Hello community, here is the log from the commit of package libcgroup1 for openSUSE:11.4 checked in at Mon Mar 14 15:43:24 CET 2011. -------- --- old-versions/11.4/all/libcgroup1/libcgroup1.changes 2010-07-05 22:18:17.000000000 +0200 +++ 11.4/libcgroup1/libcgroup1.changes 2011-03-03 14:27:51.000000000 +0100 @@ -1,0 +2,6 @@ +Mon Feb 28 18:25:33 CET 2011 - jslaby@suse.de + +- verify the sender of netlink messages (bnc#675048, CVE-2011-1022) +- fix buf overflow (bnc#675506, CVE-2011-1006) + +------------------------------------------------------------------- Package does not exist at destination yet. Using Fallback old-versions/11.4/all/libcgroup1 Destination is old-versions/11.4/UPDATES/all/libcgroup1 calling whatdependson for 11.4-i586 New: ---- cgrulesengd-deny-message-forging.patch libcgroup-CVE-2011-1006.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libcgroup1.spec ++++++ --- /var/tmp/diff_new_pack.LyK1CQ/_old 2011-03-14 15:43:00.000000000 +0100 +++ /var/tmp/diff_new_pack.LyK1CQ/_new 2011-03-14 15:43:00.000000000 +0100 @@ -1,7 +1,7 @@ # -# spec file for package libcgroup1 (Version 0.36.2) +# spec file for package libcgroup1 # -# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -20,7 +20,7 @@ Name: libcgroup1 Version: 0.36.2 -Release: 2 +Release: 6.<RELEASE2> License: LGPLv2.1 Group: System/Management AutoReqProv: on @@ -31,6 +31,8 @@ Source2: initd_cgred Source3: sysconfig.cgred Source99: baselibs.conf +Patch0: cgrulesengd-deny-message-forging.patch +Patch1: libcgroup-CVE-2011-1006.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: bison flex gcc-c++ pam-devel pkg-config Requires: insserv pam 
@@ -69,6 +71,8 @@ %prep %setup -n libcgroup-%{version} +%patch0 -p1 +%patch1 -p1 %build %configure --enable-pam-module-dir=/%{_lib}/security ++++++ cgrulesengd-deny-message-forging.patch ++++++
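Review bot: the new libcgroup1.changes entry "- fix buf overflow (bnc#675506, CVE-2011-1006)" has a typo ("buf") and is vaguer than the patch it records; suggest "- fix buffer overflow when processing the list of controllers from the command line (bnc#675506, CVE-2011-1006)", matching the Subject line of libcgroup-CVE-2011-1006.patch.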
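Review bot: in the spec hunk adding Patch0/Patch1, the two patches are named inconsistently: Patch1 carries its CVE id in the filename while Patch0 (cgrulesengd-deny-message-forging.patch) does not, so nothing in the spec ties Patch0 to CVE-2011-1022 or bnc#675048; suggest a comment line with the bnc/CVE reference above each Patch line so the spec itself documents which fix each patch carries.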
From 0a59ea5e0b2ce466bfd35c9e700094bf09a0310d Mon Sep 17 00:00:00 2001
From: Nelson Elhage
Date: Thu, 17 Feb 2011 20:55:12 -0500
Subject: cgrulesengd: Ignore netlink messages that don't come from the kernel.
References: bnc#675048, CVE-2011-1022
recvfrom() returns the address; it doesn't filter the packet based on the
sender. We need to explicitly check the received address after the call happens.
Signed-off-by: Nelson Elhage
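The check the commit message describes, as an added C example that is not code from the libcgroup patch (the patch body is not reproduced here); the function names are my own. It assumes a netlink socket read with recvfrom(), where a message sent by the kernel carries source port id nl_pid == 0 and any other value identifies a user-space peer.

```c
/* Added example (not code from the libcgroup patch): the sender check the
 * commit message describes. Kernel-originated netlink messages carry source
 * port id nl_pid == 0; any other value is a user-space peer, not the kernel. */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <linux/netlink.h>

/* Returns 1 if the address recvfrom() filled in identifies the kernel as the
 * sender, 0 otherwise. fromlen is the length recvfrom() wrote back, so a
 * truncated address or one of another family is rejected as well. */
int netlink_sender_is_kernel(const struct sockaddr_nl *from, socklen_t fromlen)
{
    if (from == NULL || fromlen < sizeof(*from))
        return 0;
    if (from->nl_family != AF_NETLINK)
        return 0;
    return from->nl_pid == 0;
}

/* Builds an address with the given family and port id and runs the check;
 * used to exercise the check without opening a socket. */
int netlink_check_addr(unsigned short family, unsigned int port_id, socklen_t len)
{
    struct sockaddr_nl a;
    memset(&a, 0, sizeof(a));
    a.nl_family = family;
    a.nl_pid = port_id;
    return netlink_sender_is_kernel(&a, len);
}

/* Receives one datagram from netlink socket sock into buf. Returns the byte
 * count for a kernel-sent message, 0 when the datagram was discarded because
 * a user-space peer sent it, and -1 on recvfrom() failure (errno preserved). */
ssize_t netlink_recv_from_kernel(int sock, void *buf, size_t buflen)
{
    struct sockaddr_nl from;
    socklen_t fromlen = sizeof(from);
    ssize_t n;
    memset(&from, 0, sizeof(from));
    n = recvfrom(sock, buf, buflen, 0, (struct sockaddr *)&from, &fromlen);
    if (n < 0)
        return -1;
    /* The sender is only known after the call returns, so the check goes here. */
    if (!netlink_sender_is_kernel(&from, fromlen)) {
        fprintf(stderr, "ignoring netlink message from port id %u\n", from.nl_pid);
        return 0;
    }
    return n;
}
```

A daemon that only wants kernel input loops on netlink_recv_from_kernel() and treats a 0 return as "nothing to process", which is what the patch subject asks for.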
++++++ libcgroup-CVE-2011-1006.patch ++++++
From 5ae8aea1ecd60c439121d3329d8eaabf13d292c1 Mon Sep 17 00:00:00 2001
From: Jan Safranek
Date: Tue, 1 Mar 2011 13:11:35 +0100
Subject: Fix buffer overflow when processing list of controllers from command line (CVE-2011-1006).
Git-commit: 5ae8aea1ecd60c439121d3329d8eaabf13d292c1
Patch-mainline: yes
References: bnc#675506, CVE-2011-1006
Thanks to Nelson Elhage for reporting this issue.
Signed-off-by: Jan Safranek