authorMatthias Schwarzott <zzam@gentoo.org>2009-04-16 08:58:23 +0000
committerMatthias Schwarzott <zzam@gentoo.org>2009-04-16 08:58:23 +0000
commite873a2eca5cc1ba3438f57bebd763f98e11b5bc8 (patch)
treea51a289f5100451ece7e3cc0a70a3227820c4d14 /sys-fs/udev/files
parentblock old freetype:1, they collide, bug #266186 (diff)
Fix Bug #266290. CVE-2009-1185 and CVE-2009-1186
Package-Manager: portage-2.1.6.11/cvs/Linux i686
Diffstat (limited to 'sys-fs/udev/files')
-rw-r--r--sys-fs/udev/files/udev-124-encoding-overflow.patch13
-rw-r--r--sys-fs/udev/files/udev-124-netlink-owner-check.patch39
2 files changed, 52 insertions, 0 deletions
diff --git a/sys-fs/udev/files/udev-124-encoding-overflow.patch b/sys-fs/udev/files/udev-124-encoding-overflow.patch
new file mode 100644
index 000000000000..1a60142b8689
--- /dev/null
+++ b/sys-fs/udev/files/udev-124-encoding-overflow.patch
@@ -0,0 +1,13 @@
+diff --git a/udev_utils_string.c b/udev_utils_string.c
+index e3dc137..0995da5 100644
+--- a/udev_utils_string.c
++++ b/udev_utils_string.c
+@@ -52,7 +52,7 @@ void remove_trailing_chars(char *path, char c)
+
+ size_t path_encode(char *s, size_t len)
+ {
+- char t[(len * 3)+1];
++ char t[(len * 4)+1];
+ size_t i, j;
+
+ t[0] = '\0';
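Review bot: The scratch array `t` in path_encode is still a stack VLA sized directly from the caller-supplied `len`, so `(len * 4)+1` has no upper bound and the multiplication can wrap for a very large `len`. The factor itself is unexplained; a comment such as `/* worst case: every input byte expands to a 4-char escape, plus the NUL */` above the declaration would record why 3 was too small, assuming that is how the encoding loop expands characters. That loop is outside this hunk, so it is worth confirming that it stops at `len` rather than at the string terminator, because otherwise the array is only large enough when callers pass a `len` that covers the whole string. The function body continues past the last line shown here.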
diff --git a/sys-fs/udev/files/udev-124-netlink-owner-check.patch b/sys-fs/udev/files/udev-124-netlink-owner-check.patch
new file mode 100644
index 000000000000..4159637e8da5
--- /dev/null
+++ b/sys-fs/udev/files/udev-124-netlink-owner-check.patch
@@ -0,0 +1,39 @@
+diff -ruNp udev-124~/udevd.c udev-124/udevd.c
+--- udev-124~/udevd.c 2008-06-11 22:24:30.000000000 -0700
++++ udev-124/udevd.c 2009-04-08 16:30:06.000000000 -0700
+@@ -753,16 +753,34 @@ static struct udevd_uevent_msg *get_netl
+ struct udevd_uevent_msg *msg;
+ int bufpos;
+ ssize_t size;
++ struct sockaddr_nl snl;
++ struct msghdr smsg;
++ struct iovec iov;
+ static char buffer[UEVENT_BUFFER_SIZE+512];
+ char *pos;
+
+- size = recv(uevent_netlink_sock, &buffer, sizeof(buffer), 0);
++ iov.iov_base = buffer;
++ iov.iov_len = sizeof(buffer);
++
++ memset(&smsg, 0x00, sizeof(struct msghdr));
++ smsg.msg_name = &snl;
++ smsg.msg_namelen = sizeof(struct sockaddr_nl);
++ smsg.msg_iov = &iov;
++ smsg.msg_iovlen = 1;
++
++ size = recvmsg(uevent_netlink_sock, &smsg, 0);
+ if (size < 0) {
+ if (errno != EINTR)
+ err("unable to receive kernel netlink message: %s\n", strerror(errno));
+ return NULL;
+ }
+
++ if ((snl.nl_groups != 1) || (snl.nl_pid != 0)) {
++ info("ignored netlink message from invalid group/sender %d/%d\n",
++ snl.nl_groups, snl.nl_pid);
++ return NULL;
++ }
++
+ if ((size_t)size > sizeof(buffer)-1)
+ size = sizeof(buffer)-1;
+ buffer[size] = '\0';
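Review bot: The new sender check reads `snl.nl_groups` and `snl.nl_pid` without confirming that recvmsg() actually filled the address, since `snl` is an uninitialised stack variable and `smsg.msg_namelen` is never inspected after the call. Zeroing it first with `memset(&snl, 0x00, sizeof(snl));` makes an unfilled address fail closed (groups would be 0, not 1), and `if (smsg.msg_namelen < sizeof(struct sockaddr_nl)) return NULL;` rejects a short address explicitly. Both fields are unsigned 32-bit values in `struct sockaddr_nl`, so the log line should use `%u/%u` rather than `%d/%d`. A short comment on the check, for example `/* accept only kernel-originated (pid 0) multicast uevents */`, would tell later readers that this is a trust boundary. The function begins before this hunk and continues after it.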