From 2c3d70cfcb6105d064465675e106fbdb06beacd17d60ebea00ea2b545febb4bf Mon Sep 17 00:00:00 2001 From: Olaf Hering Date: Thu, 8 Nov 2012 13:34:35 +0000 Subject: [PATCH 01/15] - Netlink source address validation allows DoS bugfix for recvfrom check from bnc#761200 OBS-URL: https://build.opensuse.org/package/show/Virtualization/hyper-v?expand=0&rev=37 --- hyper-v.changes | 6 +++ hyper-v.spec | 2 + ...s.hv.hv_kvp_daemon.netlink-spoof-DoS.patch | 43 +++++++++++++++++++ 3 files changed, 51 insertions(+) create mode 100644 hyper-v.tools.hv.hv_kvp_daemon.netlink-spoof-DoS.patch diff --git a/hyper-v.changes b/hyper-v.changes index 9949a8e..f3f5091 100644 --- a/hyper-v.changes +++ b/hyper-v.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Thu Nov 8 14:30:05 CET 2012 - ohering@suse.de + +- Netlink source address validation allows DoS + bugfix for recvfrom check from bnc#761200 + ------------------------------------------------------------------- Fri Oct 26 17:13:40 CEST 2012 - ohering@suse.de diff --git a/hyper-v.spec b/hyper-v.spec index 6f791cd..1103259 100644 --- a/hyper-v.spec +++ b/hyper-v.spec @@ -55,6 +55,7 @@ Source21: hyper-v.tools.hv.hv_get_dns_info.sh Source22: hyper-v.tools.hv.hv_set_ifconfig.sh Patch0: full-kernel-version.patch Patch1: no-loopback.patch +Patch2: hyper-v.tools.hv.hv_kvp_daemon.netlink-spoof-DoS.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %if %{with_kmp} @@ -91,6 +92,7 @@ cp -vL %{S:9} %{hv_kvp_daemon}.h cp -vL %{S:10} %{hv_kvp_daemon}.c %patch0 -p3 %patch1 -p3 +%patch2 -p3 %build sed -i~ '/#include /d' %{hv_kvp_daemon}.c diff --git a/hyper-v.tools.hv.hv_kvp_daemon.netlink-spoof-DoS.patch b/hyper-v.tools.hv.hv_kvp_daemon.netlink-spoof-DoS.patch new file mode 100644 index 0000000..915308f --- /dev/null +++ b/hyper-v.tools.hv.hv_kvp_daemon.netlink-spoof-DoS.patch 
@@ -0,0 +1,43 @@ +From: Tomas Hozza +Subject: [PATCH] tools: hv: Netlink source address validation allows DoS +Date: Thu, 8 Nov 2012 10:53:29 +0100 +Message-Id: <1352368409-18809-1-git-send-email-thozza@redhat.com> + +The source code without this patch caused hypervkvpd to exit when it processed +a spoofed Netlink packet which has been sent from an untrusted local user. +Now Netlink messages with a non-zero nl_pid source address are ignored +and a warning is printed into the syslog. + +Signed-off-by: Tomas Hozza +--- + tools/hv/hv_kvp_daemon.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/tools/hv/hv_kvp_daemon.c b/tools/hv/hv_kvp_daemon.c +index 13c2a14..c1d9102 100755 +--- a/tools/hv/hv_kvp_daemon.c ++++ b/tools/hv/hv_kvp_daemon.c +@@ -1486,13 +1486,19 @@ int main(void) + len = recvfrom(fd, kvp_recv_buffer, sizeof(kvp_recv_buffer), 0, + addr_p, &addr_l); + +- if (len < 0 || addr.nl_pid) { ++ if (len < 0) { + syslog(LOG_ERR, "recvfrom failed; pid:%u error:%d %s", + addr.nl_pid, errno, strerror(errno)); + close(fd); + return -1; + } + ++ if (addr.nl_pid) { ++ syslog(LOG_WARNING, "Received packet from untrusted pid:%u", ++ addr.nl_pid); ++ continue; ++ } ++ + incoming_msg = (struct nlmsghdr *)kvp_recv_buffer; + incoming_cn_msg = (struct cn_msg *)NLMSG_DATA(incoming_msg); + hv_msg = (struct hv_kvp_msg *)incoming_cn_msg->data; +-- +1.7.11.7 + From e9f40f192eaaae3a62651f689cb97c4c7a8fd3348512b7df88a7289afc234358 Mon Sep 17 00:00:00 2001 
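Review bot: After the new `nl_pid` check, the loop still casts `kvp_recv_buffer` to `struct nlmsghdr` and follows `NLMSG_DATA()` into `cn_msg` and `hv_kvp_msg` without comparing `len` to the size of those headers. A short or zero-length datagram would therefore be parsed from whatever the buffer held on the previous iteration. A guard before the cast would close that, for example `if ((size_t)len < NLMSG_LENGTH(sizeof(struct cn_msg) + sizeof(struct hv_kvp_msg))) continue;`, or the smallest size the kernel side really sends. The `LOG_WARNING` is written once per rejected packet, so the local user who could previously stop the daemon can now fill the log; a counter or rate limit on that message would help. The `main()` loop starts and ends outside the hunk, and PATCH 02/15 merges the same code into `hyper-v.tools.hv.hv_kvp_daemon.c` (the `@@ -1478,13 +1486,19 @@` hunk).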
From: Olaf Hering Date: Mon, 12 Nov 2012 16:16:00 +0000 Subject: [PATCH 02/15] merge all changes into hv_kvp_daemon.c OBS-URL: https://build.opensuse.org/package/show/Virtualization/hyper-v?expand=0&rev=38 --- full-kernel-version.patch | 60 ----------------- hyper-v.spec | 6 -- hyper-v.tools.hv.hv_kvp_daemon.c | 30 ++++++--- ...s.hv.hv_kvp_daemon.netlink-spoof-DoS.patch | 43 ------------ no-loopback.patch | 67 ------------------- 5 files changed, 22 insertions(+), 184 deletions(-) delete mode 100644 full-kernel-version.patch delete mode 100644 hyper-v.tools.hv.hv_kvp_daemon.netlink-spoof-DoS.patch delete mode 100644 no-loopback.patch diff --git a/full-kernel-version.patch b/full-kernel-version.patch deleted file mode 100644 index a555544..0000000 --- a/full-kernel-version.patch +++ /dev/null 
@@ -1,60 +0,0 @@ -From: "K. Y. Srinivasan" -Subject: [PATCH 1/1] tools: hv: Return the full kernel version -Date: Fri, 12 Oct 2012 16:40:10 -0700 -Message-Id: <1350085210-11108-1-git-send-email-kys@microsoft.com> - -Currently, we are returning the same string for both OSBuildNumber -and OSVersion keys. Return the full uts string for the OSBuild -key since Windows does not impose any restrictions on this. - -Signed-off-by: K. Y. Srinivasan -Reviewed-by: Haiyang Zhang -Reported-by: Claudio Latini ---- - tools/hv/hv_kvp_daemon.c | 9 ++++++--- - 1 files changed, 6 insertions(+), 3 deletions(-) - -diff --git a/tools/hv/hv_kvp_daemon.c b/tools/hv/hv_kvp_daemon.c -index 5959aff..6c7bcb9 100644 ---- a/tools/hv/hv_kvp_daemon.c -+++ b/tools/hv/hv_kvp_daemon.c -@@ -88,6 +88,7 @@ static char *os_major = ""; - static char *os_minor = ""; - static char *processor_arch; - static char *os_build; -+static char *os_version; - static char *lic_version = "Unknown version"; - static struct utsname uts_buf; - -@@ -453,7 +454,9 @@ void kvp_get_os_info(void) - char *p, buf[512]; - - uname(&uts_buf); -- os_build = uts_buf.release; -+ os_version = uts_buf.release; -+ os_build = strdup(uts_buf.release); -+ - os_name = uts_buf.sysname; - processor_arch = uts_buf.machine; - -@@ -462,7 +465,7 @@ void kvp_get_os_info(void) - * string to be of the form: x.y.z - * Strip additional information we may have. - */ -- p = strchr(os_build, '-'); -+ p = strchr(os_version, '-'); - if (p) - *p = '\0'; - -@@ -1649,7 +1652,7 @@ int main(void) - strcpy(key_name, "OSMinorVersion"); - break; - case OSVersion: -- strcpy(key_value, os_build); -+ strcpy(key_value, os_version); - strcpy(key_name, "OSVersion"); - break; - case ProcessorArchitecture: --- -1.7.4.1 - diff --git a/hyper-v.spec b/hyper-v.spec index 1103259..2363e95 100644 --- a/hyper-v.spec +++ b/hyper-v.spec 
@@ -53,9 +53,6 @@ Source11: hyper-v.init.sh Source20: hyper-v.tools.hv.hv_get_dhcp_info.sh Source21: hyper-v.tools.hv.hv_get_dns_info.sh Source22: hyper-v.tools.hv.hv_set_ifconfig.sh -Patch0: full-kernel-version.patch -Patch1: no-loopback.patch -Patch2: hyper-v.tools.hv.hv_kvp_daemon.netlink-spoof-DoS.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %if %{with_kmp} @@ -90,9 +87,6 @@ This package contains the Microsoft Hyper-V drivers. cp -avL %{S:5} kvptest.ps1.txt cp -vL %{S:9} %{hv_kvp_daemon}.h cp -vL %{S:10} %{hv_kvp_daemon}.c -%patch0 -p3 -%patch1 -p3 -%patch2 -p3 %build sed -i~ '/#include /d' %{hv_kvp_daemon}.c diff --git a/hyper-v.tools.hv.hv_kvp_daemon.c b/hyper-v.tools.hv.hv_kvp_daemon.c index 645dab7..7164441 100644 --- a/hyper-v.tools.hv.hv_kvp_daemon.c +++ b/hyper-v.tools.hv.hv_kvp_daemon.c @@ -43,6 +43,7 @@ #include #include #include +#include /* * KVP protocol: The user mode component first registers with the @@ -88,6 +89,7 @@ static char *os_major = ""; static char *os_minor = ""; static char *processor_arch; static char *os_build; +static char *os_version; static char *lic_version = "Unknown version"; static struct utsname uts_buf; @@ -453,7 +455,9 @@ void kvp_get_os_info(void) char *p, buf[512]; uname(&uts_buf); - os_build = uts_buf.release; + os_version = uts_buf.release; + os_build = strdup(uts_buf.release); + os_name = uts_buf.sysname; processor_arch = uts_buf.machine; @@ -462,7 +466,7 @@ void kvp_get_os_info(void) * string to be of the form: x.y.z * Strip additional information we may have. */ - p = strchr(os_build, '-'); + p = strchr(os_version, '-'); if (p) *p = '\0'; @@ -879,7 +883,7 @@ static int kvp_process_ip_address(void *addrp, addr_length = INET6_ADDRSTRLEN; } - if ((length - *offset) < addr_length + 1) + if ((length - *offset) < addr_length + 2) return HV_E_FAIL; if (str == NULL) { strcpy(buffer, "inet_ntop failed\n"); 
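Review bot: In the `kvp_get_os_info()` hunk, `os_build = strdup(uts_buf.release);` is never checked for NULL, and the `uname(&uts_buf)` call just above it is not checked either. `os_build` is presumably copied into a key value later, as `os_version` is in the `OSVersion` case, so a failed allocation would become a NULL dereference in the daemon. I would add `if (os_build == NULL) { syslog(LOG_ERR, "strdup failed"); exit(EXIT_FAILURE); }` right after the `strdup()`. A short comment there would also help, such as `/* os_build keeps the full release string; os_version is truncated in place below */`, because the two pointers now differ only through that side effect. The function body continues outside the hunk.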
@@ -887,11 +891,13 @@ static int kvp_process_ip_address(void *addrp, } if (*offset == 0) strcpy(buffer, tmp); - else + else { + strcat(buffer, ";"); strcat(buffer, tmp); - strcat(buffer, ";"); + } *offset += strlen(str) + 1; + return 0; } @@ -953,7 +959,9 @@ kvp_get_ip_info(int family, char *if_name, int op, * supported address families; if not we gather info on * the specified address family. */ - if ((family != 0) && (curp->ifa_addr->sa_family != family)) { + if ((((family != 0) && + (curp->ifa_addr->sa_family != family))) || + (curp->ifa_flags & IFF_LOOPBACK)) { curp = curp->ifa_next; continue; } @@ -1478,13 +1486,19 @@ int main(void) len = recvfrom(fd, kvp_recv_buffer, sizeof(kvp_recv_buffer), 0, addr_p, &addr_l); - if (len < 0 || addr.nl_pid) { + if (len < 0) { syslog(LOG_ERR, "recvfrom failed; pid:%u error:%d %s", addr.nl_pid, errno, strerror(errno)); close(fd); return -1; } + if (addr.nl_pid) { + syslog(LOG_WARNING, "Received packet from untrusted pid:%u", + addr.nl_pid); + continue; + } + incoming_msg = (struct nlmsghdr *)kvp_recv_buffer; incoming_cn_msg = (struct cn_msg *)NLMSG_DATA(incoming_msg); hv_msg = (struct hv_kvp_msg *)incoming_cn_msg->data; @@ -1649,7 +1663,7 @@ int main(void) strcpy(key_name, "OSMinorVersion"); break; case OSVersion: - strcpy(key_value, os_build); + strcpy(key_value, os_version); strcpy(key_name, "OSVersion"); break; case ProcessorArchitecture: diff --git a/hyper-v.tools.hv.hv_kvp_daemon.netlink-spoof-DoS.patch b/hyper-v.tools.hv.hv_kvp_daemon.netlink-spoof-DoS.patch deleted file mode 100644 index 915308f..0000000 --- a/hyper-v.tools.hv.hv_kvp_daemon.netlink-spoof-DoS.patch +++ /dev/null 
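Review bot: The rewritten condition in the `kvp_get_ip_info()` hunk still dereferences `curp->ifa_addr->sa_family` whenever `family != 0`, and `getifaddrs()` may return entries whose `ifa_addr` is NULL. Unless a NULL check precedes this hunk, such an interface would crash the daemon. Testing the pointer and the flag first avoids that: `if (curp->ifa_addr == NULL || (curp->ifa_flags & IFF_LOOPBACK) || (family != 0 && curp->ifa_addr->sa_family != family)) {`. This form also drops the redundant triple parentheses around the family test. The loop that owns `curp` begins and ends outside the hunk.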
@@ -1,43 +0,0 @@ -From: Tomas Hozza -Subject: [PATCH] tools: hv: Netlink source address validation allows DoS -Date: Thu, 8 Nov 2012 10:53:29 +0100 -Message-Id: <1352368409-18809-1-git-send-email-thozza@redhat.com> - -The source code without this patch caused hypervkvpd to exit when it processed -a spoofed Netlink packet which has been sent from an untrusted local user. -Now Netlink messages with a non-zero nl_pid source address are ignored -and a warning is printed into the syslog. - -Signed-off-by: Tomas Hozza ---- - tools/hv/hv_kvp_daemon.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/tools/hv/hv_kvp_daemon.c b/tools/hv/hv_kvp_daemon.c -index 13c2a14..c1d9102 100755 ---- a/tools/hv/hv_kvp_daemon.c -+++ b/tools/hv/hv_kvp_daemon.c -@@ -1486,13 +1486,19 @@ int main(void) - len = recvfrom(fd, kvp_recv_buffer, sizeof(kvp_recv_buffer), 0, - addr_p, &addr_l); - -- if (len < 0 || addr.nl_pid) { -+ if (len < 0) { - syslog(LOG_ERR, "recvfrom failed; pid:%u error:%d %s", - addr.nl_pid, errno, strerror(errno)); - close(fd); - return -1; - } - -+ if (addr.nl_pid) { -+ syslog(LOG_WARNING, "Received packet from untrusted pid:%u", -+ addr.nl_pid); -+ continue; -+ } -+ - incoming_msg = (struct nlmsghdr *)kvp_recv_buffer; - incoming_cn_msg = (struct cn_msg *)NLMSG_DATA(incoming_msg); - hv_msg = (struct hv_kvp_msg *)incoming_cn_msg->data; --- -1.7.11.7 - diff --git a/no-loopback.patch b/no-loopback.patch deleted file mode 100644 index 8aade95..0000000 --- a/no-loopback.patch +++ /dev/null 
@@ -1,67 +0,0 @@ -From: "K. Y. Srinivasan" -Subject: [PATCH 1/1] Tools: hv: Don't return loopback addresses -Date: Fri, 12 Oct 2012 16:41:48 -0700 -Message-Id: <1350085308-11152-1-git-send-email-kys@microsoft.com> - -Don't return loopback addresses and further don't terminate -the IP address strings with a semicolon. This is the current -behavior of Windows guests. - -Signed-off-by: K. Y. Srinivasan -Reviewed-by: Haiyang Zhang -Reported-by: Claudio Latini ---- - tools/hv/hv_kvp_daemon.c | 13 +++++++++---- - 1 files changed, 9 insertions(+), 4 deletions(-) - -diff --git a/tools/hv/hv_kvp_daemon.c b/tools/hv/hv_kvp_daemon.c -index 6c7bcb9..13c2a14 100644 ---- a/tools/hv/hv_kvp_daemon.c -+++ b/tools/hv/hv_kvp_daemon.c -@@ -43,6 +43,7 @@ - #include - #include - #include -+#include - - /* - * KVP protocol: The user mode component first registers with the -@@ -882,7 +883,7 @@ static int kvp_process_ip_address(void *addrp, - addr_length = INET6_ADDRSTRLEN; - } - -- if ((length - *offset) < addr_length + 1) -+ if ((length - *offset) < addr_length + 2) - return HV_E_FAIL; - if (str == NULL) { - strcpy(buffer, "inet_ntop failed\n"); -@@ -890,11 +891,13 @@ static int kvp_process_ip_address(void *addrp, - } - if (*offset == 0) - strcpy(buffer, tmp); -- else -+ else { -+ strcat(buffer, ";"); - strcat(buffer, tmp); -- strcat(buffer, ";"); -+ } - - *offset += strlen(str) + 1; -+ - return 0; - } - -@@ -956,7 +959,9 @@ kvp_get_ip_info(int family, char *if_name, int op, - * supported address families; if not we gather info on - * the specified address family. - */ -- if ((family != 0) && (curp->ifa_addr->sa_family != family)) { -+ if ((((family != 0) && -+ (curp->ifa_addr->sa_family != family))) || -+ (curp->ifa_flags & IFF_LOOPBACK)) { - curp = curp->ifa_next; - continue; - } --- -1.7.4.1 - From f8271141f706b5bc410ffabf6994bd778a69d1894fa2e87022d2e1892d1b9329 Mon Sep 17 00:00:00 2001 
From: Olaf Hering Date: Mon, 12 Nov 2012 16:20:02 +0000 Subject: [PATCH 03/15] - remove code to build kmp, it was not enabled because the drivers are now in kernel since a long time. OBS-URL: https://build.opensuse.org/package/show/Virtualization/hyper-v?expand=0&rev=39 --- hyper-v.changes | 6 +++++ hyper-v.spec | 68 ------------------------------------------------- 2 files changed, 6 insertions(+), 68 deletions(-) diff --git a/hyper-v.changes b/hyper-v.changes index f3f5091..db9976f 100644 --- a/hyper-v.changes +++ b/hyper-v.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Mon Nov 12 17:18:25 CET 2012 - ohering@suse.de + +- remove code to build kmp, it was not enabled because the + drivers are now in kernel since a long time. + ------------------------------------------------------------------- Thu Nov 8 14:30:05 CET 2012 - ohering@suse.de diff --git a/hyper-v.spec b/hyper-v.spec index 2363e95..00c4530 100644 --- a/hyper-v.spec +++ b/hyper-v.spec @@ -16,21 +16,9 @@ # -%define with_kmp 0 -%define with_modprobe 0 -%if %{with_kmp} -%define with_drivers_in_kmp 0 -%endif %define hv_kvp_daemon hv_kvp_daemon Name: hyper-v -%if %{with_kmp} -BuildRequires: kernel-default-devel -BuildRequires: module-init-tools -%ifarch %ix86 -BuildRequires: kernel-pae-devel -%endif -%endif ExclusiveArch: %ix86 x86_64 PreReq: %insserv_prereq Summary: Microsoft Hyper-V tools 
@@ -55,33 +43,10 @@ Source21: hyper-v.tools.hv.hv_get_dns_info.sh Source22: hyper-v.tools.hv.hv_set_ifconfig.sh BuildRoot: %{_tmppath}/%{name}-%{version}-build -%if %{with_kmp} -%if %{with_drivers_in_kmp} -%suse_kernel_module_package -n hyper-v um xen -f kmp_filelist -%else -%suse_kernel_module_package -n hyper-v um xen -f kmp_filelist -p hyper-v.supplements.txt -%endif -%endif %description This package contains the Microsoft Hyper-V tools. - - -%if %{with_kmp} - -%package KMP - -Summary: Microsoft Hyper-V drivers -Group: System/Kernel - -%description KMP -This package contains the Microsoft Hyper-V drivers. - - - -%endif - %prep %setup -Tc cp -avL %{S:5} kvptest.ps1.txt @@ -100,31 +65,8 @@ gcc \ -DCN_KVP_IDX=0x9 \ -DCN_KVP_VAL=0x1 \ -o %{hv_kvp_daemon} -%if %{with_kmp} -for flavor in %flavors_to_build; do -%if %{with_drivers_in_kmp} - krel=$(make -s -C %{kernel_source $flavor} kernelrelease) - cp -a /lib/modules/$krel/source/drivers/staging/hv $flavor -%else - rm -rfv $flavor - mkdir -p $flavor - cp %_sourcedir/hyper-v.dummy_ko.c $flavor/hyper-v.suse_kmp_dummy.c - cat > $flavor/Makefile <<-EOF -obj-m += hyper-v.suse_kmp_dummy.o -EOF -%endif - cp %_sourcedir/Module.supported $flavor - make -C %{kernel_source $flavor} modules M=$PWD/$flavor -done -%endif %install -%if %{with_kmp} -export INSTALL_MOD_PATH=$RPM_BUILD_ROOT -for flavor in %flavors_to_build; do - make -C %{kernel_source $flavor} modules_install M=$PWD/$flavor -done -%endif mkdir -p $RPM_BUILD_ROOT/usr/sbin install -m755 %{hv_kvp_daemon} $RPM_BUILD_ROOT/usr/sbin mkdir -p $RPM_BUILD_ROOT/usr/lib/%{name}/bin 
@@ -135,20 +77,10 @@ chmod 755 $RPM_BUILD_ROOT/usr/lib/%{name}/bin/* mkdir -p $RPM_BUILD_ROOT/etc/init.d install -m755 %{S:11} $RPM_BUILD_ROOT/etc/init.d/%{hv_kvp_daemon} ln -sfvbn ../../etc/init.d/%{hv_kvp_daemon} $RPM_BUILD_ROOT/usr/sbin/rc%{hv_kvp_daemon} -%if %{with_modprobe} -mkdir -p $RPM_BUILD_ROOT/etc/modprobe.d -install -m644 %SOURCE1 $RPM_BUILD_ROOT/etc/modprobe.d/hyperv_pvdrivers.conf -%endif %files %defattr (-,root,root) %doc kvptest.ps1.txt -%if %{with_modprobe} -%if !%{with_kmp} -%dir /etc/modprobe.d -%config /etc/modprobe.d/hyperv_pvdrivers.conf -%endif -%endif /etc/init.d/%{hv_kvp_daemon} /usr/sbin/rc%{hv_kvp_daemon} /usr/sbin/%{hv_kvp_daemon} From 003cb503c195080eae088478daf3c515c50a8d9e08e4c8fb30f1a1121f3bc28d Mon Sep 17 00:00:00 2001 From: Olaf Hering Date: Mon, 12 Nov 2012 18:13:21 +0000 Subject: [PATCH 04/15] remove obsolete files from obsolete KMP code OBS-URL: https://build.opensuse.org/package/show/Virtualization/hyper-v?expand=0&rev=40 --- Module.supported | 7 ------- hyper-v.spec | 4 ---- hyperv_pvdrivers.conf | 5 ----- kmp_filelist | 3 --- 4 files changed, 19 deletions(-) delete mode 100644 Module.supported delete mode 100644 hyperv_pvdrivers.conf delete mode 100644 kmp_filelist diff --git a/Module.supported b/Module.supported deleted file mode 100644 index fe6eeaa..0000000 --- a/Module.supported +++ /dev/null @@ -1,7 +0,0 @@ -drivers/staging/hv/hv_blkvsc external -drivers/staging/hv/hv_netvsc external -drivers/staging/hv/hv_storvsc external -drivers/staging/hv/hv_timesource external -drivers/staging/hv/hv_utils external -drivers/staging/hv/hv_vmbus external - diff --git a/hyper-v.spec b/hyper-v.spec index 00c4530..d3d3f1a 100644 --- a/hyper-v.spec +++ b/hyper-v.spec 
@@ -29,10 +29,6 @@ Supplements: modalias(pci:v00001414d00005353sv*sd*bc*sc*i*) Url: http://www.kernel.org Version: 4 Release: 0 -Source: Module.supported -Source1: hyperv_pvdrivers.conf -Source2: kmp_filelist -Source3: hyper-v.supplements.txt Source4: hyper-v.dummy_ko.c Source5: hyper-v.kvptest.ps1.txt Source9: hyper-v.include.linux.hyperv.h diff --git a/hyperv_pvdrivers.conf b/hyperv_pvdrivers.conf deleted file mode 100644 index 4e4a331..0000000 --- a/hyperv_pvdrivers.conf +++ /dev/null @@ -1,5 +0,0 @@ -# Install HyperV paravirtualized drivers -install ide_core /sbin/modprobe hv_blkvsc 2>&1 ; /sbin/modprobe --ignore-install ide_core - -install ata_piix { /sbin/modprobe hv_blkvsc 2>&1 || /sbin/modprobe --ignore-install ata_piix; } - diff --git a/kmp_filelist b/kmp_filelist deleted file mode 100644 index efd5a65..0000000 --- a/kmp_filelist +++ /dev/null @@ -1,3 +0,0 @@ -%defattr (-,root,root) -/lib/modules/%2-%1 -%config /etc/modprobe.d/hyperv_pvdrivers.conf From f12f870a5f4f4fcdd77e083af93def792820b92b09404ed22052c2ec6b699a7b Mon Sep 17 00:00:00 2001 From: Olaf Hering Date: Mon, 12 Nov 2012 18:14:08 +0000 Subject: [PATCH 05/15] remove also hyper-v.supplements.txt OBS-URL: https://build.opensuse.org/package/show/Virtualization/hyper-v?expand=0&rev=41 --- hyper-v.supplements.txt | 5 ----- 1 file changed, 5 deletions(-) delete mode 100644 hyper-v.supplements.txt diff --git a/hyper-v.supplements.txt b/hyper-v.supplements.txt deleted file mode 100644 index ea92c9d..0000000 --- a/hyper-v.supplements.txt +++ /dev/null @@ -1,5 +0,0 @@ -# if built without drivers -Supplements: modalias(kernel-default:dmi*:svn*MicrosoftCorporation*:pn*VirtualMachine*:rn*VirtualMachine*:) modalias(kernel-default:pci:v00001414d00005353sv*sd*bc*sc*i*) -# hv drivers were enabled in the middle of the update cycle -# Its Microsoft. It must be a mess. ... -Requires: kernel-%1 >= 2.6.32.27 From 30326c51262b3d2b4cd0dbb0d7e5e1b8ba32bbd99c69d4bf4bc1dcc1e3f77a90 Mon Sep 17 00:00:00 2001 
From: Olaf Hering Date: Tue, 13 Nov 2012 13:56:25 +0000 Subject: [PATCH 06/15] drivers are now in kernel since a long time. [bnc#676890] OBS-URL: https://build.opensuse.org/package/show/Virtualization/hyper-v?expand=0&rev=42 --- hyper-v.changes | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hyper-v.changes b/hyper-v.changes index db9976f..cc7d019 100644 --- a/hyper-v.changes +++ b/hyper-v.changes @@ -2,7 +2,7 @@ Mon Nov 12 17:18:25 CET 2012 - ohering@suse.de - remove code to build kmp, it was not enabled because the - drivers are now in kernel since a long time. + drivers are now in kernel since a long time. [bnc#676890] ------------------------------------------------------------------- Thu Nov 8 14:30:05 CET 2012 - ohering@suse.de From dad8c5cef7566a898b92717d07d05e2dfece2adb3a5e44e715a0e6f7536079c9 Mon Sep 17 00:00:00 2001 From: Olaf Hering Date: Wed, 14 Nov 2012 13:53:26 +0000 Subject: [PATCH 07/15] drop also obsolete hyper-v.dummy_ko.c after kmp removal OBS-URL: https://build.opensuse.org/package/show/Virtualization/hyper-v?expand=0&rev=43 --- hyper-v.dummy_ko.c | 15 --------------- hyper-v.spec | 1 - 2 files changed, 16 deletions(-) delete mode 100644 hyper-v.dummy_ko.c diff --git a/hyper-v.dummy_ko.c b/hyper-v.dummy_ko.c deleted file mode 100644 index cca41a6..0000000 --- a/hyper-v.dummy_ko.c +++ /dev/null @@ -1,15 +0,0 @@ -#include -#include - -static int __init hv_suse_kmp_dummy_init(void) -{ - return 0; -} - -static void __exit hv_suse_kmp_dummy_exit(void) -{ -} - -module_init(hv_suse_kmp_dummy_init); -module_exit(hv_suse_kmp_dummy_exit); -MODULE_LICENSE("GPL"); diff --git a/hyper-v.spec b/hyper-v.spec index d3d3f1a..d359cc8 100644 --- a/hyper-v.spec +++ b/hyper-v.spec 
@@ -29,7 +29,6 @@ Supplements: modalias(pci:v00001414d00005353sv*sd*bc*sc*i*) Url: http://www.kernel.org Version: 4 Release: 0 -Source4: hyper-v.dummy_ko.c Source5: hyper-v.kvptest.ps1.txt Source9: hyper-v.include.linux.hyperv.h Source10: hyper-v.tools.hv.hv_kvp_daemon.c From 42570cdfd63ee41feda560b82610d9073b14fd8dd0482e561e8e92958bf9afc6 Mon Sep 17 00:00:00 2001 From: Olaf Hering Date: Thu, 22 Nov 2012 17:16:30 +0000 Subject: [PATCH 08/15] - update hv_get_dhcp_info to work with our ifcfg [bnc#790469] - remove cat usage from hv_get_dns_info - add quoting to hv_set_ifconfig to make it more robust OBS-URL: https://build.opensuse.org/package/show/Virtualization/hyper-v?expand=0&rev=44 --- hyper-v.changes | 7 +++++++ hyper-v.tools.hv.hv_get_dhcp_info.sh | 6 +++--- hyper-v.tools.hv.hv_get_dns_info.sh | 7 +++++-- hyper-v.tools.hv.hv_set_ifconfig.sh | 6 +++--- 4 files changed, 18 insertions(+), 8 deletions(-) diff --git a/hyper-v.changes b/hyper-v.changes index cc7d019..6db6e5f 100644 --- a/hyper-v.changes +++ b/hyper-v.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Thu Nov 22 18:14:12 CET 2012 - ohering@suse.de + +- update hv_get_dhcp_info to work with our ifcfg [bnc#790469] +- remove cat usage from hv_get_dns_info +- add quoting to hv_set_ifconfig to make it more robust + ------------------------------------------------------------------- Mon Nov 12 17:18:25 CET 2012 - ohering@suse.de diff --git a/hyper-v.tools.hv.hv_get_dhcp_info.sh b/hyper-v.tools.hv.hv_get_dhcp_info.sh index 8d8fc1c..f16e8fc 100644 --- a/hyper-v.tools.hv.hv_get_dhcp_info.sh +++ b/hyper-v.tools.hv.hv_get_dhcp_info.sh 
@@ -1,6 +1,6 @@ #!/bin/bash -# This example script retrieves the DHCP state of a given interface. +# This script retrieves the DHCP state of a given interface. # In the interest of keeping the KVP daemon code free of distro specific # information; the kvp daemon code invokes this external script to gather # DHCP setting for the specific interface. @@ -16,9 +16,9 @@ # this script can be based on the Network Manager APIs for retrieving DHCP # information. -if_file="/etc/sysconfig/network-scripts/ifcfg-"$1 +if_file="/etc/sysconfig/network/ifcfg-$1" -dhcp=$(grep "dhcp" $if_file 2>/dev/null) +dhcp=$(grep -- '^BOOTPROTO=.*dhcp' "$if_file" 2>/dev/null) if [ "$dhcp" != "" ]; then diff --git a/hyper-v.tools.hv.hv_get_dns_info.sh b/hyper-v.tools.hv.hv_get_dns_info.sh index c02099b..65a0045 100644 --- a/hyper-v.tools.hv.hv_get_dns_info.sh +++ b/hyper-v.tools.hv.hv_get_dns_info.sh @@ -1,6 +1,6 @@ #!/bin/bash -# This example script parses /etc/resolv.conf to retrive DNS information. +# This script parses /etc/resolv.conf to retrive DNS information. # In the interest of keeping the KVP daemon code free of distro specific # information; the kvp daemon code invokes this external script to gather # DNS information. @@ -10,4 +10,7 @@ # this script can be based on the Network Manager APIs for retrieving DNS # entries. -cat /etc/resolv.conf 2>/dev/null | awk '/^nameserver/ { print $2 }' +if test -r /etc/resolv.conf +then + awk -- '/^nameserver/ { print $2 }' /etc/resolv.conf +fi diff --git a/hyper-v.tools.hv.hv_set_ifconfig.sh b/hyper-v.tools.hv.hv_set_ifconfig.sh index 1be68df..3860957 100644 --- a/hyper-v.tools.hv.hv_set_ifconfig.sh +++ b/hyper-v.tools.hv.hv_set_ifconfig.sh 
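Review bot: `if_file="/etc/sysconfig/network/ifcfg-$1"` builds the path from `$1` without checking that an argument was given or that it is a plain interface name. An empty argument silently reads `ifcfg-`, and a value containing `/` points `grep` at a file outside the intended directory. A guard at the top of the script, e.g. `case "$1" in ''|*/*) exit 1;; esac`, makes the contract explicit. The new pattern `'^BOOTPROTO=.*dhcp'` also matches a line whose value is not DHCP but has `dhcp` later on the line, for instance in a trailing comment; anchoring on the optionally quoted value would be tighter. How the result is printed is outside the hunk.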
@@ -77,7 +77,7 @@ then fi echo "$0: working on network interface ifcfg-${IF_NAME}" -cp -b ${t} /etc/sysconfig/network/ifcfg-${IF_NAME} -ifdown ${IF_NAME} -o hotplug -ifup ${IF_NAME} -o hotplug +cp -b ${t} "/etc/sysconfig/network/ifcfg-${IF_NAME}" +ifdown "${IF_NAME}" -o hotplug +ifup "${IF_NAME}" -o hotplug ) 2>&1 | logger -t "${0##*/}[$PPID / $$]" From aff955d3ed0a9c88584ff0100232f9ef4bcd6f252786c101713ed3ebd46c6f4e Mon Sep 17 00:00:00 2001 From: Olaf Hering Date: Fri, 23 Nov 2012 15:01:29 +0000 Subject: [PATCH 09/15] - update hv_set_ifconfig further to work with our ifcfg [bnc#790469] OBS-URL: https://build.opensuse.org/package/show/Virtualization/hyper-v?expand=0&rev=45 --- hyper-v.changes | 5 + hyper-v.tools.hv.hv_set_ifconfig.sh | 141 ++++++++++++++++++++++++---- 2 files changed, 127 insertions(+), 19 deletions(-) diff --git a/hyper-v.changes b/hyper-v.changes index 6db6e5f..2e66669 100644 --- a/hyper-v.changes +++ b/hyper-v.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Fri Nov 23 15:58:28 CET 2012 - ohering@suse.de + +- update hv_set_ifconfig further to work with our ifcfg [bnc#790469] + ------------------------------------------------------------------- Thu Nov 22 18:14:12 CET 2012 - ohering@suse.de diff --git a/hyper-v.tools.hv.hv_set_ifconfig.sh b/hyper-v.tools.hv.hv_set_ifconfig.sh index 3860957..46ef9c2 100644 --- a/hyper-v.tools.hv.hv_set_ifconfig.sh +++ b/hyper-v.tools.hv.hv_set_ifconfig.sh 
@@ -41,43 +41,146 @@ then : expect configuration datafile as first argument exit 1 fi -# +# send subshell output to syslog ( +f=/etc/sysconfig/network/scripts/functions +if test -f ${f} +then + . ${f} +else + echo "MISSING ${f}" + exit 1 +fi +# remove known config variables from environment +unset HWADDR unset DHCP unset IF_NAME +unset ${!IPADDR*} +unset ${!NETMASK*} +unset ${!GATEWAY*} +unset ${!IPV6ADDR*} +unset ${!IPV6NETMASK*} +unset ${!IPV6_DEFAULTGW*} +unset ${!DNS*} . "$1" +# if test -z "${IF_NAME}" then echo "Missing IF_NAME= in ${cfg}" exit 1 fi # -t=`mktemp` -if test -z "${t}" -then - exit 1 -fi - +t_ifcfg=`mktemp` +t_ifroute=`mktemp` _exit() { - rm -f "${t}" + rm -f "${t_ifcfg}" "${t_ifroute}" } trap _exit EXIT # -cat >> "${t}" <<_EOF_ -# contents from $0 $* -`cat "${cfg}"` -# -# additional options: -STARTMODE=auto -_EOF_ - -if test "${DHCP}" = "yes" +if test -z "${t_ifcfg}" || test -z "${t_ifroute}" then - echo "BOOTPROTO=dhcp" >> ${t}; + exit 1 +fi +# +# Create ifcfg-* file +( + echo "STARTMODE=auto" + # + if test -n "${HWADDR}" + then + : # ignore HWADDR, it just repeats the existing MAC value + fi + # + if test "${DHCP}" = "yes" + then + echo "BOOTPROTO=dhcp" + fi + # + # loop through all ipv4 adresses + for var in ${!IPADDR*} + do + index=${var#IPADDR} + pfx= + # find corresponding NETMASK variable + eval nm=\$NETMASK${index} + # if specified, calculate prefix + if test -n "${nm}" + then + pfx=`mask2pfxlen "${nm}" 2>/dev/null` + fi + # construct actual value + eval val=\$IPADDR${index} + # append prefix to value + if test -n "${pfx}" + then + val="${val}/${pfx}" + fi + # write config variable + echo "IPADDR${index}='${val}'" + done + # loop through all ipv6 adresses + for var in ${!IPV6ADDR*} + do + index=${var#IPV6ADDR} + pfx= + # find corresponding IPV6NETMASK variable + eval nm=\$IPV6NETMASK${index} + # if specified, calculate prefix + if test -n "${nm}" + then + pfx=`mask2pfxlen "${nm}" 2>/dev/null` + fi + # construct actual value + eval 
val=\$IPV6ADDR${index} + # append prefix to value + if test -n "${pfx}" + then + val="${val}/${pfx}" + fi + # write config variable + echo "IPV6ADDR${index}='${val}'" + done + +) >> "${t_ifcfg}" + +# Create ifroute-* file +( + if test -n "${GATEWAY}" + then + echo "default $GATEWAY - $IF_NAME" + fi + if test -n "${IPV6_DEFAULTGW}" + then + echo "default $IPV6_DEFAULTGW - $IF_NAME" + fi +) >> "${t_ifroute}" +# Only a single default gateway is supported +unset GATEWAY IPV6_DEFAULTGW +if test -n "${!GATEWAY*}${!IPV6_DEFAULTGW*}" +then + echo "WARNING: multiple gateways not supported: ${!GATEWAY*} ${!IPV6_DEFAULTGW*}" fi +# collect DNS info +_DNS_= +for var in ${!DNS*} +do + eval val=\$${var} + if test -n "${_DNS_}" + then + _DNS_="${_DNS_} ${val}" + else + _DNS_=${val} + fi +done +# echo "$0: working on network interface ifcfg-${IF_NAME}" -cp -b ${t} "/etc/sysconfig/network/ifcfg-${IF_NAME}" +cp -fb ${t_ifcfg} "/etc/sysconfig/network/ifcfg-${IF_NAME}" +cp -fb ${t_ifroute} "/etc/sysconfig/network/ifroute-${IF_NAME}" +if test -n "${_DNS_}" && test -w /etc/sysconfig/network/config +then + sed -i "s@^NETCONFIG_DNS_STATIC_SERVERS=.*@NETCONFIG_DNS_STATIC_SERVERS='$_DNS_'@" /etc/sysconfig/network/config +fi ifdown "${IF_NAME}" -o hotplug ifup "${IF_NAME}" -o hotplug ) 2>&1 | logger -t "${0##*/}[$PPID / $$]" From df043786254f57f7c46c538223dc2d916bdf4a9f2b3d6107d15ae82e05b311f6 Mon Sep 17 00:00:00 2001 From: Olaf Hering Date: Fri, 23 Nov 2012 19:50:20 +0000 Subject: [PATCH 10/15] more updates - update hv_set_ifconfig further to work with our ifcfg [bnc#790469] OBS-URL: https://build.opensuse.org/package/show/Virtualization/hyper-v?expand=0&rev=46 --- hyper-v.changes | 2 +- hyper-v.tools.hv.hv_set_ifconfig.sh | 17 ++++++----------- 2 files changed, 7 insertions(+), 12 deletions(-) diff --git a/hyper-v.changes b/hyper-v.changes index 2e66669..1b4665e 100644 --- a/hyper-v.changes +++ b/hyper-v.changes 
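Review bot: The values taken from the datafile are written unvalidated into the generated `ifcfg-*` and `ifroute-*` files (`echo "IPADDR${index}='${val}'"`, `echo "default $GATEWAY - $IF_NAME"`) and into the `sed` replacement for `NETCONFIG_DNS_STATIC_SERVERS`. A `'` in an address, or a `@`, `&` or `\` in a DNS entry, therefore changes what lands in configuration that is later read back. The script writes under `/etc/sysconfig/network`, so it presumably runs with root privileges, and anything that is not address-shaped should be skipped before it is written. In each loop that could be `case "${val}" in ''|*[!0-9A-Fa-f:./]*) echo "ignoring invalid ${var}" >&2; continue;; esac`, with the same test applied to `GATEWAY`, `IPV6_DEFAULTGW` and every `DNS*` value. `IF_NAME` is used in both `cp -fb` destination paths and should be rejected if it contains `/`. The `${t_ifcfg}` and `${t_ifroute}` arguments to `cp` are also still unquoted, unlike the destinations.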
@@ -1,5 +1,5 @@
 -------------------------------------------------------------------
-Fri Nov 23 15:58:28 CET 2012 - ohering@suse.de
+Fri Nov 23 20:49:31 CET 2012 - ohering@suse.de
 - update hv_set_ifconfig further to work with our ifcfg [bnc#790469]
diff --git a/hyper-v.tools.hv.hv_set_ifconfig.sh b/hyper-v.tools.hv.hv_set_ifconfig.sh
index 46ef9c2..15123d1 100644
--- a/hyper-v.tools.hv.hv_set_ifconfig.sh
+++ b/hyper-v.tools.hv.hv_set_ifconfig.sh
@@ -122,23 +122,17 @@ fi
 for var in ${!IPV6ADDR*}
 do
 index=${var#IPV6ADDR}
- pfx=
 # find corresponding IPV6NETMASK variable
- eval nm=\$IPV6NETMASK${index}
+ eval pfx=\$IPV6NETMASK${index}
 # if specified, calculate prefix
- if test -n "${nm}"
+ if test -z "${pfx}"
 then
- pfx=`mask2pfxlen "${nm}" 2>/dev/null`
+ pfx=128
 fi
 # construct actual value
 eval val=\$IPV6ADDR${index}
- # append prefix to value
- if test -n "${pfx}"
- then
- val="${val}/${pfx}"
- fi
 # write config variable
- echo "IPV6ADDR${index}='${val}'"
+ echo "IPADDR${index}='${val}/${pfx}'"
 done
 ) >> "${t_ifcfg}"
@@ -177,9 +171,10 @@ done
 echo "$0: working on network interface ifcfg-${IF_NAME}"
 cp -fb ${t_ifcfg} "/etc/sysconfig/network/ifcfg-${IF_NAME}"
 cp -fb ${t_ifroute} "/etc/sysconfig/network/ifroute-${IF_NAME}"
-if test -n "${_DNS_}" && test -w /etc/sysconfig/network/config
+if test -w /etc/sysconfig/network/config
 then
 sed -i "s@^NETCONFIG_DNS_STATIC_SERVERS=.*@NETCONFIG_DNS_STATIC_SERVERS='$_DNS_'@" /etc/sysconfig/network/config
+ netconfig update -m dns
 fi
 ifdown "${IF_NAME}" -o hotplug
 ifup "${IF_NAME}" -o hotplug
From 699250925aac593820522e8e9299f680d9039b2b2dd5c7b9e2776e50883d42ac Mon Sep 17 00:00:00 2001 From: Olaf Hering Date: Fri, 23 Nov 2012 19:52:43 +0000 Subject: [PATCH 11/15] update comment OBS-URL: https://build.opensuse.org/package/show/Virtualization/hyper-v?expand=0&rev=47 --- hyper-v.tools.hv.hv_set_ifconfig.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
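Review bot: In the IPv6 loop of the `-122,23` hunk the result is now written as `IPADDR${index}` with the suffix taken from the IPV6ADDR variable name, so an IPV6ADDR and an IPADDR that share a suffix produce two assignments of the same key in the ifcfg file, and presumably only the last one takes effect. The value of IPV6NETMASK is also used verbatim as the prefix length; assuming the datafile carries a plain number there, `case "${pfx}" in ''|*[!0-9]*) pfx=128 ;; esac` in place of the `test -z` fallback would keep a non-numeric value out of the file. The retained comment `# if specified, calculate prefix` no longer describes the branch below it.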
diff --git a/hyper-v.tools.hv.hv_set_ifconfig.sh b/hyper-v.tools.hv.hv_set_ifconfig.sh
index 15123d1..641fb48 100644
--- a/hyper-v.tools.hv.hv_set_ifconfig.sh
+++ b/hyper-v.tools.hv.hv_set_ifconfig.sh
@@ -124,7 +124,7 @@ fi
 index=${var#IPV6ADDR}
 # find corresponding IPV6NETMASK variable
 eval pfx=\$IPV6NETMASK${index}
- # if specified, calculate prefix
+ # if not specified, force prefix
 if test -z "${pfx}"
 then
 pfx=128
From d9e9558049bc7c369377f188a5f430ca4fd0e533bb5ee0d70d686b3e30fa615c Mon Sep 17 00:00:00 2001 From: Olaf Hering Date: Sun, 25 Nov 2012 16:52:32 +0000 Subject: [PATCH 12/15] remove -o hotplug from ifup/ifdown call [bnc#790469] OBS-URL: https://build.opensuse.org/package/show/Virtualization/hyper-v?expand=0&rev=48 --- hyper-v.changes | 2 +- hyper-v.tools.hv.hv_set_ifconfig.sh | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/hyper-v.changes b/hyper-v.changes
index 1b4665e..4078322 100644
--- a/hyper-v.changes
+++ b/hyper-v.changes
@@ -1,5 +1,5 @@
 -------------------------------------------------------------------
-Fri Nov 23 20:49:31 CET 2012 - ohering@suse.de
+Sun Nov 25 17:50:40 CET 2012 - ohering@suse.de
 - update hv_set_ifconfig further to work with our ifcfg [bnc#790469]
diff --git a/hyper-v.tools.hv.hv_set_ifconfig.sh b/hyper-v.tools.hv.hv_set_ifconfig.sh
index 641fb48..5064190 100644
--- a/hyper-v.tools.hv.hv_set_ifconfig.sh
+++ b/hyper-v.tools.hv.hv_set_ifconfig.sh
@@ -176,6 +176,6 @@ then
 sed -i "s@^NETCONFIG_DNS_STATIC_SERVERS=.*@NETCONFIG_DNS_STATIC_SERVERS='$_DNS_'@" /etc/sysconfig/network/config
 netconfig update -m dns
 fi
-ifdown "${IF_NAME}" -o hotplug
-ifup "${IF_NAME}" -o hotplug
+ifdown "${IF_NAME}"
+ifup "${IF_NAME}"
 ) 2>&1 | logger -t "${0##*/}[$PPID / $$]"
From 8480d2a1679f909dd3bfebc42d7937e2f14fdb708c30dd9906bb0103d50f1ecb Mon Sep 17 00:00:00 2001
From: Olaf Hering Date: Tue, 27 Nov 2012 10:20:18 +0000 Subject: [PATCH 13/15] - update hv_set_ifconfig, use single index for static ipv4/ipv6 [bnc#790469] OBS-URL: https://build.opensuse.org/package/show/Virtualization/hyper-v?expand=0&rev=49 --- hyper-v.changes | 5 +++++ hyper-v.tools.hv.hv_set_ifconfig.sh | 20 ++++++++++++-------- 2 files changed, 17 insertions(+), 8 deletions(-)
diff --git a/hyper-v.changes b/hyper-v.changes
index 4078322..97cadf5 100644
--- a/hyper-v.changes
+++ b/hyper-v.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Tue Nov 27 11:19:32 CET 2012 - ohering@suse.de
+
+- update hv_set_ifconfig, use single index for static ipv4/ipv6 [bnc#790469]
+
 -------------------------------------------------------------------
 Sun Nov 25 17:50:40 CET 2012 - ohering@suse.de
diff --git a/hyper-v.tools.hv.hv_set_ifconfig.sh b/hyper-v.tools.hv.hv_set_ifconfig.sh
index 5064190..a776d43 100644
--- a/hyper-v.tools.hv.hv_set_ifconfig.sh
+++ b/hyper-v.tools.hv.hv_set_ifconfig.sh
@@ -95,7 +95,9 @@ fi
 then
 echo "BOOTPROTO=dhcp"
 fi
- #
+ # single index for all ipv4 and ipv6 adresses in final ifcfg file
+ i=0
+ idx=""
 # loop through all ipv4 adresses
 for var in ${!IPADDR*}
 do
@@ -108,15 +110,16 @@ fi
 then
 pfx=`mask2pfxlen "${nm}" 2>/dev/null`
 fi
+ # if not specified, force prefix
+ if test -z "${pfx}"
+ then
+ pfx="32"
+ fi
 # construct actual value
 eval val=\$IPADDR${index}
- # append prefix to value
- if test -n "${pfx}"
- then
- val="${val}/${pfx}"
- fi
 # write config variable
- echo "IPADDR${index}='${val}'"
+ echo "IPADDR${idx}='${val}/${pfx}'"
+ idx="_$((++i))"
 done
 # loop through all ipv6 adresses
 for var in ${!IPV6ADDR*}
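Review bot: The new `/32` fallback in the `-108,15` hunk also fires when `mask2pfxlen` prints nothing for a NETMASK that was set, and since its stderr goes to /dev/null in the context line above, a malformed mask silently becomes a /32 address. A trace such as `echo "WARNING: NETMASK${index} unusable, using /32" >&2` inside the `if test -z "${pfx}"` branch would record it; it has to go to stderr because, going by the earlier patch on this page, the loop's stdout is redirected into the ifcfg temp file. What `mask2pfxlen` returns for bad input is not visible here, so the first part is likely rather than certain. The IPv4 loop starts before this hunk and `idx` is initialised in the preceding one.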
@@ -132,7 +135,8 @@ fi
 # construct actual value
 eval val=\$IPV6ADDR${index}
 # write config variable
- echo "IPADDR${index}='${val}/${pfx}'"
+ echo "IPADDR${idx}='${val}/${pfx}'"
+ idx="_$((++i))"
 done
 ) >> "${t_ifcfg}"
From d674960706b97f9bd52480baa62e982e223f546e9d07fd1aca1210c4f68b1a60 Mon Sep 17 00:00:00 2001 From: Olaf Hering Date: Wed, 28 Nov 2012 09:26:39 +0000 Subject: [PATCH 14/15] - Netlink source address validation allows DoS [bnc#791605] OBS-URL: https://build.opensuse.org/package/show/Virtualization/hyper-v?expand=0&rev=50 --- hyper-v.changes | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hyper-v.changes b/hyper-v.changes
index 97cadf5..5c2a44d 100644
--- a/hyper-v.changes
+++ b/hyper-v.changes
@@ -24,7 +24,7 @@ Mon Nov 12 17:18:25 CET 2012 - ohering@suse.de
 -------------------------------------------------------------------
 Thu Nov 8 14:30:05 CET 2012 - ohering@suse.de
-- Netlink source address validation allows DoS
+- Netlink source address validation allows DoS [bnc#791605]
 bugfix for recvfrom check from bnc#761200
 -------------------------------------------------------------------
From 7d052ac13f619331a03308a16a173ad10391c3603745e599bcdea6afa47c6dff Mon Sep 17 00:00:00 2001 From: Olaf Hering Date: Wed, 28 Nov 2012 13:15:52 +0000 Subject: [PATCH 15/15] - Netlink source address validation allows DoS [bnc#791605, CVE-2012-5532] - check origin of netlink messages, use recvfrom() [bnc#761200, CVE-2012-2669] OBS-URL: https://build.opensuse.org/package/show/Virtualization/hyper-v?expand=0&rev=51 --- hyper-v.changes | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hyper-v.changes b/hyper-v.changes
index 5c2a44d..884162e 100644
--- a/hyper-v.changes
+++ b/hyper-v.changes
@@ -24,7 +24,7 @@ Mon Nov 12 17:18:25 CET 2012 - ohering@suse.de
 -------------------------------------------------------------------
 Thu Nov 8 14:30:05 CET 2012 - ohering@suse.de
-- Netlink source address validation allows DoS [bnc#791605]
+- Netlink source address validation allows DoS [bnc#791605, CVE-2012-5532]
 bugfix for recvfrom check from bnc#761200
 -------------------------------------------------------------------
@@ -59,7 +59,7 @@ Tue Sep 4 14:55:38 CEST 2012 - ohering@suse.de
 -------------------------------------------------------------------
 Wed May 16 20:44:36 CEST 2012 - ohering@suse.de
-- check origin of netlink messages, use recvfrom() [bnc#761200]
+- check origin of netlink messages, use recvfrom() [bnc#761200, CVE-2012-2669]
 -------------------------------------------------------------------
 Wed May 2 12:13:03 CEST 2012 - ohering@suse.de