Linux v4.12.6

0001-ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch

@@ -1,54 +0,0 @@
-From 6399f1fae4ec29fab5ec76070435555e256ca3a6 Mon Sep 17 00:00:00 2001
-From: Sabrina Dubroca <sd@queasysnail.net>
-Date: Wed, 19 Jul 2017 22:28:55 +0200
-Subject: [PATCH] ipv6: avoid overflow of offset in ip6_find_1stfragopt
-
-In some cases, offset can overflow and can cause an infinite loop in
-ip6_find_1stfragopt(). Make it unsigned int to prevent the overflow, and
-cap it at IPV6_MAXPLEN, since packets larger than that should be invalid.
-
-This problem has been here since before the beginning of git history.
-
-Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
-Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
- net/ipv6/output_core.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c
-index e9065b8..abb2c30 100644
---- a/net/ipv6/output_core.c
-+++ b/net/ipv6/output_core.c
-@@ -78,7 +78,7 @@ EXPORT_SYMBOL(ipv6_select_ident);
-
- int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
- {
--	u16 offset = sizeof(struct ipv6hdr);
-+	unsigned int offset = sizeof(struct ipv6hdr);
- 	unsigned int packet_len = skb_tail_pointer(skb) -
- 		skb_network_header(skb);
- 	int found_rhdr = 0;
-@@ -86,6 +86,7 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
-
- 	while (offset <= packet_len) {
- 		struct ipv6_opt_hdr *exthdr;
-+		unsigned int len;
-
- 		switch (**nexthdr) {
-
-@@ -111,7 +112,10 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
-
- 		exthdr = (struct ipv6_opt_hdr *)(skb_network_header(skb) +
- 						 offset);
--		offset += ipv6_optlen(exthdr);
-+		len = ipv6_optlen(exthdr);
-+		if (len + offset >= IPV6_MAXPLEN)
-+			return -EINVAL;
-+		offset += len;
- 		*nexthdr = &exthdr->nexthdr;
- 	}
-
--- 
-2.9.4
-

kernel.spec

@@ -54,7 +54,7 @@ Summary: The Linux kernel
 %if 0%{?released_kernel}
 
 # Do we have a -stable update to apply?
-%define stable_update 5
+%define stable_update 6
 # Set rpm version accordingly
 %if 0%{?stable_update}
 %define stablerev %{stable_update}
@@ -665,9 +665,6 @@ Patch615: 0015-i2c-cht-wc-Add-Intel-Cherry-Trail-Whiskey-Cove-SMBUS.patch
 # Small workaround patches for issues with a more comprehensive fix in -next
 Patch616: 0016-Input-silead-Do-not-try-to-directly-access-the-GPIO-.patch
 
-# CVE-2017-7542 rhbz 1473649 1473650
-Patch701: 0001-ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch
-
 # rhbz 1431375
 Patch703: HID-rmi-Make-sure-the-HID-device-is-opened-on-resume.patch
 Patch704: input-rmi4-remove-the-need-for-artifical-IRQ.patch
@@ -2254,6 +2251,9 @@ fi
 #
 #
 %changelog
+* Fri Aug 11 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.12.6-200
+- Linux v4.12.6
+
 * Mon Aug 07 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.12.5-200
 - Linux v4.12.5 rebase
 - Fixes CVE-2017-7533 (rhbz 1468283 1478086)

sources

@@ -1,3 +1,3 @@
 SHA512 (perf-man-4.12.tar.gz) = 4d3bbda1f520dba0007c351af46f45085fe4842074eb2e01aee736fd369df595f8f72ed6c1192715f1120bf3353279777f9dca1178fe93bffe5be2de700d409c
 SHA512 (linux-4.12.tar.xz) = 8e81b41b253e63233e92948941f44c6482acb52aa3a3fd172f03a38a86f2c35b2ad4fd407acd1bc3964673eba344fe104d3a03e3ff4bf9cd1f22bd44263bd728
-SHA512 (patch-4.12.5.xz) = b9e74f148a0bd76df8c52e6384933b9eddd8477c713b14389a34655538abab70ffa70e99b504a60d0adf1937c771d9bb3879511e6c3666c345d490848eb4f113
+SHA512 (patch-4.12.6.xz) = 78d480b3ad51028c129b1e3d63e3179f754bc8ab9987aa8e5815b105c8cb270c88673babee4124431861f769bc6f42c848391b065f7a3e02bec9b6a5290e2836