Diffstat (limited to 'gnu/packages/patches')
-rw-r--r-- | gnu/packages/patches/lxc-CVE-2018-6556.patch | 116 | ||||
-rw-r--r-- | gnu/packages/patches/polkit-drop-test.patch | 18 | ||||
-rw-r--r-- | gnu/packages/patches/wpa-supplicant-CVE-2018-14526.patch | 53 | ||||
-rw-r--r-- | gnu/packages/patches/xorg-server-rotate-fb.patch | 35 |
4 files changed, 169 insertions, 53 deletions
diff --git a/gnu/packages/patches/lxc-CVE-2018-6556.patch b/gnu/packages/patches/lxc-CVE-2018-6556.patch
new file mode 100644
index 0000000000..7eab7101f1
--- /dev/null
+++ b/gnu/packages/patches/lxc-CVE-2018-6556.patch
@@ -0,0 +1,116 @@
+Fix CVE-2018-6556:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6556
+https://bugzilla.suse.com/show_bug.cgi?id=988348#c8
+
+Patch copied from upstream source repository:
+
+https://github.com/lxc/lxc/commit/c1cf54ebf251fdbad1e971679614e81649f1c032
+
+From c1cf54ebf251fdbad1e971679614e81649f1c032 Mon Sep 17 00:00:00 2001
+From: Christian Brauner <christian.brauner@ubuntu.com>
+Date: Wed, 25 Jul 2018 19:56:54 +0200
+Subject: [PATCH] CVE 2018-6556: verify netns fd in lxc-user-nic
+
+Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
+---
+ src/lxc/cmd/lxc_user_nic.c | 35 ++++++++++++++++++++++++++++++++---
+ src/lxc/utils.c | 12 ++++++++++++
+ src/lxc/utils.h | 5 +++++
+ 3 files changed, 49 insertions(+), 3 deletions(-)
+
+diff --git a/src/lxc/cmd/lxc_user_nic.c b/src/lxc/cmd/lxc_user_nic.c
+index ec9cd97e0..c5beb6c8d 100644
+--- a/src/lxc/cmd/lxc_user_nic.c
++++ b/src/lxc/cmd/lxc_user_nic.c
+@@ -1179,12 +1179,41 @@ int main(int argc, char *argv[])
+ exit(EXIT_FAILURE);
+ }
+ } else if (request == LXC_USERNIC_DELETE) {
+- netns_fd = open(args.pid, O_RDONLY);
++ char opath[LXC_PROC_PID_FD_LEN];
++
++ /* Open the path with O_PATH which will not trigger an actual
++ * open(). Don't report an errno to the caller to not leak
++ * information whether the path exists or not.
++ * When stracing setuid is stripped so this is not a concern
++ * either.
++ */
++ netns_fd = open(args.pid, O_PATH | O_CLOEXEC);
+ if (netns_fd < 0) {
+- usernic_error("Could not open \"%s\": %s\n", args.pid,
+- strerror(errno));
++ usernic_error("Failed to open \"%s\"\n", args.pid);
++ exit(EXIT_FAILURE);
++ }
++
++ if (!fhas_fs_type(netns_fd, NSFS_MAGIC)) {
++ usernic_error("Path \"%s\" does not refer to a network namespace path\n", args.pid);
++ close(netns_fd);
++ exit(EXIT_FAILURE);
++ }
++
++ ret = snprintf(opath, sizeof(opath), "/proc/self/fd/%d", netns_fd);
++ if (ret < 0 || (size_t)ret >= sizeof(opath)) {
++ close(netns_fd);
++ exit(EXIT_FAILURE);
++ }
++
++ /* Now get an fd that we can use in setns() calls. */
++ ret = open(opath, O_RDONLY | O_CLOEXEC);
++ if (ret < 0) {
++ usernic_error("Failed to open \"%s\": %s\n", args.pid, strerror(errno));
++ close(netns_fd);
+ exit(EXIT_FAILURE);
+ }
++ close(netns_fd);
++ netns_fd = ret;
+ }
+
+ if (!create_db_dir(LXC_USERNIC_DB)) {
+diff --git a/src/lxc/utils.c b/src/lxc/utils.c
+index 530b1f81a..3b854e35b 100644
+--- a/src/lxc/utils.c
++++ b/src/lxc/utils.c
+@@ -2544,6 +2544,18 @@ bool has_fs_type(const char *path, fs_type_magic magic_val)
+ return has_type;
+ }
+
++bool fhas_fs_type(int fd, fs_type_magic magic_val)
++{
++ int ret;
++ struct statfs sb;
++
++ ret = fstatfs(fd, &sb);
++ if (ret < 0)
++ return false;
++
++ return is_fs_type(&sb, magic_val);
++}
++
+ bool lxc_nic_exists(char *nic)
+ {
+ #define __LXC_SYS_CLASS_NET_LEN 15 + IFNAMSIZ + 1
+diff --git a/src/lxc/utils.h b/src/lxc/utils.h
+index 6a0bebded..0805f5d0d 100644
+--- a/src/lxc/utils.h
++++ b/src/lxc/utils.h
+@@ -95,6 +95,10 @@
+ #define CGROUP2_SUPER_MAGIC 0x63677270
+ #endif
+
++#ifndef NSFS_MAGIC
++#define NSFS_MAGIC 0x6e736673
++#endif
++
+ /* Useful macros */
+ /* Maximum number for 64 bit integer is a string with 21 digits: 2^64 - 1 = 21 */
+ #define LXC_NUMSTRLEN64 21
+@@ -580,6 +584,7 @@ extern void *must_realloc(void *orig, size_t sz);
+ /* __typeof__ should be safe to use with all compilers. 
*/
+ typedef __typeof__(((struct statfs *)NULL)->f_type) fs_type_magic;
+ extern bool has_fs_type(const char *path, fs_type_magic magic_val);
++extern bool fhas_fs_type(int fd, fs_type_magic magic_val);
+ extern bool is_fs_type(const struct statfs *fs, fs_type_magic magic_val);
+ extern bool lxc_nic_exists(char *nic);
+ extern int lxc_make_tmpfile(char *template, bool rm);
diff --git a/gnu/packages/patches/polkit-drop-test.patch b/gnu/packages/patches/polkit-drop-test.patch
deleted file mode 100644
index 2fd0c8bdf6..0000000000
--- a/gnu/packages/patches/polkit-drop-test.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-Drop test failing with the following message:
-FAIL: polkitbackendjsauthoritytest
-==================================
-/PolkitBackendJsAuthority/get_admin_identities: Error getting system bus: Could not connect: No such file or directoryError loading /var/run/ConsoleKit/database: Error statting file /var/run/ConsoleKit/database: No such file or directory
-
-
-diff -ru polkit-0.112.old/test/Makefile.in polkit-0.112/test/Makefile.in
---- polkit-0.112.old/test/Makefile.in 2013-07-08 22:52:13.000000000 +0200
-+++ polkit-0.112/test/Makefile.in 2014-11-09 18:43:47.000000000 +0100
-@@ -388,7 +388,7 @@
- top_build_prefix = @top_build_prefix@
- top_builddir = @top_builddir@
- top_srcdir = @top_srcdir@
--SUBDIRS = mocklibc . polkit polkitbackend
-+SUBDIRS = mocklibc . polkit
- AM_CFLAGS = $(GLIB_CFLAGS)
- noinst_LTLIBRARIES = libpolkit-test-helper.la
- libpolkit_test_helper_la_SOURCES = polkittesthelper.c polkittesthelper.h
diff --git a/gnu/packages/patches/wpa-supplicant-CVE-2018-14526.patch b/gnu/packages/patches/wpa-supplicant-CVE-2018-14526.patch
new file mode 100644
index 0000000000..d3d5cbc46a
--- /dev/null
+++ b/gnu/packages/patches/wpa-supplicant-CVE-2018-14526.patch
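Review bot: The two failure messages in the LXC_USERNIC_DELETE branch still let the caller tell a missing path from an existing one: a failed `open(args.pid, O_PATH | O_CLOEXEC)` prints `Failed to open`, while an existing path that is not on nsfs reaches the `fhas_fs_type()` branch and prints `does not refer to a network namespace path`. That works against the added comment about not leaking whether the path exists, assuming the setuid helper can reach paths the caller cannot. Printing the same text in both branches, e.g. `usernic_error("Failed to open \"%s\"\n", args.pid);`, would close the gap. `NSFS_MAGIC` also matches every namespace type, so the namespace kind is presumably enforced by the later setns() call, which lies outside the hunk together with the rest of main().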
@@ -0,0 +1,53 @@
+Fix CVE-2018-14526:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14526
+https://w1.fi/security/2018-1/unauthenticated-eapol-key-decryption.txt
+
+Patch downloaded from upstream:
+
+https://w1.fi/security/2018-1/rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch
+
+From 3e34cfdff6b192fe337c6fb3f487f73e96582961 Mon Sep 17 00:00:00 2001
+From: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
+Date: Sun, 15 Jul 2018 01:25:53 +0200
+Subject: [PATCH] WPA: Ignore unauthenticated encrypted EAPOL-Key data
+
+Ignore unauthenticated encrypted EAPOL-Key data in supplicant
+processing. When using WPA2, these are frames that have the Encrypted
+flag set, but not the MIC flag.
+
+When using WPA2, EAPOL-Key frames that had the Encrypted flag set but
+not the MIC flag, had their data field decrypted without first verifying
+the MIC. In case the data field was encrypted using RC4 (i.e., when
+negotiating TKIP as the pairwise cipher), this meant that
+unauthenticated but decrypted data would then be processed. An adversary
+could abuse this as a decryption oracle to recover sensitive information
+in the data field of EAPOL-Key messages (e.g., the group key).
+(CVE-2018-14526)
+
+Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
+---
+ src/rsn_supp/wpa.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff -upr wpa_supplicant-2.6.orig/src/rsn_supp/wpa.c wpa_supplicant-2.6/src/rsn_supp/wpa.c
+--- wpa_supplicant-2.6.orig/src/rsn_supp/wpa.c 2016-10-02 21:51:11.000000000 +0300
++++ wpa_supplicant-2.6/src/rsn_supp/wpa.c 2018-08-08 16:55:11.506831029 +0300
+@@ -2016,6 +2016,17 @@ int wpa_sm_rx_eapol(struct wpa_sm *sm, c
+
+ if ((sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) &&
+ (key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
++ /*
++ * Only decrypt the Key Data field if the frame's authenticity
++ * was verified. 
When using AES-SIV (FILS), the MIC flag is not
++ * set, so this check should only be performed if mic_len != 0
++ * which is the case in this code branch.
++ */
++ if (!(key_info & WPA_KEY_INFO_MIC)) {
++ wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
++ "WPA: Ignore EAPOL-Key with encrypted but unauthenticated data");
++ goto out;
++ }
+ if (wpa_supplicant_decrypt_key_data(sm, key, ver, key_data,
+ &key_data_len))
+ goto out;
diff --git a/gnu/packages/patches/xorg-server-rotate-fb.patch b/gnu/packages/patches/xorg-server-rotate-fb.patch
deleted file mode 100644
index f47036b2a7..0000000000
--- a/gnu/packages/patches/xorg-server-rotate-fb.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-commit a85e94a50c94b07574c8701a3ff3c1243f4257f4
-Author: Olivier Fourdan <ofourdan@redhat.com>
-Date: Fri Jun 15 08:57:12 2018 +0200
-
- modesetting: use drmmode_bo_import() for rotate_fb
-
- drmmode_shadow_allocate() still uses drmModeAddFB() which may fail if
- the format is not as expected, preventing from using a rotated output.
-
- Change it to use the new function drmmode_bo_import() which takes care
- of calling the drmModeAddFB2() API.
-
- Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=106715
- 
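Review bot: The new guard in wpa_sm_rx_eapol() tests only the `WPA_KEY_INFO_MIC` bit, so it protects the decryption step only if every frame carrying that bit has already had its MIC verified, and that verification is not visible in this hunk (presumably it happens earlier in the function, which starts and ends outside it). The added comment should state that dependency, for example `/* Frames with the MIC flag were verified earlier in this function; anything else is unauthenticated. */`. The remark that `mic_len != 0` holds "in this code branch" is likewise not enforced by the visible condition, so it looks specific to the rebased v2.6 variant and should be re-checked rather than carried forward when the package version changes.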
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
- Tested-by: Tomas Pelka <tpelka@redhat.com>
- Reviewed-by: Lyude Paul <lyude@redhat.com>
-
-diff --git a/hw/xfree86/drivers/modesetting/drmmode_display.c b/hw/xfree86/drivers/modesetting/drmmode_display.c
-index 859a21a9d..ec11b3f56 100644
---- a/hw/xfree86/drivers/modesetting/drmmode_display.c
-+++ b/hw/xfree86/drivers/modesetting/drmmode_display.c
-@@ -1794,11 +1794,8 @@ drmmode_shadow_allocate(xf86CrtcPtr crtc, int width, int height)
- return NULL;
- }
-
-- ret = drmModeAddFB(drmmode->fd, width, height, crtc->scrn->depth,
-- drmmode->kbpp,
-- drmmode_bo_get_pitch(&drmmode_crtc->rotate_bo),
-- drmmode_bo_get_handle(&drmmode_crtc->rotate_bo),
-- &drmmode_crtc->rotate_fb_id);
-+ ret = drmmode_bo_import(drmmode, &drmmode_crtc->rotate_bo,
-+ &drmmode_crtc->rotate_fb_id);
-
- if (ret) {
- ErrorF("failed to add rotate fb\n"); |