diff --git a/iscsi-target-fix-heap-buffer-overflow-on-error.patch b/iscsi-target-fix-heap-buffer-overflow-on-error.patch deleted file mode 100644 index 7b368122d..000000000 --- a/iscsi-target-fix-heap-buffer-overflow-on-error.patch +++ /dev/null @@ -1,63 +0,0 @@ -From cea4dcfdad926a27a18e188720efe0f2c9403456 Mon Sep 17 00:00:00 2001 -From: Kees Cook -Date: Thu, 23 May 2013 17:32:17 +0000 -Subject: iscsi-target: fix heap buffer overflow on error - -If a key was larger than 64 bytes, as checked by iscsi_check_key(), the -error response packet, generated by iscsi_add_notunderstood_response(), -would still attempt to copy the entire key into the packet, overflowing -the structure on the heap. - -Remote preauthentication kernel memory corruption was possible if a -target was configured and listening on the network. - -CVE-2013-2850 - -Signed-off-by: Kees Cook -Cc: stable@vger.kernel.org -Signed-off-by: Nicholas Bellinger ---- -diff --git a/drivers/target/iscsi/iscsi_target_parameters.c b/drivers/target/iscsi/iscsi_target_parameters.c -index c2185fc..e382221 100644 ---- a/drivers/target/iscsi/iscsi_target_parameters.c -+++ b/drivers/target/iscsi/iscsi_target_parameters.c -@@ -758,9 +758,9 @@ static int iscsi_add_notunderstood_response( - } - INIT_LIST_HEAD(&extra_response->er_list); - -- strncpy(extra_response->key, key, strlen(key) + 1); -- strncpy(extra_response->value, NOTUNDERSTOOD, -- strlen(NOTUNDERSTOOD) + 1); -+ strlcpy(extra_response->key, key, sizeof(extra_response->key)); -+ strlcpy(extra_response->value, NOTUNDERSTOOD, -+ sizeof(extra_response->value)); - - list_add_tail(&extra_response->er_list, - ¶m_list->extra_response_list); -@@ -1629,8 +1629,6 @@ int iscsi_decode_text_input( - - if (phase & PHASE_SECURITY) { - if (iscsi_check_for_auth_key(key) > 0) { -- char *tmpptr = key + strlen(key); -- *tmpptr = '='; - kfree(tmpbuf); - return 1; - } -diff --git a/drivers/target/iscsi/iscsi_target_parameters.h b/drivers/target/iscsi/iscsi_target_parameters.h -index 915b067..a47046a 100644 ---- a/drivers/target/iscsi/iscsi_target_parameters.h -+++ b/drivers/target/iscsi/iscsi_target_parameters.h -@@ -1,8 +1,10 @@ - #ifndef ISCSI_PARAMETERS_H - #define ISCSI_PARAMETERS_H - -+#include -+ - struct iscsi_extra_response { -- char key[64]; -+ char key[KEY_MAXLEN]; - char value[32]; - struct list_head er_list; - } ____cacheline_aligned; --- -cgit v0.9.2 diff --git a/iwlwifi-dvm-fix-memset.patch b/iwlwifi-dvm-fix-memset.patch deleted file mode 100644 index ef063f2a9..000000000 --- a/iwlwifi-dvm-fix-memset.patch +++ /dev/null @@ -1,39 +0,0 @@ -From: Emmanuel Grumbach - -In 63b77bf489881747c5118476918cc8c29378ee63 - - iwlwifi: dvm: don't send zeroed LQ cmd - -I tried to avoid to send zeroed LQ cmd, but I made a (very) -stupid mistake in the memcmp. -Since this patch has been ported to stable, the fix should -go to stable too. - -This fixes https://bugzilla.kernel.org/show_bug.cgi?id=58341 - -Change-Id: I0af4b3fdd537a1f674e85eb02dc0f5b5ac1ee7ac -Cc: stable@vger.kernel.org -Reported-by: Hinnerk van Bruinehsen -Signed-off-by: Emmanuel Grumbach ---- -Josh, this fix ugly -stable 3.8, 3.9 regression, please apply. - - drivers/net/wireless/iwlwifi/dvm/sta.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/net/wireless/iwlwifi/dvm/sta.c b/drivers/net/wireless/iwlwifi/dvm/sta.c -index 5175368..8212097 100644 ---- a/drivers/net/wireless/iwlwifi/dvm/sta.c -+++ b/drivers/net/wireless/iwlwifi/dvm/sta.c -@@ -735,7 +735,7 @@ void iwl_restore_stations(struct iwl_priv *priv, struct iwl_rxon_context *ctx) - memcpy(&lq, priv->stations[i].lq, - sizeof(struct iwl_link_quality_cmd)); - -- if (!memcmp(&lq, &zero_lq, sizeof(lq))) -+ if (memcmp(&lq, &zero_lq, sizeof(lq))) - send_lq = true; - } - spin_unlock_bh(&priv->sta_lock); --- -1.7.10.4 - diff --git a/kernel.spec b/kernel.spec index 5eee24a5f..d3cf47ec0 100644 --- a/kernel.spec +++ b/kernel.spec @@ -54,7 +54,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 102 +%global baserelease 100 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -66,7 +66,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 4 +%define stable_update 5 # Is it a -stable RC? %define stable_rc 0 # Set rpm version accordingly @@ -737,17 +737,12 @@ Patch25001: i7300_edac_single_mode_fixup.patch #rhbz 927469 Patch25007: fix-child-thread-introspection.patch -Patch25022: iwlwifi-dvm-fix-memset.patch - #rhbz 964367 Patch25023: hp-wmi-fix-incorrect-rfkill-set-hw-state.patch #rhbz 948262 Patch25024: intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.patch -#CVE-2013-2850 rhbz 968036 969272 -Patch25025: iscsi-target-fix-heap-buffer-overflow-on-error.patch - #rhbz 964335 Patch25026: Modify-UEFI-anti-bricking-code.patch @@ -1457,17 +1452,12 @@ ApplyPatch VMX-x86-handle-host-TSC-calibration-failure.patch #rhbz 927469 ApplyPatch fix-child-thread-introspection.patch -ApplyPatch iwlwifi-dvm-fix-memset.patch - #rhbz 964367 ApplyPatch hp-wmi-fix-incorrect-rfkill-set-hw-state.patch #rhbz 948262 ApplyPatch intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.patch -#CVE-2013-2850 rhbz 968036 969272 -ApplyPatch iscsi-target-fix-heap-buffer-overflow-on-error.patch - #rhbz 964335 ApplyPatch Modify-UEFI-anti-bricking-code.patch @@ -2337,6 +2327,9 @@ fi # '-' | | # '-' %changelog +* Mon Jun 10 2013 Josh Boyer +- Linux v3.9.5 + * Fri Jun 07 2013 Josh Boyer - CVE-2013-2851 block: passing disk names as format strings (rhbz 969515 971662) - CVE-2013-2852 b43: format string leaking into error msgs (rhbz 969518 971665) diff --git a/sources b/sources index 50d708523..2e345eb6b 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ 4348c9b6b2eb3144d601e87c19d5d909 linux-3.9.tar.xz -922c4553299e6692a28761d3032fc012 patch-3.9.4.xz +aa22187ae5cd482a69097e9e59244491 patch-3.9.5.xz