Diffstat (limited to 'tags/2.6.18-12/00000_README')
-rw-r--r-- | tags/2.6.18-12/00000_README | 392 |
1 files changed, 392 insertions, 0 deletions
diff --git a/tags/2.6.18-12/00000_README b/tags/2.6.18-12/00000_README new file mode 100644 index 0000000..c9c4c91 --- /dev/null +++ b/tags/2.6.18-12/00000_README 
@@ -0,0 +1,392 @@ +Xen Patches README +------------------ + +These patches are intended to be stacked on top of genpatches-base. + +Many of the patches included here are swiped from various sources which +use their own four digit patch numbering scheme, so we are stuck with five +digits to indiciate the source for easier tracking and re-syncing. + +Numbering +--------- + +0xxxx Gentoo, not related to Xen. (in case we pull something from extras) +1xxxx XenSource, upstream Xen patch for 2.6.18 +2xxxx Redhat, we use their Xen patch for >=2.6.20 +3xxxx Debian, we use their security fixes for 2.6.18 +5xxxx Gentoo, Xen and other fixes for Redhat and/or Debian patches. + +Patches +------- + +10002_xen-3.3.0.patch + Upstream 3.3.0 patch + +30001_nfnetlink_log-null-deref.patch + [SECURITY] Fix remotely exploitable NULL pointer dereference in + nfulnl_recv_config() + See CVE-2007-1496 + +30002_nf_conntrack-set-nfctinfo.patch + [SECURITY] Fix incorrect classification of IPv6 fragments as ESTABLISHED, + which allows remote attackers to bypass certain rulesets + See CVE-2007-1497 + +30003_netlink-infinite-recursion.patch + [SECURITY] Fix infinite recursion bug in netlink + See CVE-2007-1861 + +30004_nl_fib_lookup-oops.patch + Add fix for oops bug added by previous patch + +30005_core-dump-unreadable-PT_INTERP.patch + [SECURITY] Fix a vulnerability that allows local users to read + otherwise unreadable (but executable) files by triggering a core dump. + See CVE-2007-0958 + +30006_appletalk-length-mismatch.patch + [SECURITY] Fix a remote DoS (crash) in appletalk + Depends upon bugfix/appletalk-endianness-annotations.patch + See CVE-2007-1357 + +30007_cm4040-buffer-overflow.patch + [SECURITY] Fix a buffer overflow in the Omnikey CardMan 4040 driver + See CVE-2007-0005 + +30008_ipv6_fl_socklist-no-share.patch + [SECURITY] Fix local DoS vulnerability caused by inadvertently sharing + ipv6_fl_socklist between the listening socket and the socket created + for connection. 
+ See CVE-2007-1592 + +30009_keys-serial-num-collision.patch + [SECURITY] Fix the key serial number collision avoidance code in + key_alloc_serial() that could lead to a local DoS (oops). + (closes: #398470) + See CVE-2007-0006 + +30010_ipv6_getsockopt_sticky-null-opt.patch + [SECURITY] Fix kernel memory leak vulnerability in + ipv6_getsockopt_sticky() which can be triggered by passing a len < 0. + See CVE-2007-1000 + +30011_ipv6_setsockopt-NULL-deref.patch + [SECURITY] Fix NULL dereference in ipv6_setsockopt that could lead + to a local DoS (oops). + See CVE-2007-1388 + +30012_ipv6-disallow-RH0-by-default.patch + [SECURITY] Avoid a remote DoS (network amplification between two routers) + by disabling type0 IPv6 route headers by default. Can be re-enabled via + a sysctl interface. Thanks to Vlad Yasevich for porting help. + +30013_listxattr-mem-corruption.patch + [SECURITY] Fix userspace corruption vulnerability caused by + incorrectly promoted return values in bad_inode_ops + This patch changes the kernel ABI. 
+ See CVE-2006-5753 + +30014_bluetooth-l2cap-hci-info-leaks.patch + [SECURITY] Fix information leaks in setsockopt() implementations + See CVE-2007-1353 + +30015_usblcd-limit-memory-consumption.patch + [SECURITY] limit memory consumption during write in the usblcd driver + See CVE-2007-3513 + +30016_pppoe-socket-release-mem-leak.patch + [SECURITY] fix unpriveleged memory leak when a PPPoE socket is released + after connect but before PPPIOCGCHAN ioctl is called upon it + See CVE-2007-2525 + +30017_nf_conntrack_h323-bounds-checking.patch + [SECURITY] nf_conntrack_h323: add checking of out-of-range on choices' + index values + See CVE-2007-3642 + +30018_dn_fib-out-of-bounds.patch + [SECURITY] Fix out of bounds condition in dn_fib_props[] + See CVE-2007-2172 + +30019_random-fix-seeding-with-zero-entropy.patch, +30020_random-fix-error-in-entropy-extraction.patch + [SECURITY] Avoid seeding with the same values at boot time when a + system has no entropy source and fix a casting error in entropy + extraction that resulted in slightly less random numbers. + See CVE-2007-2453 + +30021_nf_conntrack_sctp-null-deref.patch + [SECURITY] Fix remotely triggerable NULL pointer dereference + by sending an unknown chunk type. + See CVE-2007-2876 + +30022_i965-secure-batchbuffer.patch + [SECURITY] Fix i965 secured batchbuffer usage + See CVE-2007-3851 + +30023_appletalk-endianness-annotations.patch + Dependency for 30006_appletalk-length-mismatch.patch. + +30024_drm-i965.patch + Dependency for 30022_i965-secure-batchbuffer.patch + +30025_ipv4-fib_props-out-of-bounds.patch + [SECURITY] Fix a typo which caused fib_props[] to be of the wrong size + and check for out of bounds condition in index provided by userspace + See CVE-2007-2172 + +30026_cifs-fix-sign-settings.patch + [SECURITY] Fix overriding the server to force signing on caused by + checking the wrong gloal variable. 
+ See CVE-2007-3843 + +30027_cpuset_tasks-underflow.patch + [SECURITY] Fix integer underflow in /dev/cpuset/tasks which could allow + local attackers to read sensitive kernel memory if the cpuset filesystem + is mounted. + See CVE-2007-2875 + +30028_random-bound-check-ordering.patch + [SECURITY] Fix stack-based buffer overflow in the random number + generator + See CVE-2007-3105 + +30030_aacraid-ioctl-perm-check.patch + [SECURITY] Require admin capabilities to issue ioctls to aacraid devices + See CVE-2007-4308 + +30031_ptrace-handle-bogus-selector.patch, +30032_fixup-trace_irq-breakage.patch + [SECURITY] Handle an invalid LDT segment selector %cs (the xcs field) + during ptrace single-step operations that can be used to trigger a + NULL-pointer dereference causing an Oops. + See CVE-2007-3731 + +30033_prevent-stack-growth-into-hugetlb-region.patch + [SECURITY] Prevent OOPS during stack expansion when the VMA crosses + into address space reserved for hugetlb pages. + See CVE-2007-3739 + +30034_cifs-honor-umask.patch + [SECURITY] Make CIFS honor a process' umask + See CVE-2007-3740 + +30035_amd64-zero-extend-32bit-ptrace.patch + [SECURITY] Zero extend all registers after ptrace in 32-bit entry path. + See CVE-2007-4573 + +30036_jffs2-ACL-vs-mode-handling.patch + [SECURITY] Write correct legacy modes to the medium on inode creation to + prevent incorrect permissions upon remount. + See CVE-2007-4849 + +30039_hugetlb-prio_tree-unit-fix.patch + [SECURITY] Fix misconversion of hugetlb_vmtruncate_list to prio_tree + which could be used to trigger a BUG_ON() call in exit_mmap. + See CVE-2007-4133 + +30040_usb-pwc-disconnect-block.patch + [SECURITY] Fix issue with unplugging webcams that use the pwc driver. + If userspace still has the device open it can result, the driver would + wait for the device to close, blocking the USB subsystem. 
+ See CVE-2007-5093 + +30041_ipv6-disallow-RH0-by-default-2.patch + Fix ipv6 rfc conformance issue introduced in 2.6.18.dfsg.1-13 by the + fix for CVE-2007-2242. Thanks to Brian Haley for the patch. + (closes: Debian #440127) + +/* This is already in Xen 3.2 +30042_reset-pdeathsig-on-suid-upstream.patch + Update fix for CVE-2007-3848 with the patch accepted upstream + (formerly 30013_reset-pdeathsig-on-suid.patch) +*/ + +30043_don-t-leak-nt-bit-into-next-task-xen.patch + [SECURITY] Don't leak NT bit into next task (Xen). + See CVE-2006-5755 + +30044_cifs-better-failed-mount-errors.patch, +30045_cifs-corrupt-server-response-overflow.patch + [SECURITY][CIFS] Fix multiple overflows that can be remotely triggered + by a server sending a corrupt response. + See CVE-2007-5904 + +30046_wait_task_stopped-hang.patch + [SECURITY] wait_task_stopped was incorrectly testing for TASK_TRACED - + check p->exit_state instead avoiding a potential system hang + See CVE-2007-5500 + +30047_ieee80211-underflow.patch + [SECURITY] Fix integer overflow in ieee80211 which makes it possible + for a malicious frame to crash a system using a driver built on top of + the Linux 802.11 wireless code. 
+ See CVE-2007-4997 + +30048_sysfs_readdir-NULL-deref-1.patch, +30049_sysfs_readdir-NULL-deref-2.patch, +30050_sysfs-fix-condition-check.patch + [SECURITY] Fix potential NULL pointer dereference which can lead to + a local DoS (kernel oops) + See CVE-2007-3104 + +30051_tmpfs-restore-clear_highpage.patch + [SECURITY] Fix a theoretical kernel memory leak in the tmpfs filesystem + See CVE-2007-6417 + +30052_minixfs-printk-hang.patch + [SECURITY] Rate-limit printks caused by accessing a corrupted minixfs + filesystem that would otherwise cause a system to hang (printk storm) + See CVE-2006-6058 + +30053_hrtimer-large-relative-timeouts-overflow.patch + [SECURITY] Avoid overflow in hrtimers due to large relative timeouts + See CVE-2007-5966 + +30054_coredump-only-to-same-uid.patch + [SECURITY] Fix an issue where core dumping over a file that + already exists retains the ownership of the original file + See CVE-2007-6206 + +30055_isdn-net-overflow.patch + [SECURITY] Fix potential overflows in the ISDN subsystem + See CVE-2007-6063 + +30056_proc-snd-page-alloc-mem-leak.patch + [SECURITY][ABI Changer] Fix an issue in the alsa subsystem that allows a + local user to read potentially sensitive kernel memory from the proc + filesystem + See CVE-2007-4571 + +30057_fat-move-ioctl-compat-code.patch +30058_bugfix/fat-fix-compat-ioctls.patch + [SECURITY][ABI Changer] Fix kernel_dirent corruption in the compat layer + for fat ioctls + See CVE-2007-2878 + +30059_vfs-use-access-mode-flag.patch + [SECURITY] Use the access mode flag instead of the open flag when + testing access mode for a directory. Modify + features/all/vserver/vs2.0.2.2-rc9.patch to apply on top of this + See CVE-2008-0001 + +30060_i4l-isdn_ioctl-mem-overrun.patch + [SECURITY] Fix potential isdn ioctl memory overrun + See CVE-2007-6151 + +30061_vmsplice-security.patch + [SECURITY] Fix missing access check in vmsplice. 
+ See CVE-2008-0010, CVE-2008-0600 + +30062_clear-spurious-irq.patch + Fix a minor denial of service issue that allows local users to disable + an interrupt by causing an interrupt handler to be quickly inserted/removed. + This has only been shown to happen with certain serial devices so can only + be triggered by a user who already has additional priveleges (dialout + group). (closes: Debian #404815) + +30063_mmap-VM_DONTEXPAND.patch + [SECURITY] Add VM_DONTEXPAND to vm_flags in drivers that register + a fault handler but do not bounds check the offset argument + See CVE-2008-0007 + +30064_RLIMIT_CPU-earlier-checking.patch + [SECURITY] Move check for an RLIMIT_CPU with a value of 0 earlier + to prevent a user escape (closes: #419706) + See CVE-2008-1294 + +30065_dnotify-race.patch + [SECURITY] Fix a race in the directory notify + See CVE-2008-1375 + +30066_fcntl_setlk-close-race.patch + [SECURITY] Fix an SMP race to prevent reordering of flock updates + and accesses to the descriptor table on close(). 
+ See CVE-2008-1669 + +30067_sit-missing-kfree_skb-on-pskb_may_pull.patch + [SECURITY] Fix remotely-triggerable memory leak in the Simple + Internet Transition (SIT) code used for IPv6 over IPv4 tunnels + See CVE-2008-2136 + +30068_hrtimer-prevent-overrun.patch +30069_ktime-fix-MTIME_SEC_MAX-on-32-bit.patch + [SECURITY] Fix potential infinite loop in hrtimer_forward on + 64-bit systems + See CVE-2007-6712 + +30070_amd64-cs-corruption.patch + [SECURITY] Fix local ptrace denial of service for amd64 flavor + kernels, bug #480390 + See CVE-2008-1615 + +30071_dccp-feature-length-check.patch + [SECURITY] Validate feature length to avoid heap overflow + See CVE-2008-2358 + +30072_asn1-ber-decoding-checks.patch + [SECURITY] Validate lengths in ASN.1 decoding code to avoid + heap overflow + See CVE-2008-1673 + +30073_nfs-write-corruption.patch + Fix potential nfs write corruption (closes: #470719) + +30074_x86-clear-df-before-calling-signal-handler.patch + [i386/amd64] Clear DF before calling signal handler. (closes: #469058) + CVE-2008-1367 + +30075_3w-xxxx-bigmem-corruption.patch + 3w-xxxx: Fix data corruption on em64t systems w/ > 2GB of memory + (closes: #464923). 
+ +30076_dnotify-race-locking.patch + Add missing locking for the dnotify-race fix that was included in + the upstream commit + +30077_sctp-make-sure-n-sizeof-does-not-overflow.patch + [SECURITY] Fix potential overflow condition in + sctp_getsockopt_local_addrs_old + See CVE-2008-2826 + +30078_esp-iv-in-linear-part-of-skb.patch + [SECURITY] Avoid tripping BUG() in IPsec code when the first fragment + of an ESP packet does not contain the entire ESP header and IV + See CVE-2007-6282 + +30079a_amd64-fix-zeroing-on-exception-in-copy_user-pre.patch +30079b_amd64-fix-zeroing-on-exception-in-copy_user.patch + [SECURITY] [amd64] Fix potential information leak when a copy + operation fails by properly zeroing out destination memory + See CVE-2008-2729 + +30080_tty-fix-for-tty-operations-bugs.patch + [SECURITY] Fix issues with tty operation handling in various drivers + See CVE-2008-2812 + +30081_check-privileges-before-setting-mount-propagation.patch + [SECURITY] Check CAP_SYS_ADMIN when changing mountpoint type + See CVE-2008-2931 + +30082a_x86-add-copy_user_handle_tail.patch +30082b_x86-fix-copy_user.patch + [SECURITY][amd64] Fix memory leak in the copy_user routine, see #490910. + See CVE-2008-0598 + +30083_x86-wrong-register-was-used-in-align-macro.patch + Fix regression introduced upstream by the fix for CVE-2008-0598 + +30084_cifs-fix-compiler-warning.patch +30085_netfilter-nf_nat_snmp_basic-fix-range-check.patch + Fix regressions introduced upstream by the fixes for CVE-2008-1673 + +30086_sound-ensure-device-number-is-valid-in-snd_seq_oss_synth_make_info.patch + Fix possible information leak in seq_oss_synth.c + See CVE-2008-3272 + +30087_vfs-fix-lookup-on-deleted-directory.patch + Fix potential memory leak in lookup path + See CVE-2008-3275 + +50009_gentooify-tls-warning.patch + Change tls warning instructions to apply directly to Gentoo. |
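Review bot: The entry for 30012_ipv6-disallow-RH0-by-default.patch is the only [SECURITY] entry without a CVE reference, yet the later entry for 30041_ipv6-disallow-RH0-by-default-2.patch describes itself as fixing a regression "introduced ... by the fix for CVE-2007-2242", so 30012 should carry a "See CVE-2007-2242" line like the other Debian-sourced entries, otherwise a reader resyncing against Debian cannot match the two. A few smaller points in the same hunk: the 30042 entry is wrapped in a C-style "/* This is already in Xen 3.2 ... */" block in a plain-text README, which is easy to misread as an applied patch; either drop the entry or mark it in prose ("not applied, already in Xen 3.2"). The name "30058_bugfix/fat-fix-compat-ioctls.patch" contains a path separator unlike every other entry and looks like a Debian series path that leaked into the filename; check it against the actual file in the directory. ABI-changing patches are flagged two different ways ("This patch changes the kernel ABI." on 30013 versus the "[SECURITY][ABI Changer]" tag on 30056 and 30057/30058); pick one convention so the ABI flag is greppable. Finally, the text has typos worth fixing before this lands: "indiciate", "unpriveleged", "gloal", "priveleges".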