series

Dann Frazier Mon, 29 May 2006 00:03:28 -0700

Author: dannf
Date: Mon May 29 07:01:37 2006
New Revision: 6753

Added:
   
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/221_netfilter-do_replace-overflow.diff
      - copied, changed from r6738, 
/dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/netfilter-do_replace-overflow.dpatch
Modified:
   
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
   
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge3


Log:
* 221_netfilter-do_replace-overflow.diff
  [SECURITY] Fix buffer overflow in netfilter do_replace which can could
  be triggered by users with CAP_NET_ADMIN rights.
  See CVE-2006-0038

Modified: 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
==============================================================================
--- 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
 (original)
+++ 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
 Mon May 29 07:01:37 2006
@@ -57,8 +57,12 @@
     [SECURITY] Fix a bound checking error (remote DoS) in the SCTP parameter
     checking code
     See CVE-2006-1858
+  * 221_netfilter-do_replace-overflow.diff
+    [SECURITY] Fix buffer overflow in netfilter do_replace which can could
+    be triggered by users with CAP_NET_ADMIN rights.
+    See CVE-2006-0038
 
- -- dann frazier <[EMAIL PROTECTED]>  Sat, 20 May 2006 11:54:19 -0500
+ -- dann frazier <[EMAIL PROTECTED]>  Mon, 29 May 2006 00:57:31 -0600
 
 kernel-source-2.4.27 (2.4.27-10sarge2) stable-security; urgency=high
 

Copied: 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/221_netfilter-do_replace-overflow.diff
 (from r6738, 
/dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/netfilter-do_replace-overflow.dpatch)
==============================================================================
--- 
/dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/netfilter-do_replace-overflow.dpatch
   (original)
+++ 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/221_netfilter-do_replace-overflow.diff
    Mon May 29 07:01:37 2006
@@ -24,29 +24,12 @@
 Signed-off-by: David S. Miller <[EMAIL PROTECTED]>
 ---
 
-backported to Debian's 2.6.8 by dann frazier <[EMAIL PROTECTED]>
+backported to Debian's 2.4.27 by dann frazier <[EMAIL PROTECTED]>
 
-diff -urN kernel-source-2.6.8.orig/net/bridge/netfilter/ebtables.c 
kernel-source-2.6.8/net/bridge/netfilter/ebtables.c
---- kernel-source-2.6.8.orig/net/bridge/netfilter/ebtables.c   2006-02-08 
23:55:59.000000000 -0600
-+++ kernel-source-2.6.8/net/bridge/netfilter/ebtables.c        2006-05-16 
01:00:10.000000000 -0500
-@@ -925,6 +925,13 @@
-               BUGPRINT("Entries_size never zero\n");
-               return -EINVAL;
-       }
-+      /* overflow check */
-+      if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) / 
NR_CPUS -
-+                      SMP_CACHE_BYTES) / sizeof(struct ebt_counter))
-+              return -ENOMEM;
-+      if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
-+              return -ENOMEM;
-+
-       countersize = COUNTER_OFFSET(tmp.nentries) * NR_CPUS;
-       newinfo = (struct ebt_table_info *)
-          vmalloc(sizeof(struct ebt_table_info) + countersize);
-diff -urN kernel-source-2.6.8.orig/net/ipv4/netfilter/arp_tables.c 
kernel-source-2.6.8/net/ipv4/netfilter/arp_tables.c
---- kernel-source-2.6.8.orig/net/ipv4/netfilter/arp_tables.c   2004-08-14 
00:38:11.000000000 -0500
-+++ kernel-source-2.6.8/net/ipv4/netfilter/arp_tables.c        2006-05-16 
00:57:13.000000000 -0500
-@@ -882,6 +882,13 @@
+diff -urN linux-2.4.orig/net/ipv4/netfilter/arp_tables.c 
linux-2.4/net/ipv4/netfilter/arp_tables.c
+--- linux-2.4.orig/net/ipv4/netfilter/arp_tables.c     2006-05-28 
23:41:18.852972000 -0600
++++ linux-2.4/net/ipv4/netfilter/arp_tables.c  2006-05-29 00:55:00.171430224 
-0600
+@@ -875,6 +875,13 @@
        if ((SMP_ALIGN(tmp.size) >> PAGE_SHIFT) + 2 > num_physpages)
                return -ENOMEM;
  
@@ -58,12 +41,12 @@
 +              return -ENOMEM;
 +
        newinfo = vmalloc(sizeof(struct arpt_table_info)
-                         + SMP_ALIGN(tmp.size) * NR_CPUS);
+                         + SMP_ALIGN(tmp.size) * smp_num_cpus);
        if (!newinfo)
-diff -urN kernel-source-2.6.8.orig/net/ipv4/netfilter/ip_tables.c 
kernel-source-2.6.8/net/ipv4/netfilter/ip_tables.c
---- kernel-source-2.6.8.orig/net/ipv4/netfilter/ip_tables.c    2004-08-14 
00:36:32.000000000 -0500
-+++ kernel-source-2.6.8/net/ipv4/netfilter/ip_tables.c 2006-05-16 
00:55:13.000000000 -0500
-@@ -1059,6 +1059,13 @@
+diff -urN linux-2.4.orig/net/ipv4/netfilter/ip_tables.c 
linux-2.4/net/ipv4/netfilter/ip_tables.c
+--- linux-2.4.orig/net/ipv4/netfilter/ip_tables.c      2006-05-28 
23:41:18.853971000 -0600
++++ linux-2.4/net/ipv4/netfilter/ip_tables.c   2006-05-29 00:55:00.172430094 
-0600
+@@ -1066,6 +1066,13 @@
        if (len != sizeof(tmp) + tmp.size)
                return -ENOPROTOOPT;
  
@@ -77,10 +60,10 @@
        /* Pedantry: prevent them from hitting BUG() in vmalloc.c --RR */
        if ((SMP_ALIGN(tmp.size) >> PAGE_SHIFT) + 2 > num_physpages)
                return -ENOMEM;
-diff -urN kernel-source-2.6.8.orig/net/ipv6/netfilter/ip6_tables.c 
kernel-source-2.6.8/net/ipv6/netfilter/ip6_tables.c
---- kernel-source-2.6.8.orig/net/ipv6/netfilter/ip6_tables.c   2004-08-14 
00:37:40.000000000 -0500
-+++ kernel-source-2.6.8/net/ipv6/netfilter/ip6_tables.c        2006-05-16 
01:01:24.000000000 -0500
-@@ -1146,6 +1146,13 @@
+diff -urN linux-2.4.orig/net/ipv6/netfilter/ip6_tables.c 
linux-2.4/net/ipv6/netfilter/ip6_tables.c
+--- linux-2.4.orig/net/ipv6/netfilter/ip6_tables.c     2006-05-28 
23:41:18.854971000 -0600
++++ linux-2.4/net/ipv6/netfilter/ip6_tables.c  2006-05-29 00:55:00.173429964 
-0600
+@@ -1151,6 +1151,13 @@
        if ((SMP_ALIGN(tmp.size) >> PAGE_SHIFT) + 2 > num_physpages)
                return -ENOMEM;
  
@@ -92,5 +75,5 @@
 +              return -ENOMEM;
 +
        newinfo = vmalloc(sizeof(struct ip6t_table_info)
-                         + SMP_ALIGN(tmp.size) * NR_CPUS);
+                         + SMP_ALIGN(tmp.size) * smp_num_cpus);
        if (!newinfo)

Modified: 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge3
==============================================================================
--- 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge3
    (original)
+++ 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge3
    Mon May 29 07:01:37 2006
@@ -12,3 +12,4 @@
 + 218_do_add_counters-race.diff
 + 219_sctp-hb-ack-overflow.diff
 + 220_sctp-param-bound-checks.diff
++ 221_netfilter-do_replace-overflow.diff

_______________________________________________
Kernel-svn-changes mailing list
Kernel-svn-changes@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes

[kernel] r6753 - in dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian: patches patches/series

Reply via email to