3.14.22-100.fc19.gnu

6 files changed, 109 insertions, 10 deletions

diff --git a/freed-ora/current/f19/fs-Add-a-missing-permission-check-to-do_umount.patch b/freed-ora/current/f19/fs-Add-a-missing-permission-check-to-do_umount.patch
new file mode 100644
index 000000000..ce9de6641
--- /dev/null
+++ b/freed-ora/current/f19/fs-Add-a-missing-permission-check-to-do_umount.patch
@@ -0,0 +1,31 @@
+From: Andy Lutomirski <luto@amacapital.net>
+Date: Wed, 8 Oct 2014 12:37:46 -0700
+Subject: [PATCH] fs: Add a missing permission check to do_umount
+
+Accessing do_remount_sb should require global CAP_SYS_ADMIN, but
+only one of the two call sites was appropriately protected.
+
+Fixes CVE-2014-7975.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Andy Lutomirski <luto@amacapital.net>
+---
+ fs/namespace.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/namespace.c b/fs/namespace.c
+index c8e3034ff4b2..fbba8b17330d 100644
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -1439,6 +1439,8 @@ static int do_umount(struct mount *mnt, int flags)
+ 		 * Special case for "unmounting" root ...
+ 		 * we just try to remount it readonly.
+ 		 */
++		if (!capable(CAP_SYS_ADMIN))
++			return -EPERM;
+ 		down_write(&sb->s_umount);
+ 		if (!(sb->s_flags & MS_RDONLY))
+ 			retval = do_remount_sb(sb, MS_RDONLY, NULL, 0);
+-- 
+1.9.3
+
diff --git a/freed-ora/current/f19/kernel.spec b/freed-ora/current/f19/kernel.spec
index 450942aeb..49cf9cc29 100644
--- a/freed-ora/current/f19/kernel.spec
+++ b/freed-ora/current/f19/kernel.spec
@@ -112,7 +112,7 @@ Summary: The Linux kernel
 %if 0%{?released_kernel}
 
 # Do we have a -stable update to apply?
-%define stable_update 21
+%define stable_update 22
 # Is it a -stable RC?
 %define stable_rc 0
 # Set rpm version accordingly
@@ -816,6 +816,12 @@ Patch25109: revert-input-wacom-testing-result-shows-get_report-is-unnecessary.pa
 Patch25110: 0001-ideapad-laptop-Blacklist-rfkill-control-on-the-Lenov.patch
 Patch25111: 0002-ideapad-laptop-Change-Lenovo-Yoga-2-series-rfkill-ha.patch
 
+#CVE-2014-7970 rhbz 1151095 1151484
+Patch26032: mnt-Prevent-pivot_root-from-creating-a-loop-in-the-m.patch
+
+#CVE-2014-7975 rhbz 1151108 1152025
+Patch26042: fs-Add-a-missing-permission-check-to-do_umount.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1574,6 +1580,12 @@ ApplyPatch revert-input-wacom-testing-result-shows-get_report-is-unnecessary.pat
 ApplyPatch 0001-ideapad-laptop-Blacklist-rfkill-control-on-the-Lenov.patch
 ApplyPatch 0002-ideapad-laptop-Change-Lenovo-Yoga-2-series-rfkill-ha.patch
 
+#CVE-2014-7970 rhbz 1151095 1151484
+ApplyPatch mnt-Prevent-pivot_root-from-creating-a-loop-in-the-m.patch
+
+#CVE-2014-7975 rhbz 1151108 1152025
+ApplyPatch fs-Add-a-missing-permission-check-to-do_umount.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2397,7 +2409,19 @@ fi
 # and build.
 
 %changelog
-* Sat Oct 11 2014 Alexandre Oliva <lxoliva@fsfla.org> -libre
+* Thu Oct 16 2014 Alexandre Oliva <lxoliva@fsfla.org> -libre
+- GNU Linux-libre 3.14.22-gnu.
+
+* Wed Oct 15 2014 Justin M. Forbes <jforbes@fedoraproject.org> - 3.14.22-100
+- Linux v3.14.22
+
+* Mon Oct 13 2014 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2014-7975 fs: umount DoS (rhbz 1151108 1152025)
+
+* Fri Oct 10 2014 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2014-7970 VFS: DoS with USER_NS (rhbz 1151095 1151484)
+
+* Fri Oct 10 2014 Alexandre Oliva <lxoliva@fsfla.org> -libre Sat Oct 11
 - GNU Linux-libre 3.14.21-gnu.
 
 * Thu Oct 09 2014 Justin M. Forbes <jforbes@fedoraproject.org> - 3.14.21-100
diff --git a/freed-ora/current/f19/mnt-Prevent-pivot_root-from-creating-a-loop-in-the-m.patch b/freed-ora/current/f19/mnt-Prevent-pivot_root-from-creating-a-loop-in-the-m.patch
new file mode 100644
index 000000000..0faadaf55
--- /dev/null
+++ b/freed-ora/current/f19/mnt-Prevent-pivot_root-from-creating-a-loop-in-the-m.patch
@@ -0,0 +1,44 @@
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Wed, 8 Oct 2014 10:42:27 -0700
+Subject: [PATCH] mnt: Prevent pivot_root from creating a loop in the mount
+ tree
+
+Andy Lutomirski recently demonstrated that when chroot is used to set
+the root path below the path for the new ``root'' passed to pivot_root
+the pivot_root system call succeeds and leaks mounts.
+
+In examining the code I see that starting with a new root that is
+below the current root in the mount tree will result in a loop in the
+mount tree after the mounts are detached and then reattached to one
+another.  Resulting in all kinds of ugliness including a leak of that
+mounts involved in the leak of the mount loop.
+
+Prevent this problem by ensuring that the new mount is reachable from
+the current root of the mount tree.
+
+Upstream-status: Submitted for 3.18
+Bugzilla: 1151095,1151484
+
+Reported-by: Andy Lutomirski <luto@amacapital.net>
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+---
+ fs/namespace.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/fs/namespace.c b/fs/namespace.c
+index ef42d9bee212..74647c2fe69c 100644
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -2820,6 +2820,9 @@ SYSCALL_DEFINE2(pivot_root, const char __user *, new_root,
+ 	/* make sure we can reach put_old from new_root */
+ 	if (!is_path_reachable(old_mnt, old.dentry, &new))
+ 		goto out4;
++	/* make certain new is below the root */
++	if (!is_path_reachable(new_mnt, new.dentry, &root))
++		goto out4;
+ 	root_mp->m_count++; /* pin it so it won't go away */
+ 	lock_mount_hash();
+ 	detach_mnt(new_mnt, &parent_path);
+-- 
+1.9.3
+
diff --git a/freed-ora/current/f19/patch-3.14-gnu-3.14.21-gnu.xz.sign b/freed-ora/current/f19/patch-3.14-gnu-3.14.21-gnu.xz.sign
deleted file mode 100644
index eae3902a2..000000000
--- a/freed-ora/current/f19/patch-3.14-gnu-3.14.21-gnu.xz.sign
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v2
-
-iEYEABECAAYFAlQ3T30ACgkQvLfPh359R6dK0QCfXAqoyRPuGWpqL+5zMj4Y02YC
-2HAAn2TF62GBT0NXXGRhQY1c5yf4iJiy
-=H1GE
------END PGP SIGNATURE-----
diff --git a/freed-ora/current/f19/patch-3.14-gnu-3.14.22-gnu.xz.sign b/freed-ora/current/f19/patch-3.14-gnu-3.14.22-gnu.xz.sign
new file mode 100644
index 000000000..063e0b6b5
--- /dev/null
+++ b/freed-ora/current/f19/patch-3.14-gnu-3.14.22-gnu.xz.sign
@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2
+
+iEUEABECAAYFAlQ/Ix0ACgkQvLfPh359R6cCVQCYw00+rGBb0WefZv9O7Zbp7SKS
+0QCgp7xp3cvpTALk6Usbgd8WTlfEQkM=
+=11Vx
+-----END PGP SIGNATURE-----
diff --git a/freed-ora/current/f19/sources b/freed-ora/current/f19/sources
index 3b3517aea..427a25e8d 100644
--- a/freed-ora/current/f19/sources
+++ b/freed-ora/current/f19/sources
@@ -1,2 +1,2 @@
 c108ec52eeb2a9b9ddbb8d12496ff25f  linux-libre-3.14-gnu.tar.xz
-fcd9a5665fb3fcec38abea5e366f4427  patch-3.14-gnu-3.14.21-gnu.xz
+548d5b5c7e091eeb23cc3204a7dc4d07  patch-3.14-gnu-3.14.22-gnu.xz