Merge update two Debian patches

svn path=/patches/; revision=48

4 files changed, 90 insertions, 28 deletions

diff --git a/trunk/2.6.18/00000_README b/trunk/2.6.18/00000_README
index 27868b4..7f99598 100644
--- a/trunk/2.6.18/00000_README
+++ b/trunk/2.6.18/00000_README
@@ -86,12 +86,6 @@ Patches
     This patch changes the kernel ABI.
     See CVE-2006-5753
 
-30013_reset-pdeathsig-on-suid.patch
-    [SECURITY] Fix potential privilege escalation caused by improper
-    clearing of the child process' pdeath signal.
-    Thanks to Marcel Holtmann for the patch.
-    See CVE-2007-3848
-
 30014_bluetooth-l2cap-hci-info-leaks.patch
     [SECURITY] Fix information leaks in setsockopt() implementations
     See CVE-2007-1353
@@ -206,6 +200,15 @@ Patches
     wait for the device to close, blocking the USB subsystem.
     See CVE-2007-5093
 
+30041_ipv6-disallow-RH0-by-default-2.patch
+    Fix ipv6 rfc conformance issue introduced in 2.6.18.dfsg.1-13 by the
+    fix for CVE-2007-2242. Thanks to Brian Haley for the patch.
+    (closes: Debian #440127)
+
+30042_reset-pdeathsig-on-suid-upstream.patch
+    Update fix for CVE-2007-3848 with the patch accepted upstream
+    (formerly 30013_reset-pdeathsig-on-suid.patch)
+
 50001_make-install.patch
     Handle make install in a semi-sane way that plays nice with
     split domU/dom0 kernels.
diff --git a/trunk/2.6.18/30013_reset-pdeathsig-on-suid.patch b/trunk/2.6.18/30013_reset-pdeathsig-on-suid.patch
deleted file mode 100644
index 1be66aa..0000000
--- a/trunk/2.6.18/30013_reset-pdeathsig-on-suid.patch
+++ /dev/null
@@ -1,22 +0,0 @@
---- linux-source-2.6.18/fs/exec.c.orig	2006-09-19 21:42:06.000000000 -0600
-+++ linux-source-2.6.18/fs/exec.c	2007-08-10 19:44:43.000000000 -0600
-@@ -887,6 +887,7 @@
- 	    file_permission(bprm->file, MAY_READ) ||
- 	    (bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP)) {
- 		suid_keys(current);
-+		current->pdeath_signal = 0;
- 		current->mm->dumpable = suid_dumpable;
- 	}
- 
-@@ -977,8 +978,10 @@
- {
- 	int unsafe;
- 
--	if (bprm->e_uid != current->uid)
-+	if (bprm->e_uid != current->uid) {
- 		suid_keys(current);
-+		current->pdeath_signal = 0;
-+	}
- 	exec_keys(current);
- 
- 	task_lock(current);
diff --git a/trunk/2.6.18/30041_ipv6-disallow-RH0-by-default-2.patch b/trunk/2.6.18/30041_ipv6-disallow-RH0-by-default-2.patch
new file mode 100644
index 0000000..1923828
--- /dev/null
+++ b/trunk/2.6.18/30041_ipv6-disallow-RH0-by-default-2.patch
@@ -0,0 +1,30 @@
+diff --git a/net/ipv6/exthdrs.c b/net/ipv6/exthdrs.c
+index 95a9eb5..6e9822d 100644
+--- a/net/ipv6/exthdrs.c
++++ b/net/ipv6/exthdrs.c
+@@ -249,12 +249,6 @@ static int ipv6_rthdr_rcv(struct sk_buff **skbp)
+ 
+ 	hdr = (struct ipv6_rt_hdr *) skb->h.raw;
+ 
+-	if (hdr->type != IPV6_SRCRT_TYPE_0) {
+-		IP6_INC_STATS_BH(IPSTATS_MIB_INHDRERRORS);
+-		icmpv6_param_prob(skb, ICMPV6_HDR_FIELD, (&hdr->type) - skb->nh.raw);
+-		return -1;
+-	}
+-
+ 	if (ipv6_addr_is_multicast(&skb->nh.ipv6h->daddr) ||
+ 	    skb->pkt_type != PACKET_HOST) {
+ 		IP6_INC_STATS_BH(IPSTATS_MIB_INADDRERRORS);
+@@ -273,6 +267,12 @@ looped_back:
+ 		return 1;
+ 	}
+ 
++	if (hdr->type != IPV6_SRCRT_TYPE_0) {
++		IP6_INC_STATS_BH(IPSTATS_MIB_INHDRERRORS);
++		icmpv6_param_prob(skb, ICMPV6_HDR_FIELD, (&hdr->type) - skb->nh.raw);
++		return -1;
++	}
++
+ 	if (hdr->hdrlen & 0x01) {
+ 		IP6_INC_STATS_BH(IPSTATS_MIB_INHDRERRORS);
+ 		icmpv6_param_prob(skb, ICMPV6_HDR_FIELD, (&hdr->hdrlen) - skb->nh.raw);
diff --git a/trunk/2.6.18/30042_reset-pdeathsig-on-suid-upstream.patch b/trunk/2.6.18/30042_reset-pdeathsig-on-suid-upstream.patch
new file mode 100644
index 0000000..3e092c0
--- /dev/null
+++ b/trunk/2.6.18/30042_reset-pdeathsig-on-suid-upstream.patch
@@ -0,0 +1,51 @@
+From: Marcel Holtmann <marcel@holtmann.org>
+Date: Fri, 17 Aug 2007 19:47:58 +0000 (+0200)
+Subject: Reset current->pdeath_signal on SUID binary execution
+X-Git-Tag: v2.6.23-rc4~134
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=d2d56c5f51028cb9f3d800882eb6f4cbd3f9099f
+
+Reset current->pdeath_signal on SUID binary execution
+
+This fixes a vulnerability in the "parent process death signal"
+implementation discoverd by Wojciech Purczynski of COSEINC PTE Ltd.
+and iSEC Security Research.
+
+http://marc.info/?l=bugtraq&m=118711306802632&w=2
+
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+
+Backported to Debian's 2.6.18 by dann frazier <dannf@debian.org>
+
+diff -urpN linux-source-2.6.18.orig/fs/exec.c linux-source-2.6.18/fs/exec.c
+--- linux-source-2.6.18.orig/fs/exec.c	2007-09-05 14:11:16.000000000 -0600
++++ linux-source-2.6.18/fs/exec.c	2007-09-05 14:17:02.000000000 -0600
+@@ -883,9 +883,12 @@ int flush_old_exec(struct linux_binprm *
+ 	 */
+ 	current->mm->task_size = TASK_SIZE;
+ 
+-	if (bprm->e_uid != current->euid || bprm->e_gid != current->egid || 
+-	    file_permission(bprm->file, MAY_READ) ||
+-	    (bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP)) {
++	if (bprm->e_uid != current->euid || bprm->e_gid != current->egid) {
++		suid_keys(current);
++		current->mm->dumpable = suid_dumpable;
++		current->pdeath_signal = 0;
++	} else if (file_permission(bprm->file, MAY_READ) ||
++			(bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP)) {
+ 		suid_keys(current);
+ 		current->mm->dumpable = suid_dumpable;
+ 	}
+@@ -977,8 +980,10 @@ void compute_creds(struct linux_binprm *
+ {
+ 	int unsafe;
+ 
+-	if (bprm->e_uid != current->uid)
++	if (bprm->e_uid != current->uid) {
+ 		suid_keys(current);
++		current->pdeath_signal = 0;
++	}
+ 	exec_keys(current);
+ 
+ 	task_lock(current);