decnet: Disable auto-loading as mitigation against local exploits
svn path=/dists/trunk/linux-2.6/; revision=16571
parent
3e286908b1
commit
e4482ffd21
|
@ -12,9 +12,9 @@ linux-2.6 (2.6.36-1~experimental.2) UNRELEASED; urgency=low
|
|||
has stalled and is a source of security bugs.
|
||||
* Disable Econet protocol. It is unmaintained upstream, probably broken,
|
||||
and of historical interest only.
|
||||
* af_802154,rds: Disable auto-loading as mitigation against local exploits.
|
||||
These protocol modules are not widely used and can be explicitly loaded
|
||||
or aliased on systems where they are wanted.
|
||||
* af_802154,decnet,rds: Disable auto-loading as mitigation against local
|
||||
exploits. These protocol modules are not widely used and can be
|
||||
explicitly loaded or aliased on systems where they are wanted.
|
||||
|
||||
-- maximilian attems <max@stro.at> Wed, 31 Oct 2010 13:23:11 +0200
|
||||
|
||||
|
|
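Review bot: The reworded changelog entry tells administrators the modules "can be explicitly loaded or aliased" but gives no pointer for decnet specifically. The patch description added in this same commit already has the relevant fact (the user-space package 'dnet-common' loads the module explicitly), so consider saying so in the entry. Users of that package would then know they are unaffected, and everyone else would know that opening a DECnet socket no longer pulls the module in on its own. Folding decnet into the existing af_802154,rds bullet is fine while the entry is still UNRELEASED.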
37
debian/patches/debian/decnet-Disable-auto-loading-as-mitigation-against-lo.patch
vendored
Normal file
|
@ -0,0 +1,37 @@
|
|||
From 0061a6e7c7e5fef1d257cb2c2d9180f655ea5c1a Mon Sep 17 00:00:00 2001
|
||||
From: Ben Hutchings <ben@decadent.org.uk>
|
||||
Date: Sat, 20 Nov 2010 02:24:55 +0000
|
||||
Subject: [PATCH] decnet: Disable auto-loading as mitigation against local exploits
|
||||
|
||||
Recent review has revealed several bugs in obscure protocol
|
||||
implementations that can be exploited by local users for denial of
|
||||
service or privilege escalation. We can mitigate the effect of any
|
||||
remaining vulnerabilities in such protocols by preventing unprivileged
|
||||
users from loading the modules, so that they are only exploitable on
|
||||
systems where the administrator has chosen to load the protocol.
|
||||
|
||||
The 'decnet' protocol is unmaintained and of mostly historical
|
||||
interest, and the user-space support package 'dnet-common' loads the
|
||||
module explicitly. Therefore disable auto-loading.
|
||||
|
||||
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
|
||||
---
|
||||
net/decnet/af_decnet.c | 2 +-
|
||||
1 files changed, 1 insertions(+), 1 deletions(-)
|
||||
|
||||
diff --git a/net/decnet/af_decnet.c b/net/decnet/af_decnet.c
|
||||
index 7a58c87..ed9e2b0 100644
|
||||
--- a/net/decnet/af_decnet.c
|
||||
+++ b/net/decnet/af_decnet.c
|
||||
@@ -2358,7 +2358,7 @@ void dn_unregister_sysctl(void);
|
||||
MODULE_DESCRIPTION("The Linux DECnet Network Protocol");
|
||||
MODULE_AUTHOR("Linux DECnet Project Team");
|
||||
MODULE_LICENSE("GPL");
|
||||
-MODULE_ALIAS_NETPROTO(PF_DECnet);
|
||||
+/* MODULE_ALIAS_NETPROTO(PF_DECnet); */
|
||||
|
||||
static char banner[] __initdata = KERN_INFO "NET4: DECnet for Linux: V.2.5.68s (C) 1995-2003 Linux DECnet Project Team\n";
|
||||
|
||||
--
|
||||
1.7.2.3
|
||||
|
|
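Review bot: Missing in-source rationale at the changed line in net/decnet/af_decnet.c: `/* MODULE_ALIAS_NETPROTO(PF_DECnet); */` leaves a commented-out macro with no hint of why it is disabled, so a later rebase or cleanup can easily restore it or drop it without anyone noticing that it was a deliberate mitigation. Either delete the line and leave a short comment such as "auto-loading disabled as mitigation against local exploits; load the module explicitly", or put that reason inside the existing comment. The description could also state how an administrator re-enables the behaviour (an explicit load or a modprobe alias, as the changelog mentions), since the safety argument rests on the module being present only where someone chose to load it.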
@ -1,2 +1,3 @@
|
|||
+ debian/af_802154-Disable-auto-loading-as-mitigation-against.patch
|
||||
+ debian/rds-Disable-auto-loading-as-mitigation-against-local.patch
|
||||
+ debian/decnet-Disable-auto-loading-as-mitigation-against-lo.patch
|
||||
|
|
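Review bot: Style point on the three added series entries: the patch file names are cut at different places ("-against.patch", "-against-local.patch", "-against-lo.patch"), which makes them awkward to grep for and to tell apart in the series file. Since all three apply the same mitigation to different protocols, consider one consistent short pattern for the three names, with the protocol as the only varying part.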