diff --git a/acpi-call/PKGBUILD b/acpi-call/PKGBUILD
index ba854c8996bd37bde6b5e53587b36fd3528faba2..a68805a7f0738a15e3a2bafbd106a268e403f181 100644
--- a/acpi-call/PKGBUILD
+++ b/acpi-call/PKGBUILD
@@ -3,12 +3,12 @@
 #
 # maintainer abveritas@chakra-project.org
-_kver="3.7.6-1-CHAKRA"
+_kver="3.7.6-2-CHAKRA"
 pkgname=acpi-call
 _pkgname=acpi_call
 pkgver=1.0.0
-pkgrel=3
+pkgrel=4
 pkgdesc="A kernel module that enables you to call parameterless ACPI methods by writing the method name to /proc/acpi/call, e.g. to turn off discrete graphics card in a dual graphics environment (like NVIDIA Optimus)."
 arch=('x86_64')
 url=("http://github.com/mkottman/acpi_call")
diff --git a/linux/PKGBUILD b/linux/PKGBUILD
index 7817523e2e4550359628f8ef06cee453bfee4737..4776650e8eb9f8706ba3658a19c0085ea1e618f3 100644
--- a/linux/PKGBUILD
+++ b/linux/PKGBUILD
@@ -9,7 +9,7 @@ pkgname=('linux' 'linux-headers' 'linux-docs')
 _kernelname=${pkgname#linux}
 _basekernel=3.7
 pkgver=3.7.6
-pkgrel=1
+pkgrel=2
 arch=('x86_64')
 url="http://www.kernel.org/"
 license=('GPL2')
@@ -32,7 +32,8 @@ source=("http://www.kernel.org/pub/linux/kernel/v3.x/linux-3.7.tar.xz"
 'change-default-console-loglevel.patch'
 'fat-3.6.x.patch'
 'sp5100_tco-Add-SB8x0-chipset-support2.patch'
- 'ath3k.patch')
+ 'ath3k.patch'
+ 'security.patch')
 md5sums=('21223369d682bcf44bcdfe1521095983'
 'ec61c44f37585a768d41c0439101ef9c'
 '05befa9b6c2a91015f89d6cda6802198'
@@ -47,7 +48,8 @@ md5sums=('21223369d682bcf44bcdfe1521095983'
 '65cbe8e4c8efaf96dd162102e46ce81d'
 '88d501404f172dac6fcb248978251560'
 '57ee9aa09bdec07a5ce2b553b94c7039'
- 'd393a0bbd762bf9d6f42d770b89e6811')
+ 'd393a0bbd762bf9d6f42d770b89e6811'
+ 'fc4928d107d638bb106901f1bfedd684')
 build() {
 cd "${srcdir}/linux-${_basekernel}"
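Review bot: The integrity entry added for the new patch in the `md5sums` hunk of linux/PKGBUILD (`'fc4928d107d638bb106901f1bfedd684'`) is an MD5 digest, which catches accidental corruption but is weak evidence that the file applied to the kernel is the one that was reviewed. The same array also covers the kernel tarball that the `source` hunk's context shows being fetched over plain `http://`. I would move the array to `sha256sums=(...)`, regenerated from the reviewed files. In the `source` hunk, `'security.patch'` is a generic name that the next security fix will want too; a name that identifies the fix, such as `'sock_diag-fix-out-of-bounds-access.patch'`, would make later removal unambiguous.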
@@ -65,6 +67,10 @@ build() {
 #patch -p1 -i "${srcdir}/sp5100_tco-Add-SB8x0-chipset-support2.patch"
 # bug http://chakra-linux.org/bugs/index.php?do=details&task_id=501
 patch -p1 -i "${srcdir}/ath3k.patch"
+ # Fix out-of-bounds access to sock_diag_handlerscurrent, code does not test for
+ # this condition therefore is vulnerable to an out-of-bound access opening doors
+ # for a privilege escalation
+ patch -p1 -i "${srcdir}/security.patch"
 # set DEFAULT_CONSOLE_LOGLEVEL to 4 (same value as the 'quiet' kernel param)
 # remove this when a Kconfig knob is made available by upstream
diff --git a/linux/linux.install b/linux/linux.install
index 1370631fa255dc1df5e3efecbdbefc795a658f71..3eb843b8ac5dd855341141437d6269cdc0da131f 100644
--- a/linux/linux.install
+++ b/linux/linux.install
@@ -2,7 +2,7 @@
 # arg 2: the old package version
 KERNEL_NAME=
-KERNEL_VERSION=3.7.6-1-CHAKRA
+KERNEL_VERSION=3.7.6-2-CHAKRA
 # set a sane PATH to ensure that critical utils like depmod will be found
 export PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
diff --git a/linux/security.patch b/linux/security.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ab113d87dd8a65d4efde2943f86b5838c13963f0
--- /dev/null
+++ b/linux/security.patch
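Review bot: The comment added above `patch -p1 -i "${srcdir}/security.patch"` in the `build()` hunk of linux/PKGBUILD is a garbled copy of the upstream commit message: in `sock_diag_handlerscurrent, code does not test` the `[]. The` between the array name and the next sentence is gone, and the text never says which condition is untested. I would replace the three lines with `# sock_diag: reject sdiag_family >= AF_MAX before sock_diag_handlers[] is indexed (privilege escalation)` and `# upstream 6e601a53566d84e1ffd25e7b6fe0b6894ffd79c0 - drop once pkgver contains it`. That tells the next maintainer which fix this is and when the patch can be removed. `build()` starts and ends outside the hunk.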
@@ -0,0 +1,32 @@
+From: Mathias Krause
+Date: Sat, 23 Feb 2013 01:13:47 +0000 (+0000)
+Subject: sock_diag: Fix out-of-bounds access to sock_diag_handlers[]
+X-Git-Url: https://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fdavem%2Fnet.git;a=commitdiff_plain;h=6e601a53566d84e1ffd25e7b6fe0b6894ffd79c0;hp=c9b20a5effcb29acf0f8a2a31c875073b2a0c74e
+
+sock_diag: Fix out-of-bounds access to sock_diag_handlers[]
+
+Userland can send a netlink message requesting SOCK_DIAG_BY_FAMILY
+with a family greater or equal then AF_MAX -- the array size of
+sock_diag_handlers[]. The current code does not test for this
+condition therefore is vulnerable to an out-of-bound access opening
+doors for a privilege escalation.
+
+Signed-off-by: Mathias Krause
+Acked-by: Eric Dumazet
+Signed-off-by: David S. Miller
+---
+
+diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c
+index 602cd63..750f44f 100644
+--- a/net/core/sock_diag.c
++++ b/net/core/sock_diag.c
+@@ -121,6 +121,9 @@ static int __sock_diag_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
+ if (nlmsg_len(nlh) < sizeof(*req))
+ return -EINVAL;
+
++ if (req->sdiag_family >= AF_MAX)
++ return -EINVAL;
++
+ hndl = sock_diag_lock_handler(req->sdiag_family);
+ if (hndl == NULL)
+ err = -ENOENT;
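Review bot: The guard `if (req->sdiag_family >= AF_MAX) return -EINVAL;` protects only this call site in `__sock_diag_rcv_msg()`, while the array it defends, `sock_diag_handlers[]`, is presumably indexed inside `sock_diag_lock_handler()`, which the hunk does not show. Before relying on this patch for the packaged 3.7.6 tree, check that no other caller passes a userland-supplied family to that helper. The check also has no lower bound, which is safe only if `sdiag_family` is an unsigned field; its declaration is not visible here either. The vendored file should stay byte-identical to upstream commit 6e601a53566d84e1ffd25e7b6fe0b6894ffd79c0, so any finding belongs in a separate patch and not in an edit to this one. The function body continues outside the hunk.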