[CVE-2009-1185] fix local privilege escalation in udev (even if we don't currently...
authorNicolas Thill <nico@openwrt.org>
Fri, 24 Apr 2009 02:29:34 +0000 (02:29 +0000)
committerNicolas Thill <nico@openwrt.org>
Fri, 24 Apr 2009 02:29:34 +0000 (02:29 +0000)
SVN-Revision: 15370

package/udev/Makefile
package/udev/patches/901-cve-2009-1185.patch [new file with mode: 0644]

index c611f9c..be25da0 100644 (file)
@@ -1,5 +1,5 @@
 # 
-# Copyright (C) 2006-2008 OpenWrt.org
+# Copyright (C) 2006-2009 OpenWrt.org
 #
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
@@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=udev
 PKG_VERSION:=106
-PKG_RELEASE:=1
+PKG_RELEASE:=1.1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=@KERNEL/linux/utils/kernel/hotplug/
diff --git a/package/udev/patches/901-cve-2009-1185.patch b/package/udev/patches/901-cve-2009-1185.patch
new file mode 100644 (file)
index 0000000..6e9919d
--- /dev/null
@@ -0,0 +1,40 @@
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1185
+
+--- a/udevd.c
++++ b/udevd.c
+@@ -734,16 +734,34 @@ static struct udevd_uevent_msg *get_netl
+       struct udevd_uevent_msg *msg;
+       int bufpos;
+       ssize_t size;
++      struct sockaddr_nl snl;
++      struct msghdr smsg;
++      struct iovec iov;
+       static char buffer[UEVENT_BUFFER_SIZE+512];
+       char *pos;
+-      size = recv(uevent_netlink_sock, &buffer, sizeof(buffer), 0);
++      iov.iov_base = buffer;
++      iov.iov_len = sizeof(buffer);
++
++      memset(&smsg, 0x00, sizeof(struct msghdr));
++      smsg.msg_name = &snl;
++      smsg.msg_namelen = sizeof(struct sockaddr_nl);
++      smsg.msg_iov = &iov;
++      smsg.msg_iovlen = 1;
++
++      size = recvmsg(uevent_netlink_sock, &smsg, 0);
+       if (size <  0) {
+               if (errno != EINTR)
+                       err("unable to receive kernel netlink message: %s", strerror(errno));
+               return NULL;
+       }
++      if ((snl.nl_groups != 1) || (snl.nl_pid != 0)) {
++              info("ignored netlink message from invalid group/sender %d/%d\n",
++                   snl.nl_groups, snl.nl_pid);
++              return NULL;
++      }
++
+       if ((size_t)size > sizeof(buffer)-1)
+               size = sizeof(buffer)-1;
+       buffer[size] = '\0';
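Review bot: The group/sender test added after `recvmsg()` in `get_netlink_msg` reads `snl.nl_groups` and `snl.nl_pid` without confirming that a complete source address was returned: `snl` is never zeroed and `smsg.msg_namelen` is not examined after the call. Since this comparison is the whole trust decision for the uevent, I would add `memset(&snl, 0x00, sizeof(struct sockaddr_nl));` before the call and `if (smsg.msg_namelen < sizeof(struct sockaddr_nl)) return NULL;` ahead of the field comparison, so a short or missing address fails closed. Both fields are unsigned 32-bit in `struct sockaddr_nl`, so the `info()` format should be `%u/%u`, and its trailing `\n` is inconsistent with the `err()` call just above. The function begins before and continues after this hunk, so how `msg` is built from `buffer` is not visible here.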