author | Matthias Schwarzott <zzam@gentoo.org> | 2009-04-16 08:58:23 +0000 |
---|---|---|
committer | Matthias Schwarzott <zzam@gentoo.org> | 2009-04-16 08:58:23 +0000 |
commit | e873a2eca5cc1ba3438f57bebd763f98e11b5bc8 (patch) | |
tree | a51a289f5100451ece7e3cc0a70a3227820c4d14 /sys-fs/udev/files | |
parent | block old freetype:1, they collide, bug #266186 (diff) | |
Fix Bug #266290. CVE-2009-1185 and CVE-2009-1186
Package-Manager: portage-2.1.6.11/cvs/Linux i686
Diffstat (limited to 'sys-fs/udev/files')
-rw-r--r-- | sys-fs/udev/files/udev-124-encoding-overflow.patch | 13 | ||||
-rw-r--r-- | sys-fs/udev/files/udev-124-netlink-owner-check.patch | 39 |
2 files changed, 52 insertions, 0 deletions
diff --git a/sys-fs/udev/files/udev-124-encoding-overflow.patch b/sys-fs/udev/files/udev-124-encoding-overflow.patch
new file mode 100644
index 000000000000..1a60142b8689
--- /dev/null
+++ b/sys-fs/udev/files/udev-124-encoding-overflow.patch
@@ -0,0 +1,13 @@
+diff --git a/udev_utils_string.c b/udev_utils_string.c
+index e3dc137..0995da5 100644
+--- a/udev_utils_string.c
++++ b/udev_utils_string.c
+@@ -52,7 +52,7 @@ void remove_trailing_chars(char *path, char c)
+
+ size_t path_encode(char *s, size_t len)
+ {
+- char t[(len * 3)+1];
++ char t[(len * 4)+1];
+ size_t i, j;
+
+ t[0] = '\0';
diff --git a/sys-fs/udev/files/udev-124-netlink-owner-check.patch b/sys-fs/udev/files/udev-124-netlink-owner-check.patch
new file mode 100644
index 000000000000..4159637e8da5
--- /dev/null
+++ b/sys-fs/udev/files/udev-124-netlink-owner-check.patch
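Review bot: In udev-124-encoding-overflow.patch, `path_encode` sizes its scratch buffer `t` as a variable-length array from the caller-supplied `len`, and the enlarged `(len * 4)+1` is given without saying why 4 is the bound or what limits `len`. The rest of the body is outside the hunk, so the write loop cannot be checked from here; presumably each input byte can expand to at most four output bytes, and a comment such as `/* worst case: every input byte becomes a 4-byte escape, plus the NUL */` would make that invariant reviewable. A VLA has no failure path, so a large `len` would exhaust the stack instead of returning an error. It is worth confirming that every caller passes a small, fixed buffer size.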
@@ -0,0 +1,39 @@
+diff -ruNp udev-124~/udevd.c udev-124/udevd.c
+--- udev-124~/udevd.c 2008-06-11 22:24:30.000000000 -0700
++++ udev-124/udevd.c 2009-04-08 16:30:06.000000000 -0700
+@@ -753,16 +753,34 @@ static struct udevd_uevent_msg *get_netl
+ struct udevd_uevent_msg *msg;
+ int bufpos;
+ ssize_t size;
++ struct sockaddr_nl snl;
++ struct msghdr smsg;
++ struct iovec iov;
+ static char buffer[UEVENT_BUFFER_SIZE+512];
+ char *pos;
+
+- size = recv(uevent_netlink_sock, &buffer, sizeof(buffer), 0);
++ iov.iov_base = buffer;
++ iov.iov_len = sizeof(buffer);
++
++ memset(&smsg, 0x00, sizeof(struct msghdr));
++ smsg.msg_name = &snl;
++ smsg.msg_namelen = sizeof(struct sockaddr_nl);
++ smsg.msg_iov = &iov;
++ smsg.msg_iovlen = 1;
++
++ size = recvmsg(uevent_netlink_sock, &smsg, 0);
+ if (size < 0) {
+ if (errno != EINTR)
+ err("unable to receive kernel netlink message: %s\n", strerror(errno));
+ return NULL;
+ }
+
++ if ((snl.nl_groups != 1) || (snl.nl_pid != 0)) {
++ info("ignored netlink message from invalid group/sender %d/%d\n",
++ snl.nl_groups, snl.nl_pid);
++ return NULL;
++ }
++
+ if ((size_t)size > sizeof(buffer)-1)
+ size = sizeof(buffer)-1;
+ buffer[size] = '\0'; |
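Review bot: The new sender check in `get_netlink_msg` reads `snl.nl_groups` and `snl.nl_pid` without confirming that `recvmsg()` filled the address: `snl` is never zeroed and `smsg.msg_namelen` is not inspected after the call. The kernel normally supplies a full `struct sockaddr_nl` on a netlink socket, but the filter is the security boundary here and should fail closed. Adding `memset(&snl, 0x00, sizeof(struct sockaddr_nl));` before the call and `smsg.msg_namelen != sizeof(struct sockaddr_nl) ||` as the first term of the condition would do that. Both fields are unsigned 32-bit, so the log format should be `%u/%u` rather than `%d/%d`. A short comment such as `/* accept only kernel multicasts: group 1, sender pid 0 */` would record what the magic values mean. The function starts and ends outside the hunk.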