From b930873422e3a3f44e254f3fa6c8d6e2f5232973 Mon Sep 17 00:00:00 2001
From: Josh Boyer
Date: Fri, 11 Dec 2015 07:37:18 -0500
Subject: [PATCH] Linux v4.3.2
---
 X.509-Fix-the-time-validation-ver-3.patch | 79 -----------------------
 kernel.spec | 8 +--
 sources | 2 +-
 3 files changed, 5 insertions(+), 84 deletions(-)
 delete mode 100644 X.509-Fix-the-time-validation-ver-3.patch
diff --git a/X.509-Fix-the-time-validation-ver-3.patch b/X.509-Fix-the-time-validation-ver-3.patch
deleted file mode 100644
index a4056d878..000000000
--- a/X.509-Fix-the-time-validation-ver-3.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-From 5cfd0a0f7cbc6bc9833b8a1bb5acb6056c9c53d9 Mon Sep 17 00:00:00 2001
-From: David Howells
-Date: Thu, 12 Nov 2015 11:38:40 +0000
-Subject: [PATCH] X.509: Fix the time validation [ver #3]
-
-This fixes CVE-2015-5327. It affects kernels from 4.3-rc1 onwards.
-
-Fix the X.509 time validation to use month number-1 when looking up the
-number of days in that month. Also put the month number validation before
-doing the lookup so as not to risk overrunning the array.
-
-This can be tested by doing the following:
-
-cat <
-Signed-off-by: David Howells
-Tested-by: Mimi Zohar
-Acked-by: David Woodhouse
----
- crypto/asymmetric_keys/x509_cert_parser.c | 10 ++++++----
- 1 file changed, 6 insertions(+), 4 deletions(-)
-
-diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c
-index af71878dc15b..ddde54c45ff7 100644
---- a/crypto/asymmetric_keys/x509_cert_parser.c
-+++ b/crypto/asymmetric_keys/x509_cert_parser.c
-@@ -531,7 +531,11 @@ int x509_decode_time(time64_t *_t, size_t hdrlen,
- if (*p != 'Z')
- goto unsupported_time;
-
-- mon_len = month_lengths[mon];
-+ if (year < 1970 ||
-+ mon < 1 || mon > 12)
-+ goto invalid_time;
-+
-+ mon_len = month_lengths[mon - 1];
- if (mon == 2) {
- if (year % 4 == 0) {
- mon_len = 29;
-@@ -543,9 +547,7 @@ int x509_decode_time(time64_t *_t, size_t hdrlen,
- }
- }
-
-- if (year < 1970 ||
-- mon < 1 || mon > 12 ||
-- day < 1 || day > mon_len ||
-+ if (day < 1 || day > mon_len ||
- hour < 0 || hour > 23 ||
- min < 0 || min > 59 ||
- sec < 0 || sec > 59)
---
-2.4.3
-
diff --git a/kernel.spec b/kernel.spec
index be7ca86f7..979f051c9 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -52,7 +52,7 @@ Summary: The Linux kernel
 %if 0%{?released_kernel}
 # Do we have a -stable update to apply?
-%define stable_update 1
+%define stable_update 2
 # Set rpm version accordingly
 %if 0%{?stable_update}
 %define stablerev %{stable_update}
@@ -604,9 +604,6 @@ Patch552: megaraid_sas-Do-not-use-PAGE_SIZE-for-max_sectors.patch
 #rhbz 1275490
 Patch553: ideapad-laptop-Add-Lenovo-Yoga-900-to-no_hw_rfkill-d.patch
-#CVE-2015-5327
-Patch554: X.509-Fix-the-time-validation-ver-3.patch
-
 #rhbz 1279189
 Patch556: netfilter-ipset-Fix-extension-alignment.patch
 Patch557: netfilter-ipset-Fix-hash-type-expiration.patch
@@ -2076,6 +2073,9 @@ fi
 #
 #
 %changelog
+* Fri Dec 11 2015 Josh Boyer
+- Linux v4.3.2
+
 * Thu Dec 10 2015 Laura Abbott
 - Ignore errors from scsi_dh_add_device (rhbz 1288687)
diff --git a/sources b/sources
index 085c8f7f8..074099c45 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
 58b35794eee3b6d52ce7be39357801e7 linux-4.3.tar.xz
 7c516c9528b9f9aac0136944b0200b7e perf-man-4.3.tar.gz
-6c2dcd8d314f687f317b44820151dd92 patch-4.3.1.xz
+3a465c7cf55ec9dbf2d72d9292aa5fde patch-4.3.2.xz