af_802154,rds: Disable auto-loading as mitigation against local exploits

svn path=/dists/trunk/linux-2.6/; revision=16567

debian/changelog

@@ -12,6 +12,9 @@ linux-2.6 (2.6.36-1~experimental.2) UNRELEASED; urgency=low
     has stalled and is a source of security bugs.
   * Disable Econet protocol.  It is unmaintained upstream, probably broken,
     and of historical interest only.
+  * af_802154,rds: Disable auto-loading as mitigation against local exploits.
+    These protocol modules are not widely used and can be explicitly loaded
+    or aliased on systems where they are wanted.
 
  -- maximilian attems <max@stro.at>  Wed, 31 Oct 2010 13:23:11 +0200
 

debian/patches/debian/af_802154-Disable-auto-loading-as-mitigation-against.patch

@@ -0,0 +1,34 @@
+From 086fa0c78e77b68ffc83c5b14bfdd425e63f024e Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Fri, 19 Nov 2010 02:12:48 +0000
+Subject: [PATCH 2/3] af_802154: Disable auto-loading as mitigation against local exploits
+
+Recent review has revealed several bugs in obscure protocol
+implementations that can be exploited by local users for denial of
+service or privilege escalation.  We can mitigate the effect of any
+remaining vulnerabilities in such protocols by preventing unprivileged
+users from loading the modules, so that they are only exploitable on
+systems where the administrator has chosen to load the protocol.
+
+The 'af_802154' (IEEE 802.15.4) protocol is not widely used, was
+not present in the 'lenny' kernel, and seems to receive only sporadic
+maintenance.  Therefore disable auto-loading.
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/ieee802154/af_ieee802154.c |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/net/ieee802154/af_ieee802154.c b/net/ieee802154/af_ieee802154.c
+index cd949d5..8f49dd5 100644
+--- a/net/ieee802154/af_ieee802154.c
++++ b/net/ieee802154/af_ieee802154.c
+@@ -363,4 +363,4 @@ module_init(af_ieee802154_init);
+ module_exit(af_ieee802154_remove);
+ 
+ MODULE_LICENSE("GPL");
+-MODULE_ALIAS_NETPROTO(PF_IEEE802154);
++/* MODULE_ALIAS_NETPROTO(PF_IEEE802154); */
+-- 
+1.7.2.3
+

debian/patches/debian/rds-Disable-auto-loading-as-mitigation-against-local.patch

@@ -0,0 +1,34 @@
+From 6f9debf7c17b33ab9bb254c6c3cc1480f14d3ec2 Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Fri, 19 Nov 2010 02:12:48 +0000
+Subject: [PATCH 1/3] rds: Disable auto-loading as mitigation against local exploits
+
+Recent review has revealed several bugs in obscure protocol
+implementations that can be exploited by local users for denial of
+service or privilege escalation.  We can mitigate the effect of any
+remaining vulnerabilities in such protocols by preventing unprivileged
+users from loading the modules, so that they are only exploitable on
+systems where the administrator has chosen to load the protocol.
+
+The 'rds' protocol is one such protocol that has been found to be
+vulnerable, and which was not present in the 'lenny' kernel.
+Therefore disable auto-loading.
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/rds/af_rds.c |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/net/rds/af_rds.c b/net/rds/af_rds.c
+index 98e0538..d8d4525 100644
+--- a/net/rds/af_rds.c
++++ b/net/rds/af_rds.c
+@@ -574,4 +574,4 @@ MODULE_DESCRIPTION("RDS: Reliable Datagram Sockets"
+ 		   " v" DRV_VERSION " (" DRV_RELDATE ")");
+ MODULE_VERSION(DRV_VERSION);
+ MODULE_LICENSE("Dual BSD/GPL");
+-MODULE_ALIAS_NETPROTO(PF_RDS);
++/* MODULE_ALIAS_NETPROTO(PF_RDS); */
+-- 
+1.7.2.3
+

debian/patches/series/1~experimental.2

@@ -0,0 +1,2 @@
++ debian/af_802154-Disable-auto-loading-as-mitigation-against.patch
++ debian/rds-Disable-auto-loading-as-mitigation-against-local.patch