authorAlexandre Oliva <lxoliva@fsfla.org>2017-07-22 14:57:03 +0000
committerAlexandre Oliva <lxoliva@fsfla.org>2017-07-22 14:57:03 +0000
commit2f383754cd413cefe0bdd024a2514421eb9c3ef3 (patch)
treef86c79e9d8c2b51adef7e917d67df79f0b274fd3 /freed-ora/current
parent795fa8cc056a258658f703cee8e95cff8350c975 (diff)
4.11.12-200.fc25.gnu
Diffstat (limited to 'freed-ora/current')
-rw-r--r--freed-ora/current/f25/0001-ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch54
-rw-r--r--freed-ora/current/f25/CVE-2017-11473.patch48
-rw-r--r--freed-ora/current/f25/kernel.spec18
-rw-r--r--freed-ora/current/f25/patch-4.11-gnu-4.11.11-gnu.xz.sign6
-rw-r--r--freed-ora/current/f25/patch-4.11-gnu-4.11.12-gnu.xz.sign6
-rw-r--r--freed-ora/current/f25/sources2
6 files changed, 126 insertions, 8 deletions
diff --git a/freed-ora/current/f25/0001-ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch b/freed-ora/current/f25/0001-ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch
new file mode 100644
index 000000000..be8b6c6a0
--- /dev/null
+++ b/freed-ora/current/f25/0001-ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch
@@ -0,0 +1,54 @@
+From 6399f1fae4ec29fab5ec76070435555e256ca3a6 Mon Sep 17 00:00:00 2001
+From: Sabrina Dubroca <sd@queasysnail.net>
+Date: Wed, 19 Jul 2017 22:28:55 +0200
+Subject: [PATCH] ipv6: avoid overflow of offset in ip6_find_1stfragopt
+
+In some cases, offset can overflow and can cause an infinite loop in
+ip6_find_1stfragopt(). Make it unsigned int to prevent the overflow, and
+cap it at IPV6_MAXPLEN, since packets larger than that should be invalid.
+
+This problem has been here since before the beginning of git history.
+
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/ipv6/output_core.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c
+index e9065b8..abb2c30 100644
+--- a/net/ipv6/output_core.c
++++ b/net/ipv6/output_core.c
+@@ -78,7 +78,7 @@ EXPORT_SYMBOL(ipv6_select_ident);
+
+ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
+ {
+- u16 offset = sizeof(struct ipv6hdr);
++ unsigned int offset = sizeof(struct ipv6hdr);
+ unsigned int packet_len = skb_tail_pointer(skb) -
+ skb_network_header(skb);
+ int found_rhdr = 0;
+@@ -86,6 +86,7 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
+
+ while (offset <= packet_len) {
+ struct ipv6_opt_hdr *exthdr;
++ unsigned int len;
+
+ switch (**nexthdr) {
+
+@@ -111,7 +112,10 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
+
+ exthdr = (struct ipv6_opt_hdr *)(skb_network_header(skb) +
+ offset);
+- offset += ipv6_optlen(exthdr);
++ len = ipv6_optlen(exthdr);
++ if (len + offset >= IPV6_MAXPLEN)
++ return -EINVAL;
++ offset += len;
+ *nexthdr = &exthdr->nexthdr;
+ }
+
+--
+2.9.4
+
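Review bot: The added bound `if (len + offset >= IPV6_MAXPLEN) return -EINVAL;` in the third hunk of net/ipv6/output_core.c has no comment, so the reason for the cap lives only in the commit message. I would put `/* offset used to be u16 and could wrap, looping forever; anything past IPV6_MAXPLEN is invalid */` above it. The check runs after `ipv6_optlen(exthdr)` has already read the header at `skb_network_header(skb) + offset`, and the loop guard is `offset <= packet_len`. Whether an earlier length check covers that read cannot be seen here, because the context between the second and third hunk is elided. The new negative return also depends on every caller of ip6_find_1stfragopt() treating a value below zero as an error, which should be confirmed outside this patch.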
diff --git a/freed-ora/current/f25/CVE-2017-11473.patch b/freed-ora/current/f25/CVE-2017-11473.patch
new file mode 100644
index 000000000..e3e0658a4
--- /dev/null
+++ b/freed-ora/current/f25/CVE-2017-11473.patch
@@ -0,0 +1,48 @@
+From 70ac67826602edf8c0ccb413e5ba7eacf597a60c Mon Sep 17 00:00:00 2001
+From: Seunghun Han <kkamagui@gmail.com>
+Date: Tue, 18 Jul 2017 20:03:51 +0900
+Subject: x86/acpi: Prevent out of bound access caused by broken ACPI tables
+
+The bus_irq argument of mp_override_legacy_irq() is used as the index into
+the isa_irq_to_gsi[] array. The bus_irq argument originates from
+ACPI_MADT_TYPE_IO_APIC and ACPI_MADT_TYPE_INTERRUPT items in the ACPI
+tables, but is nowhere sanity checked.
+
+That allows broken or malicious ACPI tables to overwrite memory, which
+might cause malfunction, panic or arbitrary code execution.
+
+Add a sanity check and emit a warning when that triggers.
+
+[ tglx: Added warning and rewrote changelog ]
+
+Signed-off-by: Seunghun Han <kkamagui@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: security@kernel.org
+Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net>
+Cc: stable@vger.kernel.org
+---
+ arch/x86/kernel/acpi/boot.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/arch/x86/kernel/acpi/boot.c b/arch/x86/kernel/acpi/boot.c
+index 6bb6806..7491e73 100644
+--- a/arch/x86/kernel/acpi/boot.c
++++ b/arch/x86/kernel/acpi/boot.c
+@@ -347,6 +347,14 @@ static void __init mp_override_legacy_irq(u8 bus_irq, u8 polarity, u8 trigger,
+ struct mpc_intsrc mp_irq;
+
+ /*
++ * Check bus_irq boundary.
++ */
++ if (bus_irq >= NR_IRQS_LEGACY) {
++ pr_warn("Invalid bus_irq %u for legacy override\n", bus_irq);
++ return;
++ }
++
++ /*
+ * Convert 'gsi' to 'ioapic.pin'.
+ */
+ ioapic = mp_find_ioapic(gsi);
+--
+cgit v1.1
+
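Review bot: The new guard in mp_override_legacy_irq() compares against `NR_IRQS_LEGACY`, while the array it protects, `isa_irq_to_gsi[]`, is declared outside the hunk. If that array is not sized by the same constant, the check and the index can drift apart. Writing it as `if (bus_irq >= ARRAY_SIZE(isa_irq_to_gsi)) {` would tie the bound to the object being indexed. The comment `Check bus_irq boundary.` could also say why, e.g. `bus_irq comes from the ACPI MADT and indexes isa_irq_to_gsi[]; reject out-of-range values.` The function body continues past the end of the hunk.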
diff --git a/freed-ora/current/f25/kernel.spec b/freed-ora/current/f25/kernel.spec
index 7e43d6fed..142d50717 100644
--- a/freed-ora/current/f25/kernel.spec
+++ b/freed-ora/current/f25/kernel.spec
@@ -92,7 +92,7 @@ Summary: The Linux kernel
%if 0%{?released_kernel}
# Do we have a -stable update to apply?
-%define stable_update 11
+%define stable_update 12
# Set rpm version accordingly
%if 0%{?stable_update}
%define stablerev %{stable_update}
@@ -682,6 +682,12 @@ Patch683: RFC-audit-fix-a-race-condition-with-the-auditd-tracking-code.patch
# rhbz 1458599
Patch685: 0001-ACPI-LPSS-Only-call-pwm_add_table-for-the-first-PWM-.patch
+# CVE-2017-7542 rhbz 1473649 1473650
+Patch701: 0001-ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch
+
+# CVE-2017-11473 rhbz 1473209 147310
+Patch702: CVE-2017-11473.patch
+
# END OF PATCH DEFINITIONS
%endif
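Review bot: The bug reference in the `# CVE-2017-11473 rhbz 1473209 147310` comment looks truncated, since its second id has six digits where the neighbouring rhbz ids on the added lines have seven. The same string is repeated in the %changelog hunk (`Fix CVE-2017-11473 (rhbz 1473209 147310)`). These ids are how the patch is traced back to its tracker entry, so the number should be checked against the tracker and corrected in both places.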
@@ -2342,6 +2348,16 @@ fi
#
#
%changelog
+* Fri Jul 21 2017 Alexandre Oliva <lxoliva@fsfla.org> -libre
+- GNU Linux-libre 4.11.12-gnu.
+
+* Fri Jul 21 2017 Laura Abbott <labbott@fedoraproject.org> - 4.11.12-200
+- Linux v4.11.12
+
+* Fri Jul 21 2017 Justin M. Forbes <jforbes@fedoraproject.org>
+- Fix CVE-2017-7542 (rhbz 1473649 1473650)
+- Fix CVE-2017-11473 (rhbz 1473209 147310)
+
* Mon Jul 17 2017 Alexandre Oliva <lxoliva@fsfla.org> -libre
- GNU Linux-libre 4.11.11-gnu.
diff --git a/freed-ora/current/f25/patch-4.11-gnu-4.11.11-gnu.xz.sign b/freed-ora/current/f25/patch-4.11-gnu-4.11.11-gnu.xz.sign
deleted file mode 100644
index 66f614d30..000000000
--- a/freed-ora/current/f25/patch-4.11-gnu-4.11.11-gnu.xz.sign
+++ /dev/null
@@ -1,6 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iF0EABECAB0WIQRHRALIxYLa++OJxCe8t8+Hfn1HpwUCWWqx/QAKCRC8t8+Hfn1H
-pwVlAJ0aJZTSmXZR7C7KMV/iysNYW/3EngCcC9s/U3eM6f1Myx4xGIMiTlR+j64=
-=nk38
------END PGP SIGNATURE-----
diff --git a/freed-ora/current/f25/patch-4.11-gnu-4.11.12-gnu.xz.sign b/freed-ora/current/f25/patch-4.11-gnu-4.11.12-gnu.xz.sign
new file mode 100644
index 000000000..6fabc81e5
--- /dev/null
+++ b/freed-ora/current/f25/patch-4.11-gnu-4.11.12-gnu.xz.sign
@@ -0,0 +1,6 @@
+-----BEGIN PGP SIGNATURE-----
+
+iF0EABECAB0WIQRHRALIxYLa++OJxCe8t8+Hfn1HpwUCWXJY0wAKCRC8t8+Hfn1H
+p9WdAJ9zu5czcHKjb86Ck/zRIOGceezLeACeIzJmprj1K21VDgRmgsf8KUX2qaU=
+=2lZ4
+-----END PGP SIGNATURE-----
diff --git a/freed-ora/current/f25/sources b/freed-ora/current/f25/sources
index 3f109c122..dab610517 100644
--- a/freed-ora/current/f25/sources
+++ b/freed-ora/current/f25/sources
@@ -1,3 +1,3 @@
SHA512 (linux-libre-4.11-gnu.tar.xz) = f1d9138024b127385248de5c8eb72123b717bbbaba3e80bded20f073acac816a7ea979c4677ddc72252a8ec77c6a6c1d1738b1c20106f7d53ef39c9cf64c1853
SHA512 (perf-man-4.11.tar.gz) = 0b070d2f10a743329de2f532e2d7e19ef385a3e6ef3c700b591ae2697604dbe542b36e31121b3e37517ee8071ab800386fa8663c24a5b36520a18e096c6eefc8
-SHA512 (patch-4.11-gnu-4.11.11-gnu.xz) = 5b40a7e75ec613569f0b2d9d3b87a7d4757be697c0ad6ad2356bee1c95f2ef84a3aa83babb7bf2b0b382d27157a23716ef2d983432bcbf5a32c9220ac3456ed9
+SHA512 (patch-4.11-gnu-4.11.12-gnu.xz) = 68a2665f6ef29aa3ba08321990f743663dab03bae178b2ca0beccf6e9384e440a3ff86006b8da3b197bbf8d1d05c0b5f1aac8a44521b2dae08fe06399de59795