diff --git a/debian/changelog b/debian/changelog
index 6e2dbb7e7..16b4133ef 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -12,9 +12,9 @@ linux-2.6 (2.6.36-1~experimental.2) UNRELEASED; urgency=low
 has stalled and is a source of security bugs.
 * Disable Econet protocol. It is unmaintained upstream, probably broken,
 and of historical interest only.
- * af_802154,rds: Disable auto-loading as mitigation against local exploits.
- These protocol modules are not widely used and can be explicitly loaded
- or aliased on systems where they are wanted.
+ * af_802154,decnet,rds: Disable auto-loading as mitigation against local
+ exploits. These protocol modules are not widely used and can be
+ explicitly loaded or aliased on systems where they are wanted.
 -- maximilian attems Wed, 31 Oct 2010 13:23:11 +0200
diff --git a/debian/patches/debian/decnet-Disable-auto-loading-as-mitigation-against-lo.patch b/debian/patches/debian/decnet-Disable-auto-loading-as-mitigation-against-lo.patch
new file mode 100644
index 000000000..6ac83ab43
--- /dev/null
+++ b/debian/patches/debian/decnet-Disable-auto-loading-as-mitigation-against-lo.patch
@@ -0,0 +1,37 @@
+From 0061a6e7c7e5fef1d257cb2c2d9180f655ea5c1a Mon Sep 17 00:00:00 2001
+From: Ben Hutchings
+Date: Sat, 20 Nov 2010 02:24:55 +0000
+Subject: [PATCH] decnet: Disable auto-loading as mitigation against local exploits
+
+Recent review has revealed several bugs in obscure protocol
+implementations that can be exploited by local users for denial of
+service or privilege escalation. We can mitigate the effect of any
+remaining vulnerabilities in such protocols by preventing unprivileged
+users from loading the modules, so that they are only exploitable on
+systems where the administrator has chosen to load the protocol.
+
+The 'decnet' protocol is unmaintained and of mostly historical
+interest, and the user-space support package 'dnet-common' loads the
+module explicitly. Therefore disable auto-loading.
+
+Signed-off-by: Ben Hutchings
+---
+ net/decnet/af_decnet.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/net/decnet/af_decnet.c b/net/decnet/af_decnet.c
+index 7a58c87..ed9e2b0 100644
+--- a/net/decnet/af_decnet.c
++++ b/net/decnet/af_decnet.c
+@@ -2358,7 +2358,7 @@ void dn_unregister_sysctl(void);
+ MODULE_DESCRIPTION("The Linux DECnet Network Protocol");
+ MODULE_AUTHOR("Linux DECnet Project Team");
+ MODULE_LICENSE("GPL");
+-MODULE_ALIAS_NETPROTO(PF_DECnet);
++/* MODULE_ALIAS_NETPROTO(PF_DECnet); */
+
+ static char banner[] __initdata = KERN_INFO "NET4: DECnet for Linux: V.2.5.68s (C) 1995-2003 Linux DECnet Project Team\n";
+
+-- 
+1.7.2.3
+
diff --git a/debian/patches/series/1~experimental.2 b/debian/patches/series/1~experimental.2
index 728d2e774..dba498237 100644
--- a/debian/patches/series/1~experimental.2
+++ b/debian/patches/series/1~experimental.2
@@ -1,2 +1,3 @@
 + debian/af_802154-Disable-auto-loading-as-mitigation-against.patch
 + debian/rds-Disable-auto-loading-as-mitigation-against-local.patch
++ debian/decnet-Disable-auto-loading-as-mitigation-against-lo.patch
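Review bot: The new side of the af_decnet.c hunk leaves `MODULE_ALIAS_NETPROTO(PF_DECnet)` behind as commented-out code with no explanation, so a routine cleanup or an upstream resync is likely to restore the alias and silently undo the mitigation. Delete the line and put the reason in its place, e.g. `/* No MODULE_ALIAS_NETPROTO(PF_DECnet) on purpose: an unprivileged socket(PF_DECnet, ...) must not auto-load this unmaintained module; load it explicitly (dnet-common does) or add a modprobe alias where DECnet is wanted. */`, so the absence reads as a decision rather than leftover debugging. Note also that this only drops the protocol-family module alias; it presumably buys nothing if DECnet is built into the kernel rather than as a module, and the kernel config is not part of this diff, so that should be confirmed alongside the patch. The file's module init/exit code lies outside the hunk, so whether anything else still triggers a load is not visible here.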