Linux v3.9.5

iscsi-target-fix-heap-buffer-overflow-on-error.patch

@@ -1,63 +0,0 @@
-From cea4dcfdad926a27a18e188720efe0f2c9403456 Mon Sep 17 00:00:00 2001
-From: Kees Cook <keescook@chromium.org>
-Date: Thu, 23 May 2013 17:32:17 +0000
-Subject: iscsi-target: fix heap buffer overflow on error
-
-If a key was larger than 64 bytes, as checked by iscsi_check_key(), the
-error response packet, generated by iscsi_add_notunderstood_response(),
-would still attempt to copy the entire key into the packet, overflowing
-the structure on the heap.
-
-Remote preauthentication kernel memory corruption was possible if a
-target was configured and listening on the network.
-
-CVE-2013-2850
-
-Signed-off-by: Kees Cook <keescook@chromium.org>
-Cc: stable@vger.kernel.org
-Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
----
-diff --git a/drivers/target/iscsi/iscsi_target_parameters.c b/drivers/target/iscsi/iscsi_target_parameters.c
-index c2185fc..e382221 100644
---- a/drivers/target/iscsi/iscsi_target_parameters.c
-+++ b/drivers/target/iscsi/iscsi_target_parameters.c
-@@ -758,9 +758,9 @@ static int iscsi_add_notunderstood_response(
- 	}
- 	INIT_LIST_HEAD(&extra_response->er_list);
- 
--	strncpy(extra_response->key, key, strlen(key) + 1);
--	strncpy(extra_response->value, NOTUNDERSTOOD,
--			strlen(NOTUNDERSTOOD) + 1);
-+	strlcpy(extra_response->key, key, sizeof(extra_response->key));
-+	strlcpy(extra_response->value, NOTUNDERSTOOD,
-+		sizeof(extra_response->value));
- 
- 	list_add_tail(&extra_response->er_list,
- 			&param_list->extra_response_list);
-@@ -1629,8 +1629,6 @@ int iscsi_decode_text_input(
- 
- 		if (phase & PHASE_SECURITY) {
- 			if (iscsi_check_for_auth_key(key) > 0) {
--				char *tmpptr = key + strlen(key);
--				*tmpptr = '=';
- 				kfree(tmpbuf);
- 				return 1;
- 			}
-diff --git a/drivers/target/iscsi/iscsi_target_parameters.h b/drivers/target/iscsi/iscsi_target_parameters.h
-index 915b067..a47046a 100644
---- a/drivers/target/iscsi/iscsi_target_parameters.h
-+++ b/drivers/target/iscsi/iscsi_target_parameters.h
-@@ -1,8 +1,10 @@
- #ifndef ISCSI_PARAMETERS_H
- #define ISCSI_PARAMETERS_H
- 
-+#include <scsi/iscsi_proto.h>
-+
- struct iscsi_extra_response {
--	char key[64];
-+	char key[KEY_MAXLEN];
- 	char value[32];
- 	struct list_head er_list;
- } ____cacheline_aligned;
---
-cgit v0.9.2

iwlwifi-dvm-fix-memset.patch

@@ -1,39 +0,0 @@
-From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
-
-In 63b77bf489881747c5118476918cc8c29378ee63
-
-	iwlwifi: dvm: don't send zeroed LQ cmd
-
-I tried to avoid to send zeroed LQ cmd, but I made a (very)
-stupid mistake in the memcmp.
-Since this patch has been ported to stable, the fix should
-go to stable too.
-
-This fixes https://bugzilla.kernel.org/show_bug.cgi?id=58341
-
-Change-Id: I0af4b3fdd537a1f674e85eb02dc0f5b5ac1ee7ac
-Cc: stable@vger.kernel.org
-Reported-by: Hinnerk van Bruinehsen <h.v.bruinehsen@fu-berlin.de>
-Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
----
-Josh, this fix ugly -stable 3.8, 3.9 regression, please apply.
-
- drivers/net/wireless/iwlwifi/dvm/sta.c |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/net/wireless/iwlwifi/dvm/sta.c b/drivers/net/wireless/iwlwifi/dvm/sta.c
-index 5175368..8212097 100644
---- a/drivers/net/wireless/iwlwifi/dvm/sta.c
-+++ b/drivers/net/wireless/iwlwifi/dvm/sta.c
-@@ -735,7 +735,7 @@ void iwl_restore_stations(struct iwl_priv *priv, struct iwl_rxon_context *ctx)
- 					memcpy(&lq, priv->stations[i].lq,
- 					       sizeof(struct iwl_link_quality_cmd));
- 
--				if (!memcmp(&lq, &zero_lq, sizeof(lq)))
-+				if (memcmp(&lq, &zero_lq, sizeof(lq)))
- 					send_lq = true;
- 			}
- 			spin_unlock_bh(&priv->sta_lock);
--- 
-1.7.10.4
-

kernel.spec

@@ -62,7 +62,7 @@ Summary: The Linux kernel
 # For non-released -rc kernels, this will be appended after the rcX and
 # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
 #
-%global baserelease 303
+%global baserelease 300
 %global fedora_build %{baserelease}
 
 # base_sublevel is the kernel version we're starting with and patching
@@ -74,7 +74,7 @@ Summary: The Linux kernel
 %if 0%{?released_kernel}
 
 # Do we have a -stable update to apply?
-%define stable_update 4
+%define stable_update 5
 # Is it a -stable RC?
 %define stable_rc 0
 # Set rpm version accordingly
@@ -760,17 +760,12 @@ Patch25021: radeon-use-max_bus-speed-to-activate-gen2-speeds.patch
 Patch25027: powerpc-pseries-Force-32-bit-MSIs-for-devices-that-r.patch
 Patch25029: powerpc-pseries-Make-32-bit-MSI-quirk-work-on-system.patch
 
-Patch25022: iwlwifi-dvm-fix-memset.patch
-
 #rhbz 964367
 Patch25023: hp-wmi-fix-incorrect-rfkill-set-hw-state.patch
 
 #rhbz 948262
 Patch25024: intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.patch
 
-#CVE-2013-2850 rhbz 968036 969272
-Patch25025: iscsi-target-fix-heap-buffer-overflow-on-error.patch
-
 #rhbz 964335
 Patch25026: Modify-UEFI-anti-bricking-code.patch
 
@@ -1498,17 +1493,12 @@ ApplyPatch radeon-use-max_bus-speed-to-activate-gen2-speeds.patch
 ApplyPatch powerpc-pseries-Force-32-bit-MSIs-for-devices-that-r.patch
 ApplyPatch powerpc-pseries-Make-32-bit-MSI-quirk-work-on-system.patch
 
-ApplyPatch iwlwifi-dvm-fix-memset.patch
-
 #rhbz 964367
 ApplyPatch hp-wmi-fix-incorrect-rfkill-set-hw-state.patch
 
 #rhbz 948262
 ApplyPatch intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.patch
 
-#CVE-2013-2850 rhbz 968036 969272
-ApplyPatch iscsi-target-fix-heap-buffer-overflow-on-error.patch
-
 #rhbz 964335
 ApplyPatch Modify-UEFI-anti-bricking-code.patch
 
@@ -2357,6 +2347,9 @@ fi
 # and build.
 
 %changelog
+* Mon Jun 10 2013 Josh Boyer <jwboyer@redhat.com>
+- Linux v3.9.5
+
 * Fri Jun 07 2013 Josh Boyer <jwboyer@redhat.com>
 - CVE-2013-2851 block: passing disk names as format strings (rhbz 969515 971662)
 - CVE-2013-2852 b43: format string leaking into error msgs (rhbz 969518 971665)

sources

@@ -1,2 +1,2 @@
 4348c9b6b2eb3144d601e87c19d5d909  linux-3.9.tar.xz
-922c4553299e6692a28761d3032fc012  patch-3.9.4.xz
+aa22187ae5cd482a69097e9e59244491  patch-3.9.5.xz