2.6.10-as5
From: Andres Salomon
Date: Wed Feb 23 2005 - 00:09:31 EST
Hi,

Here's 2.6.10-as5. 2.6.10-as4 was never officially announced; it had
issues (note to self; test, *then* tag). Distributors should note that
there is an ABI/API change in this release, due to
114-netfilter_private_queues.patch changing ipv4 related function args.
Modules that use these will most likely need to be rebuilt.

Lots of security fixes in here; it's probably a good idea to upgrade.
If I'm missing any security related stuff, please let me know. I have
been travelling, so my apologies to anyone who hasn't gotten a quick
response from me. I will also be without an internet connection between
Feb 25th and March 5, so don't expect responses between then.

The -as tree is intended to include only security and bugfixes, from
various sources. I do not include hardware driver updates
(specifically, anything that changes how the hardware registers
themselves are probed/poked), large subsystem updates, cleanups, and so
on; only fixes that will not contain regressions. The hope is that
vendors/distributors can use this tree as a base for their kernels. It
is also what I'd want a 2.6.x.y tree to have.

The kernel patches can be grabbed from here:
http://www.acm.cs.rpi.edu/~dilinger/patches/2.6.10/as5/
4c44b02bb9fe6295bb683e364604d74f ChangeLog
72421ac55f99af28e0bae87b948a241e linux-2.6.10-as5.tar.gz
1a9c1a7ec584c67a91c307ce8169f164 patch-2.6.10-as5.gz
Changes from 2.6.10-as3:
2005-02-23 02:58:11 GMT Andres Salomon <dilinger@xxxxxxxxx> patch-131
Summary:
tag 2.6.10-as5
Revision:
linux--dilinger--0--patch-131
modified files:
000-extraversion.patch
2005-02-23 01:53:58 GMT Andres Salomon <dilinger@xxxxxxxxx> patch-130
Summary:
125-netfilter_private_queues_2.patch
Revision:
linux--dilinger--0--patch-130
[SECURITY] Add missing bits needed to make 114-netfilter_private_queues.patch
compile. Patch stolen from ubuntu (mainly to keep the same ABI).
new files:
.arch-ids/125-netfilter_private_queues_2.patch.id
125-netfilter_private_queues_2.patch
2005-02-22 13:55:01 GMT Andres Salomon <dilinger@xxxxxxxxx> patch-129
Summary:
124-setsid_tty_sem_missing_header.patch
Revision:
linux--dilinger--0--patch-129
[SECURITY] 103-setsid_tty_sem_locking_races.patch was missing a header file,
causing -as4 to not compile.
new files:
.arch-ids/124-setsid_tty_sem_missing_header.patch.id
124-setsid_tty_sem_missing_header.patch
2005-02-22 09:14:25 GMT Andres Salomon <dilinger@xxxxxxxxx> patch-128
Summary:
tag 2.6.10-as4
Revision:
linux--dilinger--0--patch-128
modified files:
000-extraversion.patch
2005-02-22 09:11:15 GMT Andres Salomon <dilinger@xxxxxxxxx> patch-127
Summary:
fix up 123-*.patch
Revision:
linux--dilinger--0--patch-127
Argh, so late, and of course the last patch doesn't apply.
modified files:
123-atm_get_addr_signedness_fix.patch
2005-02-22 09:07:49 GMT Andres Salomon <dilinger@xxxxxxxxx> patch-126
Summary:
123-atm_get_addr_signedness_fix.patch
Revision:
linux--dilinger--0--patch-126
[SECURITY] Fix atm_get_addr()'s usage of its size arg, by making it
unsigned. WDYBTGT3-3 on
http://www.guninski.com/where_do_you_want_billg_to_go_today_3.html
new files:
.arch-ids/123-atm_get_addr_signedness_fix.patch.id
123-atm_get_addr_signedness_fix.patch
2005-02-22 09:02:49 GMT Andres Salomon <dilinger@xxxxxxxxx> patch-125
Summary:
122-cpufreq_resume_readd_2.patch
Revision:
linux--dilinger--0--patch-125
[CPUFREQ] Fix a problem w/ 121-cpufreq_resume_readd.patch, where a return
value was not being checked correctly.
new files:
.arch-ids/122-cpufreq_resume_readd_2.patch.id
122-cpufreq_resume_readd_2.patch
2005-02-22 09:01:53 GMT Andres Salomon <dilinger@xxxxxxxxx> patch-124
Summary:
121-cpufreq_resume_readd.patch
Revision:
linux--dilinger--0--patch-124
[CPUFREQ] Somewhere around 2.6.6, a call to cpufreq_driver->resume() was
accidentally dropped. Readd it.
new files:
.arch-ids/121-cpufreq_resume_readd.patch.id
121-cpufreq_resume_readd.patch
2005-02-22 09:00:49 GMT Andres Salomon <dilinger@xxxxxxxxx> patch-123
Summary:
120-openpromfs_property_read_fix.patch
Revision:
linux--dilinger--0--patch-123
Fix an oopsable condition in Openpromfs's property_read().
new files:
.arch-ids/120-openpromfs_property_read_fix.patch.id
120-openpromfs_property_read_fix.patch
2005-02-22 08:59:49 GMT Andres Salomon <dilinger@xxxxxxxxx> patch-122
Summary:
119-i2c_viapro_i2cdump_overflow.patch
Revision:
linux--dilinger--0--patch-122
[SECURITY] Fix a very hard to exploit buffer overflow in the
i2c-viapro driver.
new files:
.arch-ids/119-i2c_viapro_i2cdump_overflow.patch.id
119-i2c_viapro_i2cdump_overflow.patch
2005-02-22 08:58:17 GMT Andres Salomon <dilinger@xxxxxxxxx> patch-121
Summary:
118-i2c_sis5595_setup_pci_config_return_checks.patch
Revision:
linux--dilinger--0--patch-121
[I2C] The i2c-sis5595 was forward ported from 2.4, but the calls to
read the pci config registers were never updated for 2.6. As such, they
are incorrectly handling the results of the function calls.
new files:
.arch-ids/118-i2c_sis5595_setup_pci_config_return_checks.patch.id
118-i2c_sis5595_setup_pci_config_return_checks.patch
2005-02-22 08:57:05 GMT Andres Salomon <dilinger@xxxxxxxxx> patch-120
Summary:
117-reiserfs_file_64bit_size_t_fixes.patch
Revision:
linux--dilinger--0--patch-120
[SECURITY] reiserfs integer fixes; WDYBTGT3-4 on
http://www.guninski.com/where_do_you_want_billg_to_go_today_3.html
new files:
.arch-ids/117-reiserfs_file_64bit_size_t_fixes.patch.id
117-reiserfs_file_64bit_size_t_fixes.patch
2005-02-22 08:56:16 GMT Andres Salomon <dilinger@xxxxxxxxx> patch-119
Summary:
116-n_tty_copy_from_read_buf_signedness_fixes.patch
Revision:
linux--dilinger--0--patch-119
[SECURITY] copy_from_read_buf() fix; WDYBTGT3-2 on
http://www.guninski.com/where_do_you_want_billg_to_go_today_3.html
No CAN#, yet.
new files:
.arch-ids/116-n_tty_copy_from_read_buf_signedness_fixes.patch.id
116-n_tty_copy_from_read_buf_signedness_fixes.patch
2005-02-22 08:55:03 GMT Andres Salomon <dilinger@xxxxxxxxx> patch-118
Summary:
115-proc_file_read_nbytes_signedness_fix.patch
Revision:
linux--dilinger--0--patch-118
[SECURITY] Heap overflow fix in /proc; WDYBTGT3-1 on
http://www.guninski.com/where_do_you_want_billg_to_go_today_3.html
No CAN# assigned yet, afaik.
new files:
.arch-ids/115-proc_file_read_nbytes_signedness_fix.patch.id
115-proc_file_read_nbytes_signedness_fix.patch
2005-02-22 08:52:27 GMT Andres Salomon <dilinger@xxxxxxxxx> patch-117
Summary:
114-netfilter_private_queues.patch
Revision:
linux--dilinger--0--patch-117
[NETFILTER] Amongst netfilter users, skb frag queues were shared. This could
cause problems. See
http://oss.sgi.com/archives/netdev/2005-01/threads.html#01036 for more
details.
new files:
.arch-ids/114-netfilter_private_queues.patch.id
114-netfilter_private_queues.patch
2005-02-22 08:42:27 GMT Andres Salomon <dilinger@xxxxxxxxx> patch-116
Summary:
113-ip_fragment_ip_summed_set.patch
Revision:
linux--dilinger--0--patch-116
[IPV4] In ip_fragment(), reset ip_summed field in sub-frags. This caused
skb header corruption. Nasty stuff.
new files:
.arch-ids/113-ip_fragment_ip_summed_set.patch.id
113-ip_fragment_ip_summed_set.patch
2005-02-22 08:13:39 GMT Andres Salomon <dilinger@xxxxxxxxx> patch-115
Summary:
112-audit_receive_skb_double_negative_return_val.patch
Revision:
linux--dilinger--0--patch-115
audit_receive_skb negates the err it receives from audit_receive_msg. It
shouldn't do that.
new files:
.arch-ids/112-audit_receive_skb_double_negative_return_val.patch.id
112-audit_receive_skb_double_negative_return_val.patch
2005-02-22 08:03:25 GMT Andres Salomon <dilinger@xxxxxxxxx> patch-114
Summary:
111-security_seclvl_kconfig_dep.patch
Revision:
linux--dilinger--0--patch-114
Add a Kconfig dependency on CRYPTO for SECURITY_SECLVL.
new files:
.arch-ids/111-security_seclvl_kconfig_dep.patch.id
111-security_seclvl_kconfig_dep.patch
2005-02-22 08:02:17 GMT Andres Salomon <dilinger@xxxxxxxxx> patch-113
Summary:
110-load_module_arg_checking.patch
Revision:
linux--dilinger--0--patch-113
If the parsing of module args failed, the module could still be loaded
successfully. Fix that.
new files:
.arch-ids/110-load_module_arg_checking.patch.id
110-load_module_arg_checking.patch
2005-02-22 07:58:14 GMT Andres Salomon <dilinger@xxxxxxxxx> patch-112
Summary:
109-binfmt_elf_loader_solar_designer_fixes.patch
Revision:
linux--dilinger--0--patch-112
[SECURITY] Fix from Solar Designer; the binfmt_elf load routines are returning
incorrect values, and are not strict enough in checking the number of program
headers.
new files:
.arch-ids/109-binfmt_elf_loader_solar_designer_fixes.patch.id
109-binfmt_elf_loader_solar_designer_fixes.patch
2005-02-22 00:43:40 GMT Andres Salomon <dilinger@xxxxxxxxx> patch-111
Summary:
108-xfs_attrmulti_by_handle_limit_mem_alloc.patch
Revision:
linux--dilinger--0--patch-111
[SECURITY] xfs_ioctl(XFS_IOC_ATTRMULTI_BY_HANDLE) calls
xfs_attrmulti_by_handle, which allocates memory based on user input. This
patch adds a check for a max size of memory to alloc; otherwise, a user
can potentially DoS the system by exhausting memory. Not sure whether root
is required to open the vnode device, but to be on the safe side...
new files:
.arch-ids/108-xfs_attrmulti_by_handle_limit_mem_alloc.patch.id
108-xfs_attrmulti_by_handle_limit_mem_alloc.patch
2005-02-22 00:28:46 GMT Andres Salomon <dilinger@xxxxxxxxx> patch-110
Summary:
107-xfs_finish_reclaim_always_inode.patch
Revision:
linux--dilinger--0--patch-110
[XFS] In xfs_finish_reclaim(), xfs_ireclaim() should always be called (unless
there's some sort of locking problem) before returning.
new files:
.arch-ids/107-xfs_finish_reclaim_always_inode.patch.id
107-xfs_finish_reclaim_always_inode.patch
2005-02-22 00:17:20 GMT Andres Salomon <dilinger@xxxxxxxxx> patch-109
Summary:
106-smbfs_input_validation_and_int_checks.patch
Revision:
linux--dilinger--0--patch-109
[SECURITY] This patch adds various input validation and sanity checks to
the smbfs driver; fixes include integer underflow checks in
smb_proc_readX_data and smb_recv_trans2.
new files:
.arch-ids/106-smbfs_input_validation_and_int_checks.patch.id
106-smbfs_input_validation_and_int_checks.patch
2005-02-21 08:16:49 GMT Andres Salomon <dilinger@xxxxxxxxx> patch-108
Summary:
105-cmsg_compat_ok_proper_cmsghdr_struct.patch
Revision:
linux--dilinger--0--patch-108
[NET] CMSG_COMPAT_OK() does a sanity check using the size of a cmsghdr
struct, when it should be using a compat_cmsghdr struct, instead. This
fixes that.
new files:
.arch-ids/105-cmsg_compat_ok_proper_cmsghdr_struct.patch.id
105-cmsg_compat_ok_proper_cmsghdr_struct.patch
2005-02-21 07:57:18 GMT Andres Salomon <dilinger@xxxxxxxxx> patch-107
Summary:
104-wan_sdla_firmware_cap_sys_rawio_addition.patch
Revision:
linux--dilinger--0--patch-107
[SECURITY] The SDLA driver only checked CAP_NET_ADMIN when doing firmware
uploads. This patch adds an additional check for CAP_SYS_RAWIO, as well.
new files:
.arch-ids/104-wan_sdla_firmware_cap_sys_rawio_addition.patch.id
104-wan_sdla_firmware_cap_sys_rawio_addition.patch
2005-02-21 07:52:37 GMT Andres Salomon <dilinger@xxxxxxxxx> patch-106
Summary:
103-setsid_tty_sem_locking_races.patch
Revision:
linux--dilinger--0--patch-106
[SECURITY] CAN-2005-0178; fix races in tty handling in setsid(). This CAN
may have the most useless descriptions ever.
new files:
.arch-ids/103-setsid_tty_sem_locking_races.patch.id
103-setsid_tty_sem_locking_races.patch
2005-02-21 07:35:02 GMT Andres Salomon <dilinger@xxxxxxxxx> patch-105
Summary:
102-cosa_sppp_channel_init_delay_attach.patch
Revision:
linux--dilinger--0--patch-105
Fix buglet in cosa's sppp_channel_init(); do not call sppp_attach() until
the netdev contains info that sppp_attach needs.
new files:
.arch-ids/102-cosa_sppp_channel_init_delay_attach.patch.id
102-cosa_sppp_channel_init_delay_attach.patch
2005-02-20 06:44:35 GMT Andres Salomon <dilinger@xxxxxxxxx> patch-104
Summary:
101-ppc64_hugetlb_mm_free_pgd_unlock.patch
Revision:
linux--dilinger--0--patch-104
[PPC64] In hugetlb_mm_free_pgd(), mm->page_table_lock is locked, but never
unlocked in the event of an error. This patch fixes that.
new files:
.arch-ids/101-ppc64_hugetlb_mm_free_pgd_unlock.patch.id
101-ppc64_hugetlb_mm_free_pgd_unlock.patch
2005-02-20 06:41:03 GMT Andres Salomon <dilinger@xxxxxxxxx> patch-103
Summary:
100-nls_ascii_overflow_fix.patch
Revision:
linux--dilinger--0--patch-103
[SECURITY] CAN-2005-0177; fix nls_ascii tables, as they were too small, and
an attacker could cause an overflow.
new files:
.arch-ids/100-nls_ascii_overflow_fix.patch.id
100-nls_ascii_overflow_fix.patch
2005-02-19 20:27:11 GMT Andres Salomon <dilinger@xxxxxxxxx> patch-102
Summary:
099-jfs_commit_inode_commit_race.patch
Revision:
linux--dilinger--0--patch-102
[JFS] Fix race in jfs_commit_inode(); before actually doing the commit,
retest to ensure that the inode is both dirty and linked.
new files:
.arch-ids/099-jfs_commit_inode_commit_race.patch.id
099-jfs_commit_inode_commit_race.patch
2005-02-19 20:06:17 GMT Andres Salomon <dilinger@xxxxxxxxx> patch-101
Summary:
098-jffs2_do_mount_fs_init_bad_count.patch
Revision:
linux--dilinger--0--patch-101
[JFFS2] Initialize each eraseblock's bad_count to 0 in jffs2_do_mount_fs().
Uninitialized memory sure is fun, eh?
new files:
.arch-ids/098-jffs2_do_mount_fs_init_bad_count.patch.id
098-jffs2_do_mount_fs_init_bad_count.patch
2005-02-19 19:53:12 GMT Andres Salomon <dilinger@xxxxxxxxx> patch-100
Summary:
097-mtd_s3c2410_nand_inithw_calc_rate_fix.patch
Revision:
linux--dilinger--0--patch-100
[MTD] s3c2410_nand_inithw() was pulling timing information from the wrong
place, making the timing incorrect. This patch makes it pull the info from
the right place.
new files:
.arch-ids/097-mtd_s3c2410_nand_inithw_calc_rate_fix.patch.id
097-mtd_s3c2410_nand_inithw_calc_rate_fix.patch
2005-02-19 19:44:21 GMT Andres Salomon <dilinger@xxxxxxxxx> patch-99
Summary:
096-mtd_formatblock_zero_before_assignment.patch
Revision:
linux--dilinger--0--patch-99
[MTD] Inside NFTL_formatblock and INFTL_formatblock, the code was previously
assigning values to instr, then zero'ing out the values. Instead, move the
assignment to after the memset.
new files:
.arch-ids/096-mtd_formatblock_zero_before_assignment.patch.id
096-mtd_formatblock_zero_before_assignment.patch
2005-02-19 07:48:31 GMT Andres Salomon <dilinger@xxxxxxxxx> patch-98
Summary:
095-jffs2_build_filesystem_memory_leak.patch
Revision:
linux--dilinger--0--patch-98
[JFFS2] Fix memory leak in jffs2_build_filesystem(), if jffs2_scan_medium
fails.
new files:
.arch-ids/095-jffs2_build_filesystem_memory_leak.patch.id
095-jffs2_build_filesystem_memory_leak.patch
2005-02-19 06:33:16 GMT Andres Salomon <dilinger@xxxxxxxxx> patch-97
Summary:
094-scsi_device_set_state_missing_oldstate.patch
Revision:
linux--dilinger--0--patch-97
[SCSI] scsi_device_set_state() might be setting a device offline, w/ an
oldstate of BLOCK; that shouldn't be considered an error. Add the missing
state transition.
new files:
.arch-ids/094-scsi_device_set_state_missing_oldstate.patch.id
094-scsi_device_set_state_missing_oldstate.patch
2005-02-19 04:05:24 GMT Andres Salomon <dilinger@xxxxxxxxx> patch-96
Summary:
093-e1000_eeprom_read_off_by_one.patch
Revision:
linux--dilinger--0--patch-96
The e1000 driver's read_eeprom and write_eeprom functions allowed a bit too
much data to be read/written; an extra word. Fix that.
new files:
.arch-ids/093-e1000_eeprom_read_off_by_one.patch.id
093-e1000_eeprom_read_off_by_one.patch
2005-02-19 03:57:28 GMT Andres Salomon <dilinger@xxxxxxxxx> patch-95
Summary:
092-net_sched_police_locate_sanity_check_input.patch
Revision:
linux--dilinger--0--patch-95
[NET] Some sanity checks are needed to ensure payloads are the same size
as the structures they're being copied into. AFAICT, there's no way for a
malicious user to inject a payload in here (it looks like police_locate
stuff is called during routing changes by root); however, I can't say that
I'm too familiar w/ tcf stuff.
new files:
.arch-ids/092-net_sched_police_locate_sanity_check_input.patch.id
092-net_sched_police_locate_sanity_check_input.patch
2005-02-19 03:08:59 GMT Andres Salomon <dilinger@xxxxxxxxx> patch-94
Summary:
091-alsa_emu8000_load_fx_skip_header.patch
Revision:
linux--dilinger--0--patch-94
[ALSA] emu8000's load_fx() loads a userspace blob, and should be skipping over
the header.
new files:
.arch-ids/091-alsa_emu8000_load_fx_skip_header.patch.id
091-alsa_emu8000_load_fx_skip_header.patch
2005-02-19 02:53:07 GMT Andres Salomon <dilinger@xxxxxxxxx> patch-93
Summary:
090-alsa_midi_emulation_chorus_reverb_swap.patch
Revision:
linux--dilinger--0--patch-93
[ALSA] seq_midi_emul.c had CHORUS_MODE and REVERB_MODE swapped in
sysex().
This patch fixes that.
new files:
.arch-ids/090-alsa_midi_emulation_chorus_reverb_swap.patch.id
090-alsa_midi_emulation_chorus_reverb_swap.patch
2005-02-19 02:44:56 GMT Andres Salomon <dilinger@xxxxxxxxx> patch-92
Summary:
089-i386_acpi_backwards_ifdef.patch
Revision:
linux--dilinger--0--patch-92
[I386] An ACPI related printk is wrapped in an #ifdef that should be an
#ifndef. Correct that.
new files:
.arch-ids/089-i386_acpi_backwards_ifdef.patch.id
089-i386_acpi_backwards_ifdef.patch
2005-02-19 02:37:34 GMT Andres Salomon <dilinger@xxxxxxxxx> patch-91
Summary:
088-ibmvscsi_event_struct_use_after_free.patch
Revision:
linux--dilinger--0--patch-91
The ibmvscsi driver has paths that free evt_struct, and then proceed to
use it. That's clearly a no-no in SMP/threaded contexts; once an evt_struct
is free, something else may grab it. So, this patch:
- moves the free_event_struct() to after usage of the evt_struct
- creates a single path for cleanup
- calls evt_struct->done during cleanup, which is something that
  should've been happening.
new files:
.arch-ids/088-ibmvscsi_event_struct_use_after_free.patch.id
088-ibmvscsi_event_struct_use_after_free.patch
--
Andres Salomon <dilinger@xxxxxxxxx>
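
Several entries in the changelog above (patches 115, 116 and 123) fix the same class of bug: a length argument carried as a signed integer. The following C is an added illustration of that class, not code from the kernel or from these patches; it sets a signed size argument beside an unsigned one, and every function and constant name in it is hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define REC_SIZE  8  /* constructed: bytes per record */
#define REC_COUNT 4  /* constructed: records held on the "kernel" side */

/* Hypothetical stand-in for data a driver would copy out to a caller. */
static unsigned char table[REC_COUNT * REC_SIZE];

/* "Before" form: the caller-supplied size is a signed int. Returns the
 * length a copy routine would be handed; it performs no copy itself. */
size_t copy_len_signed(int size)
{
    int total = (int)sizeof(table);
    int n = total < size ? total : size; /* size = -1 wins the minimum */
    return (size_t)n;                    /* -1 converts to SIZE_MAX */
}

/* "After" form: with an unsigned size the minimum is bounded by the table. */
size_t copy_len_unsigned(size_t size)
{
    size_t total = sizeof(table);
    return total < size ? total : size;
}

/* Hardened export: copies at most sizeof(table) bytes. dst must hold
 * min(size, sizeof(table)) bytes, as the caller's size promises. */
size_t export_records(unsigned char *dst, size_t size)
{
    size_t n = copy_len_unsigned(size);
    memcpy(dst, table, n);
    return n;
}

int main(void)
{
    unsigned char out[sizeof(table)];
    memset(table, 0xAB, sizeof(table));
    printf("signed,   size=-1: copy length %zu\n", copy_len_signed(-1));
    printf("unsigned, size=-1: copy length %zu\n", export_records(out, (size_t)-1));
    printf("unsigned, size=16: copy length %zu\n", export_records(out, 16));
    return 0;
}
```

With the signed parameter, a negative size survives the minimum and becomes an enormous length once it is converted for the copy; with the unsigned parameter the same input is clamped to the table size.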