Xen Patches README
------------------

These patches are intended to be stacked on top of genpatches-base.

Many of the patches included here are swiped from various sources which
use their own four digit patch numbering scheme, so we are stuck with five
digits to indicate the source for easier tracking and re-syncing.

Numbering
---------

0xxxx	Gentoo, not related to Xen. (in case we pull something from extras)
1xxxx	XenSource, upstream Xen patch for 2.6.18
2xxxx	Redhat, we use their Xen patch for >=2.6.20
3xxxx	Debian, we use their security fixes for 2.6.18
5xxxx	Gentoo, Xen and other fixes for Redhat and/or Debian patches.

Patches
-------

10001_xen-3.2.0.patch
	Upstream 3.2.0 patch

30001_nfnetlink_log-null-deref.patch
	[SECURITY] Fix remotely exploitable NULL pointer dereference in
	nfulnl_recv_config()
	See CVE-2007-1496

30002_nf_conntrack-set-nfctinfo.patch
	[SECURITY] Fix incorrect classification of IPv6 fragments as
	ESTABLISHED, which allows remote attackers to bypass certain rulesets
	See CVE-2007-1497

30003_netlink-infinite-recursion.patch
	[SECURITY] Fix infinite recursion bug in netlink
	See CVE-2007-1861

30004_nl_fib_lookup-oops.patch
	Add fix for oops bug added by previous patch

30005_core-dump-unreadable-PT_INTERP.patch
	[SECURITY] Fix a vulnerability that allows local users to read
	otherwise unreadable (but executable) files by triggering a core dump.
	See CVE-2007-0958

30006_appletalk-length-mismatch.patch
	[SECURITY] Fix a remote DoS (crash) in appletalk
	Depends upon bugfix/appletalk-endianness-annotations.patch
	See CVE-2007-1357

30007_cm4040-buffer-overflow.patch
	[SECURITY] Fix a buffer overflow in the Omnikey CardMan 4040 driver
	See CVE-2007-0005

30008_ipv6_fl_socklist-no-share.patch
	[SECURITY] Fix local DoS vulnerability caused by inadvertently sharing
	ipv6_fl_socklist between the listening socket and the socket created
	for connection.
	See CVE-2007-1592

30009_keys-serial-num-collision.patch
	[SECURITY] Fix the key serial number collision avoidance code in
	key_alloc_serial() that could lead to a local DoS (oops).
	(closes: #398470)
	See CVE-2007-0006

30010_ipv6_getsockopt_sticky-null-opt.patch
	[SECURITY] Fix kernel memory leak vulnerability in
	ipv6_getsockopt_sticky() which can be triggered by passing a len < 0.
	See CVE-2007-1000

30011_ipv6_setsockopt-NULL-deref.patch
	[SECURITY] Fix NULL dereference in ipv6_setsockopt that could lead to
	a local DoS (oops).
	See CVE-2007-1388

30012_ipv6-disallow-RH0-by-default.patch
	[SECURITY] Avoid a remote DoS (network amplification between two
	routers) by disabling type0 IPv6 route headers by default. Can be
	re-enabled via a sysctl interface.
	Thanks to Vlad Yasevich for porting help.

30013_listxattr-mem-corruption.patch
	[SECURITY] Fix userspace corruption vulnerability caused by
	incorrectly promoted return values in bad_inode_ops
	This patch changes the kernel ABI.
	See CVE-2006-5753

30014_bluetooth-l2cap-hci-info-leaks.patch
	[SECURITY] Fix information leaks in setsockopt() implementations
	See CVE-2007-1353

30015_usblcd-limit-memory-consumption.patch
	[SECURITY] limit memory consumption during write in the usblcd driver
	See CVE-2007-3513

30016_pppoe-socket-release-mem-leak.patch
	[SECURITY] fix unprivileged memory leak when a PPPoE socket is
	released after connect but before PPPIOCGCHAN ioctl is called upon it
	See CVE-2007-2525

30017_nf_conntrack_h323-bounds-checking.patch
	[SECURITY] nf_conntrack_h323: add checking of out-of-range on
	choices' index values
	See CVE-2007-3642

30018_dn_fib-out-of-bounds.patch
	[SECURITY] Fix out of bounds condition in dn_fib_props[]
	See CVE-2007-2172

30019_random-fix-seeding-with-zero-entropy.patch,
30020_random-fix-error-in-entropy-extraction.patch
	[SECURITY] Avoid seeding with the same values at boot time when a
	system has no entropy source and fix a casting error in entropy
	extraction that resulted in slightly less random numbers.
	See CVE-2007-2453

30021_nf_conntrack_sctp-null-deref.patch
	[SECURITY] Fix remotely triggerable NULL pointer dereference by
	sending an unknown chunk type.
	See CVE-2007-2876

30022_i965-secure-batchbuffer.patch
	[SECURITY] Fix i965 secured batchbuffer usage
	See CVE-2007-3851

30023_appletalk-endianness-annotations.patch
	Dependency for 30006_appletalk-length-mismatch.patch.

30024_drm-i965.patch
	Dependency for 30022_i965-secure-batchbuffer.patch

30025_ipv4-fib_props-out-of-bounds.patch
	[SECURITY] Fix a typo which caused fib_props[] to be of the wrong
	size and check for out of bounds condition in index provided by
	userspace
	See CVE-2007-2172

30026_cifs-fix-sign-settings.patch
	[SECURITY] Fix overriding the server to force signing on caused by
	checking the wrong global variable.
	See CVE-2007-3843

30027_cpuset_tasks-underflow.patch
	[SECURITY] Fix integer underflow in /dev/cpuset/tasks which could
	allow local attackers to read sensitive kernel memory if the cpuset
	filesystem is mounted.
	See CVE-2007-2875

30028_random-bound-check-ordering.patch
	[SECURITY] Fix stack-based buffer overflow in the random number
	generator
	See CVE-2007-3105

30030_aacraid-ioctl-perm-check.patch
	[SECURITY] Require admin capabilities to issue ioctls to aacraid
	devices
	See CVE-2007-4308

30031_ptrace-handle-bogus-selector.patch,
30032_fixup-trace_irq-breakage.patch
	[SECURITY] Handle an invalid LDT segment selector %cs (the xcs field)
	during ptrace single-step operations that can be used to trigger a
	NULL-pointer dereference causing an Oops.
	See CVE-2007-3731

30033_prevent-stack-growth-into-hugetlb-region.patch
	[SECURITY] Prevent OOPS during stack expansion when the VMA crosses
	into address space reserved for hugetlb pages.
	See CVE-2007-3739

30034_cifs-honor-umask.patch
	[SECURITY] Make CIFS honor a process' umask
	See CVE-2007-3740

30035_amd64-zero-extend-32bit-ptrace.patch
	[SECURITY] Zero extend all registers after ptrace in 32-bit entry path.
	See CVE-2007-4573

30036_jffs2-ACL-vs-mode-handling.patch
	[SECURITY] Write correct legacy modes to the medium on inode creation
	to prevent incorrect permissions upon remount.
	See CVE-2007-4849

30039_hugetlb-prio_tree-unit-fix.patch
	[SECURITY] Fix misconversion of hugetlb_vmtruncate_list to prio_tree
	which could be used to trigger a BUG_ON() call in exit_mmap.
	See CVE-2007-4133

30040_usb-pwc-disconnect-block.patch
	[SECURITY] Fix issue with unplugging webcams that use the pwc driver.
	If userspace still has the device open, the driver would wait for the
	device to close, blocking the USB subsystem.
	See CVE-2007-5093

30041_ipv6-disallow-RH0-by-default-2.patch
	Fix ipv6 rfc conformance issue introduced in 2.6.18.dfsg.1-13 by the
	fix for CVE-2007-2242. Thanks to Brian Haley for the patch.
	(closes: Debian #440127)

/* This is already in Xen 3.2
30042_reset-pdeathsig-on-suid-upstream.patch
	Update fix for CVE-2007-3848 with the patch accepted upstream
	(formerly 30013_reset-pdeathsig-on-suid.patch)
*/

30043_don-t-leak-nt-bit-into-next-task-xen.patch
	[SECURITY] Don't leak NT bit into next task (Xen).
	See CVE-2006-5755

30044_cifs-better-failed-mount-errors.patch,
30045_cifs-corrupt-server-response-overflow.patch
	[SECURITY][CIFS] Fix multiple overflows that can be remotely triggered
	by a server sending a corrupt response.
	See CVE-2007-5904

30046_wait_task_stopped-hang.patch
	[SECURITY] wait_task_stopped was incorrectly testing for TASK_TRACED -
	check p->exit_state instead avoiding a potential system hang
	See CVE-2007-5500

30047_ieee80211-underflow.patch
	[SECURITY] Fix integer overflow in ieee80211 which makes it possible
	for a malicious frame to crash a system using a driver built on top of
	the Linux 802.11 wireless code.
	See CVE-2007-4997

30048_sysfs_readdir-NULL-deref-1.patch,
30049_sysfs_readdir-NULL-deref-2.patch,
30050_sysfs-fix-condition-check.patch
	[SECURITY] Fix potential NULL pointer dereference which can lead to a
	local DoS (kernel oops)
	See CVE-2007-3104

30051_tmpfs-restore-clear_highpage.patch
	[SECURITY] Fix a theoretical kernel memory leak in the tmpfs filesystem
	See CVE-2007-6417

30052_minixfs-printk-hang.patch
	[SECURITY] Rate-limit printks caused by accessing a corrupted minixfs
	filesystem that would otherwise cause a system to hang (printk storm)
	See CVE-2006-6058

30053_hrtimer-large-relative-timeouts-overflow.patch
	[SECURITY] Avoid overflow in hrtimers due to large relative timeouts
	See CVE-2007-5966

30054_coredump-only-to-same-uid.patch
	[SECURITY] Fix an issue where core dumping over a file that already
	exists retains the ownership of the original file
	See CVE-2007-6206

30055_isdn-net-overflow.patch
	[SECURITY] Fix potential overflows in the ISDN subsystem
	See CVE-2007-6063

30056_proc-snd-page-alloc-mem-leak.patch
	[SECURITY][ABI Changer] Fix an issue in the alsa subsystem that allows
	a local user to read potentially sensitive kernel memory from the proc
	filesystem
	See CVE-2007-4571

30057_fat-move-ioctl-compat-code.patch
30058_bugfix/fat-fix-compat-ioctls.patch
	[SECURITY][ABI Changer] Fix kernel_dirent corruption in the compat
	layer for fat ioctls
	See CVE-2007-2878

30059_vfs-use-access-mode-flag.patch
	[SECURITY] Use the access mode flag instead of the open flag when
	testing access mode for a directory.
	Modify features/all/vserver/vs2.0.2.2-rc9.patch to apply on top of this
	See CVE-2008-0001

30060_i4l-isdn_ioctl-mem-overrun.patch
	[SECURITY] Fix potential isdn ioctl memory overrun
	See CVE-2007-6151

30061_vmsplice-security.patch
	[SECURITY] Fix missing access check in vmsplice.
	See CVE-2008-0010, CVE-2008-0600

30062_clear-spurious-irq.patch
	Fix a minor denial of service issue that allows local users to disable
	an interrupt by causing an interrupt handler to be quickly
	inserted/removed. This has only been shown to happen with certain
	serial devices so can only be triggered by a user who already has
	additional privileges (dialout group).
	(closes: Debian #404815)

30063_mmap-VM_DONTEXPAND.patch
	[SECURITY] Add VM_DONTEXPAND to vm_flags in drivers that register a
	fault handler but do not bounds check the offset argument
	See CVE-2008-0007

30064_RLIMIT_CPU-earlier-checking.patch
	[SECURITY] Move check for an RLIMIT_CPU with a value of 0 earlier to
	prevent a user escape (closes: #419706)
	See CVE-2008-1294

30065_dnotify-race.patch
	[SECURITY] Fix a race in the directory notify
	See CVE-2008-1375

30066_fcntl_setlk-close-race.patch
	[SECURITY] Fix an SMP race to prevent reordering of flock updates and
	accesses to the descriptor table on close().
	See CVE-2008-1669

30067_sit-missing-kfree_skb-on-pskb_may_pull.patch
	[SECURITY] Fix remotely-triggerable memory leak in the Simple Internet
	Transition (SIT) code used for IPv6 over IPv4 tunnels
	See CVE-2008-2136

30068_hrtimer-prevent-overrun.patch
30069_ktime-fix-MTIME_SEC_MAX-on-32-bit.patch
	[SECURITY] Fix potential infinite loop in hrtimer_forward on 64-bit
	systems
	See CVE-2007-6712

30070_amd64-cs-corruption.patch
	[SECURITY] Fix local ptrace denial of service for amd64 flavor kernels,
	bug #480390
	See CVE-2008-1615

30071_dccp-feature-length-check.patch
	[SECURITY] Validate feature length to avoid heap overflow
	See CVE-2008-2358

30072_asn1-ber-decoding-checks.patch
	[SECURITY] Validate lengths in ASN.1 decoding code to avoid heap
	overflow
	See CVE-2008-1673

50009_gentooify-tls-warning.patch
	Change tls warning instructions to apply directly to Gentoo.