.c b/drivers/net/pppox.c
+index 9315046..3f8115d 100644
+--- a/drivers/net/pppox.c
++++ b/drivers/net/pppox.c
+@@ -58,7 +58,7 @@ void pppox_unbind_sock(struct sock *sk)
+ {
+ /* Clear connection to ppp device, if attached. */
+
+- if (sk->sk_state & (PPPOX_BOUND | PPPOX_ZOMBIE)) {
++ if (sk->sk_state & (PPPOX_BOUND | PPPOX_CONNECTED | PPPOX_ZOMBIE)) {
+ ppp_unregister_channel(&pppox_sk(sk)->chan);
+ sk->sk_state = PPPOX_DEAD;
+ }
diff --git a/trunk/2.6.18/30017_nf_conntrack_h323-bounds-checking.patch b/trunk/2.6.18/30017_nf_conntrack_h323-bounds-checking.patch
new file mode 100644
index 0000000..1101b89
--- /dev/null
+++ b/trunk/2.6.18/30017_nf_conntrack_h323-bounds-checking.patch
@@ -0,0 +1,42 @@
+From: Jing Min Zhao <zhaojingmin@vivecode.com>
+Date: Fri, 6 Jul 2007 00:05:01 +0000 (-0700)
+Subject: [NETFILTER]: nf_conntrack_h323: add checking of out-of-range on choices' index values
+X-Git-Tag: v2.6.22~11^2~2
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=25845b5155b55cd77e42655ec24161ba3feffa47
+
+[NETFILTER]: nf_conntrack_h323: add checking of out-of-range on choices' index values
+
+Choices' index values may be out of range while still encoded in the fixed
+length bit-field. This bug may cause access to undefined types (NULL
+pointers) and thus crashes (Reported by Zhongling Wen).
+
+This patch also adds checking of decode flag when decoding SEQUENCEs.
+
+Signed-off-by: Jing Min Zhao <zhaojingmin@vivecode.com>
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+
+Backported to Debian's 2.6.18 by dann frazier <dannf@debian.org>
+
+diff -urpN linux-source-2.6.18.orig/net/ipv4/netfilter/ip_conntrack_helper_h323_asn1.c linux-source-2.6.18/net/ipv4/netfilter/ip_conntrack_helper_h323_asn1.c
+--- linux-source-2.6.18.orig/net/ipv4/netfilter/ip_conntrack_helper_h323_asn1.c 2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/net/ipv4/netfilter/ip_conntrack_helper_h323_asn1.c 2007-07-11 00:23:22.000000000 -0600
+@@ -518,7 +518,7 @@ int decode_seq(bitstr_t * bs, field_t *
+ CHECK_BOUND(bs, 2);
+ len = get_len(bs);
+ CHECK_BOUND(bs, len);
+- if (!base) {
++ if (!base || !(son->attr & DECODE)) {
+ PRINT("%*.s%s\n", (level + 1) * TAB_SIZE,
+ " ", son->name);
+ bs->cur += len;
+@@ -704,6 +704,8 @@ int decode_choice(bitstr_t * bs, field_t
+ } else {
+ ext = 0;
+ type = get_bits(bs, f->sz);
++ if (type >= f->lb)
++ return H323_ERROR_RANGE;
+ }
+
+ /* Write Type */
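Review bot: The new bound `if (type >= f->lb) return H323_ERROR_RANGE;` covers only the non-extension branch of `decode_choice` (`ext = 0`); the branch above it that sets ext is outside the hunk, so whether an extended choice index is checked against the same table cannot be confirmed here and should be verified. A comment on the check, e.g. `/* index must stay within this choice's type table */`, would record what the bound protects. In `decode_seq`, `!(son->attr & DECODE)` now skips fields not flagged for decoding, which the commit message mentions but the code does not; a comment there would help too. Both functions start and end outside the hunks.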
diff --git a/trunk/2.6.18/30018_dn_fib-out-of-bounds.patch b/trunk/2.6.18/30018_dn_fib-out-of-bounds.patch
new file mode 100644
index 0000000..98be43e
--- /dev/null
+++ b/trunk/2.6.18/30018_dn_fib-out-of-bounds.patch
@@ -0,0 +1,37 @@
+commit a979101106f549f4ed80d6dcbc35077be34d4346
+Author: Thomas Graf <tgraf@suug.ch>
+Date: Sat Mar 24 20:33:27 2007 -0700
+
+ [DECNet] fib: Fix out of bound access of dn_fib_props[]
+
+ Fixes a typo which caused fib_props[] to have the wrong size
+ and makes sure the value used to index the array which is
+ provided by userspace via netlink is checked to avoid out of
+ bound access.
+
+ Signed-off-by: Thomas Graf <tgraf@suug.ch>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+diff --git a/net/decnet/dn_fib.c b/net/decnet/dn_fib.c
+index 3cbfddc..82d58a9 100644
+--- a/net/decnet/dn_fib.c
++++ b/net/decnet/dn_fib.c
+@@ -63,7 +63,7 @@ static struct
+ {
+ int error;
+ u8 scope;
+-} dn_fib_props[RTA_MAX+1] = {
++} dn_fib_props[RTN_MAX+1] = {
+ [RTN_UNSPEC] = { .error = 0, .scope = RT_SCOPE_NOWHERE },
+ [RTN_UNICAST] = { .error = 0, .scope = RT_SCOPE_UNIVERSE },
+ [RTN_LOCAL] = { .error = 0, .scope = RT_SCOPE_HOST },
+@@ -276,6 +276,9 @@ struct dn_fib_info *dn_fib_create_info(const struct rtmsg *r, struct dn_kern_rta
+ struct dn_fib_info *ofi;
+ int nhs = 1;
+
++ if (r->rtm_type > RTN_MAX)
++ goto err_inval;
++
+ if (dn_fib_props[r->rtm_type].scope > r->rtm_scope)
+ goto err_inval;
+
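Review bot: The new bound check `if (r->rtm_type > RTN_MAX)` in dn_fib_create_info is correct but carries no explanation of why it is needed, and the description says the value arrives from userspace via netlink; a comment such as `/* rtm_type is user-supplied (netlink): bound it before it indexes dn_fib_props[] */` would keep a later cleanup from dropping it. The sizing fix in the first hunk makes the table exactly RTN_MAX+1 entries, so index RTN_MAX is in range and the two hunks agree. `rtm_type` appears to be an unsigned char in struct rtmsg, so a single upper-bound comparison suffices and no negative-value case exists, but confirm that against the header used in this tree. The rest of dn_fib_create_info, including the `err_inval` label, lies outside the hunk.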
diff --git a/trunk/2.6.18/30019_random-fix-seeding-with-zero-entropy.patch b/trunk/2.6.18/30019_random-fix-seeding-with-zero-entropy.patch
new file mode 100644
index 0000000..b61a03e
--- /dev/null
+++ b/trunk/2.6.18/30019_random-fix-seeding-with-zero-entropy.patch
@@ -0,0 +1,97 @@
+commit 7f397dcdb78d699a20d96bfcfb595a2411a5bbd2
+Author: Matt Mackall <mpm@selenic.com>
+Date: Tue May 29 21:58:10 2007 -0500
+
+ random: fix seeding with zero entropy
+
+ Add data from zero-entropy random_writes directly to output pools to
+ avoid accounting difficulties on machines without entropy sources.
+
+ Tested on lguest with all entropy sources disabled.
+
+ Signed-off-by: Matt Mackall <mpm@selenic.com>
+ Acked-by: "Theodore Ts'o" <tytso@mit.edu>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+# Backported to Debian's 2.6.18 by dann frazier <dannf@debian.org>
+
+--- linux-source-2.6.18/drivers/char/random.c.orig 2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/drivers/char/random.c 2007-07-12 23:57:12.000000000 -0600
+@@ -1017,37 +1017,44 @@ random_poll(struct file *file, poll_tabl
+ return mask;
+ }
+
+-static ssize_t
+-random_write(struct file * file, const char __user * buffer,
+- size_t count, loff_t *ppos)
++static int
++write_pool(struct entropy_store *r, const char __user *buffer, size_t count)
+ {
+- int ret = 0;
+ size_t bytes;
+ __u32 buf[16];
+ const char __user *p = buffer;
+- size_t c = count;
+
+- while (c > 0) {
+- bytes = min(c, sizeof(buf));
++ while (count > 0) {
++ bytes = min(count, sizeof(buf));
++ if (copy_from_user(&buf, p, bytes))
++ return -EFAULT;
+
+- bytes -= copy_from_user(&buf, p, bytes);
+- if (!bytes) {
+- ret = -EFAULT;
+- break;
+- }
+- c -= bytes;
++ count -= bytes;
+ p += bytes;
+
+- add_entropy_words(&input_pool, buf, (bytes + 3) / 4);
+- }
+- if (p == buffer) {
+- return (ssize_t)ret;
+- } else {
+- struct inode *inode = file->f_dentry->d_inode;
+- inode->i_mtime = current_fs_time(inode->i_sb);
+- mark_inode_dirty(inode);
+- return (ssize_t)(p - buffer);
++ add_entropy_words(r, buf, (bytes + 3) / 4);
+ }
++
++ return 0;
++}
++
++static ssize_t
++random_write(struct file * file, const char __user * buffer,
++ size_t count, loff_t *ppos)
++{
++ size_t ret;
++ struct inode *inode = file->f_dentry->d_inode;
++
++ ret = write_pool(&blocking_pool, buffer, count);
++ if (ret)
++ return ret;
++ ret = write_pool(&nonblocking_pool, buffer, count);
++ if (ret)
++ return ret;
++
++ inode->i_mtime = current_fs_time(inode->i_sb);
++ mark_inode_dirty(inode);
++ return (ssize_t)count;
+ }
+
+ static int
+@@ -1086,8 +1093,8 @@ random_ioctl(struct inode * inode, struc
+ return -EINVAL;
+ if (get_user(size, p++))
+ return -EFAULT;
+- retval = random_write(file, (const char __user *) p,
+- size, &file->f_pos);
++ retval = write_pool(&input_pool, (const char __user *)p,
++ size);
+ if (retval < 0)
+ return retval;
+ credit_entropy_store(&input_pool, ent_count);
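Review bot: `size_t ret;` in the new random_write receives the int error code from write_pool, so `-EFAULT` is stored as a large unsigned value and only becomes negative again through the implementation-defined conversion in `return ret;`; declare it `int ret;` (or `ssize_t`) so the `if (ret) return ret;` path is plainly correct rather than accidentally so. The rewrite also changes the write contract: a fault part-way through previously returned the count written so far, now the whole write fails with -EFAULT and the inode mtime is updated only when both pool writes succeed, which is fine but deserves a line in the patch description. In the random_ioctl hunk `retval` now takes an int from write_pool instead of the old ssize_t; its declaration is outside the hunk, so confirm it is a signed type for the `retval < 0` test.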
diff --git a/trunk/2.6.18/30020_random-fix-error-in-entropy-extraction.patch b/trunk/2.6.18/30020_random-fix-error-in-entropy-extraction.patch
new file mode 100644
index 0000000..8a302fd
--- /dev/null
+++ b/trunk/2.6.18/30020_random-fix-error-in-entropy-extraction.patch
@@ -0,0 +1,51 @@
+commit 602b6aeefe8932dd8bb15014e8fe6bb25d736361
+Author: Matt Mackall <mpm@selenic.com>
+Date: Tue May 29 21:54:27 2007 -0500
+
+ random: fix error in entropy extraction
+
+ Fix cast error in entropy extraction.
+ Add comments explaining the magic 16.
+ Remove extra confusing loop variable.
+
+ Signed-off-by: Matt Mackall <mpm@selenic.com>
+ Acked-by: "Theodore Ts'o" <tytso@mit.edu>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+diff --git a/drivers/char/random.c b/drivers/char/random.c
+index 46c1b97..9705b43 100644
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -760,7 +760,7 @@ static size_t account(struct entropy_store *r, size_t nbytes, int min,
+
+ static void extract_buf(struct entropy_store *r, __u8 *out)
+ {
+- int i, x;
++ int i;
+ __u32 data[16], buf[5 + SHA_WORKSPACE_WORDS];
+
+ sha_init(buf);
+@@ -772,9 +772,11 @@ static void extract_buf(struct entropy_store *r, __u8 *out)
+ * attempts to find previous ouputs), unless the hash
+ * function can be inverted.
+ */
+- for (i = 0, x = 0; i < r->poolinfo->poolwords; i += 16, x+=2) {
+- sha_transform(buf, (__u8 *)r->pool+i, buf + 5);
+- add_entropy_words(r, &buf[x % 5], 1);
++ for (i = 0; i < r->poolinfo->poolwords; i += 16) {
++ /* hash blocks of 16 words = 512 bits */
++ sha_transform(buf, (__u8 *)(r->pool + i), buf + 5);
++ /* feed back portion of the resulting hash */
++ add_entropy_words(r, &buf[i % 5], 1);
+ }
+
+ /*
+@@ -782,7 +784,7 @@ static void extract_buf(struct entropy_store *r, __u8 *out)
+ * portion of the pool while mixing, and hash one
+ * final time.
+ */
+- __add_entropy_words(r, &buf[x % 5], 1, data);
++ __add_entropy_words(r, &buf[i % 5], 1, data);
+ sha_transform(buf, (__u8 *)data, buf + 5);
+
+ /*
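Review bot: The feedback index `&buf[i % 5]` after the loop (third hunk) now depends on the loop's exit value of `i`, which is the first multiple of 16 that is >= poolwords, and since 16 is 1 mod 5 it selects the hash word following the last one fed back inside the loop; a comment such as `/* i == poolwords rounded up to 16 words; feeds back the next hash word after the loop */` would make that dependency explicit. The "cast error" named in the description is the security-relevant part and is worth spelling out: the old `(__u8 *)r->pool+i` advanced by i bytes rather than i words, so only the leading portion of the pool was hashed into the output, while the new `(__u8 *)(r->pool + i)` walks the whole pool in 16-word blocks. extract_buf continues beyond the last hunk.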
diff --git a/trunk/2.6.18/30021_nf_conntrack_sctp-null-deref.patch b/trunk/2.6.18/30021_nf_conntrack_sctp-null-deref.patch
new file mode 100644
index 0000000..17117b6
--- /dev/null
+++ b/trunk/2.6.18/30021_nf_conntrack_sctp-null-deref.patch
@@ -0,0 +1,49 @@
+From: Patrick McHardy <kaber@trash.net>
+Date: Tue, 5 Jun 2007 12:14:22 +0000 (+0200)
+Subject: [UBUNTU] CVE-2007-2876 NETFILTER: {ip, nf}_conntrack_sctp: fix remotely triggerable ...
+X-Git-Url: http://kernel.ubuntu.com/git?p=ubuntu/ubuntu-edgy.git;a=commitdiff;h=3ccb814b91bca2e0a6fe4b5d1c5dbb35a06a848b
+
+[UBUNTU] CVE-2007-2876 NETFILTER: {ip, nf}_conntrack_sctp: fix remotely triggerable NULL ptr dereference
+
+When creating a new connection by sending an unknown chunk type, we
+don't transition to a valid state, causing a NULL pointer dereference in
+sctp_packet when accessing sctp_timeouts[SCTP_CONNTRACK_NONE].
+
+Fix by don't creating new conntrack entry if initial state is invalid.
+
+Noticed by Vilmos Nebehaj <vilmos.nebehaj@ramsys.hu>
+
+CC: Kiran Kumar Immidi <immidi_kiran@yahoo.com>
+Cc: David Miller <davem@davemloft.net>
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+
+modified: net/ipv4/netfilter/ip_conntrack_proto_sctp.c
+modified: net/netfilter/nf_conntrack_proto_sctp.c
+---
+
+--- a/net/ipv4/netfilter/ip_conntrack_proto_sctp.c
++++ b/net/ipv4/netfilter/ip_conntrack_proto_sctp.c
+@@ -461,7 +461,8 @@ static int sctp_new(struct ip_conntrack
+ SCTP_CONNTRACK_NONE, sch->type);
+
+ /* Invalid: delete conntrack */
+- if (newconntrack == SCTP_CONNTRACK_MAX) {
++ if (newconntrack == SCTP_CONNTRACK_NONE ||
++ newconntrack == SCTP_CONNTRACK_MAX) {
+ DEBUGP("ip_conntrack_sctp: invalid new deleting.\n");
+ return 0;
+ }
+--- a/net/netfilter/nf_conntrack_proto_sctp.c
++++ b/net/netfilter/nf_conntrack_proto_sctp.c
+@@ -467,7 +467,8 @@ static int sctp_new(struct nf_conn *conn
+ SCTP_CONNTRACK_NONE, sch->type);
+
+ /* Invalid: delete conntrack */
+- if (newconntrack == SCTP_CONNTRACK_MAX) {
++ if (newconntrack == SCTP_CONNTRACK_NONE ||
++ newconntrack == SCTP_CONNTRACK_MAX) {
+ DEBUGP("nf_conntrack_sctp: invalid new deleting.\n");
+ return 0;
+ }
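Review bot: The widened test `newconntrack == SCTP_CONNTRACK_NONE || newconntrack == SCTP_CONNTRACK_MAX` gives no hint why NONE is now rejected; since the description says the crash came from indexing sctp_timeouts[SCTP_CONNTRACK_NONE] after an unknown chunk type, the existing comment could read `/* Invalid (unknown chunk type -> NONE, or MAX): delete conntrack */` in both ip_conntrack_proto_sctp.c and nf_conntrack_proto_sctp.c. The two hunks are identical apart from the DEBUGP string, so keeping them in lockstep is the main maintenance risk here. sctp_new begins and continues outside both hunks.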
diff --git a/trunk/2.6.18/30022_i965-secure-batchbuffer.patch b/trunk/2.6.18/30022_i965-secure-batchbuffer.patch
new file mode 100644
index 0000000..0c813c1
--- /dev/null
+++ b/trunk/2.6.18/30022_i965-secure-batchbuffer.patch
@@ -0,0 +1,67 @@
+From: Dave Airlie <airlied@redhat.com>
+Date: Mon, 6 Aug 2007 23:09:51 +0000 (+1000)
+Subject: drm/i915: Fix i965 secured batchbuffer usage
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=21f16289270447673a7263ccc0b22d562fb01ecb
+
+drm/i915: Fix i965 secured batchbuffer usage
+
+This 965G and above chipsets moved the batch buffer non-secure bits to
+another place. This means that previous drm's allowed in-secure batchbuffers
+to be submitted to the hardware from non-privileged users who are logged
+into X and and have access to direct rendering.
+
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+
+diff --git a/drivers/char/drm/i915_dma.c b/drivers/char/drm/i915_dma.c
+index 3359cc2..8e7d713 100644
+--- a/drivers/char/drm/i915_dma.c
++++ b/drivers/char/drm/i915_dma.c
+@@ -184,6 +184,8 @@ static int i915_initialize(struct drm_device * dev,
+ * private backbuffer/depthbuffer usage.
+ */
+ dev_priv->use_mi_batchbuffer_start = 0;
++ if (IS_I965G(dev)) /* 965 doesn't support older method */
++ dev_priv->use_mi_batchbuffer_start = 1;
+
+ /* Allow hardware batchbuffers unless told otherwise.
+ */
+@@ -517,8 +519,13 @@ static int i915_dispatch_batchbuffer(struct drm_device * dev,
+
+ if (dev_priv->use_mi_batchbuffer_start) {
+ BEGIN_LP_RING(2);
+- OUT_RING(MI_BATCH_BUFFER_START | (2 << 6));
+- OUT_RING(batch->start | MI_BATCH_NON_SECURE);
++ if (IS_I965G(dev)) {
++ OUT_RING(MI_BATCH_BUFFER_START | (2 << 6) | MI_BATCH_NON_SECURE_I965);
++ OUT_RING(batch->start);
++ } else {
++ OUT_RING(MI_BATCH_BUFFER_START | (2 << 6));
++ OUT_RING(batch->start | MI_BATCH_NON_SECURE);
++ }
+ ADVANCE_LP_RING();
+ } else {
+ BEGIN_LP_RING(4);
+@@ -735,7 +742,8 @@ static int i915_setparam(DRM_IOCTL_ARGS)
+
+ switch (param.param) {
+ case I915_SETPARAM_USE_MI_BATCHBUFFER_START:
+- dev_priv->use_mi_batchbuffer_start = param.value;
++ if (!IS_I965G(dev))
++ dev_priv->use_mi_batchbuffer_start = param.value;
+ break;
+ case I915_SETPARAM_TEX_LRU_LOG_GRANULARITY:
+ dev_priv->tex_lru_log_granularity = param.value;
+diff --git a/drivers/char/drm/i915_drv.h b/drivers/char/drm/i915_drv.h
+index fd91856..737088b 100644
+--- a/drivers/char/drm/i915_drv.h
++++ b/drivers/char/drm/i915_drv.h
+@@ -282,6 +282,7 @@ extern int i915_wait_ring(struct drm_device * dev, int n, const char *caller);
+ #define MI_BATCH_BUFFER_START (0x31<<23)
+ #define MI_BATCH_BUFFER_END (0xA<<23)
+ #define MI_BATCH_NON_SECURE (1)
++#define MI_BATCH_NON_SECURE_I965 (1<<8)
+
+ #define MI_WAIT_FOR_EVENT ((0x3<<23))
+ #define MI_WAIT_FOR_PLANE_A_FLIP (1<<2)
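Review bot: In i915_setparam the new `if (!IS_I965G(dev))` silently discards a userspace request to change use_mi_batchbuffer_start on 965 without any comment or return value, so a reader of that switch cannot tell it is deliberate; add `/* 965 must use MI_BATCH_BUFFER_START so MI_BATCH_NON_SECURE_I965 is honoured; ignore userspace overrides */` rather than returning an error, since callers may set it unconditionally. The same reasoning applies to the forced `use_mi_batchbuffer_start = 1` in i915_initialize, where the terse "965 doesn't support older method" comment could say that the legacy path's MI_BATCH_NON_SECURE bit is not honoured on 965 and so would let unprivileged batches run privileged. In i915_dispatch_batchbuffer the `else` branch at `BEGIN_LP_RING(4)` is now unreachable on 965 by construction of the two hunks above, which is worth stating in the description. All three functions extend outside their hunks.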