author: Robert Buchholz <rbu@gentoo.org> 2007-07-24 18:11:28 +0000
committer: Robert Buchholz <rbu@gentoo.org> 2007-07-24 18:11:28 +0000
commit: ec6574bb6ada4d468ae15a080a1983cf82f1bdd5 (patch)
tree: c64088f100b206e76754caffeefbc24d0c62c9d9 /tags/2.6.18/debian-security-patches-2.6.18.1-12etch2
parent: Initial checkin of patches (diff)
Tagging tarballs
svn path=/patches/; revision=8
Diffstat (limited to 'tags/2.6.18/debian-security-patches-2.6.18.1-12etch2')
-rw-r--r-- tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/README | 42
-rw-r--r-- tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/appletalk-length-mismatch.patch | 93
-rw-r--r-- tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/cm4040-buffer-overflow.patch | 44
-rw-r--r-- tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/core-dump-unreadable-PT_INTERP.patch | 70
-rw-r--r-- tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/ipv6_fl_socklist-no-share.patch | 32
-rw-r--r-- tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/ipv6_getsockopt_sticky-null-opt.patch | 42
-rw-r--r-- tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/keys-serial-num-collision.patch | 92
-rw-r--r-- tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/netlink-infinite-recursion.patch | 65
-rw-r--r-- tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/nf_conntrack-set-nfctinfo.patch | 35
-rw-r--r-- tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/nfnetlink_log-null-deref.patch | 37
-rw-r--r-- tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/nl_fib_lookup-oops.patch | 34

11 files changed, 586 insertions, 0 deletions
diff --git a/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/README b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/README
new file mode 100644
index 0000000..4cce70c
--- /dev/null
+++ b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/README
@@ -0,0 +1,42 @@
+ * bugfix/nfnetlink_log-null-deref.patch
+ [SECURITY] Fix remotely exploitable NULL pointer dereference in
+ nfulnl_recv_config()
+ See CVE-2007-1496
+ * bugfix/nf_conntrack-set-nfctinfo.patch
+ [SECURITY] Fix incorrect classification of IPv6 fragments as ESTABLISHED,
+ which allows remote attackers to bypass certain rulesets
+ See CVE-2007-1497
+ * bugfix/netlink-infinite-recursion.patch
+ [SECURITY] Fix infinite recursion bug in netlink
+ See CVE-2007-1861
+ * bugfix/nl_fib_lookup-oops.patch
+ Add fix for oops bug added by previous patch
+ * bugfix/core-dump-unreadable-PT_INTERP.patch
+ [SECURITY] Fix a vulnerability that allows local users to read
+ otherwise unreadable (but executable) files by triggering a core dump.
+ See CVE-2007-0958
+ * bugfix/appletalk-length-mismatch.patch
+ [SECURITY] Fix a remote DoS (crash) in appletalk
+ Depends upon bugfix/appletalk-endianness-annotations.patch
+ See CVE-2007-1357
+ * bugfix/cm4040-buffer-overflow.patch
+ [SECURITY] Fix a buffer overflow in the Omnikey CardMan 4040 driver
+ See CVE-2007-0005
+ * bugfix/ipv6_fl_socklist-no-share.patch
+ [SECURITY] Fix local DoS vulnerability caused by inadvertently sharing
+ ipv6_fl_socklist between the listening socket and the socket created
+ for connection.
+ See CVE-2007-1592
+ * bugfix/keys-serial-num-collision.patch
+ [SECURITY] Fix the key serial number collision avoidance code in
+ key_alloc_serial() that could lead to a local DoS (oops).
+ (closes: #398470)
+ See CVE-2007-0006
+ * bugfix/ipv6_getsockopt_sticky-null-opt.patch
+ [SECURITY] Fix NULL dereference in ipv6_setsockopt that could lead
+ to a local DoS (oops).
+ See CVE-2007-1388
+ * bugfix/ipv6_getsockopt_sticky-null-opt.patch
+ [SECURITY] Fix kernel memory leak vulnerability in
+ ipv6_getsockopt_sticky() which can be triggered by passing a len < 0.
+ See CVE-2007-1000
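Review bot: The last two entries both name bugfix/ipv6_getsockopt_sticky-null-opt.patch, once for CVE-2007-1388 (NULL dereference in ipv6_setsockopt) and once for CVE-2007-1000 (ipv6_getsockopt_sticky() with len < 0). Only one file of that name is added in this commit, and its diff changes ipv6_getsockopt_sticky() and its call in do_ipv6_getsockopt(), not the setsockopt path, so the CVE-2007-1388 entry appears to point at the wrong file; name the patch that actually carries that fix or drop the entry. The appletalk entry also declares a dependency on bugfix/appletalk-endianness-annotations.patch, which is not among the 11 files tagged here; the README should say where that prerequisite comes from.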
diff --git a/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/appletalk-length-mismatch.patch b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/appletalk-length-mismatch.patch
new file mode 100644
index 0000000..b82c4fe
--- /dev/null
+++ b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/appletalk-length-mismatch.patch
@@ -0,0 +1,93 @@
+From: Jean Delvare <jdelvare@suse.de>
+Date: Thu, 5 Apr 2007 06:52:46 +0000 (-0700)
+Subject: [APPLETALK]: Fix a remotely triggerable crash
+X-Git-Tag: v2.6.21-rc6~3
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=75559c167bddc1254db5bcff032ad5eed8bd6f4a
+
+[APPLETALK]: Fix a remotely triggerable crash
+
+When we receive an AppleTalk frame shorter than what its header says,
+we still attempt to verify its checksum, and trip on the BUG_ON() at
+the end of function atalk_sum_skb() because of the length mismatch.
+
+This has security implications because this can be triggered by simply
+sending a specially crafted ethernet frame to a target victim,
+effectively crashing that host. Thus this qualifies, I think, as a
+remote DoS. Here is the frame I used to trigger the crash, in npg
+format:
+
+<Appletalk Killer>
+{
+# Ethernet header -----
+
+ XX XX XX XX XX XX # Destination MAC
+ 00 00 00 00 00 00 # Source MAC
+ 00 1D # Length
+
+# LLC header -----
+
+ AA AA 03
+ 08 00 07 80 9B # Appletalk
+
+# Appletalk header -----
+
+ 00 1B # Packet length (invalid)
+ 00 01 # Fake checksum
+ 00 00 00 00 # Destination and source networks
+ 00 00 00 00 # Destination and source nodes and ports
+
+# Payload -----
+
+ 0C 0D 0E 0F 10 11 12 13
+ 14
+}
+
+The destination MAC address must be set to those of the victim.
+
+The severity is mitigated by two requirements:
+* The target host must have the appletalk kernel module loaded. I
+ suspect this isn't so frequent.
+* AppleTalk frames are non-IP, thus I guess they can only travel on
+ local networks. I am no network expert though, maybe it is possible
+ to somehow encapsulate AppleTalk packets over IP.
+
+The bug has been reported back in June 2004:
+ http://bugzilla.kernel.org/show_bug.cgi?id=2979
+But it wasn't investigated, and was closed in July 2006 as both
+reporters had vanished meanwhile.
+
+This code was new in kernel 2.6.0-test5:
+ http://git.kernel.org/?p=linux/kernel/git/tglx/history.git;a=commitdiff;h=7ab442d7e0a76402c12553ee256f756097cae2d2
+And not modified since then, so we can assume that vanilla kernels
+2.6.0-test5 and later, and distribution kernels based thereon, are
+affected.
+
+Note that I still do not know for sure what triggered the bug in the
+real-world cases. The frame could have been corrupted by the kernel if
+we have a bug hiding somewhere. But more likely, we are receiving the
+faulty frame from the network.
+
+Signed-off-by: Jean Delvare <jdelvare@suse.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+
+diff --git a/net/appletalk/ddp.c b/net/appletalk/ddp.c
+index 113c175..c8b7dc2 100644
+--- a/net/appletalk/ddp.c
++++ b/net/appletalk/ddp.c
+@@ -1417,10 +1417,13 @@ static int atalk_rcv(struct sk_buff *skb, struct net_device *dev,
+ /*
+ * Size check to see if ddp->deh_len was crap
+ * (Otherwise we'll detonate most spectacularly
+- * in the middle of recvmsg()).
++ * in the middle of atalk_checksum() or recvmsg()).
+ */
+- if (skb->len < sizeof(*ddp))
++ if (skb->len < sizeof(*ddp) || skb->len < (len_hops & 1023)) {
++ pr_debug("AppleTalk: dropping corrupted frame (deh_len=%u, "
++ "skb->len=%u)\n", len_hops & 1023, skb->len);
+ goto freeit;
++ }
+
+ /*
+ * Any checksums. Note we don't do htons() on this == is assumed to be
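Review bot: The new size check in atalk_rcv() reads len_hops, which none of the hunk's context lines define, and the README in this commit says the patch depends on bugfix/appletalk-endianness-annotations.patch, which is not added alongside it. Ship that prerequisite with the set, or state in the patch header which tree already provides it, so the fix can be applied and built on its own. The expression len_hops & 1023 is also written out in both the condition and the pr_debug() arguments; holding it in a local variable or behind a named mask keeps the comparison and the log message in step if the field width is ever touched.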
diff --git a/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/cm4040-buffer-overflow.patch b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/cm4040-buffer-overflow.patch
new file mode 100644
index 0000000..3047ff6
--- /dev/null
+++ b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/cm4040-buffer-overflow.patch
@@ -0,0 +1,44 @@
+From: Marcel Holtmann <marcel@holtmann.org>
+Date: Tue, 6 Mar 2007 21:12:00 +0000 (+0100)
+Subject: [PATCH] Fix buffer overflow in Omnikey CardMan 4040 driver (CVE-2007-0005)
+X-Git-Tag: v2.6.21-rc3~17
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=059819a41d4331316dd8ddcf977a24ab338f4300
+
+[PATCH] Fix buffer overflow in Omnikey CardMan 4040 driver (CVE-2007-0005)
+
+Based on a patch from Don Howard <dhoward@redhat.com>
+
+When calling write() with a buffer larger than 512 bytes, the
+driver's write buffer overflows, allowing to overwrite the EIP and
+execute arbitrary code with kernel privileges.
+
+In read(), there exists a similar problem, but coming from the device.
+A malicous or buggy device sending more than 512 bytes can overflow
+of the driver's read buffer, with the same effects as above.
+
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Harald Welte <laforge@gnumonks.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+
+diff --git a/drivers/char/pcmcia/cm4040_cs.c b/drivers/char/pcmcia/cm4040_cs.c
+index 0e82968..f2e4ec4 100644
+--- a/drivers/char/pcmcia/cm4040_cs.c
++++ b/drivers/char/pcmcia/cm4040_cs.c
+@@ -273,6 +273,7 @@ static ssize_t cm4040_read(struct file *filp, char __user *buf,
+ DEBUGP(6, dev, "BytesToRead=%lu\n", bytes_to_read);
+
+ min_bytes_to_read = min(count, bytes_to_read + 5);
++ min_bytes_to_read = min_t(size_t, min_bytes_to_read, READ_WRITE_BUFFER_SIZE);
+
+ DEBUGP(6, dev, "Min=%lu\n", min_bytes_to_read);
+
+@@ -340,7 +341,7 @@ static ssize_t cm4040_write(struct file *filp, const char __user *buf,
+ return 0;
+ }
+
+- if (count < 5) {
++ if ((count < 5) || (count > READ_WRITE_BUFFER_SIZE)) {
+ DEBUGP(2, dev, "<- cm4040_write buffersize=%Zd < 5\n", count);
+ return -EIO;
+ }
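Review bot: In cm4040_write() the rejection condition now also covers count > READ_WRITE_BUFFER_SIZE, but the DEBUGP text on the following line still reads "buffersize=%Zd < 5", so an oversized write is logged as if it were too small. Update the message to describe both bounds, or split the two cases so the log says which limit was hit. In cm4040_read() the two consecutive assignments to min_bytes_to_read could be one expression, and a one-line comment saying that the clamp protects the driver buffer from a device that reports more than READ_WRITE_BUFFER_SIZE bytes would record why it is there.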
diff --git a/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/core-dump-unreadable-PT_INTERP.patch b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/core-dump-unreadable-PT_INTERP.patch
new file mode 100644
index 0000000..33c7c4f
--- /dev/null
+++ b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/core-dump-unreadable-PT_INTERP.patch
@@ -0,0 +1,70 @@
+From: Alexey Dobriyan <adobriyan@openvz.org>
+Date: Fri, 26 Jan 2007 08:57:16 +0000 (-0800)
+Subject: [PATCH] core-dumping unreadable binaries via PT_INTERP
+X-Git-Tag: v2.6.20-rc7^0~60
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=1fb844961818ce94e782acf6a96b92dc2303553b
+
+[PATCH] core-dumping unreadable binaries via PT_INTERP
+
+Proposed patch to fix #5 in
+http://www.isec.pl/vulnerabilities/isec-0017-binfmt_elf.txt
+aka
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1073
+
+To reproduce, do
+* grab poc at the end of advisory.
+* add line "eph.p_memsz = 4096;" after "eph.p_filesz = 4096;"
+ where first "4096" is something equal to or greater than 4096.
+* ./poc /usr/bin/sudo && ls -l
+
+Here I get with 2.6.20-rc5:
+
+ -rw------- 1 ad ad 102400 2007-01-15 19:17 core
+ ---s--x--x 2 root root 101820 2007-01-15 19:15 /usr/bin/sudo
+
+Check for MAY_READ like binfmt_misc.c does.
+
+Signed-off-by: Alexey Dobriyan <adobriyan@openvz.org>
+Signed-off-by: Andrew Morton <akpm@osdl.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+
+diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
+index 90461f4..669dbe5 100644
+--- a/fs/binfmt_elf.c
++++ b/fs/binfmt_elf.c
+@@ -682,6 +682,15 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
+ retval = PTR_ERR(interpreter);
+ if (IS_ERR(interpreter))
+ goto out_free_interp;
++
++ /*
++ * If the binary is not readable then enforce
++ * mm->dumpable = 0 regardless of the interpreter's
++ * permissions.
++ */
++ if (file_permission(interpreter, MAY_READ) < 0)
++ bprm->interp_flags |= BINPRM_FLAGS_ENFORCE_NONDUMP;
++
+ retval = kernel_read(interpreter, 0, bprm->buf,
+ BINPRM_BUF_SIZE);
+ if (retval != BINPRM_BUF_SIZE) {
+diff --git a/fs/binfmt_elf_fdpic.c b/fs/binfmt_elf_fdpic.c
+index 6e6d456..a4d933a 100644
+--- a/fs/binfmt_elf_fdpic.c
++++ b/fs/binfmt_elf_fdpic.c
+@@ -234,6 +234,14 @@ static int load_elf_fdpic_binary(struct linux_binprm *bprm,
+ goto error;
+ }
+
++ /*
++ * If the binary is not readable then enforce
++ * mm->dumpable = 0 regardless of the interpreter's
++ * permissions.
++ */
++ if (file_permission(interpreter, MAY_READ) < 0)
++ bprm->interp_flags |= BINPRM_FLAGS_ENFORCE_NONDUMP;
++
+ retval = kernel_read(interpreter, 0, bprm->buf,
+ BINPRM_BUF_SIZE);
+ if (retval < 0)
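Review bot: The comment added in both load_elf_binary() and load_elf_fdpic_binary() says "If the binary is not readable", but the test underneath is file_permission(interpreter, MAY_READ), so it is the file named by PT_INTERP that is being checked. Reword the comment to say that an unreadable interpreter file forces BINPRM_FLAGS_ENFORCE_NONDUMP, which is what the code does and what the description's sudo example relies on. The identical block is pasted into both loaders; a small shared helper would keep the two copies from drifting apart.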
diff --git a/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/ipv6_fl_socklist-no-share.patch b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/ipv6_fl_socklist-no-share.patch
new file mode 100644
index 0000000..8749435
--- /dev/null
+++ b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/ipv6_fl_socklist-no-share.patch
@@ -0,0 +1,32 @@
+From: Masayuki Nakagawa <nakagawa.msy@ncos.nec.co.jp>
+Date: Fri, 16 Mar 2007 23:14:03 +0000 (-0700)
+Subject: [IPV6]: ipv6_fl_socklist is inadvertently shared.
+X-Git-Tag: v2.6.21-rc5~72^2
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=d35690beda1429544d46c8eb34b2e3a8c37ab299
+
+[IPV6]: ipv6_fl_socklist is inadvertently shared.
+
+The ipv6_fl_socklist from listening socket is inadvertently shared
+with new socket created for connection. This leads to a variety of
+interesting, but fatal, bugs. For example, removing one of the
+sockets may lead to the other socket's encountering a page fault
+when the now freed list is referenced.
+
+The fix is to not share the flow label list with the new socket.
+
+Signed-off-by: Masayuki Nakagawa <nakagawa.msy@ncos.nec.co.jp>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+
+diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
+index f57a9ba..92f9992 100644
+--- a/net/ipv6/tcp_ipv6.c
++++ b/net/ipv6/tcp_ipv6.c
+@@ -1453,6 +1453,7 @@ static struct sock * tcp_v6_syn_recv_sock(struct sock *sk, struct sk_buff *skb,
+ First: no IPv4 options.
+ */
+ newinet->opt = NULL;
++ newnp->ipv6_fl_list = NULL;
+
+ /* Clone RX bits */
+ newnp->rxopt.all = np->rxopt.all;
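Review bot: The subject and description call the shared structure ipv6_fl_socklist, while the field actually cleared in tcp_v6_syn_recv_sock() is newnp->ipv6_fl_list; using the field name in the description makes the fix findable by grep. The new assignment also sits directly under the existing comment "First: no IPv4 options.", which does not describe it; add a line stating that the child socket must not inherit the listener's flow label list, since the consequence described (a reference to a freed list) is not obvious from the code.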
diff --git a/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/ipv6_getsockopt_sticky-null-opt.patch b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/ipv6_getsockopt_sticky-null-opt.patch
new file mode 100644
index 0000000..1a124c2
--- /dev/null
+++ b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/ipv6_getsockopt_sticky-null-opt.patch
@@ -0,0 +1,42 @@
+From: David S. Miller <davem@sunset.davemloft.net>
+Date: Wed, 7 Mar 2007 20:50:46 +0000 (-0800)
+Subject: [IPV6]: Handle np->opt being NULL in ipv6_getsockopt_sticky().
+X-Git-Tag: v2.6.21-rc4~99^2~7
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=286930797d74b2c9a5beae84836044f6a836235f
+
+[IPV6]: Handle np->opt being NULL in ipv6_getsockopt_sticky().
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+
+diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
+index 286c867..4e0561a 100644
+--- a/net/ipv6/ipv6_sockglue.c
++++ b/net/ipv6/ipv6_sockglue.c
+@@ -795,11 +795,15 @@ int compat_ipv6_setsockopt(struct sock *sk, int level, int optname,
+ EXPORT_SYMBOL(compat_ipv6_setsockopt);
+ #endif
+
+-static int ipv6_getsockopt_sticky(struct sock *sk, struct ipv6_opt_hdr *hdr,
++static int ipv6_getsockopt_sticky(struct sock *sk, struct ipv6_txoptions *opt,
+ char __user *optval, int len)
+ {
+- if (!hdr)
++ struct ipv6_opt_hdr *hdr;
++
++ if (!opt || !opt->hopopt)
+ return 0;
++ hdr = opt->hopopt;
++
+ len = min_t(int, len, ipv6_optlen(hdr));
+ if (copy_to_user(optval, hdr, ipv6_optlen(hdr)))
+ return -EFAULT;
+@@ -940,7 +944,7 @@ static int do_ipv6_getsockopt(struct sock *sk, int level, int optname,
+ {
+
+ lock_sock(sk);
+- len = ipv6_getsockopt_sticky(sk, np->opt->hopopt,
++ len = ipv6_getsockopt_sticky(sk, np->opt,
+ optval, len);
+ release_sock(sk);
+ return put_user(len, optlen);
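Review bot: The context lines right after the new NULL check still call copy_to_user(optval, hdr, ipv6_optlen(hdr)), so the number of bytes copied is the option length rather than the clamped len, and min_t(int, len, ipv6_optlen(hdr)) leaves a negative len negative. The README in this commit attributes CVE-2007-1000 (len < 0) to this patch file, yet nothing in either hunk validates len. Either reject len < 0 before the min_t() and copy len bytes instead of ipv6_optlen(hdr), or correct the README so it does not claim this file covers that issue. The commit description is also empty beyond the subject; one sentence on when np->opt is NULL would help.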
diff --git a/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/keys-serial-num-collision.patch b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/keys-serial-num-collision.patch
new file mode 100644
index 0000000..9875900
--- /dev/null
+++ b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/keys-serial-num-collision.patch
@@ -0,0 +1,92 @@
+From: David Howells <dhowells@redhat.com>
+Date: Tue, 6 Feb 2007 13:45:51 +0000 (+0000)
+Subject: [PATCH] Keys: Fix key serial number collision handling
+X-Git-Tag: v2.6.21-rc2~42^2~22
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=9ad0830f307bcd8dc285cfae58998d43b21727f4
+
+[PATCH] Keys: Fix key serial number collision handling
+
+Fix the key serial number collision avoidance code in key_alloc_serial().
+
+This didn't use to be so much of a problem as the key serial numbers were
+allocated from a simple incremental counter, and it would have to go through
+two billion keys before it could possibly encounter a collision. However, now
+that random numbers are used instead, collisions are much more likely.
+
+This is fixed by finding a hole in the rbtree where the next unused serial
+number ought to be and using that by going almost back to the top of the
+insertion routine and redoing the insertion with the new serial number rather
+than trying to be clever and attempting to work out the insertion point
+pointer directly.
+
+This fixes kernel BZ #7727.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+
+diff --git a/security/keys/key.c b/security/keys/key.c
+index ac9326c..700400d 100644
+--- a/security/keys/key.c
++++ b/security/keys/key.c
+@@ -188,6 +188,7 @@ static inline void key_alloc_serial(struct key *key)
+
+ spin_lock(&key_serial_lock);
+
++attempt_insertion:
+ parent = NULL;
+ p = &key_serial_tree.rb_node;
+
+@@ -202,39 +203,33 @@ static inline void key_alloc_serial(struct key *key)
+ else
+ goto serial_exists;
+ }
+- goto insert_here;
++
++ /* we've found a suitable hole - arrange for this key to occupy it */
++ rb_link_node(&key->serial_node, parent, p);
++ rb_insert_color(&key->serial_node, &key_serial_tree);
++
++ spin_unlock(&key_serial_lock);
++ return;
+
+ /* we found a key with the proposed serial number - walk the tree from
+ * that point looking for the next unused serial number */
+ serial_exists:
+ for (;;) {
+ key->serial++;
+- if (key->serial < 2)
+- key->serial = 2;
+-
+- if (!rb_parent(parent))
+- p = &key_serial_tree.rb_node;
+- else if (rb_parent(parent)->rb_left == parent)
+- p = &(rb_parent(parent)->rb_left);
+- else
+- p = &(rb_parent(parent)->rb_right);
++ if (key->serial < 3) {
++ key->serial = 3;
++ goto attempt_insertion;
++ }
+
+ parent = rb_next(parent);
+ if (!parent)
+- break;
++ goto attempt_insertion;
+
+ xkey = rb_entry(parent, struct key, serial_node);
+ if (key->serial < xkey->serial)
+- goto insert_here;
++ goto attempt_insertion;
+ }
+
+- /* we've found a suitable hole - arrange for this key to occupy it */
+-insert_here:
+- rb_link_node(&key->serial_node, parent, p);
+- rb_insert_color(&key->serial_node, &key_serial_tree);
+-
+- spin_unlock(&key_serial_lock);
+-
+ } /* end key_alloc_serial() */
+
+ /*****************************************************************************/
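Review bot: The lower bound applied after key->serial++ in the serial_exists loop changes from 2 to 3 (if (key->serial < 3) sets key->serial = 3), and neither the description nor a comment explains it. State which serial values are reserved and why the bound moved, since the description only discusses the rbtree re-insertion. With insert_here removed, every exit from the for (;;) loop is now a goto attempt_insertion, so the code between the end of the loop and the function's closing brace is unreachable; a short comment saying so would stop a later reader from assuming a fall-through path that still needs spin_unlock().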
diff --git a/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/netlink-infinite-recursion.patch b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/netlink-infinite-recursion.patch
new file mode 100644
index 0000000..df76325
--- /dev/null
+++ b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/netlink-infinite-recursion.patch
@@ -0,0 +1,65 @@
+From: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
+Date: Wed, 25 Apr 2007 20:59:03 +0000 (+0000)
+Subject: [PATCH] NETLINK: Infinite recursion in netlink.
+X-Git-Tag: v2.6.20.8~1
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6.20.y.git;a=commitdiff_plain;h=9bc1779885f4ce1a4257c5640c70b75d2ae124ad
+
+[PATCH] NETLINK: Infinite recursion in netlink.
+
+[NETLINK]: Infinite recursion in netlink.
+
+Reply to NETLINK_FIB_LOOKUP messages were misrouted back to kernel,
+which resulted in infinite recursion and stack overflow.
+
+The bug is present in all kernel versions since the feature appeared.
+
+The patch also makes some minimal cleanup:
+
+1. Return something consistent (-ENOENT) when fib table is missing
+2. Do not crash when queue is empty (does not happen, but yet)
+3. Put result of lookup
+
+Signed-off-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+
+diff -urN linux-source-2.6.18.orig/net/ipv4/fib_frontend.c linux-source-2.6.18/net/ipv4/fib_frontend.c
+--- linux-source-2.6.18.orig/net/ipv4/fib_frontend.c 2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/net/ipv4/fib_frontend.c 2007-05-01 15:21:37.000000000 -0600
+@@ -524,6 +524,8 @@
+ .fwmark = frn->fl_fwmark,
+ .tos = frn->fl_tos,
+ .scope = frn->fl_scope } } };
++
++ frn->err = -ENOENT;
+ if (tb) {
+ local_bh_disable();
+
+@@ -535,6 +537,7 @@
+ frn->nh_sel = res.nh_sel;
+ frn->type = res.type;
+ frn->scope = res.scope;
++ fib_res_put(&res);
+ }
+ local_bh_enable();
+ }
+@@ -549,6 +552,9 @@
+ struct fib_table *tb;
+
+ skb = skb_dequeue(&sk->sk_receive_queue);
++ if (skb == NULL)
++ return;
++
+ nlh = (struct nlmsghdr *)skb->data;
+ if (skb->len < NLMSG_SPACE(0) || skb->len < nlh->nlmsg_len ||
+ nlh->nlmsg_len < NLMSG_LENGTH(sizeof(*frn))) {
+@@ -561,7 +567,7 @@
+
+ nl_fib_lookup(frn, tb);
+
+- pid = nlh->nlmsg_pid; /*pid of sending process */
++ pid = NETLINK_CB(skb).pid; /* pid of sending process */
+ NETLINK_CB(skb).pid = 0; /* from kernel */
+ NETLINK_CB(skb).dst_pid = pid;
+ NETLINK_CB(skb).dst_group = 0; /* unicast */
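Review bot: The fib_res_put(&res) added in the second hunk releases res without res.r having been initialised, which nl_fib_lookup-oops.patch in this same commit describes as an oops when CONFIG_IP_MULTIPLE_TABLES is enabled. The two patches must never be applied separately; fold the res.r = NULL initialisation into this patch or record the ordering requirement in its header. The hunk headers here also carry no function names (the diff was made with plain diff -urN), so a reviewer cannot tell from the patch which functions the changes at 524, 535, 549 and 561 belong to; regenerating with -p would fix that. The description's cleanup item 2 ("does not happen, but yet") would be clearer if it said under what condition skb_dequeue() could return NULL.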
diff --git a/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/nf_conntrack-set-nfctinfo.patch b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/nf_conntrack-set-nfctinfo.patch
new file mode 100644
index 0000000..f540a67
--- /dev/null
+++ b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/nf_conntrack-set-nfctinfo.patch
@@ -0,0 +1,35 @@
+From: Patrick McHardy <kaber@trash.net>
+Date: Wed, 7 Mar 2007 21:34:42 +0000 (+0100)
+Subject: nf_conntrack: fix incorrect classification of IPv6 fragments as ESTABLISHED
+X-Git-Tag: v2.6.20.3~11
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6.20.y.git;a=commitdiff_plain;h=868f0120e0f93d070ea7f3e969c09dbab8ad7bc7
+
+nf_conntrack: fix incorrect classification of IPv6 fragments as ESTABLISHED
+
+[NETFILTER]: nf_conntrack: fix incorrect classification of IPv6 fragments as ESTABLISHED
+
+The individual fragments of a packet reassembled by conntrack have the
+conntrack reference from the reassembled packet attached, but nfctinfo
+is not copied. This leaves it initialized to 0, which unfortunately is
+the value of IP_CT_ESTABLISHED.
+
+The result is that all IPv6 fragments are tracked as ESTABLISHED,
+allowing them to bypass a usual ruleset which accepts ESTABLISHED
+packets early.
+
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+
+diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+index a20615f..6155b80 100644
+--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
++++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+@@ -257,6 +257,7 @@ static unsigned int ipv6_conntrack_in(unsigned int hooknum,
+ }
+ nf_conntrack_get(reasm->nfct);
+ (*pskb)->nfct = reasm->nfct;
++ (*pskb)->nfctinfo = reasm->nfctinfo;
+ return NF_ACCEPT;
+ }
+
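Review bot: In ipv6_conntrack_in() the nfct and nfctinfo fields are now copied from reasm in two separate assignments, and nothing in the code says they must travel together. Since the description explains that an uncopied nfctinfo stays 0 and that 0 is the value of IP_CT_ESTABLISHED, add a comment at this site saying so, so that a later edit of the nfct assignment does not silently reintroduce the ESTABLISHED classification of fragments.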
diff --git a/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/nfnetlink_log-null-deref.patch b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/nfnetlink_log-null-deref.patch
new file mode 100644
index 0000000..b86a409
--- /dev/null
+++ b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/nfnetlink_log-null-deref.patch
@@ -0,0 +1,37 @@
+From: Michal Miroslaw <mirq-linux@rere.qmqm.pl>
+Date: Sun, 4 Mar 2007 23:59:20 +0000 (-0800)
+Subject: [NETFILTER]: nfnetlink_log: fix possible NULL pointer dereference
+X-Git-Tag: v2.6.21~469^2~10
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=dd16704eba171b32ef0cded3a4f562b33b911066
+
+[NETFILTER]: nfnetlink_log: fix possible NULL pointer dereference
+
+Eliminate possible NULL pointer dereference in nfulnl_recv_config().
+
+Signed-off-by: Michal Miroslaw <mirq-linux@rere.qmqm.pl>
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+
+diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
+index 1b94051..b669db5 100644
+--- a/net/netfilter/nfnetlink_log.c
++++ b/net/netfilter/nfnetlink_log.c
+@@ -858,6 +858,9 @@ nfulnl_recv_config(struct sock *ctnl, struct sk_buff *skb,
+ ret = -EINVAL;
+ break;
+ }
++
++ if (!inst)
++ goto out;
+ } else {
+ if (!inst) {
+ UDEBUG("no config command, and no instance for "
+@@ -911,6 +914,7 @@ nfulnl_recv_config(struct sock *ctnl, struct sk_buff *skb,
+
+ out_put:
+ instance_put(inst);
++out:
+ return ret;
+ }
+
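Review bot: The new if (!inst) goto out; after the command switch in nfulnl_recv_config() has no comment saying which command paths arrive there with inst NULL, and it returns whatever ret the switch happened to leave. Add a comment naming the case it covers and confirm ret is set on every path that reaches the check; from the visible lines only the default branch (ret = -EINVAL) is known to assign it. The description is a single sentence and does not say which later statement dereferenced inst; naming it would let a reader verify that the new out label, placed after instance_put(inst), skips exactly what it should.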
diff --git a/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/nl_fib_lookup-oops.patch b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/nl_fib_lookup-oops.patch
new file mode 100644
index 0000000..c0547fa
--- /dev/null
+++ b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/nl_fib_lookup-oops.patch
@@ -0,0 +1,34 @@
+From: Sergey Vlasov <vsu@altlinux.ru>
+Date: Fri, 27 Apr 2007 09:18:35 +0000 (-0700)
+Subject: IPV4: Fix OOPS'er added to netlink fib.
+X-Git-Tag: v2.6.20.10~2
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6.20.y.git;a=commitdiff_plain;h=6af3412cff50b9a7b12b7b9cf6f01b34fbae4624
+
+IPV4: Fix OOPS'er added to netlink fib.
+
+[IPV4] nl_fib_lookup: Initialise res.r before fib_res_put(&res)
+
+When CONFIG_IP_MULTIPLE_TABLES is enabled, the code in nl_fib_lookup()
+needs to initialize the res.r field before fib_res_put(&res) - unlike
+fib_lookup(), a direct call to ->tb_lookup does not set this field.
+
+Signed-off-by: Sergey Vlasov <vsu@altlinux.ru>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+
+diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
+index fa2cb8c..30aae76 100644
+--- a/net/ipv4/fib_frontend.c
++++ b/net/ipv4/fib_frontend.c
+@@ -773,6 +773,10 @@ static void nl_fib_lookup(struct fib_result_nl *frn, struct fib_table *tb )
+ .tos = frn->fl_tos,
+ .scope = frn->fl_scope } } };
+
++#ifdef CONFIG_IP_MULTIPLE_TABLES
++ res.r = NULL;
++#endif
++
+ frn->err = -ENOENT;
+ if (tb) {
+ local_bh_disable();
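Review bot: The context line frn->err = -ENOENT; below the added #ifdef block only exists once netlink-infinite-recursion.patch has been applied, so this patch has a hard ordering dependency that its header does not state; the README says only "previous patch". The hunk is also positioned at line 773 of net/ipv4/fib_frontend.c, while the other patch places the same function at line 524 of the 2.6.18 source, so this one will apply only with an offset; regenerate it against the 2.6.18 tree so it applies cleanly. As a style point, res.r = NULL under #ifdef CONFIG_IP_MULTIPLE_TABLES could be part of the res declaration instead of a separate statement between the initialisers and the first use.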