From 5f6468a5a3c8b8386c3384fbe9373fa378f6dc37 Mon Sep 17 00:00:00 2001 From: Andrew Ross Date: Sat, 27 Jan 2007 07:44:34 +0000 Subject: [PATCH] Security fixes: CVE-2005-4352 (bug #158792), CVE-2006-4572 (bug #154327), CVE-2006-5619 (bug #154323), CVE-2006-6056 (bug #158786), CVE-2006-6060 (bug #155769) and dvb-core (bug #144870). Package-Manager: portage-2.1.1-r2 --- sys-kernel/xen-sources/ChangeLog | 14 +- sys-kernel/xen-sources/Manifest | 40 +++- .../xen-sources/files/CVE-2005-4352.patch | 11 ++ .../xen-sources/files/CVE-2006-4572.patch | 185 ++++++++++++++++++ .../xen-sources/files/CVE-2006-5619.patch | 11 ++ .../xen-sources/files/CVE-2006-6056.patch | 61 ++++++ .../xen-sources/files/CVE-2006-6060.patch | 40 ++++ .../files/digest-xen-sources-2.6.16.28-r2 | 9 + .../xen-sources/files/dvb-core-ule-sndu.patch | 11 ++ .../xen-sources-2.6.16.28-r2.ebuild | 27 +++ 10 files changed, 403 insertions(+), 6 deletions(-) create mode 100644 sys-kernel/xen-sources/files/CVE-2005-4352.patch create mode 100644 sys-kernel/xen-sources/files/CVE-2006-4572.patch create mode 100644 sys-kernel/xen-sources/files/CVE-2006-5619.patch create mode 100644 sys-kernel/xen-sources/files/CVE-2006-6056.patch create mode 100644 sys-kernel/xen-sources/files/CVE-2006-6060.patch create mode 100644 sys-kernel/xen-sources/files/digest-xen-sources-2.6.16.28-r2 create mode 100644 sys-kernel/xen-sources/files/dvb-core-ule-sndu.patch create mode 100644 sys-kernel/xen-sources/xen-sources-2.6.16.28-r2.ebuild diff --git a/sys-kernel/xen-sources/ChangeLog b/sys-kernel/xen-sources/ChangeLog index 32fd570db7d6..2b97d8126ca9 100644 --- a/sys-kernel/xen-sources/ChangeLog +++ b/sys-kernel/xen-sources/ChangeLog 
@@ -1,6 +1,16 @@ # ChangeLog for sys-kernel/xen-sources -# Copyright 1999-2006 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/sys-kernel/xen-sources/ChangeLog,v 1.36 2006/12/16 03:55:01 aross Exp $ +# Copyright 1999-2007 Gentoo Foundation; Distributed under the GPL v2 +# $Header: /var/cvsroot/gentoo-x86/sys-kernel/xen-sources/ChangeLog,v 1.37 2007/01/27 07:44:34 aross Exp $ + +*xen-sources-2.6.16.28-r2 (27 Jan 2007) + + 27 Jan 2007; Andrew Ross +files/CVE-2005-4352.patch, + +files/CVE-2006-4572.patch, +files/CVE-2006-5619.patch, + +files/CVE-2006-6056.patch, +files/CVE-2006-6060.patch, + +files/dvb-core-ule-sndu.patch, +xen-sources-2.6.16.28-r2.ebuild: + Security fixes: CVE-2005-4352 (bug #158792), CVE-2006-4572 (bug #154327), + CVE-2006-5619 (bug #154323), CVE-2006-6056 (bug #158786), CVE-2006-6060 (bug + #155769) and dvb-core (bug #144870) *xen-sources-2.6.16.28-r1 (16 Dec 2006) diff --git a/sys-kernel/xen-sources/Manifest b/sys-kernel/xen-sources/Manifest index 44c3c95465c1..56ba697bf360 100644 --- a/sys-kernel/xen-sources/Manifest +++ b/sys-kernel/xen-sources/Manifest 
@@ -1,3 +1,27 @@ +AUX CVE-2005-4352.patch 391 RMD160 b07dea8156cb170b108120650034b4fcaf1f3077 SHA1 674f939f044d305f1973648420cc24d2e830fc7a SHA256 a4952a6c668cf28254d636e7c40ac8d83caa882bf952bcc0996d8035644318fb +MD5 47fa422c2de58b41190cd0cbf9964e05 files/CVE-2005-4352.patch 391 +RMD160 b07dea8156cb170b108120650034b4fcaf1f3077 files/CVE-2005-4352.patch 391 +SHA256 a4952a6c668cf28254d636e7c40ac8d83caa882bf952bcc0996d8035644318fb files/CVE-2005-4352.patch 391 +AUX CVE-2006-4572.patch 6223 RMD160 188e61fcf35ecf7ed78532b4eed1403d1e56ed15 SHA1 84fa7d17b7623a0b7641574715f67997cd50c68c SHA256 3869f6a119c922ac96cee82a93ea55adfd72e745f4313dfad784b41448071c19 +MD5 2a988d3d54c2e8512d1119c4570396de files/CVE-2006-4572.patch 6223 +RMD160 188e61fcf35ecf7ed78532b4eed1403d1e56ed15 files/CVE-2006-4572.patch 6223 +SHA256 3869f6a119c922ac96cee82a93ea55adfd72e745f4313dfad784b41448071c19 files/CVE-2006-4572.patch 6223 +AUX CVE-2006-5619.patch 285 RMD160 a0c30a9e43ae478f1c79b0a701857c19752b93c7 SHA1 44cc23ce75be081e15244fcddabc512f106fff40 SHA256 a6a5245f75b03ce4e9368078d8a94f46ede690ab4945ebb7fd0e6164c720765f +MD5 c5c16a65bbd81c36858aa0542f7707a5 files/CVE-2006-5619.patch 285 +RMD160 a0c30a9e43ae478f1c79b0a701857c19752b93c7 files/CVE-2006-5619.patch 285 +SHA256 a6a5245f75b03ce4e9368078d8a94f46ede690ab4945ebb7fd0e6164c720765f files/CVE-2006-5619.patch 285 +AUX CVE-2006-6056.patch 1945 RMD160 53d08f0519ae52dceb34676bb96db50aae17486c SHA1 24295b88daa088b31c37669d9533d12233887ae4 SHA256 fc4fbfc040645670292e5066d164f13d8fc27780f4eba5dd965a8d52a4651042 +MD5 5e9bbd6326e6aa29e2b9c03171c75d72 files/CVE-2006-6056.patch 1945 +RMD160 53d08f0519ae52dceb34676bb96db50aae17486c files/CVE-2006-6056.patch 1945 +SHA256 fc4fbfc040645670292e5066d164f13d8fc27780f4eba5dd965a8d52a4651042 files/CVE-2006-6056.patch 1945 +AUX CVE-2006-6060.patch 1009 RMD160 cbca5269ae092df03ac4264713b089d5bd21f4ed SHA1 10189c5167ec9f562493d3a8a807b43d40d3bd4a SHA256 
e1100a17c22066e783902de9171903ea39c6bcb8749eeced4617f65ff3ac99f1 +MD5 dc98940f230020a2011a70b230354d0f files/CVE-2006-6060.patch 1009 +RMD160 cbca5269ae092df03ac4264713b089d5bd21f4ed files/CVE-2006-6060.patch 1009 +SHA256 e1100a17c22066e783902de9171903ea39c6bcb8749eeced4617f65ff3ac99f1 files/CVE-2006-6060.patch 1009 +AUX dvb-core-ule-sndu.patch 521 RMD160 eb2bf2eda731bb950e7a0193a91da5e1a66026d9 SHA1 f2085d9af6b522c1550368bf4fc62975f443ec28 SHA256 753d0cb8b908ef2dded700ec93ea8356a00f1ffe52f6d969af82f71df2c3cfc2 +MD5 65d3a003106b0562faf7fca509a37f33 files/dvb-core-ule-sndu.patch 521 +RMD160 eb2bf2eda731bb950e7a0193a91da5e1a66026d9 files/dvb-core-ule-sndu.patch 521 +SHA256 753d0cb8b908ef2dded700ec93ea8356a00f1ffe52f6d969af82f71df2c3cfc2 files/dvb-core-ule-sndu.patch 521 AUX xen-sources-2.6.16.28-CVE-2006-3468.patch 3700 RMD160 6f4f016f1e8586384824803228729490e15478c4 SHA1 8409d2d61224c3ca6c8341baed9de4a0e28bb04b SHA256 235e7d34d6545480e6fa1e1e190860ed2c081d7890bb6532c0aad2d973084fdc MD5 07597cf53abbd6bf2a90bba4c514a8fb files/xen-sources-2.6.16.28-CVE-2006-3468.patch 3700 RMD160 6f4f016f1e8586384824803228729490e15478c4 files/xen-sources-2.6.16.28-CVE-2006-3468.patch 3700 
@@ -9,18 +33,23 @@ SHA256 ff0c2e31316fd9f33fea8a40349733ce2e307838b78cf9a2c9a95495e185a855 files/xe DIST linux-2.6.16.tar.bz2 40845005 RMD160 af5c2f55733fadd2fdf8b00da55e7b31d516d4e8 SHA1 bef21cd5063a648f33a99a26f4742dd05eb4dca2 SHA256 1200dcc7e60fcdaf68618dba991917a47e41e67099e8b22143976ec972e2cad7 DIST patch-2.6.16.28.bz2 76693 RMD160 5235c0b5f9665a279f5bf5d42f942cef215e822f SHA1 7b1d450cf300ec6788919e4b5601389e258d28cc SHA256 6b05fd7121a86a5a6cfd0177200259eeb9a3d276a3cb16ba8cf2acdd747fa6be DIST xen-3.0.2-src.tgz 4933621 RMD160 34e4431a981891319f8a5ea0c3f604e7d8d7d7af SHA1 b7e797048b516f8b385afd3da9ae2eded1b8033a SHA256 f18ffab16a457fa721d11933c75f8288f6958c88c2669857c7c11d5107ba2951 +DIST xen-sources-2.6.16.28-3.0.2.patch.bz2 467924 RMD160 8b62dc416b08e4ef4a10add18b3287eef856c613 SHA1 56ae78337b7754031aa82cf64b277ff6e320f5a0 SHA256 0f3400e1c877b765fc62453664b80cf2e51002299476d532fe8f6af6db0fdb99 EBUILD xen-sources-2.6.16.28-r1.ebuild 1617 RMD160 6f916500b3f8b0127d57fced94c8fbbc515e3374 SHA1 7f9f57a0a7b9c0d1c629e7d086bfcef21496e4f9 SHA256 72332a391cff4553dc0f4da8d85f3204b310ab5660d46181f0d3349501bc99d9 MD5 29d2470766f3717e27ef32f61422fe23 xen-sources-2.6.16.28-r1.ebuild 1617 RMD160 6f916500b3f8b0127d57fced94c8fbbc515e3374 xen-sources-2.6.16.28-r1.ebuild 1617 SHA256 72332a391cff4553dc0f4da8d85f3204b310ab5660d46181f0d3349501bc99d9 xen-sources-2.6.16.28-r1.ebuild 1617 +EBUILD xen-sources-2.6.16.28-r2.ebuild 894 RMD160 9806044184bb7196e0f43171b6554d9565cdd4ec SHA1 22f16d46b752b7c0f6488ee1211fbbe09009f18f SHA256 80f0fb0985bdea1416e8f9523680f9809a5373573a9419cf6f4160bb1920c8c1 +MD5 a396b3c7d91c019451119f3e33765041 xen-sources-2.6.16.28-r2.ebuild 894 +RMD160 9806044184bb7196e0f43171b6554d9565cdd4ec xen-sources-2.6.16.28-r2.ebuild 894 +SHA256 80f0fb0985bdea1416e8f9523680f9809a5373573a9419cf6f4160bb1920c8c1 xen-sources-2.6.16.28-r2.ebuild 894 EBUILD xen-sources-2.6.16.28.ebuild 1612 RMD160 e10fd59aae61b3c1c1d256053c166b47b7f575c7 SHA1 
afad39fe7539a2796593edc95be1d498be995ff8 SHA256 1579641cae4d4e6cf4ce1c11f4b860b36d2b01ae81ea2ae64e49eb1decb7804c MD5 cdd1574a18b704893fa9dee6e63e59a9 xen-sources-2.6.16.28.ebuild 1612 RMD160 e10fd59aae61b3c1c1d256053c166b47b7f575c7 xen-sources-2.6.16.28.ebuild 1612 SHA256 1579641cae4d4e6cf4ce1c11f4b860b36d2b01ae81ea2ae64e49eb1decb7804c xen-sources-2.6.16.28.ebuild 1612 -MISC ChangeLog 6043 RMD160 bbcfb377cc5666cc3ea865e42567c9fdd82a34f9 SHA1 b57d2dadc0f795bb859b7ba0b0daac25ffb82118 SHA256 b0474c2ccd1f27707a3fd06fdf6e2f6e639bee6265b5b9fe7ff469b3ba6c11d3 -MD5 a1197d40eb0160070c369790e263592d ChangeLog 6043 -RMD160 bbcfb377cc5666cc3ea865e42567c9fdd82a34f9 ChangeLog 6043 -SHA256 b0474c2ccd1f27707a3fd06fdf6e2f6e639bee6265b5b9fe7ff469b3ba6c11d3 ChangeLog 6043 +MISC ChangeLog 6536 RMD160 8b62cbeb347332fc0c72503066c7d09b354312b9 SHA1 4bb641adaddbfd5aef8016dbbb4eba3a4f6c3050 SHA256 e433ffda58ef920e34b44083627fc7bf65ee049e925aef9e4fdfc88ff67d3b77 +MD5 33f7e63ab31acfd2092c8e8283add39f ChangeLog 6536 +RMD160 8b62cbeb347332fc0c72503066c7d09b354312b9 ChangeLog 6536 +SHA256 e433ffda58ef920e34b44083627fc7bf65ee049e925aef9e4fdfc88ff67d3b77 ChangeLog 6536 MISC metadata.xml 156 RMD160 bb062b1ba5554779dcfd0e73baf533ce9fbcdf68 SHA1 e6da014f2004758c7a806592ef9450489eebf593 SHA256 4a030777459245372bda9f7925f3a5ed3ef2b29b77e1a2971f3400ac2059b1e2 MD5 559b4095659a2a2a489784de8a6ef95e metadata.xml 156 RMD160 bb062b1ba5554779dcfd0e73baf533ce9fbcdf68 metadata.xml 156 
@@ -31,3 +60,6 @@ SHA256 432b14d8eb07be2c7b17c028a5724598eae329997631a5bd3cee8251eec694bb files/di MD5 577d28e423cb641a10a19426dd7d4b75 files/digest-xen-sources-2.6.16.28-r1 717 RMD160 733fddcdf423e30d8e952092cf4d2d2b8ecae621 files/digest-xen-sources-2.6.16.28-r1 717 SHA256 432b14d8eb07be2c7b17c028a5724598eae329997631a5bd3cee8251eec694bb files/digest-xen-sources-2.6.16.28-r1 717 +MD5 e2dae1c1afad19bc2176f26ce227e357 files/digest-xen-sources-2.6.16.28-r2 774 +RMD160 09ae69cf9d8371ce2c029550634638bc90c97aea files/digest-xen-sources-2.6.16.28-r2 774 +SHA256 762405cda08757f9ac33201f825a9997a64a4aef2daf78afc9890e2a10c520fc files/digest-xen-sources-2.6.16.28-r2 774
diff --git a/sys-kernel/xen-sources/files/CVE-2005-4352.patch b/sys-kernel/xen-sources/files/CVE-2005-4352.patch
new file mode 100644
index 000000000000..427d4cff3c2e
--- /dev/null
+++ b/sys-kernel/xen-sources/files/CVE-2005-4352.patch
@@ -0,0 +1,11 @@
+--- security/seclvl.c-original 2007-01-27 14:14:55.000000000 +1100
++++ security/seclvl.c 2007-01-27 14:16:12.000000000 +1100
+@@ -381,6 +381,8 @@
+ current->group_leader->pid);
+ return -EPERM;
+ } /* if attempt to decrement time */
++ if (tv->tv_sec > 1924988400) /* disallow dates after 2030) */
++ return -EPERM; /* CVE-2005-4352 */
+ } /* if seclvl > 1 */
+ return 0;
+ }
diff --git a/sys-kernel/xen-sources/files/CVE-2006-4572.patch b/sys-kernel/xen-sources/files/CVE-2006-4572.patch
new file mode 100644
index 000000000000..df46a7059260
--- /dev/null
+++ b/sys-kernel/xen-sources/files/CVE-2006-4572.patch
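Review bot: The new ceiling in files/CVE-2005-4352.patch, `if (tv->tv_sec > 1924988400)`, is an unexplained absolute constant and the refusal is silent, whereas the branch just above it appears to log the caller's pid before returning -EPERM. 1924988400 is 2030-12-31 23:00:00 UTC, so the "after 2030" in the comment only holds in a UTC+1 zone, and once the real clock passes that instant any attempt to set the current time at seclvl > 1 will be refused. I would give the limit a name that states its timezone, fix the stray `)` in `/* disallow dates after 2030) */`, and emit a warning on this path in the same form as the decrement case so a rejected attempt leaves an audit trail. The enclosing function starts outside the hunk, so the exact logging call has to be taken from there.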
@@ -0,0 +1,185 @@
+From: Patrick McHardy
+Date: Sun, 5 Nov 2006 08:04:23 +0000 (+0100)
+Subject: [NETFILTER]: Fix ip6_tables extension header bypass bug (CVE-2006-4572)
+X-Git-Tag: v2.6.16.31-rc1^0~1
+X-Git-Url: http://www.kernel.org/git/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6.16.y.git;a=commitdiff_plain;h=0ddfcc96928145d6a6425fdd26dad6abfe7f891d;hp=6ac62be885810e1f8390f0c3b9d3ee451d3d3f19
+
+[NETFILTER]: Fix ip6_tables extension header bypass bug (CVE-2006-4572)
+
+As reported by Mark Dowd , ip6_tables is susceptible
+to a fragmentation attack causing false negatives on extension header
+matches.
+
+When extension headers occur in the non-first fragment after the fragment
+header (possibly with an incorrect nexthdr value in the fragment header)
+a rule looking for this extension header will never match.
+
+Drop fragments that are at offset 0 and don't contain the final protocol
+header regardless of the ruleset, since this should not happen normally.
+Since all extension headers are before the protocol header this makes sure
+an extension header is either not present or in the first fragment, where
+we can properly parse it.
+
+With help from Yasuyuki KOZAKAI .
+
+Signed-off-by: Patrick McHardy
+Signed-off-by: Adrian Bunk
+---
+
+diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
+index a3e3da1..e2bb9ac 100644
+--- a/net/ipv6/netfilter/ip6_tables.c
++++ b/net/ipv6/netfilter/ip6_tables.c
+@@ -1447,6 +1447,9 @@ static void __exit fini(void)
+ * If target header is found, its offset is set in *offset and return protocol
+ * number. Otherwise, return -1.
+ *
++ * If the first fragment doesn't contain the final protocol header or
++ * NEXTHDR_NONE it is considered invalid.
++ *
+ * Note that non-1st fragment is special case that "the protocol number
+ * of last header" is "next header" field in Fragment header. In this case,
+ * *offset is meaningless and fragment offset is stored in *fragoff if fragoff
+@@ -1470,12 +1473,12 @@ int ipv6_find_hdr(const struct sk_buff *skb, unsigned int *offset,
+ if ((!ipv6_ext_hdr(nexthdr)) || nexthdr == NEXTHDR_NONE) {
+ if (target < 0)
+ break;
+- return -1;
++ return -ENOENT;
+ }
+
+ hp = skb_header_pointer(skb, start, sizeof(_hdr), &_hdr);
+ if (hp == NULL)
+- return -1;
++ return -EBADMSG;
+ if (nexthdr == NEXTHDR_FRAGMENT) {
+ unsigned short _frag_off, *fp;
+ fp = skb_header_pointer(skb,
+@@ -1484,7 +1487,7 @@ int ipv6_find_hdr(const struct sk_buff *skb, unsigned int *offset,
+ sizeof(_frag_off),
+ &_frag_off);
+ if (fp == NULL)
+- return -1;
++ return -EBADMSG;
+
+ _frag_off = ntohs(*fp) & ~0x7;
+ if (_frag_off) {
+@@ -1495,7 +1498,7 @@ int ipv6_find_hdr(const struct sk_buff *skb, unsigned int *offset,
+ *fragoff = _frag_off;
+ return hp->nexthdr;
+ }
+- return -1;
++ return -ENOENT;
+ }
+ hdrlen = 8;
+ } else if (nexthdr == NEXTHDR_AUTH)
+diff --git a/net/ipv6/netfilter/ip6t_ah.c b/net/ipv6/netfilter/ip6t_ah.c
+index 219a303..002b8a1 100644
+--- a/net/ipv6/netfilter/ip6t_ah.c
++++ b/net/ipv6/netfilter/ip6t_ah.c
+@@ -53,9 +53,14 @@ match(const struct sk_buff *skb,
+ const struct ip6t_ah *ahinfo = matchinfo;
+ unsigned int ptr;
+ unsigned int hdrlen = 0;
++ int err;
+
+- if (ipv6_find_hdr(skb, &ptr, NEXTHDR_AUTH, NULL) < 0)
++ err = ipv6_find_hdr(skb, &ptr, NEXTHDR_AUTH, NULL);
++ if (err < 0) {
++ if (err != -ENOENT)
++ *hotdrop = 1;
+ return 0;
++ }
+
+ ah = skb_header_pointer(skb, ptr, sizeof(_ah), &_ah);
+ if (ah == NULL) {
+diff --git a/net/ipv6/netfilter/ip6t_dst.c b/net/ipv6/netfilter/ip6t_dst.c
+index b4c153a..2441228 100644
+--- a/net/ipv6/netfilter/ip6t_dst.c
++++ b/net/ipv6/netfilter/ip6t_dst.c
+@@ -69,13 +69,18 @@ match(const struct sk_buff *skb,
+ u8 _opttype, *tp = NULL;
+ u8 _optlen, *lp = NULL;
+ unsigned int optlen;
++ int err;
+
+ #if HOPBYHOP
+- if (ipv6_find_hdr(skb, &ptr, NEXTHDR_HOP, NULL) < 0)
++ err = ipv6_find_hdr(skb, &ptr, NEXTHDR_HOP, NULL);
+ #else
+- if (ipv6_find_hdr(skb, &ptr, NEXTHDR_DEST, NULL) < 0)
++ err = ipv6_find_hdr(skb, &ptr, NEXTHDR_DEST, NULL);
+ #endif
++ if (err < 0) {
++ if (err != -ENOENT)
++ *hotdrop = 1;
+ return 0;
++ }
+
+ oh = skb_header_pointer(skb, ptr, sizeof(_optsh), &_optsh);
+ if (oh == NULL) {
+diff --git a/net/ipv6/netfilter/ip6t_frag.c b/net/ipv6/netfilter/ip6t_frag.c
+index 4c14125..185f583 100644
+--- a/net/ipv6/netfilter/ip6t_frag.c
++++ b/net/ipv6/netfilter/ip6t_frag.c
+@@ -51,9 +51,14 @@ match(const struct sk_buff *skb,
+ struct frag_hdr _frag, *fh;
+ const struct ip6t_frag *fraginfo = matchinfo;
+ unsigned int ptr;
++ int err;
+
+- if (ipv6_find_hdr(skb, &ptr, NEXTHDR_FRAGMENT, NULL) < 0)
++ err = ipv6_find_hdr(skb, &ptr, NEXTHDR_FRAGMENT, NULL);
++ if (err < 0) {
++ if (err != -ENOENT)
++ *hotdrop = 1;
+ return 0;
++ }
+
+ fh = skb_header_pointer(skb, ptr, sizeof(_frag), &_frag);
+ if (fh == NULL) {
+diff --git a/net/ipv6/netfilter/ip6t_hbh.c b/net/ipv6/netfilter/ip6t_hbh.c
+index 37a8474..af56eaf 100644
+--- a/net/ipv6/netfilter/ip6t_hbh.c
++++ b/net/ipv6/netfilter/ip6t_hbh.c
+@@ -69,13 +69,18 @@ match(const struct sk_buff *skb,
+ u8 _opttype, *tp = NULL;
+ u8 _optlen, *lp = NULL;
+ unsigned int optlen;
++ int err;
+
+ #if HOPBYHOP
+- if (ipv6_find_hdr(skb, &ptr, NEXTHDR_HOP, NULL) < 0)
++ err = ipv6_find_hdr(skb, &ptr, NEXTHDR_HOP, NULL);
+ #else
+- if (ipv6_find_hdr(skb, &ptr, NEXTHDR_DEST, NULL) < 0)
++ err = ipv6_find_hdr(skb, &ptr, NEXTHDR_DEST, NULL);
+ #endif
++ if (err < 0) {
++ if (err != -ENOENT)
++ *hotdrop = 1;
+ return 0;
++ }
+
+ oh = skb_header_pointer(skb, ptr, sizeof(_optsh), &_optsh);
+ if (oh == NULL) {
+diff --git a/net/ipv6/netfilter/ip6t_rt.c b/net/ipv6/netfilter/ip6t_rt.c
+index 8f82476..537b311 100644
+--- a/net/ipv6/netfilter/ip6t_rt.c
++++ b/net/ipv6/netfilter/ip6t_rt.c
+@@ -57,9 +57,14 @@ match(const struct sk_buff *skb,
+ unsigned int hdrlen = 0;
+ unsigned int ret = 0;
+ struct in6_addr *ap, _addr;
++ int err;
+
+- if (ipv6_find_hdr(skb, &ptr, NEXTHDR_ROUTING, NULL) < 0)
++ err = ipv6_find_hdr(skb, &ptr, NEXTHDR_ROUTING, NULL);
++ if (err < 0) {
++ if (err != -ENOENT)
++ *hotdrop = 1;
+ return 0;
++ }
+
+ rh = skb_header_pointer(skb, ptr, sizeof(_route), &_route);
+ if (rh == NULL) {
diff --git a/sys-kernel/xen-sources/files/CVE-2006-5619.patch b/sys-kernel/xen-sources/files/CVE-2006-5619.patch
new file mode 100644
index 000000000000..9e7a51122ab2
--- /dev/null
+++ b/sys-kernel/xen-sources/files/CVE-2006-5619.patch
@@ -0,0 +1,11 @@
+--- net/ipv6/ip6_flowlabel.c-original 2007-01-27 15:31:44.000000000 +1100
++++ net/ipv6/ip6_flowlabel.c 2007-01-27 15:32:16.000000000 +1100
+@@ -589,6 +589,8 @@
+ while (!fl) {
+ if (++state->bucket <= FL_HASH_MASK)
+ fl = fl_ht[state->bucket];
++ else
++ break;
+ }
+ return fl;
+ }
diff --git a/sys-kernel/xen-sources/files/CVE-2006-6056.patch b/sys-kernel/xen-sources/files/CVE-2006-6056.patch
new file mode 100644
index 000000000000..2706315876b2
--- /dev/null
+++ b/sys-kernel/xen-sources/files/CVE-2006-6056.patch
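Review bot: The header comment of ipv6_find_hdr() in the ip6_tables.c part of files/CVE-2006-4572.patch still says `Otherwise, return -1.` on an unchanged context line, but the new code returns `-ENOENT` when the header is absent and `-EBADMSG` when the packet cannot be parsed. The five match functions updated here depend on that distinction to decide whether to set `*hotdrop`, so the comment should state it, for example `* number. Otherwise, return -ENOENT if the header is absent, -EBADMSG if the packet is malformed.` Any caller outside this patch that compares the result with `-1` instead of `< 0` would no longer see the failure; that cannot be checked from this page and is worth a search of the patched tree.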
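Review bot: The added `else break;` in files/CVE-2006-5619.patch has no comment saying why it is needed, and the loop header still reads as though only `fl` ends the loop. Without the break the loop keeps incrementing `state->bucket` past `FL_HASH_MASK` with nothing to stop it once the remaining buckets are empty, so a short comment such as `/* no buckets left: stop instead of spinning */` would help the next reader. Folding the bound into the condition, `while (!fl && ++state->bucket <= FL_HASH_MASK) fl = fl_ht[state->bucket];`, says the same thing without the else branch. The enclosing function starts before the hunk.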
@@ -0,0 +1,61 @@
+From: Eric Sandeen
+Date: Thu, 16 Nov 2006 09:19:22 +0000 (-0800)
+Subject: [PATCH] hfs_fill_super returns success even if no root inode
+X-Git-Tag: v2.6.19
+X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=d6ddf55440833fd9404138026af246c51ebeef22
+
+[PATCH] hfs_fill_super returns success even if no root inode
+
+http://kernelfun.blogspot.com/2006/11/mokb-14-11-2006-linux-26x-selinux.html
+
+mount that image...
+fs: filesystem was not cleanly unmounted, running fsck.hfs is recommended. mounting read-only.
+hfs: get root inode failed.
+BUG: unable to handle kernel NULL pointer dereference at virtual address 00000018
+ printing eip
+...
+EIP is at superblock_doinit+0x21/0x767
+...
+ [] selinux_sb_kern_mount+0xc/0x4b
+ [] vfs_kern_mount+0x99/0xf6
+ [] do_kern_mount+0x2d/0x3e
+ [] do_mount+0x5fa/0x66d
+ [] sys_mount+0x77/0xae
+ [] syscall_call+0x7/0xb
+DWARF2 unwinder stuck at syscall_call+0x7/0xb
+
+hfs_fill_super() returns success even if
+ root_inode = hfs_iget(sb, &fd.search_key->cat, &rec);
+or
+ sb->s_root = d_alloc_root(root_inode);
+
+fails. This superblock finds its way to superblock_doinit() which does:
+
+ struct dentry *root = sb->s_root;
+ struct inode *inode = root->d_inode;
+
+and boom. Need to make sure the error cases return an error, I think.
+
+[akpm@osdl.org: return -ENOMEM on oom]
+Signed-off-by: Eric Sandeen
+Cc: Roman Zippel
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+---
+
+--- a/fs/hfs/super.c
++++ b/fs/hfs/super.c
+@@ -390,11 +390,13 @@ static int hfs_fill_super(struct super_b
+ hfs_find_exit(&fd);
+ goto bail_no_root;
+ }
++ res = -EINVAL;
+ root_inode = hfs_iget(sb, &fd.search_key->cat, &rec);
+ hfs_find_exit(&fd);
+ if (!root_inode)
+ goto bail_no_root;
+
++ res = -ENOMEM;
+ sb->s_root = d_alloc_root(root_inode);
+ if (!sb->s_root)
+ goto bail_iput;
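Review bot: In the fs/hfs/super.c hunk `res` is assigned ahead of each call (`res = -EINVAL;` before hfs_iget(), `res = -ENOMEM;` before d_alloc_root()) rather than on the failing branch, so the error a failed mount reports depends on statement order and a later insertion between the two calls would inherit the wrong code. Setting it where the failure is detected, `if (!root_inode) { res = -EINVAL; goto bail_no_root; }`, keeps the value next to the condition it describes. Whether the bail_no_root and bail_iput labels actually return `res` lies outside the hunk and should be confirmed, because the fix depends on it. A one-line comment that a NULL `sb->s_root` must never be returned as success would record why these assignments exist.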
diff --git a/sys-kernel/xen-sources/files/CVE-2006-6060.patch b/sys-kernel/xen-sources/files/CVE-2006-6060.patch
new file mode 100644
index 000000000000..8d5eebcb0e77
--- /dev/null
+++ b/sys-kernel/xen-sources/files/CVE-2006-6060.patch
@@ -0,0 +1,40 @@
+--- fs/buffer.c-original 2007-01-27 14:46:34.000000000 +1100
++++ fs/buffer.c 2007-01-27 14:51:17.000000000 +1100
+@@ -1179,6 +1179,19 @@
+ } while ((size << sizebits) < PAGE_SIZE);
+
+ index = block >> sizebits;
++ /*
++ * Check for a block which wants to lie outside our maximum possible
++ * pagecache index. (this comparison is done using sector_t types).
++ */
++ if (unlikely(index != block >> sizebits)) {
++ char b[BDEVNAME_SIZE];
++
++ printk(KERN_ERR "%s: requested out-of-range block %llu for "
++ "device %s\n",
++ __FUNCTION__, (unsigned long long)block,
++ bdevname(bdev, b));
++ return -EIO;
++ }
+ block = index << sizebits;
+
+ /* Create a page with the proper size buffers.. */
+@@ -1207,12 +1220,16 @@
+
+ for (;;) {
+ struct buffer_head * bh;
++ int ret;
+
+ bh = __find_get_block(bdev, block, size);
+ if (bh)
+ return bh;
+
+- if (!grow_buffers(bdev, block, size))
++ ret = grow_buffers(bdev, block, size);
++ if (ret < 0)
++ return NULL;
++ if (ret == 0)
+ free_more_memory();
+ }
+ }
diff --git a/sys-kernel/xen-sources/files/digest-xen-sources-2.6.16.28-r2 b/sys-kernel/xen-sources/files/digest-xen-sources-2.6.16.28-r2
new file mode 100644
index 000000000000..6a6c82f3e63c
--- /dev/null
+++ b/sys-kernel/xen-sources/files/digest-xen-sources-2.6.16.28-r2
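Review bot: The second fs/buffer.c hunk makes the lookup loop `return NULL` when grow_buffers() reports an error, which is a new outcome for callers that may have been written on the assumption that this loop always yields a buffer. Those callers are outside the hunk, so each one that dereferences the result needs checking in the patched tree; an unchecked caller would trade the endless retry for a NULL dereference. The `printk(KERN_ERR ...)` added in the first hunk fires on a block number that presumably can come from on-disk metadata, so I would rate-limit it, e.g. `if (printk_ratelimit()) printk(KERN_ERR ...);`, to keep a malformed image from flooding the log. grow_buffers() now returns a negative errno in addition to its existing zero/non-zero result, and its header comment, if it has one, should say so.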
@@ -0,0 +1,9 @@ +MD5 9a91b2719949ff0856b40bc467fd47be linux-2.6.16.tar.bz2 40845005 +RMD160 af5c2f55733fadd2fdf8b00da55e7b31d516d4e8 linux-2.6.16.tar.bz2 40845005 +SHA256 1200dcc7e60fcdaf68618dba991917a47e41e67099e8b22143976ec972e2cad7 linux-2.6.16.tar.bz2 40845005 +MD5 736e7d741c0650c320c2b37bf6de3c0b patch-2.6.16.28.bz2 76693 +RMD160 5235c0b5f9665a279f5bf5d42f942cef215e822f patch-2.6.16.28.bz2 76693 +SHA256 6b05fd7121a86a5a6cfd0177200259eeb9a3d276a3cb16ba8cf2acdd747fa6be patch-2.6.16.28.bz2 76693 +MD5 9a7d359557c1dbc887a1a54c015589f7 xen-sources-2.6.16.28-3.0.2.patch.bz2 467924 +RMD160 8b62dc416b08e4ef4a10add18b3287eef856c613 xen-sources-2.6.16.28-3.0.2.patch.bz2 467924 +SHA256 0f3400e1c877b765fc62453664b80cf2e51002299476d532fe8f6af6db0fdb99 xen-sources-2.6.16.28-3.0.2.patch.bz2 467924
diff --git a/sys-kernel/xen-sources/files/dvb-core-ule-sndu.patch b/sys-kernel/xen-sources/files/dvb-core-ule-sndu.patch
new file mode 100644
index 000000000000..ed0494dd3991
--- /dev/null
+++ b/sys-kernel/xen-sources/files/dvb-core-ule-sndu.patch
@@ -0,0 +1,11 @@
+--- drivers/media/dvb/dvb-core/dvb_net.c-original 2007-01-27 10:27:13.000000000 +1100
++++ drivers/media/dvb/dvb-core/dvb_net.c 2007-01-27 10:27:55.000000000 +1100
+@@ -492,7 +492,7 @@
+ } else
+ priv->ule_dbit = 0;
+
+- if (priv->ule_sndu_len > 32763) {
++ if (priv->ule_sndu_len > 32763 || priv->ule_sndu_len < ((priv->ule_dbit) ? 4 : 4 + ETH_ALEN)) {
+ printk(KERN_WARNING "%lu: Invalid ULE SNDU length %u. "
+ "Resyncing.\n", priv->ts_count, priv->ule_sndu_len);
+ priv->ule_sndu_len = 0;
diff --git a/sys-kernel/xen-sources/xen-sources-2.6.16.28-r2.ebuild b/sys-kernel/xen-sources/xen-sources-2.6.16.28-r2.ebuild
new file mode 100644
index 000000000000..8a6228e6df17
--- /dev/null
+++ b/sys-kernel/xen-sources/xen-sources-2.6.16.28-r2.ebuild
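Review bot: The new lower bound in files/dvb-core-ule-sndu.patch, `priv->ule_sndu_len < ((priv->ule_dbit) ? 4 : 4 + ETH_ALEN)`, uses a bare `4` with no comment, and the patch file carries no description or upstream reference. I would add a comment above the test stating what the minimum covers (presumably the trailing checksum, plus the destination address when the D-bit is clear; confirm against the ULE framing code) and break the condition over two lines. The existing `printk(KERN_WARNING ...)` is now reached for undersized as well as oversized lengths taken from the received stream, so it is worth rate-limiting. The enclosing function starts outside the hunk.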
@@ -0,0 +1,27 @@
+# Copyright 1999-2007 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sys-kernel/xen-sources/xen-sources-2.6.16.28-r2.ebuild,v 1.1 2007/01/27 07:44:34 aross Exp $
+
+ETYPE="sources"
+inherit kernel-2 eutils
+detect_arch
+detect_version
+
+XEN_VERSION="3.0.2"
+XEN_URI="mirror://gentoo/${P}-${XEN_VERSION}.patch.bz2"
+
+DESCRIPTION="Linux kernel ${OKV} with Xen ${XEN_VERSION}"
+HOMEPAGE="http://kernel.org http://www.xensource.com/xen/xen/"
+SRC_URI="${KERNEL_URI} ${ARCH_URI} ${XEN_URI}"
+
+KEYWORDS="~x86 ~amd64"
+
+UNIPATCH_LIST="${DISTDIR}/${XEN_URI##*/}
+ ${FILESDIR}/${P}-CVE-2006-3468.patch
+ ${FILESDIR}/${P}-CVE-2006-6333.patch
+ ${FILESDIR}/CVE-2005-4352.patch
+ ${FILESDIR}/CVE-2006-4572.patch
+ ${FILESDIR}/CVE-2006-5619.patch
+ ${FILESDIR}/CVE-2006-6056.patch
+ ${FILESDIR}/CVE-2006-6060.patch
+ ${FILESDIR}/dvb-core-ule-sndu.patch"
-- 2.26.2
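Review bot: UNIPATCH_LIST adds six security patches, but four of them (CVE-2005-4352, CVE-2006-5619, CVE-2006-6060 and dvb-core-ule-sndu) carry no description or upstream commit reference, and the set mixes path styles: those four use bare paths such as `--- fs/buffer.c-original`, while CVE-2006-4572 and CVE-2006-6056 use `a/` and `b/` prefixes. That leaves the strip level to whatever detection the eclass performs and makes it hard to confirm later that each fix matches upstream. I would add a short header to each bare patch (CVE id, bug number, upstream commit) and regenerate all six with one prefix convention. The new files are also named without the `${P}-` prefix used by the two existing entries, `${FILESDIR}/${P}-CVE-2006-3468.patch` and `${FILESDIR}/${P}-CVE-2006-6333.patch`.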