fix local privilege escalation in udev (even if we don't currently use udevd)

author Nicolas Thill <nico@openwrt.org>

Fri, 24 Apr 2009 02:29:34 +0000 (02:29 +0000)

committer Nicolas Thill <nico@openwrt.org>

Fri, 24 Apr 2009 02:29:34 +0000 (02:29 +0000)
author Nicolas Thill <nico@openwrt.org>
Fri, 24 Apr 2009 02:29:34 +0000 (02:29 +0000)
committer Nicolas Thill <nico@openwrt.org>
Fri, 24 Apr 2009 02:29:34 +0000 (02:29 +0000)
diff --git a/package/udev/Makefile b/package/udev/Makefile

index c611f9cc4a1d2b6d48e728502ff563d5981f9ded..be25da0e65d5e79eca5e7578675432ae776c48e3 100644 (file)
--- a/package/udev/Makefile
+++ b/package/udev/Makefile
@@ -1,5 +1,5 @@
  # 
-# Copyright (C) 2006-2008 OpenWrt.org
+# Copyright (C) 2006-2009 OpenWrt.org
  #
  # This is free software, licensed under the GNU General Public License v2.
  # See /LICENSE for more information.
@@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk
  
  PKG_NAME:=udev
  PKG_VERSION:=106
-PKG_RELEASE:=1
+PKG_RELEASE:=1.1
  
  PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
  PKG_SOURCE_URL:=@KERNEL/linux/utils/kernel/hotplug/
diff --git a/package/udev/patches/901-cve-2009-1185.patch b/package/udev/patches/901-cve-2009-1185.patch

new file mode 100644 (file)

index 0000000..6e9919d
--- /dev/null
+++ b/package/udev/patches/901-cve-2009-1185.patch
@@ -0,0 +1,40 @@
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1185
+
+--- a/udevd.c
++++ b/udevd.c
+@@ -734,16 +734,34 @@ static struct udevd_uevent_msg *get_netl
+       struct udevd_uevent_msg *msg;
+       int bufpos;
+       ssize_t size;
++      struct sockaddr_nl snl;
++      struct msghdr smsg;
++      struct iovec iov;
+       static char buffer[UEVENT_BUFFER_SIZE+512];
+       char *pos;
+ 
+-      size = recv(uevent_netlink_sock, &buffer, sizeof(buffer), 0);
++      iov.iov_base = buffer;
++      iov.iov_len = sizeof(buffer);
++
++      memset(&smsg, 0x00, sizeof(struct msghdr));
++      smsg.msg_name = &snl;
++      smsg.msg_namelen = sizeof(struct sockaddr_nl);
++      smsg.msg_iov = &iov;
++      smsg.msg_iovlen = 1;
++
++      size = recvmsg(uevent_netlink_sock, &smsg, 0);
+       if (size <  0) {
+               if (errno != EINTR)
+                       err("unable to receive kernel netlink message: %s", strerror(errno));
+               return NULL;
+       }
+ 
++      if ((snl.nl_groups != 1) || (snl.nl_pid != 0)) {
++              info("ignored netlink message from invalid group/sender %d/%d\n",
++                   snl.nl_groups, snl.nl_pid);
++              return NULL;
++      }
++
+       if ((size_t)size > sizeof(buffer)-1)
+               size = sizeof(buffer)-1;
+       buffer[size] = '\0';
author	Nicolas Thill <nico@openwrt.org>
	Fri, 24 Apr 2009 02:29:34 +0000 (02:29 +0000)
committer	Nicolas Thill <nico@openwrt.org>
	Fri, 24 Apr 2009 02:29:34 +0000 (02:29 +0000)
package/udev/Makefile		patch \| blob \| history
package/udev/patches/901-cve-2009-1185.patch	[new file with mode: 0644]	patch \| blob