debian-packaging
/
linux
8
0
Fork 0
Code Releases Activity

dccp: Disable auto-loading as mitigation against local exploits

This commit is contained in:
Ben Hutchings 2017-02-16 19:11:26 +00:00
parent 10f2dad569
commit 8cf3230524
3 changed files with 43 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
debian/changelog vendored
View File

@ -246,6 +246,7 @@ linux (4.9.10-1) UNRELEASED; urgency=medium
* pegasus: Use heap buffers for all register access (Closes: #852556)
* test-patches: Use the pkg.linux.notools build profile
* test-patches: Set default number of jobs to number of available processors
* dccp: Disable auto-loading as mitigation against local exploits
[ Roger Shimizu ]
* [armel] ARM: dts: orion5x-lschl: Fix model name

41
debian/patches/debian/dccp-disable-auto-loading-as-mitigation-against-local-exploits.patch vendored Normal file
View File

@ -0,0 +1,41 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Thu, 16 Feb 2017 19:09:17 +0000
Subject: dccp: Disable auto-loading as mitigation against local exploits
Forwarded: not-needed
We can mitigate the effect of vulnerabilities in obscure protocols by
preventing unprivileged users from loading the modules, so that they
are only exploitable on systems where the administrator has chosen to
load the protocol.
The 'dccp' protocol is not actively maintained or widely used.
Therefore disable auto-loading.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/net/dccp/ipv4.c
+++ b/net/dccp/ipv4.c
@@ -1071,8 +1071,8 @@ module_exit(dccp_v4_exit);
* values directly, Also cover the case where the protocol is not specified,
* i.e. net-pf-PF_INET-proto-0-type-SOCK_DCCP
*/
-MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET, 33, 6);
-MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET, 0, 6);
+/* MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET, 33, 6); */
+/* MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET, 0, 6); */
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Arnaldo Carvalho de Melo <acme@mandriva.com>");
MODULE_DESCRIPTION("DCCP - Datagram Congestion Controlled Protocol");
--- a/net/dccp/ipv6.c
+++ b/net/dccp/ipv6.c
@@ -1125,8 +1125,8 @@ module_exit(dccp_v6_exit);
* values directly, Also cover the case where the protocol is not specified,
* i.e. net-pf-PF_INET6-proto-0-type-SOCK_DCCP
*/
-MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET6, 33, 6);
-MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET6, 0, 6);
+/* MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET6, 33, 6); */
+/* MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET6, 0, 6); */
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Arnaldo Carvalho de Melo <acme@mandriva.com>");
MODULE_DESCRIPTION("DCCPv6 - Datagram Congestion Controlled Protocol");

1
debian/patches/series vendored
View File

@ -29,6 +29,7 @@ features/all/aufs4/aufs4-standalone.patch
debian/af_802154-Disable-auto-loading-as-mitigation-against.patch
debian/rds-Disable-auto-loading-as-mitigation-against-local.patch
debian/decnet-Disable-auto-loading-as-mitigation-against-lo.patch
debian/dccp-disable-auto-loading-as-mitigation-against-local-exploits.patch
debian/fs-enable-link-security-restrictions-by-default.patch
# Set various features runtime-disabled by default