linux rebuild for security patch

acpi-call/PKGBUILD

@@ -3,12 +3,12 @@
 #
 # maintainer abveritas@chakra-project.org
 
-_kver="3.7.6-1-CHAKRA"
+_kver="3.7.6-2-CHAKRA"
 
 pkgname=acpi-call
 _pkgname=acpi_call
 pkgver=1.0.0
-pkgrel=3
+pkgrel=4
 pkgdesc="A kernel module that enables you to call parameterless ACPI methods by writing the method name to /proc/acpi/call, e.g. to turn off discrete graphics card in a dual graphics environment (like NVIDIA Optimus)."
 arch=('x86_64')
 url=("http://github.com/mkottman/acpi_call")

linux/PKGBUILD

@@ -9,7 +9,7 @@ pkgname=('linux' 'linux-headers' 'linux-docs')
 _kernelname=${pkgname#linux}
 _basekernel=3.7
 pkgver=3.7.6
-pkgrel=1
+pkgrel=2
 arch=('x86_64')
 url="http://www.kernel.org/"
 license=('GPL2')
@@ -32,7 +32,8 @@ source=("http://www.kernel.org/pub/linux/kernel/v3.x/linux-3.7.tar.xz"
         'change-default-console-loglevel.patch'
         'fat-3.6.x.patch'
         'sp5100_tco-Add-SB8x0-chipset-support2.patch'
-        'ath3k.patch')
+        'ath3k.patch'
+        'security.patch')
 md5sums=('21223369d682bcf44bcdfe1521095983'
          'ec61c44f37585a768d41c0439101ef9c'
          '05befa9b6c2a91015f89d6cda6802198'
@@ -47,7 +48,8 @@ md5sums=('21223369d682bcf44bcdfe1521095983'
          '65cbe8e4c8efaf96dd162102e46ce81d'
          '88d501404f172dac6fcb248978251560'
          '57ee9aa09bdec07a5ce2b553b94c7039'
-         'd393a0bbd762bf9d6f42d770b89e6811')
+         'd393a0bbd762bf9d6f42d770b89e6811'
+         'fc4928d107d638bb106901f1bfedd684')
 
 build() {
   cd "${srcdir}/linux-${_basekernel}"
@@ -65,6 +67,10 @@ build() {
   #patch -p1 -i "${srcdir}/sp5100_tco-Add-SB8x0-chipset-support2.patch"
   # bug http://chakra-linux.org/bugs/index.php?do=details&task_id=501
   patch -p1 -i "${srcdir}/ath3k.patch"
+  # Fix out-of-bounds access to sock_diag_handlerscurrent, code does not test for
+  # this condition therefore is vulnerable to an out-of-bound access opening doors
+  # for a privilege escalation
+  patch -p1 -i "${srcdir}/security.patch"
 
   # set DEFAULT_CONSOLE_LOGLEVEL to 4 (same value as the 'quiet' kernel param)
   # remove this when a Kconfig knob is made available by upstream

linux/linux.install

@@ -2,7 +2,7 @@
 # arg 2:  the old package version
 
 KERNEL_NAME=
-KERNEL_VERSION=3.7.6-1-CHAKRA
+KERNEL_VERSION=3.7.6-2-CHAKRA
 
 # set a sane PATH to ensure that critical utils like depmod will be found
 export PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'

linux/security.patch

+From: Mathias Krause <minipli@googlemail.com>
+Date: Sat, 23 Feb 2013 01:13:47 +0000 (+0000)
+Subject: sock_diag: Fix out-of-bounds access to sock_diag_handlers[]
+X-Git-Url: https://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fdavem%2Fnet.git;a=commitdiff_plain;h=6e601a53566d84e1ffd25e7b6fe0b6894ffd79c0;hp=c9b20a5effcb29acf0f8a2a31c875073b2a0c74e
+
+sock_diag: Fix out-of-bounds access to sock_diag_handlers[]
+
+Userland can send a netlink message requesting SOCK_DIAG_BY_FAMILY
+with a family greater or equal then AF_MAX -- the array size of
+sock_diag_handlers[]. The current code does not test for this
+condition therefore is vulnerable to an out-of-bound access opening
+doors for a privilege escalation.
+
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Acked-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+
+diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c
+index 602cd63..750f44f 100644
+--- a/net/core/sock_diag.c
++++ b/net/core/sock_diag.c
+@@ -121,6 +121,9 @@ static int __sock_diag_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
+ 	if (nlmsg_len(nlh) < sizeof(*req))
+ 		return -EINVAL;
+ 
++	if (req->sdiag_family >= AF_MAX)
++		return -EINVAL;
++
+ 	hndl = sock_diag_lock_handler(req->sdiag_family);
+ 	if (hndl == NULL)
+ 		err = -ENOENT;