diff --git a/debian/changelog b/debian/changelog index 09b49fd0b..09735458d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -95,6 +95,55 @@ linux-2.6 (3.2~rc4-1~experimental.1) experimental; urgency=low -- Ben Hutchings Sat, 03 Dec 2011 23:07:41 +0000 +linux-2.6 (3.1.8-2) unstable; urgency=high + + * igmp: Avoid zero delay when receiving odd mixture of IGMP queries + (Closes: #654876) (CVE-2012-0207) + + -- Ben Hutchings Tue, 10 Jan 2012 00:14:39 +0000 + +linux-2.6 (3.1.8-1) unstable; urgency=low + + * New upstream stable update: + http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.1.7 + http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.1.8 + - Revert "clockevents: Set noop handler in clockevents_exchange_device()", + included in stable update 3.1.5 (Closes: #653398) + - cfq-iosched: fix cfq_cic_link() race condition + - binary_sysctl(): fix memory leak + - cgroups: fix a css_set not found bug in cgroup_attach_proc + - iwlwifi: allow to switch to HT40 if not associated (Closes: #653423) + - futex: Fix uninterruptible loop due to gate_area + - drm/radeon/kms: bail on BTC parts if MC ucode is missing + - [sparc] sparc64: Fix masking and shifting in VIS fpcmp emulation. + - llc: llc_cmsg_rcv was getting called after sk_eat_skb. + - ipv4: reintroduce route cache garbage collector + - Revert "rtc: Disable the alarm in the hardware" (Closes: #652869) + + [ Ben Hutchings ] + * snapshot: Implement compat_ioctl (Closes: #502816) + * drm/radeon: flush read cache for gtt with fence on r6xx and newer GPU + (Closes: #646376) + * rtc: Fix alarm rollover when day or month is out-of-range (Closes: #646429) + * l2tp: ensure sk->dst is still valid (Closes: #652503) + * Update Russian debconf template translations (Yuri Kozlov) + (Closes: #653716) + * v4l2-ioctl: integer overflow in video_usercopy() + * Restrict ioctl forwarding on partitions and logical volumes (CVE-2011-4127) + * [x86] KVM: Prevent starting PIT timers in the absence of irqchip support + (CVE-2011-4622) + + [ Jonathan Nieder ] + * prerm: Print an error message when aborting removal of the running + kernel (Closes: #601962) + + [ Aurelien Jarno ] + * [sh4] Remove core-modules udeb as it is empty. + * [sh4/sh7751r] Disable CONFIG_RTS7751R2D_1. Support for this board + implies IRQless IDE, which causes data corruption. + + -- Ben Hutchings Sun, 08 Jan 2012 16:31:16 +0000 + linux-2.6 (3.1.6-1) unstable; urgency=low * New upstream stable update: diff --git a/debian/config/sh4/config.sh7751r b/debian/config/sh4/config.sh7751r index 816faca65..1a6029910 100644 --- a/debian/config/sh4/config.sh7751r +++ b/debian/config/sh4/config.sh7751r @@ -17,7 +17,6 @@ CONFIG_SH_RTS7751R2D=y ## file: arch/sh/boards/mach-r2d/Kconfig ## CONFIG_RTS7751R2D_PLUS=y -CONFIG_RTS7751R2D_1=y ## ## file: arch/sh/Kconfig.cpu diff --git a/debian/installer/sh4/modules/sh4-sh7751r/core-modules b/debian/installer/sh4/modules/sh4-sh7751r/core-modules deleted file mode 100644 index f05d06298..000000000 --- a/debian/installer/sh4/modules/sh4-sh7751r/core-modules +++ /dev/null @@ -1 +0,0 @@ -#include diff --git a/debian/installer/sh4/modules/sh4-sh7785lcr/core-modules b/debian/installer/sh4/modules/sh4-sh7785lcr/core-modules deleted file mode 100644 index f05d06298..000000000 --- a/debian/installer/sh4/modules/sh4-sh7785lcr/core-modules +++ /dev/null @@ -1 +0,0 @@ -#include diff --git a/debian/patches/bugfix/all/media-V4L-DVB-v4l2-ioctl-integer-overflow-in-video_usercopy.patch b/debian/patches/bugfix/all/media-V4L-DVB-v4l2-ioctl-integer-overflow-in-video_usercopy.patch new file mode 100644 index 000000000..fb7829f4e --- /dev/null +++ b/debian/patches/bugfix/all/media-V4L-DVB-v4l2-ioctl-integer-overflow-in-video_usercopy.patch @@ -0,0 +1,51 @@ +Subject: [media] V4L/DVB: v4l2-ioctl: integer overflow in video_usercopy() +From: Dan Carpenter +Date: Thu Jan 5 02:27:57 2012 -0300 + +If ctrls->count is too high the multiplication could overflow and +array_size would be lower than expected. Mauro and Hans Verkuil +suggested that we cap it at 1024. That comes from the maximum +number of controls with lots of room for expantion. + +$ grep V4L2_CID include/linux/videodev2.h | wc -l +211 + +Cc: stable +Signed-off-by: Dan Carpenter +Signed-off-by: Mauro Carvalho Chehab +--- + drivers/media/video/v4l2-ioctl.c | 4 ++++ + include/linux/videodev2.h | 1 + + 2 files changed, 5 insertions(+), 0 deletions(-) + +--- + +http://git.linuxtv.org/media_tree.git?a=commitdiff;h=6c06108be53ca5e94d8b0e93883d534dd9079646 + +diff --git a/drivers/media/video/v4l2-ioctl.c b/drivers/media/video/v4l2-ioctl.c +index e1da8fc..639abee 100644 +--- a/drivers/media/video/v4l2-ioctl.c ++++ b/drivers/media/video/v4l2-ioctl.c +@@ -2226,6 +2226,10 @@ static int check_array_args(unsigned int cmd, void *parg, size_t *array_size, + struct v4l2_ext_controls *ctrls = parg; + + if (ctrls->count != 0) { ++ if (ctrls->count > V4L2_CID_MAX_CTRLS) { ++ ret = -EINVAL; ++ break; ++ } + *user_ptr = (void __user *)ctrls->controls; + *kernel_ptr = (void *)&ctrls->controls; + *array_size = sizeof(struct v4l2_ext_control) +diff --git a/include/linux/videodev2.h b/include/linux/videodev2.h +index 6bfaa76..b2e1331 100644 +--- a/include/linux/videodev2.h ++++ b/include/linux/videodev2.h +@@ -1132,6 +1132,7 @@ struct v4l2_querymenu { + #define V4L2_CTRL_FLAG_NEXT_CTRL 0x80000000 + + /* User-class control IDs defined by V4L2 */ ++#define V4L2_CID_MAX_CTRLS 1024 + #define V4L2_CID_BASE (V4L2_CTRL_CLASS_USER | 0x900) + #define V4L2_CID_USER_BASE V4L2_CID_BASE + /* IDs reserved for driver specific controls */ diff --git a/debian/patches/bugfix/all/rtc-Fix-alarm-rollover-when-day-or-month-is-out-of-r.patch b/debian/patches/bugfix/all/rtc-Fix-alarm-rollover-when-day-or-month-is-out-of-r.patch new file mode 100644 index 000000000..ec6f80500 --- /dev/null +++ b/debian/patches/bugfix/all/rtc-Fix-alarm-rollover-when-day-or-month-is-out-of-r.patch @@ -0,0 +1,39 @@ +From: Ben Hutchings +Date: Thu, 29 Dec 2011 14:38:52 +0100 +Subject: [PATCH] rtc: Fix alarm rollover when day or month is out-of-range + +Commit f44f7f96a20af16f6f12e1c995576d6becf5f57b ('RTC: Initialize +kernel state from RTC') introduced a potential infinite loop. If an +alarm time contains a wildcard month and an invalid day (> 31), or a +wildcard year and an invalid month (>= 12), the loop searching for the +next matching date will never terminate. Treat the invalid values as +wildcards. + +References: http://bugs.debian.org/646429 +References: http://bugs.debian.org/653331 +Signed-off-by: Ben Hutchings +--- + drivers/rtc/interface.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/rtc/interface.c b/drivers/rtc/interface.c +index 3d9d2b9..f79ff34 100644 +--- a/drivers/rtc/interface.c ++++ b/drivers/rtc/interface.c +@@ -227,11 +227,11 @@ int __rtc_read_alarm(struct rtc_device *rtc, struct rtc_wkalrm *alarm) + alarm->time.tm_hour = now.tm_hour; + + /* For simplicity, only support date rollover for now */ +- if (alarm->time.tm_mday == -1) { ++ if (alarm->time.tm_mday < 1 || alarm->time.tm_mday > 31) { + alarm->time.tm_mday = now.tm_mday; + missing = day; + } +- if (alarm->time.tm_mon == -1) { ++ if ((unsigned)alarm->time.tm_mon >= 12) { + alarm->time.tm_mon = now.tm_mon; + if (missing == none) + missing = month; +-- +1.7.7.3 + diff --git a/debian/patches/bugfix/all/snapshot-Implement-compat_ioctl.patch b/debian/patches/bugfix/all/snapshot-Implement-compat_ioctl.patch new file mode 100644 index 000000000..5a9ea1fb7 --- /dev/null +++ b/debian/patches/bugfix/all/snapshot-Implement-compat_ioctl.patch @@ -0,0 +1,102 @@ +From: Ben Hutchings +Date: Tue, 27 Dec 2011 20:42:09 +0100 +Subject: [PATCH] snapshot: Implement compat_ioctl + +References: http://bugs.debian.org/502816 +Signed-off-by: Ben Hutchings +--- + kernel/power/user.c | 64 +++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 files changed, 64 insertions(+), 0 deletions(-) + +diff --git a/kernel/power/user.c b/kernel/power/user.c +index 6d8f535..d86e5a7 100644 +--- a/kernel/power/user.c ++++ b/kernel/power/user.c +@@ -21,6 +21,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -464,6 +465,66 @@ static long snapshot_ioctl(struct file *filp, unsigned int cmd, + return error; + } + ++#ifdef CONFIG_COMPAT ++ ++struct compat_resume_swap_area { ++ compat_loff_t offset; ++ u32 dev; ++} __packed; ++ ++static long ++snapshot_compat_ioctl(struct file *file, unsigned int cmd, unsigned long arg) ++{ ++ BUILD_BUG_ON(sizeof(loff_t) != sizeof(compat_loff_t)); ++ ++ switch (cmd) { ++ case SNAPSHOT_GET_IMAGE_SIZE: ++ case SNAPSHOT_AVAIL_SWAP_SIZE: ++ case SNAPSHOT_ALLOC_SWAP_PAGE: { ++ compat_loff_t __user *uoffset = compat_ptr(arg); ++ loff_t offset; ++ mm_segment_t old_fs; ++ int err; ++ ++ old_fs = get_fs(); ++ set_fs(KERNEL_DS); ++ err = snapshot_ioctl(file, cmd, (unsigned long) &offset); ++ set_fs(old_fs); ++ if (!err && put_user(offset, uoffset)) ++ err = -EFAULT; ++ return err; ++ } ++ ++ case SNAPSHOT_CREATE_IMAGE: ++ return snapshot_ioctl(file, cmd, ++ (unsigned long) compat_ptr(arg)); ++ ++ case SNAPSHOT_SET_SWAP_AREA: { ++ struct compat_resume_swap_area __user *u_swap_area = ++ compat_ptr(arg); ++ struct resume_swap_area swap_area; ++ mm_segment_t old_fs; ++ int err; ++ ++ err = get_user(swap_area.offset, &u_swap_area->offset); ++ err |= get_user(swap_area.dev, &u_swap_area->dev); ++ if (err) ++ return -EFAULT; ++ old_fs = get_fs(); ++ set_fs(KERNEL_DS); ++ err = snapshot_ioctl(file, SNAPSHOT_SET_SWAP_AREA, ++ (unsigned long) &swap_area); ++ set_fs(old_fs); ++ return err; ++ } ++ ++ default: ++ return snapshot_ioctl(file, cmd, arg); ++ } ++} ++ ++#endif /* CONFIG_COMPAT */ ++ + static const struct file_operations snapshot_fops = { + .open = snapshot_open, + .release = snapshot_release, +@@ -471,6 +532,9 @@ static const struct file_operations snapshot_fops = { + .write = snapshot_write, + .llseek = no_llseek, + .unlocked_ioctl = snapshot_ioctl, ++#ifdef CONFIG_COMPAT ++ .compat_ioctl = snapshot_compat_ioctl, ++#endif + }; + + static struct miscdevice snapshot_device = { +-- +1.7.7.3 + diff --git a/debian/patches/series/base b/debian/patches/series/base index 46e0db3ae..168c26e98 100644 --- a/debian/patches/series/base +++ b/debian/patches/series/base @@ -58,6 +58,9 @@ + bugfix/all/cpu-Do-not-return-errors-from-cpu_dev_init-which-wil.patch + bugfix/all/cpu-Register-a-generic-CPU-device-on-architectures-t.patch + debian/x86-memtest-WARN-if-bad-RAM-found.patch ++ bugfix/all/snapshot-Implement-compat_ioctl.patch ++ bugfix/all/rtc-Fix-alarm-rollover-when-day-or-month-is-out-of-r.patch ++ bugfix/all/media-V4L-DVB-v4l2-ioctl-integer-overflow-in-video_usercopy.patch + debian/ARM-Remove-use-of-possibly-undefined-BUILD_BUG_ON-in.patch + bugfix/arm/ARM-ixp4xx-gpiolib-support.patch + bugfix/arm/ARM-topdown-mmap.patch diff --git a/debian/po/ru.po b/debian/po/ru.po index e9a7891af..3689975ca 100644 --- a/debian/po/ru.po +++ b/debian/po/ru.po @@ -2,38 +2,23 @@ # Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER # This file is distributed under the same license as the linux-2.6 package. # -# Yuri Kozlov , 2010. +# Yuri Kozlov , 2010, 2011. msgid "" msgstr "" -"Project-Id-Version: linux-2.6 2.6.32-18\n" +"Project-Id-Version: linux-2.6 3.1.6-1\n" "Report-Msgid-Bugs-To: linux-2.6@packages.debian.org\n" -"POT-Creation-Date: 2010-07-25 10:32+0200\n" -"PO-Revision-Date: 2010-08-01 17:11+0400\n" +"POT-Creation-Date: 2011-07-04 04:24+0100\n" +"PO-Revision-Date: 2011-12-30 18:35+0400\n" "Last-Translator: Yuri Kozlov \n" "Language-Team: Russian \n" +"Language: ru\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" -"Language: ru\n" "X-Generator: Lokalize 1.0\n" "Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && " "n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n" -#. Type: error -#. Description -#: ../linux-base.templates:8001 ../templates/temp.image.plain/templates:5001 -msgid "" -"If the boot loader needs to be updated whenever a new kernel is installed, " -"the boot loader package should install a script in /etc/kernel/postinst.d. " -"Alternately, you can specify the command to update the boot loader by " -"setting the 'postinst_hook' variable in /etc/kernel-img.conf." -msgstr "" -"Если системный загрузчик требует обновления после установки нового ядра, " -"то пакет системного загрузчика должен устанавливать сценарий в каталог " -"/etc/kernel/postinst.d. Или же вы можете задать команду обновления " -"системного загрузчика, указав её в переменной postinst_hook в файле " -"/etc/kernel-img.conf." - #. Type: boolean #. Description #: ../templates/temp.image.plain/templates:2001 @@ -144,17 +129,20 @@ msgstr "" #. Type: error #. Description #: ../templates/temp.image.plain/templates:5001 -#| msgid "Boot loader configuration check needed" -msgid "Boot loader configuration must be updated" -msgstr "Требуется обновление настроек системного загрузчика" +msgid "Ramdisk configuration must be updated" +msgstr "Требуется обновление настроек Ramdisk" #. Type: error #. Description #: ../templates/temp.image.plain/templates:5001 msgid "" -"Kernel packages no longer update a default boot loader. You should remove " -"'do_bootloader = yes' from /etc/kernel-img.conf." +"Kernel packages will no longer run a specific ramdisk creator. The ramdisk " +"creator package must install a script in /etc/kernel/postinst.d, and you " +"should remove the line beginning 'ramdisk =' from /etc/kernel-img.conf." msgstr "" -"Пакеты ядра больше не обновляют системный загрузчик по умолчанию. " -"Вы должны удалить строку \"do_bootloader = yes\" из файла " -"/etc/kernel-img.conf." +"Пакеты с ядрами больше не запускают какую-то определённую программу для " +"создания " +"ramdisk. Пакет с программой для создания ramdisk " +"должен устанавливать сценарий в /etc/kernel/postinst.d, а вы должны удалить " +"строку, " +"начинающуюся с «ramdisk =» из файла /etc/kernel-img.conf." diff --git a/debian/templates/temp.image.plain/prerm b/debian/templates/temp.image.plain/prerm index 51b3bf029..1a3db34f0 100755 --- a/debian/templates/temp.image.plain/prerm +++ b/debian/templates/temp.image.plain/prerm @@ -109,6 +109,7 @@ if ($running eq $version) { die "Error retreiving answer for $question: $answer" if $ret; if ($answer =~ /^(y|t)/i) { + print STDERR "Aborting removal of running kernel image.\n"; exit 1; #Operation not permitted } else {