af_802154,rds: Disable auto-loading as mitigation against local exploits
svn path=/dists/trunk/linux-2.6/; revision=16567
parent 2244987c29
commit 3e286908b1
|
@ -12,6 +12,9 @@ linux-2.6 (2.6.36-1~experimental.2) UNRELEASED; urgency=low
|
|||
has stalled and is a source of security bugs.
|
||||
* Disable Econet protocol. It is unmaintained upstream, probably broken,
|
||||
and of historical interest only.
|
||||
* af_802154,rds: Disable auto-loading as mitigation against local exploits.
|
||||
These protocol modules are not widely used and can be explicitly loaded
|
||||
or aliased on systems where they are wanted.
|
||||
|
||||
-- maximilian attems <max@stro.at> Wed, 31 Oct 2010 13:23:11 +0200
|
||||
|
||||
|
|
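Review bot: the new changelog entry says the modules "can be explicitly loaded or aliased" but does not say how, and this is a behaviour change for any system that relied on af_802154 or rds being loaded on demand. Consider naming the mechanism in the entry (a modprobe alias, or listing the module among those loaded at boot) or pointing to a NEWS item, so an administrator who hits the resulting failure can find the cause from the changelog alone.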
34
debian/patches/debian/af_802154-Disable-auto-loading-as-mitigation-against.patch
vendored
Normal file
|
@ -0,0 +1,34 @@
|
|||
From 086fa0c78e77b68ffc83c5b14bfdd425e63f024e Mon Sep 17 00:00:00 2001
|
||||
From: Ben Hutchings <ben@decadent.org.uk>
|
||||
Date: Fri, 19 Nov 2010 02:12:48 +0000
|
||||
Subject: [PATCH 2/3] af_802154: Disable auto-loading as mitigation against local exploits
|
||||
|
||||
Recent review has revealed several bugs in obscure protocol
|
||||
implementations that can be exploited by local users for denial of
|
||||
service or privilege escalation. We can mitigate the effect of any
|
||||
remaining vulnerabilities in such protocols by preventing unprivileged
|
||||
users from loading the modules, so that they are only exploitable on
|
||||
systems where the administrator has chosen to load the protocol.
|
||||
|
||||
The 'af_802154' (IEEE 802.15.4) protocol is not widely used, was
|
||||
not present in the 'lenny' kernel, and seems to receive only sporadic
|
||||
maintenance. Therefore disable auto-loading.
|
||||
|
||||
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
|
||||
---
|
||||
net/ieee802154/af_ieee802154.c | 2 +-
|
||||
1 files changed, 1 insertions(+), 1 deletions(-)
|
||||
|
||||
diff --git a/net/ieee802154/af_ieee802154.c b/net/ieee802154/af_ieee802154.c
|
||||
index cd949d5..8f49dd5 100644
|
||||
--- a/net/ieee802154/af_ieee802154.c
|
||||
+++ b/net/ieee802154/af_ieee802154.c
|
||||
@@ -363,4 +363,4 @@ module_init(af_ieee802154_init);
|
||||
module_exit(af_ieee802154_remove);
|
||||
|
||||
MODULE_LICENSE("GPL");
|
||||
-MODULE_ALIAS_NETPROTO(PF_IEEE802154);
|
||||
+/* MODULE_ALIAS_NETPROTO(PF_IEEE802154); */
|
||||
--
|
||||
1.7.2.3
|
||||
|
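Review bot: in the af_ieee802154.c change the alias is commented out with no in-source explanation: `/* MODULE_ALIAS_NETPROTO(PF_IEEE802154); */`. Someone reading the file later cannot tell whether that is leftover debugging or a deliberate mitigation. Either delete the line or extend the comment to say auto-loading is disabled on purpose. It is also worth stating in the description that this only stops on-demand loading: a system where the module is already loaded gets no protection from this patch, which matches the "administrator has chosen to load the protocol" wording but is easy to misread as a fix.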
34
debian/patches/debian/rds-Disable-auto-loading-as-mitigation-against-local.patch
vendored
Normal file
|
@ -0,0 +1,34 @@
|
|||
From 6f9debf7c17b33ab9bb254c6c3cc1480f14d3ec2 Mon Sep 17 00:00:00 2001
|
||||
From: Ben Hutchings <ben@decadent.org.uk>
|
||||
Date: Fri, 19 Nov 2010 02:12:48 +0000
|
||||
Subject: [PATCH 1/3] rds: Disable auto-loading as mitigation against local exploits
|
||||
|
||||
Recent review has revealed several bugs in obscure protocol
|
||||
implementations that can be exploited by local users for denial of
|
||||
service or privilege escalation. We can mitigate the effect of any
|
||||
remaining vulnerabilities in such protocols by preventing unprivileged
|
||||
users from loading the modules, so that they are only exploitable on
|
||||
systems where the administrator has chosen to load the protocol.
|
||||
|
||||
The 'rds' protocol is one such protocol that has been found to be
|
||||
vulnerable, and which was not present in the 'lenny' kernel.
|
||||
Therefore disable auto-loading.
|
||||
|
||||
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
|
||||
---
|
||||
net/rds/af_rds.c | 2 +-
|
||||
1 files changed, 1 insertions(+), 1 deletions(-)
|
||||
|
||||
diff --git a/net/rds/af_rds.c b/net/rds/af_rds.c
|
||||
index 98e0538..d8d4525 100644
|
||||
--- a/net/rds/af_rds.c
|
||||
+++ b/net/rds/af_rds.c
|
||||
@@ -574,4 +574,4 @@ MODULE_DESCRIPTION("RDS: Reliable Datagram Sockets"
|
||||
" v" DRV_VERSION " (" DRV_RELDATE ")");
|
||||
MODULE_VERSION(DRV_VERSION);
|
||||
MODULE_LICENSE("Dual BSD/GPL");
|
||||
-MODULE_ALIAS_NETPROTO(PF_RDS);
|
||||
+/* MODULE_ALIAS_NETPROTO(PF_RDS); */
|
||||
--
|
||||
1.7.2.3
|
||||
|
|
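Review bot: the description says rds "has been found to be vulnerable" but gives no reference to the bug or to its fix, so a reader cannot tell whether the known issue is already fixed in this tree and removing the alias is defence in depth, or whether this patch is the only protection. Please add that reference to the description so the mitigation can be re-evaluated later.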
@ -0,0 +1,2 @@
|
|||
+ debian/af_802154-Disable-auto-loading-as-mitigation-against.patch
|
||||
+ debian/rds-Disable-auto-loading-as-mitigation-against-local.patch
|
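Review bot: both patches are numbered as part of a three-patch series ("[PATCH 1/3]" for rds, "[PATCH 2/3]" for af_802154), but only two entries are added to the series file here. If 3/3 was left out intentionally, say so in the commit message or changelog; if it covers another protocol that should get the same treatment, it is missing from this commit. The order of the two entries does not matter, since they touch different source files.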