--- libcgroup-0.36.2.orig/debian/libpam-cgroup.install
+++ libcgroup-0.36.2/debian/libpam-cgroup.install
@@ -0,0 +1 @@
+lib/security/pam_cgroup.so
--- libcgroup-0.36.2.orig/debian/cgroup-bin.docs
+++ libcgroup-0.36.2/debian/cgroup-bin.docs
@@ -0,0 +1,2 @@
+README
+README_daemon
--- libcgroup-0.36.2.orig/debian/changelog
+++ libcgroup-0.36.2/debian/changelog
@@ -0,0 +1,119 @@
+libcgroup (0.36.2-3+squeeze1build0.10.10.1) maverick-security; urgency=low
+
+ * fake sync from Debian
+
+ -- Jamie Strandboge Mon, 21 Mar 2011 07:56:55 -0500
+
+libcgroup (0.36.2-3+squeeze1) stable-security; urgency=low
+
+ * [0cdfa74] Backport upstream fix for CVE-2011-1006
+ * [d5d5690] Backport upstream fix for CVE-2011-1022
+
+ -- Jon Bernard Thu, 03 Mar 2011 20:37:17 -0500
+
+libcgroup (0.36.2-3) unstable; urgency=low
+
+ * [a1bd2b] Add device controller to the default configuration
+ (LP: #607849) - thanks to Serge Hallyn
+
+ -- Jon Bernard Sun, 25 Jul 2010 16:51:29 -0400
+
+libcgroup (0.36.2-2) unstable; urgency=low
+
+ * [ae0921] Replace sysconfig with default in cgconfig initscript patch
+ (Closes: #588494)
+ * [412460] Fix config file reference in cgred initscript patch
+ * [3822c1] Update cgred default configuration file
+ * [17fdaf] Add cgconfig default configuration file
+ * [577ac2] Bump standards version to 3.9.0, no changes necessary
+ * [f28c7d] Fix typo in copyright file
+ * [14244b] Remove redundant reference to BSD license in copyright file
+
+ -- Jon Bernard Sun, 18 Jul 2010 09:41:48 -0400
+
+libcgroup (0.36.2-1) unstable; urgency=low
+
+ * [df1c38] Imported Upstream version 0.36.2
+ * [afe1f0] Remove cgdelete manpage, included upstream
+ * [afecca] Remove lscgroup manpage, included upstream
+ * [e68c9a] Remove lssubsys manpage, included upstream
+ * [54f5da] Fix install override to handle changed location of pam
+ module
+
+ -- Jon Bernard Wed, 23 Jun 2010 14:16:40 -0400
+
+libcgroup (0.36.1-2) unstable; urgency=low
+
+ * [8a9de6] Install shared object and symlinks in /lib (Closes: #583513)
+
+ -- Jon Bernard Thu, 27 May 2010 20:13:39 -0400
+
+libcgroup (0.36.1-1) unstable; urgency=low
+
+ * [d1d65a] Add Vcs fields to debian/control
+ * [2ca672] Exclude release candidates from debian/watch
+ * [36e728] Imported Upstream version 0.36.1
+ * [41bdfa] Remove missing-includes patch, included upstream
+
+ -- Jon Bernard Fri, 21 May 2010 15:54:53 -0400
+
+libcgroup (0.36-1) unstable; urgency=low
+
+ * [be0275] Fix typo in debian/watch
+ * [1db135] Imported Upstream version 0.36 (Closes: #582440)
+ * [63e1bd] Remove cgget manpage, included upstream
+ * [66f232] Remove manpages patch, included upstream
+ * [5ab7ce] Remove pkg-config patch, included upstream
+ * [47ea10] Remove sa_restorer patch, included upstream
+ * [124d53] Add patch for missing includes, fixes build
+
+ -- Jon Bernard Thu, 20 May 2010 15:57:47 -0400
+
+libcgroup (0.35-3) unstable; urgency=low
+
+ * [b5eb1b] Drop .la files (Closes: #579812)
+ * [c9f683] Backport libcgroup.pc pkg-config file from upstream
+ (Closes: #579753)
+
+ -- Jon Bernard Mon, 03 May 2010 11:01:18 -0400
+
+libcgroup (0.35-2) unstable; urgency=low
+
+ * Use memset to initialize sigaction struct (Closes: #549581)
+
+ -- Jon Bernard Mon, 08 Mar 2010 14:28:53 -0500
+
+libcgroup (0.35-1) unstable; urgency=low
+
+ * Imported Upstream version 0.35
+ * Remove manpage for cgclear, included upstream
+ * Remove obsolete debian patches
+ * Add missing manpages from upstream
+ * Update debian/watch to support new upstream versioning scheme
+ * Run autoreconf before configure
+ * Stop removing RPATH from certain files, fixed upstream
+ * Remove chrpath and docbook-to-man from build dependencies
+ * Bump standards version to 3.8.4, no changes necessary
+ * Remove redundant section definition for libcgroup1
+ * debian/libcgroup1.install: replace hardcoded version with wildcard
+ * debian/libcgroup1.install: include .la file in libcgroup1
+ * debian/cgroup-bin.manpages: update installed manpages
+ * Update manpages patch to escape hyphens
+ * Depend on 'cgconfig' in cgred initscript (Closes: #549480)
+ * Refresh cgconfig initscript patch
+ * Include patch tags on vendor patches (DEP3)
+
+ -- Jon Bernard Fri, 05 Mar 2010 14:49:56 -0500
+
+libcgroup (0.34-2) unstable; urgency=low
+
+ * Fix initscript dependencies (Closes: #549480) - thanks to Petter
+ Reinholdtsen
+
+ -- Jon Bernard Wed, 28 Oct 2009 14:31:34 -0400
+
+libcgroup (0.34-1) unstable; urgency=low
+
+ * Initial release (Closes: #536167)
+
+ -- Jon Bernard Tue, 08 Sep 2009 22:40:43 -0400
--- libcgroup-0.36.2.orig/debian/cgroup-bin.cgconfig.default
+++ libcgroup-0.36.2/debian/cgroup-bin.cgconfig.default
@@ -0,0 +1,12 @@
+# Service cgconfig can create a default group in all mounted hierarchies and
+# move all processes there on boot. If no default rule is specified in
+# /etc/cgrules.conf, the default group is named '/sysdefault'.
+# This automatically created group(s) can be useful e.g. when using 'cpu'
+# controller to limit cpu.shares of this default group and allowing some more
+# important group take most of the CPU.
+#
+# By default, create these groups:
+CREATE_DEFAULT=yes
+
+# Uncomment following line to disable creation of the default group on startup:
+# CREATE_DEFAULT=no
--- libcgroup-0.36.2.orig/debian/control
+++ libcgroup-0.36.2/debian/control
@@ -0,0 +1,57 @@
+Source: libcgroup
+Priority: extra
+Maintainer: Jon Bernard
+Build-Depends: debhelper (>= 7.0.50~), quilt (>= 0.46-7), autoconf, automake, libtool, bison, flex, libpam0g-dev
+Standards-Version: 3.9.0
+Section: libs
+Vcs-Git: git://git.debian.org/git/collab-maint/libcgroup.git
+Vcs-Browser: http://git.debian.org/?p=collab-maint/libcgroup.git;a=summary
+Homepage: http://sourceforge.net/projects/libcg/
+
+Package: libcgroup-dev
+Section: libdevel
+Architecture: any
+Depends: ${misc:Depends}, libcgroup1 (= ${binary:Version})
+Description: Development libraries to develop applications that utilize control groups
+ Control Groups provide a mechanism for aggregating/partitioning sets of tasks,
+ and all their future children, into hierarchical groups with specialized
+ behaviour.
+ .
+ It provides API to create/delete and modify cgroup nodes. It will also in the
+ future allow creation of persistent configuration for control groups and
+ provide scripts to manage that configuration.
+
+Package: libcgroup1
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Description: A library to control and monitor control groups
+ Control Groups provide a mechanism for aggregating/partitioning sets of tasks,
+ and all their future children, into hierarchical groups with specialized
+ behaviour.
+ .
+ This library allows applications to manipulate, control, administrate and
+ monitor control groups and the associated controllers.
+
+Package: libpam-cgroup
+Section: admin
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Description: A PAM module to move a user session into a cgroup
+ Control Groups provide a mechanism for aggregating/partitioning sets of tasks,
+ and all their future children, into hierarchical groups with specialized
+ behaviour.
+ .
+ This PAM module will move a user session into an existing cgroup by attempting
+ to match uid and gid against the defined cgroup rules configuration.
+
+Package: cgroup-bin
+Section: admin
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Description: Tools to control and monitor control groups
+ Control Groups provide a mechanism for aggregating/partitioning sets of tasks,
+ and all their future children, into hierarchical groups with specialized
+ behaviour.
+ .
+ These tools help manipulate, control, administrate and monitor control groups
+ and the associated controllers.
--- libcgroup-0.36.2.orig/debian/README.source
+++ libcgroup-0.36.2/debian/README.source
@@ -0,0 +1,57 @@
+This package uses quilt to manage all modifications to the upstream
+source. Changes are stored in the source package as diffs in
+debian/patches and applied during the build.
+
+To configure quilt to use debian/patches instead of patches, you want
+either to export QUILT_PATCHES=debian/patches in your environment
+or use this snippet in your ~/.quiltrc:
+
+ for where in ./ ../ ../../ ../../../ ../../../../ ../../../../../; do
+ if [ -e ${where}debian/rules -a -d ${where}debian/patches ]; then
+ export QUILT_PATCHES=debian/patches
+ fi
+ done
+
+To get the fully patched source after unpacking the source package, cd to
+the root level of the source package and run:
+
+ quilt push -a
+
+The last patch listed in debian/patches/series will become the current
+patch.
+
+To add a new set of changes, first run quilt push -a, and then run:
+
+ quilt new
+
+where is a descriptive name for the patch, used as the filename in
+debian/patches. Then, for every file that will be modified by this patch,
+run:
+
+ quilt add
+
+before editing those files. You must tell quilt with quilt add what files
+will be part of the patch before making changes or quilt will not work
+properly. After editing the files, run:
+
+ quilt refresh
+
+to save the results as a patch.
+
+Alternately, if you already have an external patch and you just want to
+add it to the build system, run quilt push -a and then:
+
+ quilt import -P /path/to/patch
+ quilt push -a
+
+(add -p 0 to quilt import if needed). as above is the filename to
+use in debian/patches. The last quilt push -a will apply the patch to
+make sure it works properly.
+
+To remove an existing patch from the list of patches that will be applied,
+run:
+
+ quilt delete
+
+You may need to run quilt pop -a to unapply patches first before running
+this command.
--- libcgroup-0.36.2.orig/debian/rules
+++ libcgroup-0.36.2/debian/rules
@@ -0,0 +1,20 @@
+#!/usr/bin/make -f
+%:
+ dh --with quilt $@
+
+override_dh_auto_configure:
+ autoreconf --install --force
+ dh_auto_configure -- --libdir /lib
+
+override_dh_installinit:
+ cp scripts/init.d/cgconfig debian/cgroup-bin.cgconfig.init
+ cp scripts/init.d/cgred debian/cgroup-bin.cgred.init
+ dh_installinit --name cgconfig
+ dh_installinit --name cgred
+
+override_dh_install:
+ mv debian/tmp/lib/security/pam_cgroup.so.0.0.0 debian/tmp/lib/security/pam_cgroup.so
+ dh_install
+
+override_dh_makeshlibs:
+ dh_makeshlibs -X pam_cgroup.so
--- libcgroup-0.36.2.orig/debian/libcgroup1.install
+++ libcgroup-0.36.2/debian/libcgroup1.install
@@ -0,0 +1 @@
+lib/libcgroup.so.*
--- libcgroup-0.36.2.orig/debian/copyright
+++ libcgroup-0.36.2/debian/copyright
@@ -0,0 +1,121 @@
+This package was debianized by Jon Bernard on
+Wed, 12 Aug 2009 15:44:52 -0400.
+
+It was downloaded from http://downloads.sourceforge.net/sourceforge/libcg/
+
+Upstream Authors:
+
+ Dhaval Giani
+ Balbir Singh
+
+Copyright:
+
+ Copyright (C) 2007-2009 IBM Corporation
+ Copyright (C) 2008-2009 RedHat Inc.
+
+License:
+
+ This package is free software; you can redistribute it and/or modify it
+ under the terms of the GNU Lesser General Public License as published by
+ the Free Software Foundation; either version 2.1 of the License, or (at
+ your option) any later version.
+
+ This package is distributed in the hope that it will be useful, but WITHOUT
+ ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public
+ License for more details.
+
+ You should have received a copy of the GNU Lesser General Public License
+ along with this package; if not, write to the Free Software Foundation,
+ Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+
+On Debian systems, the complete text of the GNU Lesser General Public License
+version 2.1 can be found in `/usr/share/common-licenses/LGPL-2.1'.
+
+`src/parse.h' and `src/parse.c' are:
+
+ Copyright (C) 1984, 1989, 1990, 2000, 2001, 2002, 2003, 2004, 2005, 2006
+ Free Software Foundation, Inc.
+
+License:
+
+ This program is free software; you can redistribute it and/or modify it
+ under the terms of the GNU General Public License as published by the Free
+ Software Foundation; either version 2, or (at your option) any later
+ version.
+
+ This program is distributed in the hope that it will be useful, but WITHOUT
+ ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+ more details.
+
+ You should have received a copy of the GNU General Public License along
+ with this program; if not, write to the Free Software Foundation, Inc., 51
+ Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+ As a special exception, you may create a larger work that contains part or
+ all of the Bison parser skeleton and distribute that work under terms of
+ your choice, so long as that work isn't itself a parser generator using the
+ skeleton or a modified version thereof as a parser skeleton.
+ Alternatively, if you modify or redistribute the parser skeleton itself,
+ you may (at your option) remove this special exception, which will cause
+ the skeleton and the resulting Bison output files to be licensed under the
+ GNU General Public License without this special exception.
+
+ This special exception was added by the Free Software Foundation in version
+ 2.2 of Bison.
+
+These files are autogenerated by bison at build-time. As a result of the bison
+exception, the upstream authors wish to release these works under the GNU
+Lesser General Public License version 2.1.
+
+On Debian systems, the complete text of the GNU Lesser General Public License
+version 2.1 can be found in `/usr/share/common-licenses/LGPL-2.1'.
+
+`src/pam/pam_cgroup.c' is:
+
+ Copyright (C) 2008 Vivek Goyal
+ Copyright (C) 1996-1997 Cristian Gafton
+
+License:
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+ 1. Redistributions of source code must retain the above copyright notice,
+ and the entire permission notice in its entirety, including the
+ disclaimer of warranties.
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+ 3. The name of the author may not be used to endorse or promote products
+ derived from this software without specific prior written permission.
+
+ ALTERNATIVELY, this product may be distributed under the terms of the GNU
+ Public License, in which case the provisions of the GPL are required
+ INSTEAD OF the above restrictions. (This clause is necessary due to a
+ potential bad interaction between the GPL and the restrictions contained in
+ a BSD-style copyright.)
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+
+As a result of the dual license, the upstream authors wish to release this work
+under the GNU General Public License version 2.
+
+On Debian systems, the complete text of the GNU General Public License
+version 2 can be found in `/usr/share/common-licenses/GPL-2'.
+
+The Debian packaging is:
+
+ Copyright (C) 2009 Jon Bernard
+
+and is licensed under the GPL version 3, see
+`/usr/share/common-licenses/GPL-3'.
--- libcgroup-0.36.2.orig/debian/libcgroup-dev.install
+++ libcgroup-0.36.2/debian/libcgroup-dev.install
@@ -0,0 +1,3 @@
+usr/include
+lib/libcgroup.so
+lib/pkgconfig/libcgroup.pc /usr/lib/pkgconfig
--- libcgroup-0.36.2.orig/debian/watch
+++ libcgroup-0.36.2/debian/watch
@@ -0,0 +1,3 @@
+version=3
+
+http://sf.net/libcg/libcgroup-(?:v)?([\d\.]+)\.tar\.gz
--- libcgroup-0.36.2.orig/debian/cgroup-bin.install
+++ libcgroup-0.36.2/debian/cgroup-bin.install
@@ -0,0 +1,5 @@
+usr/bin
+usr/sbin
+usr/share/man
+samples/cgconfig.conf /etc
+samples/cgrules.conf /etc
--- libcgroup-0.36.2.orig/debian/cgroup-bin.cgred.default
+++ libcgroup-0.36.2/debian/cgroup-bin.cgred.default
@@ -0,0 +1,21 @@
+# /etc/default/cgred - CGroup Rules Engine Daemon configuration file
+#
+# The four options listed below (CONFIG_FILE, LOG_FILE, NODAEMON, LOG) are
+# the only valid ones. Defining anything else in this file will cause the
+# CGroup Rules Engine program to fail. So, don't do it.
+
+# The pathname to the configuration file for CGroup Rules Engine
+CONFIG_FILE="/etc/cgrules.conf"
+
+# Uncomment the following line to log to specified file instead of syslog
+#LOG_FILE="/var/log/cgrulesengd.log"
+
+# Uncomment the second line to run CGroup Rules Engine in non-daemon mode
+NODAEMON=""
+#NODAEMON="--nodaemon"
+
+# Uncomment the second line to disable logging for CGroup Rules Engine
+# Uncomment the third line to enable more verbose logging.
+LOG=""
+#LOG="--nolog"
+#LOG="-v"
--- libcgroup-0.36.2.orig/debian/clean
+++ libcgroup-0.36.2/debian/clean
@@ -0,0 +1,2 @@
+debian/cgroup-bin.cgconfig.init
+debian/cgroup-bin.cgred.init
--- libcgroup-0.36.2.orig/debian/compat
+++ libcgroup-0.36.2/debian/compat
@@ -0,0 +1 @@
+7
--- libcgroup-0.36.2.orig/debian/patches/cgred-initscript.diff
+++ libcgroup-0.36.2/debian/patches/cgred-initscript.diff
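Review bot: debian/watch points uscan at a plain `http://sf.net/...` URL and carries no signature option, so a new upstream tarball would be fetched and imported without any integrity check. If upstream publishes detached signatures (not visible from this diff), an `opts=pgpsigurlmangle=...` line together with the upstream signing key shipped in the source package lets uscan verify the download. Otherwise the tarball checksum should be compared against a value obtained out of band before it is imported.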
@@ -0,0 +1,90 @@
+# Description: Remove RedHat specific file paths and fix LSB headers
+# Author: Jon Bernard
+
+--- a/scripts/init.d/cgred.in
++++ b/scripts/init.d/cgred.in
+@@ -22,11 +22,11 @@
+ # pidfile: /var/run/cgred.pid
+ #
+ ### BEGIN INIT INFO
+-# Provides: cgrulesengd
+-# Required-Start: $local_fs $syslog $cgconfig
+-# Required-Stop: $local_fs $syslog
+-# Should-Start:
+-# Should-Stop:
++# Provides: cgred
++# Required-Start: $remote_fs $syslog cgconfig
++# Required-Stop: $remote_fs $syslog
++# Default-Start: 2 3 4 5
++# Default-Stop: 0 1 6
+ # Short-Description: start and stop the cgroups rules engine daemon
+ # Description: CGroup Rules Engine is a tool for automatically using \
+ # cgroups to classify processes
+@@ -39,12 +39,11 @@ CGRED_BIN=$sbindir/cgrulesengd
+ [ -x $CGRED_BIN ] || exit 1
+
+ # Source function library & LSB routines
+-. /etc/rc.d/init.d/functions
+ . /lib/lsb/init-functions
+
+ # Read in configuration options.
+-if [ -f "/etc/sysconfig/cgred.conf" ] ; then
+- . /etc/sysconfig/cgred.conf
++if [ -f "/etc/default/cgred" ] ; then
++ . /etc/default/cgred
+ OPTIONS="$NODAEMON $LOG"
+ if [ -n "$LOG_FILE" ]; then
+ OPTIONS="$OPTIONS --log-file=$LOG_FILE"
+@@ -63,14 +62,14 @@ RETVAL=0
+ start()
+ {
+ echo $"Starting CGroup Rules Engine Daemon..."
+- if [ -f "/var/lock/subsys/$servicename" ] ; then
++ if [ -f "/var/lock/$servicename" ] ; then
+ log_failure_msg "$servicename is already running with PID `cat ${pidfile}`"
+ return 1
+ fi
+- daemon --check $servicename --pidfile $pidfile $CGRED_BIN $OPTIONS
++ start_daemon -p $pidfile $CGRED_BIN $OPTIONS
+ RETVAL=$?
+ echo
+- [ $RETVAL -eq 0 ] && touch /var/lock/subsys/$servicename
++ [ $RETVAL -eq 0 ] && touch /var/lock/$servicename
+ echo "`pidof $processname`" > $pidfile
+ }
+
+@@ -81,7 +80,7 @@ stop()
+ RETVAL=$?
+ echo
+ if [ $RETVAL -eq 0 ] ; then
+- rm -f /var/lock/subsys/$servicename
++ rm -f /var/lock/$servicename
+ rm -f $pidfile
+ fi
+ log_success_msg
+@@ -96,21 +95,21 @@ case "$1" in
+ stop
+ ;;
+ status)
+- status -p $pidfile $processname
++ status_of_proc -p $pidfile $processname
+ RETVAL=$?
+ ;;
+- restart)
++ restart|force-reload)
+ stop
+ start
+ ;;
+ condrestart)
+- if [ -f /var/lock/subsys/$servicename ] ; then
++ if [ -f /var/lock/$servicename ] ; then
+ stop
+ start
+ fi
+ ;;
+ reload|flash)
+- if [ -f /var/lock/subsys/$servicename ] ; then
++ if [ -f /var/lock/$servicename ] ; then
+ echo $"Reloading rules configuration..."
+ kill -s 12 `cat ${pidfile}`
+ RETVAL=$?
--- libcgroup-0.36.2.orig/debian/patches/series
+++ libcgroup-0.36.2/debian/patches/series
@@ -0,0 +1,5 @@
+cgconfig-initscript.diff
+cgred-initscript.diff
+cgconfig-config.diff
+CVE-2011-1006.diff
+CVE-2011-1022.diff
--- libcgroup-0.36.2.orig/debian/patches/cgconfig-config.diff
+++ libcgroup-0.36.2/debian/patches/cgconfig-config.diff
@@ -0,0 +1,18 @@
+# Description: Use reasonable default settings at installation
+# Author: Jon Bernard
+
+--- a/samples/cgconfig.conf
++++ b/samples/cgconfig.conf
+@@ -42,7 +42,8 @@
+ # }
+ #}
+ #
+-#mount {
+-# cpu = /mnt/cgroups/cpu;
+-# cpuacct = /mnt/cgroups/cpuacct;
+-#}
++mount {
++ cpu = /mnt/cgroups/cpu;
++ cpuacct = /mnt/cgroups/cpuacct;
++ devices = /mnt/cgroups/devices;
++}
--- libcgroup-0.36.2.orig/debian/patches/CVE-2011-1006.diff
+++ libcgroup-0.36.2/debian/patches/CVE-2011-1006.diff
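Review bot: In debian/patches/cgred-initscript.diff the service state file moves from `/var/lock/subsys/$servicename` to `/var/lock/$servicename`, and on Debian `/var/lock` is normally a sticky, world-writable directory (mode 1777), so an unprivileged local user can create that name before the init script does. `start()` then refuses to launch the daemon because `[ -f "/var/lock/$servicename" ]` is already true, and the root-run `touch /var/lock/$servicename` would follow a symlink placed under that name. Keeping the flag in a root-only directory such as `/var/run`, or dropping it and relying on `start_daemon -p $pidfile` and `status_of_proc -p $pidfile` alone, avoids both problems. The same path change appears in the `start`, `stop`, `condrestart` and `status` hunks of debian/patches/cgconfig-initscript.diff, where a pre-existing file makes `start` return without configuring any cgroups and makes `status` print "Running".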
@@ -0,0 +1,58 @@
+From: Nelson Elhage
+Date: Thu, 17 Feb 2011 20:55:11 -0500
+Subject: cgrulesengd: Improve handling of out-of-memory.
+To: libcg-devel@lists.sourceforge.net
+
+Don't leak the old array if the allocation fails, and don't touch num_allocation
+if the allocation fails.
+
+Signed-off-by: Nelson Elhage
+---
+ src/daemon/cgrulesengd.c | 20 ++++++++++++--------
+ 1 files changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/src/daemon/cgrulesengd.c b/src/daemon/cgrulesengd.c
+index 1cf84ae..d78687c 100644
+--- a/src/daemon/cgrulesengd.c
++++ b/src/daemon/cgrulesengd.c
+@@ -161,13 +161,15 @@ static int cgre_store_parent_info(pid_t pid)
+ uptime_ns = ((__u64)tp.tv_sec * 1000 * 1000 * 1000 ) + tp.tv_nsec;
+
+ if (array_pi.index >= array_pi.num_allocation) {
+- array_pi.num_allocation += NUM_PER_REALLOCATIOM;
+- array_pi.parent_info = realloc(array_pi.parent_info,
+- sizeof(info) * array_pi.num_allocation);
+- if (!array_pi.parent_info) {
++ int alloc = array_pi.num_allocation + NUM_PER_REALLOCATIOM;
++ void *new_array = realloc(array_pi.parent_info,
++ sizeof(info) * alloc);
++ if (!new_array) {
+ flog(LOG_WARNING, "Failed to allocate memory");
+ return 1;
+ }
++ array_pi.parent_info = new_array;
++ array_pi.num_allocation = alloc;
+ }
+ info = calloc(1, sizeof(struct parent_info));
+ if (!info) {
+@@ -246,13 +248,15 @@ static int cgre_store_unchanged_process(pid_t pid, int flags)
+ return 0;
+ }
+ if (array_unch.index >= array_unch.num_allocation) {
+- array_unch.num_allocation += NUM_PER_REALLOCATIOM;
+- array_unch.proc = realloc(array_unch.proc,
+- sizeof(unchanged_pid_t) * array_unch.num_allocation);
+- if (!array_unch.proc) {
++ int alloc = array_unch.num_allocation + NUM_PER_REALLOCATIOM;
++ void *new_array = realloc(array_unch.proc,
++ sizeof(unchanged_pid_t) * alloc);
++ if (!new_array) {
+ flog(LOG_WARNING, "Failed to allocate memory");
+ return 1;
+ }
++ array_unch.proc = new_array;
++ array_unch.num_allocation = alloc;
+ }
+ array_unch.proc[array_unch.index].pid = pid;
+ array_unch.proc[array_unch.index].flags = flags;
+--
--- libcgroup-0.36.2.orig/debian/patches/CVE-2011-1022.diff
+++ libcgroup-0.36.2/debian/patches/CVE-2011-1022.diff
@@ -0,0 +1,47 @@
+From: Nelson Elhage
+Date: Thu, 17 Feb 2011 20:55:12 -0500
+Subject: cgrulesengd: Ignore netlink messages that don't come from the kernel.
+To: libcg-devel@lists.sourceforge.net
+
+recvfrom() returns the address, it doesn't filter the packet based on the
+sender. We need to explicitly check the received address after the call happens.
+
+Signed-off-by: Nelson Elhage
+---
+ src/daemon/cgrulesengd.c | 11 ++++-------
+ 1 files changed, 4 insertions(+), 7 deletions(-)
+
+diff --git a/src/daemon/cgrulesengd.c b/src/daemon/cgrulesengd.c
+index c65908a..1cf84ae 100644
+--- a/src/daemon/cgrulesengd.c
++++ b/src/daemon/cgrulesengd.c
+@@ -481,17 +481,10 @@ static int cgre_receive_netlink_msg(int sk_nl)
+ struct sockaddr_nl from_nla;
+ socklen_t from_nla_len;
+ struct nlmsghdr *nlh;
+- struct sockaddr_nl kern_nla;
+ struct cn_msg *cn_hdr;
+
+- kern_nla.nl_family = AF_NETLINK;
+- kern_nla.nl_groups = CN_IDX_PROC;
+- kern_nla.nl_pid = 1;
+- kern_nla.nl_pad = 0;
+-
+ memset(buff, 0, sizeof(buff));
+ from_nla_len = sizeof(from_nla);
+- memcpy(&from_nla, &kern_nla, sizeof(from_nla));
+ recv_len = recvfrom(sk_nl, buff, sizeof(buff), 0,
+ (struct sockaddr *)&from_nla, &from_nla_len);
+ if (recv_len == ENOBUFS) {
+@@ -501,6 +494,10 @@ static int cgre_receive_netlink_msg(int sk_nl)
+ if (recv_len < 1)
+ return 0;
+
++ if (from_nla.nl_groups != CN_IDX_PROC
++ || from_nla.nl_pid != 0)
++ return 0;
++
+ nlh = (struct nlmsghdr *)buff;
+ while (NLMSG_OK(nlh, recv_len)) {
+ cn_hdr = NLMSG_DATA(nlh);
+--
--- libcgroup-0.36.2.orig/debian/patches/cgconfig-initscript.diff
+++ libcgroup-0.36.2/debian/patches/cgconfig-initscript.diff
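Review bot: Nothing in debian/patches/CVE-2011-1006.diff ties the change to the CVE in its file name: the Subject reads "Improve handling of out-of-memory" and both hunks only rework the `realloc()` failure path in src/daemon/cgrulesengd.c. As far as I recall, the public description of that CVE concerns a heap overflow in command-line controller-list parsing rather than this daemon path, so the backport may be mislabelled or incomplete; this should be checked against the advisory and the upstream commit recorded in the patch header. The index lines (`1cf84ae..d78687c` here, `c65908a..1cf84ae` in CVE-2011-1022.diff) also suggest upstream applied the netlink patch first, whereas debian/patches/series lists this one first.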
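Review bot: In debian/patches/CVE-2011-1022.diff, with `memcpy(&from_nla, &kern_nla, ...)` removed, `from_nla` is read by the new sender check without ever being initialised in this function, so the check relies on `recvfrom()` having filled the whole structure. Zeroing it first and validating the returned length and family makes that explicit: `memset(&from_nla, 0, sizeof(from_nla));` before the call, and `if (from_nla_len != sizeof(from_nla) || from_nla.nl_family != AF_NETLINK) return 0;` ahead of the `nl_groups`/`nl_pid` test. The context line `if (recv_len == ENOBUFS)` compares a byte count with an errno value; `recvfrom()` reports failure as -1 with `errno` set, so that branch probably wants `recv_len < 0 && errno == ENOBUFS`. The function body continues outside the hunk, so the per-message length handling inside the `NLMSG_OK` loop is not visible here.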
@@ -0,0 +1,88 @@
+# Description: Remove RedHat specific file paths and fix LSB headers
+# Author: Jon Bernard
+
+--- a/scripts/init.d/cgconfig.in
++++ b/scripts/init.d/cgconfig.in
+@@ -21,10 +21,10 @@
+
+ ### BEGIN INIT INFO
+ # Provides: cgconfig
+-# Required-Start:
+-# Required-Stop:
+-# Should-Start:
+-# Should-Stop:
++# Required-Start: $remote_fs $syslog
++# Required-Stop: $remote_fs $syslog
++# Default-Start: 2 3 4 5
++# Default-Stop: 0 1 6
+ # Short-Description: start and stop the WLM configuration
+ # Description: This script allows us to create a default configuration
+ ### END INIT INFO
+@@ -48,8 +48,8 @@ servicename=cgconfig
+
+ # read the config
+ CREATE_DEFAULT=yes
+-if [ -e /etc/sysconfig/cgconfig ]; then
+- . /etc/sysconfig/cgconfig
++if [ -e /etc/default/cgconfig ]; then
++ . /etc/default/cgconfig
+ fi
+
+ create_default_groups() {
+@@ -104,7 +104,7 @@ create_default_groups() {
+
+ start() {
+ echo -n "Starting cgconfig service: "
+- if [ -f /var/lock/subsys/$servicename ]
++ if [ -f /var/lock/$servicename ]
+ then
+ log_warning_msg "lock file already exists"
+ return
+@@ -125,11 +125,11 @@ start() {
+ create_default_groups
+ fi
+
+- touch /var/lock/subsys/$servicename
++ touch /var/lock/$servicename
+ retval=$?
+ if [ $retval -ne 0 ]
+ then
+- log_failure_msg "Failed to touch " /var/lock/subsys/$servicename
++ log_failure_msg "Failed to touch " /var/lock/$servicename
+ return $retval
+ fi
+ log_success_msg
+@@ -139,7 +139,7 @@ start() {
+ stop() {
+ echo -n "Stopping cgconfig service: "
+ cgclear
+- rm -f /var/lock/subsys/$servicename
++ rm -f /var/lock/$servicename
+ log_success_msg
+ }
+
+@@ -174,7 +174,7 @@ case $1 in
+ common
+ start;
+ ;;
+- 'restart')
++ 'restart'|'force-reload')
+ common
+ stop
+ start
+@@ -185,13 +185,13 @@ case $1 in
+ start
+ ;;
+ 'condrestart')
+- if [ -f /var/lock/subsys/$servicename ] ; then
++ if [ -f /var/lock/$servicename ] ; then
+ stop
+ start
+ fi
+ ;;
+ 'status')
+- if [ -f /var/lock/subsys/$servicename ] ; then
++ if [ -f /var/lock/$servicename ] ; then
+ echo "Running"
+ else
+ echo "Stopped"