authorAndrew Ross <aross@gentoo.org>2007-01-27 07:44:34 +0000
committerAndrew Ross <aross@gentoo.org>2007-01-27 07:44:34 +0000
commit3737743bccdf5b2689470d4d054d5088e6a4f04b (patch)
tree95c51ac90f8c8a05ae1914ee6f74291db67b9d4b /sys-kernel/xen-sources
parentuse emake in src_install (diff)
Security fixes: CVE-2005-4352 (bug #158792), CVE-2006-4572 (bug #154327), CVE-2006-5619 (bug #154323), CVE-2006-6056 (bug #158786), CVE-2006-6060 (bug #155769) and dvb-core (bug #144870).
(Portage version: 2.1.1-r2)
Diffstat (limited to 'sys-kernel/xen-sources')
-rw-r--r--sys-kernel/xen-sources/ChangeLog14
-rw-r--r--sys-kernel/xen-sources/files/CVE-2005-4352.patch11
-rw-r--r--sys-kernel/xen-sources/files/CVE-2006-4572.patch185
-rw-r--r--sys-kernel/xen-sources/files/CVE-2006-5619.patch11
-rw-r--r--sys-kernel/xen-sources/files/CVE-2006-6056.patch61
-rw-r--r--sys-kernel/xen-sources/files/CVE-2006-6060.patch40
-rw-r--r--sys-kernel/xen-sources/files/digest-xen-sources-2.6.16.28-r29
-rw-r--r--sys-kernel/xen-sources/files/dvb-core-ule-sndu.patch11
-rw-r--r--sys-kernel/xen-sources/xen-sources-2.6.16.28-r2.ebuild27
9 files changed, 367 insertions, 2 deletions
diff --git a/sys-kernel/xen-sources/ChangeLog b/sys-kernel/xen-sources/ChangeLog
index 32fd570db7d6..2b97d8126ca9 100644
--- a/sys-kernel/xen-sources/ChangeLog
+++ b/sys-kernel/xen-sources/ChangeLog
@@ -1,6 +1,16 @@
# ChangeLog for sys-kernel/xen-sources
-# Copyright 1999-2006 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-kernel/xen-sources/ChangeLog,v 1.36 2006/12/16 03:55:01 aross Exp $
+# Copyright 1999-2007 Gentoo Foundation; Distributed under the GPL v2
+# $Header: /var/cvsroot/gentoo-x86/sys-kernel/xen-sources/ChangeLog,v 1.37 2007/01/27 07:44:34 aross Exp $
+
+*xen-sources-2.6.16.28-r2 (27 Jan 2007)
+
+ 27 Jan 2007; Andrew Ross <aross@gentoo.org> +files/CVE-2005-4352.patch,
+ +files/CVE-2006-4572.patch, +files/CVE-2006-5619.patch,
+ +files/CVE-2006-6056.patch, +files/CVE-2006-6060.patch,
+ +files/dvb-core-ule-sndu.patch, +xen-sources-2.6.16.28-r2.ebuild:
+ Security fixes: CVE-2005-4352 (bug #158792), CVE-2006-4572 (bug #154327),
+ CVE-2006-5619 (bug #154323), CVE-2006-6056 (bug #158786), CVE-2006-6060 (bug
+ #155769) and dvb-core (bug #144870)
*xen-sources-2.6.16.28-r1 (16 Dec 2006)
diff --git a/sys-kernel/xen-sources/files/CVE-2005-4352.patch b/sys-kernel/xen-sources/files/CVE-2005-4352.patch
new file mode 100644
index 000000000000..427d4cff3c2e
--- /dev/null
+++ b/sys-kernel/xen-sources/files/CVE-2005-4352.patch
@@ -0,0 +1,11 @@
+--- security/seclvl.c-original 2007-01-27 14:14:55.000000000 +1100
++++ security/seclvl.c 2007-01-27 14:16:12.000000000 +1100
+@@ -381,6 +381,8 @@
+ current->group_leader->pid);
+ return -EPERM;
+ } /* if attempt to decrement time */
++ if (tv->tv_sec > 1924988400) /* disallow dates after 2030) */
++ return -EPERM; /* CVE-2005-4352 */
+ } /* if seclvl > 1 */
+ return 0;
+ }
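Review bot: The new upper bound at `if (tv->tv_sec > 1924988400)` refuses the request silently, whereas the decrement branch just above it appears to log the offending pid before returning -EPERM (only the tail of that call is visible in the hunk). A refused clock change at seclvl > 1 deserves the same audit trail, so the new branch should emit a matching warning before `return -EPERM;`. The literal would also read better as a named constant, and its comment has a stray parenthesis: `/* disallow dates after 2030 */`. The enclosing function starts outside the hunk.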
diff --git a/sys-kernel/xen-sources/files/CVE-2006-4572.patch b/sys-kernel/xen-sources/files/CVE-2006-4572.patch
new file mode 100644
index 000000000000..df46a7059260
--- /dev/null
+++ b/sys-kernel/xen-sources/files/CVE-2006-4572.patch
@@ -0,0 +1,185 @@
+From: Patrick McHardy <kaber@trash.net>
+Date: Sun, 5 Nov 2006 08:04:23 +0000 (+0100)
+Subject: [NETFILTER]: Fix ip6_tables extension header bypass bug (CVE-2006-4572)
+X-Git-Tag: v2.6.16.31-rc1^0~1
+X-Git-Url: http://www.kernel.org/git/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6.16.y.git;a=commitdiff_plain;h=0ddfcc96928145d6a6425fdd26dad6abfe7f891d;hp=6ac62be885810e1f8390f0c3b9d3ee451d3d3f19
+
+[NETFILTER]: Fix ip6_tables extension header bypass bug (CVE-2006-4572)
+
+As reported by Mark Dowd <Mark_Dowd@McAfee.com>, ip6_tables is susceptible
+to a fragmentation attack causing false negatives on extension header
+matches.
+
+When extension headers occur in the non-first fragment after the fragment
+header (possibly with an incorrect nexthdr value in the fragment header)
+a rule looking for this extension header will never match.
+
+Drop fragments that are at offset 0 and don't contain the final protocol
+header regardless of the ruleset, since this should not happen normally.
+Since all extension headers are before the protocol header this makes sure
+an extension header is either not present or in the first fragment, where
+we can properly parse it.
+
+With help from Yasuyuki KOZAKAI <yasuyuki.kozakai@toshiba.co.jp>.
+
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Adrian Bunk <bunk@stusta.de>
+---
+
+diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
+index a3e3da1..e2bb9ac 100644
+--- a/net/ipv6/netfilter/ip6_tables.c
++++ b/net/ipv6/netfilter/ip6_tables.c
+@@ -1447,6 +1447,9 @@ static void __exit fini(void)
+ * If target header is found, its offset is set in *offset and return protocol
+ * number. Otherwise, return -1.
+ *
++ * If the first fragment doesn't contain the final protocol header or
++ * NEXTHDR_NONE it is considered invalid.
++ *
+ * Note that non-1st fragment is special case that "the protocol number
+ * of last header" is "next header" field in Fragment header. In this case,
+ * *offset is meaningless and fragment offset is stored in *fragoff if fragoff
+@@ -1470,12 +1473,12 @@ int ipv6_find_hdr(const struct sk_buff *skb, unsigned int *offset,
+ if ((!ipv6_ext_hdr(nexthdr)) || nexthdr == NEXTHDR_NONE) {
+ if (target < 0)
+ break;
+- return -1;
++ return -ENOENT;
+ }
+
+ hp = skb_header_pointer(skb, start, sizeof(_hdr), &_hdr);
+ if (hp == NULL)
+- return -1;
++ return -EBADMSG;
+ if (nexthdr == NEXTHDR_FRAGMENT) {
+ unsigned short _frag_off, *fp;
+ fp = skb_header_pointer(skb,
+@@ -1484,7 +1487,7 @@ int ipv6_find_hdr(const struct sk_buff *skb, unsigned int *offset,
+ sizeof(_frag_off),
+ &_frag_off);
+ if (fp == NULL)
+- return -1;
++ return -EBADMSG;
+
+ _frag_off = ntohs(*fp) & ~0x7;
+ if (_frag_off) {
+@@ -1495,7 +1498,7 @@ int ipv6_find_hdr(const struct sk_buff *skb, unsigned int *offset,
+ *fragoff = _frag_off;
+ return hp->nexthdr;
+ }
+- return -1;
++ return -ENOENT;
+ }
+ hdrlen = 8;
+ } else if (nexthdr == NEXTHDR_AUTH)
+diff --git a/net/ipv6/netfilter/ip6t_ah.c b/net/ipv6/netfilter/ip6t_ah.c
+index 219a303..002b8a1 100644
+--- a/net/ipv6/netfilter/ip6t_ah.c
++++ b/net/ipv6/netfilter/ip6t_ah.c
+@@ -53,9 +53,14 @@ match(const struct sk_buff *skb,
+ const struct ip6t_ah *ahinfo = matchinfo;
+ unsigned int ptr;
+ unsigned int hdrlen = 0;
++ int err;
+
+- if (ipv6_find_hdr(skb, &ptr, NEXTHDR_AUTH, NULL) < 0)
++ err = ipv6_find_hdr(skb, &ptr, NEXTHDR_AUTH, NULL);
++ if (err < 0) {
++ if (err != -ENOENT)
++ *hotdrop = 1;
+ return 0;
++ }
+
+ ah = skb_header_pointer(skb, ptr, sizeof(_ah), &_ah);
+ if (ah == NULL) {
+diff --git a/net/ipv6/netfilter/ip6t_dst.c b/net/ipv6/netfilter/ip6t_dst.c
+index b4c153a..2441228 100644
+--- a/net/ipv6/netfilter/ip6t_dst.c
++++ b/net/ipv6/netfilter/ip6t_dst.c
+@@ -69,13 +69,18 @@ match(const struct sk_buff *skb,
+ u8 _opttype, *tp = NULL;
+ u8 _optlen, *lp = NULL;
+ unsigned int optlen;
++ int err;
+
+ #if HOPBYHOP
+- if (ipv6_find_hdr(skb, &ptr, NEXTHDR_HOP, NULL) < 0)
++ err = ipv6_find_hdr(skb, &ptr, NEXTHDR_HOP, NULL);
+ #else
+- if (ipv6_find_hdr(skb, &ptr, NEXTHDR_DEST, NULL) < 0)
++ err = ipv6_find_hdr(skb, &ptr, NEXTHDR_DEST, NULL);
+ #endif
++ if (err < 0) {
++ if (err != -ENOENT)
++ *hotdrop = 1;
+ return 0;
++ }
+
+ oh = skb_header_pointer(skb, ptr, sizeof(_optsh), &_optsh);
+ if (oh == NULL) {
+diff --git a/net/ipv6/netfilter/ip6t_frag.c b/net/ipv6/netfilter/ip6t_frag.c
+index 4c14125..185f583 100644
+--- a/net/ipv6/netfilter/ip6t_frag.c
++++ b/net/ipv6/netfilter/ip6t_frag.c
+@@ -51,9 +51,14 @@ match(const struct sk_buff *skb,
+ struct frag_hdr _frag, *fh;
+ const struct ip6t_frag *fraginfo = matchinfo;
+ unsigned int ptr;
++ int err;
+
+- if (ipv6_find_hdr(skb, &ptr, NEXTHDR_FRAGMENT, NULL) < 0)
++ err = ipv6_find_hdr(skb, &ptr, NEXTHDR_FRAGMENT, NULL);
++ if (err < 0) {
++ if (err != -ENOENT)
++ *hotdrop = 1;
+ return 0;
++ }
+
+ fh = skb_header_pointer(skb, ptr, sizeof(_frag), &_frag);
+ if (fh == NULL) {
+diff --git a/net/ipv6/netfilter/ip6t_hbh.c b/net/ipv6/netfilter/ip6t_hbh.c
+index 37a8474..af56eaf 100644
+--- a/net/ipv6/netfilter/ip6t_hbh.c
++++ b/net/ipv6/netfilter/ip6t_hbh.c
+@@ -69,13 +69,18 @@ match(const struct sk_buff *skb,
+ u8 _opttype, *tp = NULL;
+ u8 _optlen, *lp = NULL;
+ unsigned int optlen;
++ int err;
+
+ #if HOPBYHOP
+- if (ipv6_find_hdr(skb, &ptr, NEXTHDR_HOP, NULL) < 0)
++ err = ipv6_find_hdr(skb, &ptr, NEXTHDR_HOP, NULL);
+ #else
+- if (ipv6_find_hdr(skb, &ptr, NEXTHDR_DEST, NULL) < 0)
++ err = ipv6_find_hdr(skb, &ptr, NEXTHDR_DEST, NULL);
+ #endif
++ if (err < 0) {
++ if (err != -ENOENT)
++ *hotdrop = 1;
+ return 0;
++ }
+
+ oh = skb_header_pointer(skb, ptr, sizeof(_optsh), &_optsh);
+ if (oh == NULL) {
+diff --git a/net/ipv6/netfilter/ip6t_rt.c b/net/ipv6/netfilter/ip6t_rt.c
+index 8f82476..537b311 100644
+--- a/net/ipv6/netfilter/ip6t_rt.c
++++ b/net/ipv6/netfilter/ip6t_rt.c
+@@ -57,9 +57,14 @@ match(const struct sk_buff *skb,
+ unsigned int hdrlen = 0;
+ unsigned int ret = 0;
+ struct in6_addr *ap, _addr;
++ int err;
+
+- if (ipv6_find_hdr(skb, &ptr, NEXTHDR_ROUTING, NULL) < 0)
++ err = ipv6_find_hdr(skb, &ptr, NEXTHDR_ROUTING, NULL);
++ if (err < 0) {
++ if (err != -ENOENT)
++ *hotdrop = 1;
+ return 0;
++ }
+
+ rh = skb_header_pointer(skb, ptr, sizeof(_route), &_route);
+ if (rh == NULL) {
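Review bot: The header comment of ipv6_find_hdr() still reads `Otherwise, return -1.` (the context line just above the added paragraph), but the failure returns visible in these hunks now yield -ENOENT or -EBADMSG. The sentence should state the new contract, e.g. `Otherwise, return -ENOENT if the header is not present and -EBADMSG if the packet is truncated or malformed.`, because the hotdrop decision in ip6t_ah, ip6t_dst, ip6t_frag, ip6t_hbh and ip6t_rt depends on exactly that distinction. Any caller outside these hunks that compares the result with `-1` instead of testing `< 0` would silently stop working; that cannot be verified from here and is worth a grep before this is applied.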
diff --git a/sys-kernel/xen-sources/files/CVE-2006-5619.patch b/sys-kernel/xen-sources/files/CVE-2006-5619.patch
new file mode 100644
index 000000000000..9e7a51122ab2
--- /dev/null
+++ b/sys-kernel/xen-sources/files/CVE-2006-5619.patch
@@ -0,0 +1,11 @@
+--- net/ipv6/ip6_flowlabel.c-original 2007-01-27 15:31:44.000000000 +1100
++++ net/ipv6/ip6_flowlabel.c 2007-01-27 15:32:16.000000000 +1100
+@@ -589,6 +589,8 @@
+ while (!fl) {
+ if (++state->bucket <= FL_HASH_MASK)
+ fl = fl_ht[state->bucket];
++ else
++ break;
+ }
+ return fl;
+ }
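Review bot: The termination of the bucket scan is now split between the `while (!fl)` test and the added `else break;`, which makes the bound easy to overlook again in a later edit. Folding it into the loop condition keeps it in one place: `while (!fl && ++state->bucket <= FL_HASH_MASK)` with the body `fl = fl_ht[state->bucket];`. Behaviour is the same as the patched code, including the bucket counter being left one past FL_HASH_MASK at the end of the table. The enclosing function starts outside the hunk.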
diff --git a/sys-kernel/xen-sources/files/CVE-2006-6056.patch b/sys-kernel/xen-sources/files/CVE-2006-6056.patch
new file mode 100644
index 000000000000..2706315876b2
--- /dev/null
+++ b/sys-kernel/xen-sources/files/CVE-2006-6056.patch
@@ -0,0 +1,61 @@
+From: Eric Sandeen <sandeen@redhat.com>
+Date: Thu, 16 Nov 2006 09:19:22 +0000 (-0800)
+Subject: [PATCH] hfs_fill_super returns success even if no root inode
+X-Git-Tag: v2.6.19
+X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=d6ddf55440833fd9404138026af246c51ebeef22
+
+[PATCH] hfs_fill_super returns success even if no root inode
+
+http://kernelfun.blogspot.com/2006/11/mokb-14-11-2006-linux-26x-selinux.html
+
+mount that image...
+fs: filesystem was not cleanly unmounted, running fsck.hfs is recommended. mounting read-only.
+hfs: get root inode failed.
+BUG: unable to handle kernel NULL pointer dereference at virtual address 00000018
+ printing eip
+...
+EIP is at superblock_doinit+0x21/0x767
+...
+ [] selinux_sb_kern_mount+0xc/0x4b
+ [] vfs_kern_mount+0x99/0xf6
+ [] do_kern_mount+0x2d/0x3e
+ [] do_mount+0x5fa/0x66d
+ [] sys_mount+0x77/0xae
+ [] syscall_call+0x7/0xb
+DWARF2 unwinder stuck at syscall_call+0x7/0xb
+
+hfs_fill_super() returns success even if
+ root_inode = hfs_iget(sb, &fd.search_key->cat, &rec);
+or
+ sb->s_root = d_alloc_root(root_inode);
+
+fails. This superblock finds its way to superblock_doinit() which does:
+
+ struct dentry *root = sb->s_root;
+ struct inode *inode = root->d_inode;
+
+and boom. Need to make sure the error cases return an error, I think.
+
+[akpm@osdl.org: return -ENOMEM on oom]
+Signed-off-by: Eric Sandeen <sandeen@redhat.com>
+Cc: Roman Zippel <zippel@linux-m68k.org>
+Signed-off-by: Andrew Morton <akpm@osdl.org>
+Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+---
+
+--- a/fs/hfs/super.c
++++ b/fs/hfs/super.c
+@@ -390,11 +390,13 @@ static int hfs_fill_super(struct super_b
+ hfs_find_exit(&fd);
+ goto bail_no_root;
+ }
++ res = -EINVAL;
+ root_inode = hfs_iget(sb, &fd.search_key->cat, &rec);
+ hfs_find_exit(&fd);
+ if (!root_inode)
+ goto bail_no_root;
+
++ res = -ENOMEM;
+ sb->s_root = d_alloc_root(root_inode);
+ if (!sb->s_root)
+ goto bail_iput;
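Review bot: The two added `res = ...` assignments only fix the mount if the `bail_no_root` and `bail_iput` paths end in `return res;`, and both labels lie outside the hunk, so that should be confirmed against the full hfs_fill_super(). Presetting `res = -EINVAL;` ahead of hfs_iget() also means an allocation failure inside hfs_iget() is reported as an invalid filesystem. That is tolerable, but the intent should be stated where the value is set, e.g. `/* no root inode: corrupt or crafted image, fail the mount */`, so the preset is not removed as dead code later.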
diff --git a/sys-kernel/xen-sources/files/CVE-2006-6060.patch b/sys-kernel/xen-sources/files/CVE-2006-6060.patch
new file mode 100644
index 000000000000..8d5eebcb0e77
--- /dev/null
+++ b/sys-kernel/xen-sources/files/CVE-2006-6060.patch
@@ -0,0 +1,40 @@
+--- fs/buffer.c-original 2007-01-27 14:46:34.000000000 +1100
++++ fs/buffer.c 2007-01-27 14:51:17.000000000 +1100
+@@ -1179,6 +1179,19 @@
+ } while ((size << sizebits) < PAGE_SIZE);
+
+ index = block >> sizebits;
++ /*
++ * Check for a block which wants to lie outside our maximum possible
++ * pagecache index. (this comparison is done using sector_t types).
++ */
++ if (unlikely(index != block >> sizebits)) {
++ char b[BDEVNAME_SIZE];
++
++ printk(KERN_ERR "%s: requested out-of-range block %llu for "
++ "device %s\n",
++ __FUNCTION__, (unsigned long long)block,
++ bdevname(bdev, b));
++ return -EIO;
++ }
+ block = index << sizebits;
+
+ /* Create a page with the proper size buffers.. */
+@@ -1207,12 +1220,16 @@
+
+ for (;;) {
+ struct buffer_head * bh;
++ int ret;
+
+ bh = __find_get_block(bdev, block, size);
+ if (bh)
+ return bh;
+
+- if (!grow_buffers(bdev, block, size))
++ ret = grow_buffers(bdev, block, size);
++ if (ret < 0)
++ return NULL;
++ if (ret == 0)
+ free_more_memory();
+ }
+ }
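Review bot: The second hunk introduces a NULL return from the `for (;;)` lookup loop, which in the lines shown previously only ever returned a valid `bh`. Callers that were written against the old behaviour may dereference the result unchecked, and they are not visible here; they should be audited, and the new contract stated at the return, e.g. `/* out-of-range block: give up, callers must handle NULL */`. Separately, the `printk(KERN_ERR ...)` in the first hunk fires once per out-of-range request with no rate limit, so a corrupt or crafted filesystem image can flood the kernel log; wrapping it in `if (printk_ratelimit())` would bound that. Both enclosing functions start outside the hunks.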
diff --git a/sys-kernel/xen-sources/files/digest-xen-sources-2.6.16.28-r2 b/sys-kernel/xen-sources/files/digest-xen-sources-2.6.16.28-r2
new file mode 100644
index 000000000000..6a6c82f3e63c
--- /dev/null
+++ b/sys-kernel/xen-sources/files/digest-xen-sources-2.6.16.28-r2
@@ -0,0 +1,9 @@
+MD5 9a91b2719949ff0856b40bc467fd47be linux-2.6.16.tar.bz2 40845005
+RMD160 af5c2f55733fadd2fdf8b00da55e7b31d516d4e8 linux-2.6.16.tar.bz2 40845005
+SHA256 1200dcc7e60fcdaf68618dba991917a47e41e67099e8b22143976ec972e2cad7 linux-2.6.16.tar.bz2 40845005
+MD5 736e7d741c0650c320c2b37bf6de3c0b patch-2.6.16.28.bz2 76693
+RMD160 5235c0b5f9665a279f5bf5d42f942cef215e822f patch-2.6.16.28.bz2 76693
+SHA256 6b05fd7121a86a5a6cfd0177200259eeb9a3d276a3cb16ba8cf2acdd747fa6be patch-2.6.16.28.bz2 76693
+MD5 9a7d359557c1dbc887a1a54c015589f7 xen-sources-2.6.16.28-3.0.2.patch.bz2 467924
+RMD160 8b62dc416b08e4ef4a10add18b3287eef856c613 xen-sources-2.6.16.28-3.0.2.patch.bz2 467924
+SHA256 0f3400e1c877b765fc62453664b80cf2e51002299476d532fe8f6af6db0fdb99 xen-sources-2.6.16.28-3.0.2.patch.bz2 467924
diff --git a/sys-kernel/xen-sources/files/dvb-core-ule-sndu.patch b/sys-kernel/xen-sources/files/dvb-core-ule-sndu.patch
new file mode 100644
index 000000000000..ed0494dd3991
--- /dev/null
+++ b/sys-kernel/xen-sources/files/dvb-core-ule-sndu.patch
@@ -0,0 +1,11 @@
+--- drivers/media/dvb/dvb-core/dvb_net.c-original 2007-01-27 10:27:13.000000000 +1100
++++ drivers/media/dvb/dvb-core/dvb_net.c 2007-01-27 10:27:55.000000000 +1100
+@@ -492,7 +492,7 @@
+ } else
+ priv->ule_dbit = 0;
+
+- if (priv->ule_sndu_len > 32763) {
++ if (priv->ule_sndu_len > 32763 || priv->ule_sndu_len < ((priv->ule_dbit) ? 4 : 4 + ETH_ALEN)) {
+ printk(KERN_WARNING "%lu: Invalid ULE SNDU length %u. "
+ "Resyncing.\n", priv->ts_count, priv->ule_sndu_len);
+ priv->ule_sndu_len = 0;
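Review bot: The added lower bound `priv->ule_sndu_len < ((priv->ule_dbit) ? 4 : 4 + ETH_ALEN)` relies on a bare `4` whose meaning the reader has to guess (presumably the trailing CRC-32 of the SNDU), and it is the part of the check that keeps an undersized length from being used further down. A comment above the condition would make that explicit, e.g. `/* an SNDU must hold at least the 4-byte trailer, plus the destination MAC when the D bit is clear */`. The warning text is shared with the upper-bound case, so the log does not say which limit was violated; that matters little since the length is printed. The enclosing function starts outside the hunk.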
diff --git a/sys-kernel/xen-sources/xen-sources-2.6.16.28-r2.ebuild b/sys-kernel/xen-sources/xen-sources-2.6.16.28-r2.ebuild
new file mode 100644
index 000000000000..8a6228e6df17
--- /dev/null
+++ b/sys-kernel/xen-sources/xen-sources-2.6.16.28-r2.ebuild
@@ -0,0 +1,27 @@
+# Copyright 1999-2007 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sys-kernel/xen-sources/xen-sources-2.6.16.28-r2.ebuild,v 1.1 2007/01/27 07:44:34 aross Exp $
+
+ETYPE="sources"
+inherit kernel-2 eutils
+detect_arch
+detect_version
+
+XEN_VERSION="3.0.2"
+XEN_URI="mirror://gentoo/${P}-${XEN_VERSION}.patch.bz2"
+
+DESCRIPTION="Linux kernel ${OKV} with Xen ${XEN_VERSION}"
+HOMEPAGE="http://kernel.org http://www.xensource.com/xen/xen/"
+SRC_URI="${KERNEL_URI} ${ARCH_URI} ${XEN_URI}"
+
+KEYWORDS="~x86 ~amd64"
+
+UNIPATCH_LIST="${DISTDIR}/${XEN_URI##*/}
+ ${FILESDIR}/${P}-CVE-2006-3468.patch
+ ${FILESDIR}/${P}-CVE-2006-6333.patch
+ ${FILESDIR}/CVE-2005-4352.patch
+ ${FILESDIR}/CVE-2006-4572.patch
+ ${FILESDIR}/CVE-2006-5619.patch
+ ${FILESDIR}/CVE-2006-6056.patch
+ ${FILESDIR}/CVE-2006-6060.patch
+ ${FILESDIR}/dvb-core-ule-sndu.patch"
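Review bot: Four of the six patches added to `UNIPATCH_LIST` (CVE-2005-4352, CVE-2006-5619, CVE-2006-6060 and dvb-core-ule-sndu) carry no origin information, while CVE-2006-4572 and CVE-2006-6056 keep their `From:` and `X-Git-Url:` headers. For security backports applied to a kernel tree, the upstream commit each one derives from should be recorded, either as a header in the patch file or as a comment above `UNIPATCH_LIST`, so a later reviewer can compare the backport with the original fix. The list also mixes two naming schemes, `${P}-CVE-...` for the older entries and bare `CVE-...` for the new ones; using one scheme would make it clear which patches are tied to this kernel version.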