From: Nicolas Thill Date: Fri, 24 Apr 2009 02:29:34 +0000 (+0000) Subject: [CVE-2009-1185] fix local privilege escalation in udev (even if we don't currently... X-Git-Url: http://git.openwrt.org/?p=openwrt%2Fsvn-archive%2Farchive.git;a=commitdiff_plain;h=ab91055ff92bfa056ad21d5dc1dfde274da6f962 [CVE-2009-1185] fix local privilege escalation in udev (even if we don't currently use udevd) SVN-Revision: 15370 --- diff --git a/package/udev/Makefile b/package/udev/Makefile index c611f9cc4a..be25da0e65 100644 --- a/package/udev/Makefile +++ b/package/udev/Makefile @@ -1,5 +1,5 @@ # -# Copyright (C) 2006-2008 OpenWrt.org +# Copyright (C) 2006-2009 OpenWrt.org # # This is free software, licensed under the GNU General Public License v2. # See /LICENSE for more information. @@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=udev PKG_VERSION:=106 -PKG_RELEASE:=1 +PKG_RELEASE:=1.1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE_URL:=@KERNEL/linux/utils/kernel/hotplug/ diff --git a/package/udev/patches/901-cve-2009-1185.patch b/package/udev/patches/901-cve-2009-1185.patch new file mode 100644 index 0000000000..6e9919df6b --- /dev/null +++ b/package/udev/patches/901-cve-2009-1185.patch 
@@ -0,0 +1,40 @@
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1185
+
+--- a/udevd.c
++++ b/udevd.c
+@@ -734,16 +734,34 @@ static struct udevd_uevent_msg *get_netl
+ struct udevd_uevent_msg *msg;
+ int bufpos;
+ ssize_t size;
++ struct sockaddr_nl snl;
++ struct msghdr smsg;
++ struct iovec iov;
+ static char buffer[UEVENT_BUFFER_SIZE+512];
+ char *pos;
+
+- size = recv(uevent_netlink_sock, &buffer, sizeof(buffer), 0);
++ iov.iov_base = buffer;
++ iov.iov_len = sizeof(buffer);
++
++ memset(&smsg, 0x00, sizeof(struct msghdr));
++ smsg.msg_name = &snl;
++ smsg.msg_namelen = sizeof(struct sockaddr_nl);
++ smsg.msg_iov = &iov;
++ smsg.msg_iovlen = 1;
++
++ size = recvmsg(uevent_netlink_sock, &smsg, 0);
+ if (size < 0) {
+ if (errno != EINTR)
+ err("unable to receive kernel netlink message: %s", strerror(errno));
+ return NULL;
+ }
+
++ if ((snl.nl_groups != 1) || (snl.nl_pid != 0)) {
++ info("ignored netlink message from invalid group/sender %d/%d\n",
++ snl.nl_groups, snl.nl_pid);
++ return NULL;
++ }
++
+ if ((size_t)size > sizeof(buffer)-1)
+ size = sizeof(buffer)-1;
+ buffer[size] = '\0';
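Review bot: The sender check on `snl.nl_groups` / `snl.nl_pid` reads a stack `struct sockaddr_nl` that is never initialised, and `smsg.msg_namelen` is not inspected after `recvmsg()`, so the test depends on the kernel always writing a full address. Because this comparison is the whole of the CVE-2009-1185 fix, it should fail closed: add `memset(&snl, 0x00, sizeof(struct sockaddr_nl));` before the call and also reject when `smsg.msg_namelen < sizeof(struct sockaddr_nl)`. Both fields are unsigned 32-bit in `struct sockaddr_nl`, so the `info()` format should be `%u/%u`, and a one-line comment saying that group 1 with pid 0 is presumably the kernel's uevent multicast would explain the bare constants. A truncated datagram (`smsg.msg_flags & MSG_TRUNC`) is still passed on as if complete; the body of the function starts before and continues after this hunk, so whether the later parsing tolerates that cannot be seen from here.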