Diffstat (limited to 'debian/patches/debian/dccp-disable-auto-loading-as-mitigation-against-local-exploits.patch')
-rw-r--r--debian/patches/debian/dccp-disable-auto-loading-as-mitigation-against-local-exploits.patch41
1 files changed, 41 insertions, 0 deletions
diff --git a/debian/patches/debian/dccp-disable-auto-loading-as-mitigation-against-local-exploits.patch b/debian/patches/debian/dccp-disable-auto-loading-as-mitigation-against-local-exploits.patch
new file mode 100644
index 000000000..83583184e
--- /dev/null
+++ b/debian/patches/debian/dccp-disable-auto-loading-as-mitigation-against-local-exploits.patch
@@ -0,0 +1,41 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Thu, 16 Feb 2017 19:09:17 +0000
+Subject: dccp: Disable auto-loading as mitigation against local exploits
+Forwarded: not-needed
+
+We can mitigate the effect of vulnerabilities in obscure protocols by
+preventing unprivileged users from loading the modules, so that they
+are only exploitable on systems where the administrator has chosen to
+load the protocol.
+
+The 'dccp' protocol is not actively maintained or widely used.
+Therefore disable auto-loading.
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/net/dccp/ipv4.c
++++ b/net/dccp/ipv4.c
+@@ -1071,8 +1071,8 @@ module_exit(dccp_v4_exit);
+ * values directly, Also cover the case where the protocol is not specified,
+ * i.e. net-pf-PF_INET-proto-0-type-SOCK_DCCP
+ */
+-MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET, 33, 6);
+-MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET, 0, 6);
++/* MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET, 33, 6); */
++/* MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET, 0, 6); */
+ MODULE_LICENSE("GPL");
+ MODULE_AUTHOR("Arnaldo Carvalho de Melo <acme@mandriva.com>");
+ MODULE_DESCRIPTION("DCCP - Datagram Congestion Controlled Protocol");
+--- a/net/dccp/ipv6.c
++++ b/net/dccp/ipv6.c
+@@ -1125,8 +1125,8 @@ module_exit(dccp_v6_exit);
+ * values directly, Also cover the case where the protocol is not specified,
+ * i.e. net-pf-PF_INET6-proto-0-type-SOCK_DCCP
+ */
+-MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET6, 33, 6);
+-MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET6, 0, 6);
++/* MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET6, 33, 6); */
++/* MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET6, 0, 6); */
+ MODULE_LICENSE("GPL");
+ MODULE_AUTHOR("Arnaldo Carvalho de Melo <acme@mandriva.com>");
+ MODULE_DESCRIPTION("DCCPv6 - Datagram Congestion Controlled Protocol");
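Review bot: The aliases in net/dccp/ipv4.c and net/dccp/ipv6.c are disabled by commenting them out, which leaves dead code directly under a retained upstream comment that still reads as if they were active, and the source itself gives a later reader no reason for the change. I would replace each commented-out pair with a short explanatory comment, for example `/* Debian: net-pf-*-proto-*-type-6 aliases removed so an unprivileged socket() call cannot auto-load this module; load it explicitly with modprobe if DCCP is needed */`. The patch description could also state the limit of the mitigation: it covers only on-demand loading through these four aliases, so a system where the module is already loaded, built in, or loaded at boot by configuration is presumably still exposed, and administrators who do not need DCCP may want a modprobe.d rule as well. The upstream comment block begins above both inner hunks, so its full wording is not visible here.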