summary refs log tree commit diff
path: root/gnu/packages/patches
diff options
context:
space:
mode:
authorMarius Bakke <mbakke@fastmail.com>2018-08-10 15:32:51 +0200
committerMarius Bakke <mbakke@fastmail.com>2018-08-10 15:32:51 +0200
commit7b38f045c04fe69001ff5c2f04486cc51a69ae82 (patch)
treebd839f1f635dc114c84d67c1db09b74f613ec315 /gnu/packages/patches
parent369d15674c8bb251c45a45466031a2da1640df9f (diff)
parent256d5c6e339d59287284bb83f35c594f13bd08f9 (diff)
downloadguix-7b38f045c04fe69001ff5c2f04486cc51a69ae82.tar.gz
Merge branch 'master' into staging
Diffstat (limited to 'gnu/packages/patches')
-rw-r--r--gnu/packages/patches/lxc-CVE-2018-6556.patch116
-rw-r--r--gnu/packages/patches/polkit-drop-test.patch18
-rw-r--r--gnu/packages/patches/wpa-supplicant-CVE-2018-14526.patch53
-rw-r--r--gnu/packages/patches/xorg-server-rotate-fb.patch35
4 files changed, 169 insertions, 53 deletions
diff --git a/gnu/packages/patches/lxc-CVE-2018-6556.patch b/gnu/packages/patches/lxc-CVE-2018-6556.patch
new file mode 100644
index 0000000000..7eab7101f1
--- /dev/null
+++ b/gnu/packages/patches/lxc-CVE-2018-6556.patch
@@ -0,0 +1,116 @@
+Fix CVE-2018-6556:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6556
+https://bugzilla.suse.com/show_bug.cgi?id=988348#c8
+
+Patch copied from upstream source repository:
+
+https://github.com/lxc/lxc/commit/c1cf54ebf251fdbad1e971679614e81649f1c032
+
+From c1cf54ebf251fdbad1e971679614e81649f1c032 Mon Sep 17 00:00:00 2001
+From: Christian Brauner <christian.brauner@ubuntu.com>
+Date: Wed, 25 Jul 2018 19:56:54 +0200
+Subject: [PATCH] CVE 2018-6556: verify netns fd in lxc-user-nic
+
+Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
+---
+ src/lxc/cmd/lxc_user_nic.c | 35 ++++++++++++++++++++++++++++++++---
+ src/lxc/utils.c            | 12 ++++++++++++
+ src/lxc/utils.h            |  5 +++++
+ 3 files changed, 49 insertions(+), 3 deletions(-)
+
+diff --git a/src/lxc/cmd/lxc_user_nic.c b/src/lxc/cmd/lxc_user_nic.c
+index ec9cd97e0..c5beb6c8d 100644
+--- a/src/lxc/cmd/lxc_user_nic.c
++++ b/src/lxc/cmd/lxc_user_nic.c
+@@ -1179,12 +1179,41 @@ int main(int argc, char *argv[])
+ 			exit(EXIT_FAILURE);
+ 		}
+ 	} else if (request == LXC_USERNIC_DELETE) {
+-		netns_fd = open(args.pid, O_RDONLY);
++		char opath[LXC_PROC_PID_FD_LEN];
++
++		/* Open the path with O_PATH which will not trigger an actual
++		 * open(). Don't report an errno to the caller to not leak
++		 * information whether the path exists or not.
++		 * When stracing setuid is stripped so this is not a concern
++		 * either.
++		 */
++		netns_fd = open(args.pid, O_PATH | O_CLOEXEC);
+ 		if (netns_fd < 0) {
+-			usernic_error("Could not open \"%s\": %s\n", args.pid,
+-				      strerror(errno));
++			usernic_error("Failed to open \"%s\"\n", args.pid);
++			exit(EXIT_FAILURE);
++		}
++
++		if (!fhas_fs_type(netns_fd, NSFS_MAGIC)) {
++			usernic_error("Path \"%s\" does not refer to a network namespace path\n", args.pid);
++			close(netns_fd);
++			exit(EXIT_FAILURE);
++		}
++
++		ret = snprintf(opath, sizeof(opath), "/proc/self/fd/%d", netns_fd);
++		if (ret < 0 || (size_t)ret >= sizeof(opath)) {
++			close(netns_fd);
++			exit(EXIT_FAILURE);
++		}
++
++		/* Now get an fd that we can use in setns() calls. */
++		ret = open(opath, O_RDONLY | O_CLOEXEC);
++		if (ret < 0) {
++			usernic_error("Failed to open \"%s\": %s\n", args.pid, strerror(errno));
++			close(netns_fd);
+ 			exit(EXIT_FAILURE);
+ 		}
++		close(netns_fd);
++		netns_fd = ret;
+ 	}
+ 
+ 	if (!create_db_dir(LXC_USERNIC_DB)) {
+diff --git a/src/lxc/utils.c b/src/lxc/utils.c
+index 530b1f81a..3b854e35b 100644
+--- a/src/lxc/utils.c
++++ b/src/lxc/utils.c
+@@ -2544,6 +2544,18 @@ bool has_fs_type(const char *path, fs_type_magic magic_val)
+ 	return has_type;
+ }
+ 
++bool fhas_fs_type(int fd, fs_type_magic magic_val)
++{
++	int ret;
++	struct statfs sb;
++
++	ret = fstatfs(fd, &sb);
++	if (ret < 0)
++		return false;
++
++	return is_fs_type(&sb, magic_val);
++}
++
+ bool lxc_nic_exists(char *nic)
+ {
+ #define __LXC_SYS_CLASS_NET_LEN 15 + IFNAMSIZ + 1
+diff --git a/src/lxc/utils.h b/src/lxc/utils.h
+index 6a0bebded..0805f5d0d 100644
+--- a/src/lxc/utils.h
++++ b/src/lxc/utils.h
+@@ -95,6 +95,10 @@
+ #define CGROUP2_SUPER_MAGIC 0x63677270
+ #endif
+ 
++#ifndef NSFS_MAGIC
++#define NSFS_MAGIC 0x6e736673
++#endif
++
+ /* Useful macros */
+ /* Maximum number for 64 bit integer is a string with 21 digits: 2^64 - 1 = 21 */
+ #define LXC_NUMSTRLEN64 21
+@@ -580,6 +584,7 @@ extern void *must_realloc(void *orig, size_t sz);
+ /* __typeof__ should be safe to use with all compilers. */
+ typedef __typeof__(((struct statfs *)NULL)->f_type) fs_type_magic;
+ extern bool has_fs_type(const char *path, fs_type_magic magic_val);
++extern bool fhas_fs_type(int fd, fs_type_magic magic_val);
+ extern bool is_fs_type(const struct statfs *fs, fs_type_magic magic_val);
+ extern bool lxc_nic_exists(char *nic);
+ extern int lxc_make_tmpfile(char *template, bool rm);
diff --git a/gnu/packages/patches/polkit-drop-test.patch b/gnu/packages/patches/polkit-drop-test.patch
deleted file mode 100644
index 2fd0c8bdf6..0000000000
--- a/gnu/packages/patches/polkit-drop-test.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-Drop test failing with the following message:
-FAIL: polkitbackendjsauthoritytest
-==================================
-/PolkitBackendJsAuthority/get_admin_identities: Error getting system bus: Could not connect: No such file or directoryError loading /var/run/ConsoleKit/database: Error statting file /var/run/ConsoleKit/database: No such file or directory
-
-
-diff -ru polkit-0.112.old/test/Makefile.in polkit-0.112/test/Makefile.in
---- polkit-0.112.old/test/Makefile.in	2013-07-08 22:52:13.000000000 +0200
-+++ polkit-0.112/test/Makefile.in	2014-11-09 18:43:47.000000000 +0100
-@@ -388,7 +388,7 @@
- top_build_prefix = @top_build_prefix@
- top_builddir = @top_builddir@
- top_srcdir = @top_srcdir@
--SUBDIRS = mocklibc . polkit polkitbackend
-+SUBDIRS = mocklibc . polkit
- AM_CFLAGS = $(GLIB_CFLAGS)
- noinst_LTLIBRARIES = libpolkit-test-helper.la
- libpolkit_test_helper_la_SOURCES = polkittesthelper.c polkittesthelper.h
diff --git a/gnu/packages/patches/wpa-supplicant-CVE-2018-14526.patch b/gnu/packages/patches/wpa-supplicant-CVE-2018-14526.patch
new file mode 100644
index 0000000000..d3d5cbc46a
--- /dev/null
+++ b/gnu/packages/patches/wpa-supplicant-CVE-2018-14526.patch
@@ -0,0 +1,53 @@
+Fix CVE-2018-14526:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14526
+https://w1.fi/security/2018-1/unauthenticated-eapol-key-decryption.txt
+
+Patch downloaded from upstream:
+
+https://w1.fi/security/2018-1/rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch
+
+From 3e34cfdff6b192fe337c6fb3f487f73e96582961 Mon Sep 17 00:00:00 2001
+From: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
+Date: Sun, 15 Jul 2018 01:25:53 +0200
+Subject: [PATCH] WPA: Ignore unauthenticated encrypted EAPOL-Key data
+
+Ignore unauthenticated encrypted EAPOL-Key data in supplicant
+processing. When using WPA2, these are frames that have the Encrypted
+flag set, but not the MIC flag.
+
+When using WPA2, EAPOL-Key frames that had the Encrypted flag set but
+not the MIC flag, had their data field decrypted without first verifying
+the MIC. In case the data field was encrypted using RC4 (i.e., when
+negotiating TKIP as the pairwise cipher), this meant that
+unauthenticated but decrypted data would then be processed. An adversary
+could abuse this as a decryption oracle to recover sensitive information
+in the data field of EAPOL-Key messages (e.g., the group key).
+(CVE-2018-14526)
+
+Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
+---
+ src/rsn_supp/wpa.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff -upr wpa_supplicant-2.6.orig/src/rsn_supp/wpa.c wpa_supplicant-2.6/src/rsn_supp/wpa.c
+--- wpa_supplicant-2.6.orig/src/rsn_supp/wpa.c	2016-10-02 21:51:11.000000000 +0300
++++ wpa_supplicant-2.6/src/rsn_supp/wpa.c	2018-08-08 16:55:11.506831029 +0300
+@@ -2016,6 +2016,17 @@ int wpa_sm_rx_eapol(struct wpa_sm *sm, c
+ 
+ 	if ((sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) &&
+ 	    (key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
++		/*
++		 * Only decrypt the Key Data field if the frame's authenticity
++		 * was verified. When using AES-SIV (FILS), the MIC flag is not
++		 * set, so this check should only be performed if mic_len != 0
++		 * which is the case in this code branch.
++		 */
++		if (!(key_info & WPA_KEY_INFO_MIC)) {
++			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
++				"WPA: Ignore EAPOL-Key with encrypted but unauthenticated data");
++			goto out;
++		}
+ 		if (wpa_supplicant_decrypt_key_data(sm, key, ver, key_data,
+ 						    &key_data_len))
+ 			goto out;
diff --git a/gnu/packages/patches/xorg-server-rotate-fb.patch b/gnu/packages/patches/xorg-server-rotate-fb.patch
deleted file mode 100644
index f47036b2a7..0000000000
--- a/gnu/packages/patches/xorg-server-rotate-fb.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-commit a85e94a50c94b07574c8701a3ff3c1243f4257f4
-Author: Olivier Fourdan <ofourdan@redhat.com>
-Date:   Fri Jun 15 08:57:12 2018 +0200
-
-    modesetting: use drmmode_bo_import() for rotate_fb
-    
-    drmmode_shadow_allocate() still uses drmModeAddFB() which may fail if
-    the format is not as expected, preventing from using a rotated output.
-    
-    Change it to use the new function drmmode_bo_import() which takes care
-    of calling the drmModeAddFB2() API.
-    
-    Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=106715
-    Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
-    Tested-by: Tomas Pelka <tpelka@redhat.com>
-    Reviewed-by: Lyude Paul <lyude@redhat.com>
-
-diff --git a/hw/xfree86/drivers/modesetting/drmmode_display.c b/hw/xfree86/drivers/modesetting/drmmode_display.c
-index 859a21a9d..ec11b3f56 100644
---- a/hw/xfree86/drivers/modesetting/drmmode_display.c
-+++ b/hw/xfree86/drivers/modesetting/drmmode_display.c
-@@ -1794,11 +1794,8 @@ drmmode_shadow_allocate(xf86CrtcPtr crtc, int width, int height)
-         return NULL;
-     }
- 
--    ret = drmModeAddFB(drmmode->fd, width, height, crtc->scrn->depth,
--                       drmmode->kbpp,
--                       drmmode_bo_get_pitch(&drmmode_crtc->rotate_bo),
--                       drmmode_bo_get_handle(&drmmode_crtc->rotate_bo),
--                       &drmmode_crtc->rotate_fb_id);
-+    ret = drmmode_bo_import(drmmode, &drmmode_crtc->rotate_bo,
-+                            &drmmode_crtc->rotate_fb_id);
- 
-     if (ret) {
-         ErrorF("failed to add rotate fb\n");