Author: dannf Date: Mon May 29 07:01:37 2006 New Revision: 6753 Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/221_netfilter-do_replace-overflow.diff - copied, changed from r6738, /dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/netfilter-do_replace-overflow.dpatch Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge3
Log: * 221_netfilter-do_replace-overflow.diff [SECURITY] Fix buffer overflow in netfilter do_replace which can could be triggered by users with CAP_NET_ADMIN rights. See CVE-2006-0038 Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog ============================================================================== --- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog (original) +++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog Mon May 29 07:01:37 2006 @@ -57,8 +57,12 @@ [SECURITY] Fix a bound checking error (remote DoS) in the SCTP parameter checking code See CVE-2006-1858 + * 221_netfilter-do_replace-overflow.diff + [SECURITY] Fix buffer overflow in netfilter do_replace which can could + be triggered by users with CAP_NET_ADMIN rights. + See CVE-2006-0038 - -- dann frazier <[EMAIL PROTECTED]> Sat, 20 May 2006 11:54:19 -0500 + -- dann frazier <[EMAIL PROTECTED]> Mon, 29 May 2006 00:57:31 -0600 kernel-source-2.4.27 (2.4.27-10sarge2) stable-security; urgency=high Copied: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/221_netfilter-do_replace-overflow.diff (from r6738, /dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/netfilter-do_replace-overflow.dpatch) ============================================================================== --- /dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/netfilter-do_replace-overflow.dpatch (original) +++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/221_netfilter-do_replace-overflow.diff Mon May 29 07:01:37 2006 @@ -24,29 +24,12 @@ 
Signed-off-by: David S. Miller <[EMAIL PROTECTED]> --- -backported to Debian's 2.6.8 by dann frazier <[EMAIL PROTECTED]> +backported to Debian's 2.4.27 by dann frazier <[EMAIL PROTECTED]> -diff -urN kernel-source-2.6.8.orig/net/bridge/netfilter/ebtables.c kernel-source-2.6.8/net/bridge/netfilter/ebtables.c ---- kernel-source-2.6.8.orig/net/bridge/netfilter/ebtables.c 2006-02-08 23:55:59.000000000 -0600 -+++ kernel-source-2.6.8/net/bridge/netfilter/ebtables.c 2006-05-16 01:00:10.000000000 -0500 -@@ -925,6 +925,13 @@ - BUGPRINT("Entries_size never zero\n"); - return -EINVAL; - } -+ /* overflow check */ -+ if (tmp.nentries >= ((INT_MAX - sizeof(struct ebt_table_info)) / NR_CPUS - -+ SMP_CACHE_BYTES) / sizeof(struct ebt_counter)) -+ return -ENOMEM; -+ if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter)) -+ return -ENOMEM; -+ - countersize = COUNTER_OFFSET(tmp.nentries) * NR_CPUS; - newinfo = (struct ebt_table_info *) - vmalloc(sizeof(struct ebt_table_info) + countersize); -diff -urN kernel-source-2.6.8.orig/net/ipv4/netfilter/arp_tables.c kernel-source-2.6.8/net/ipv4/netfilter/arp_tables.c ---- kernel-source-2.6.8.orig/net/ipv4/netfilter/arp_tables.c 2004-08-14 00:38:11.000000000 -0500 -+++ kernel-source-2.6.8/net/ipv4/netfilter/arp_tables.c 2006-05-16 00:57:13.000000000 -0500 -@@ -882,6 +882,13 @@ +diff -urN linux-2.4.orig/net/ipv4/netfilter/arp_tables.c linux-2.4/net/ipv4/netfilter/arp_tables.c +--- linux-2.4.orig/net/ipv4/netfilter/arp_tables.c 2006-05-28 23:41:18.852972000 -0600 ++++ linux-2.4/net/ipv4/netfilter/arp_tables.c 2006-05-29 00:55:00.171430224 -0600 +@@ -875,6 +875,13 @@ if ((SMP_ALIGN(tmp.size) >> PAGE_SHIFT) + 2 > num_physpages) return -ENOMEM; 
@@ -58,12 +41,12 @@ + return -ENOMEM; + newinfo = vmalloc(sizeof(struct arpt_table_info) - + SMP_ALIGN(tmp.size) * NR_CPUS); + + SMP_ALIGN(tmp.size) * smp_num_cpus); if (!newinfo) -diff -urN kernel-source-2.6.8.orig/net/ipv4/netfilter/ip_tables.c kernel-source-2.6.8/net/ipv4/netfilter/ip_tables.c ---- kernel-source-2.6.8.orig/net/ipv4/netfilter/ip_tables.c 2004-08-14 00:36:32.000000000 -0500 -+++ kernel-source-2.6.8/net/ipv4/netfilter/ip_tables.c 2006-05-16 00:55:13.000000000 -0500 -@@ -1059,6 +1059,13 @@ +diff -urN linux-2.4.orig/net/ipv4/netfilter/ip_tables.c linux-2.4/net/ipv4/netfilter/ip_tables.c +--- linux-2.4.orig/net/ipv4/netfilter/ip_tables.c 2006-05-28 23:41:18.853971000 -0600 ++++ linux-2.4/net/ipv4/netfilter/ip_tables.c 2006-05-29 00:55:00.172430094 -0600 +@@ -1066,6 +1066,13 @@ if (len != sizeof(tmp) + tmp.size) return -ENOPROTOOPT; @@ -77,10 +60,10 @@ /* Pedantry: prevent them from hitting BUG() in vmalloc.c --RR */ if ((SMP_ALIGN(tmp.size) >> PAGE_SHIFT) + 2 > num_physpages) return -ENOMEM; -diff -urN kernel-source-2.6.8.orig/net/ipv6/netfilter/ip6_tables.c kernel-source-2.6.8/net/ipv6/netfilter/ip6_tables.c ---- kernel-source-2.6.8.orig/net/ipv6/netfilter/ip6_tables.c 2004-08-14 00:37:40.000000000 -0500 -+++ kernel-source-2.6.8/net/ipv6/netfilter/ip6_tables.c 2006-05-16 01:01:24.000000000 -0500 -@@ -1146,6 +1146,13 @@ +diff -urN linux-2.4.orig/net/ipv6/netfilter/ip6_tables.c linux-2.4/net/ipv6/netfilter/ip6_tables.c +--- linux-2.4.orig/net/ipv6/netfilter/ip6_tables.c 2006-05-28 23:41:18.854971000 -0600 ++++ linux-2.4/net/ipv6/netfilter/ip6_tables.c 2006-05-29 00:55:00.173429964 -0600 +@@ -1151,6 +1151,13 @@ if ((SMP_ALIGN(tmp.size) >> PAGE_SHIFT) + 2 > num_physpages) return -ENOMEM; 
@@ -92,5 +75,5 @@ + return -ENOMEM; + newinfo = vmalloc(sizeof(struct ip6t_table_info) - + SMP_ALIGN(tmp.size) * NR_CPUS); + + SMP_ALIGN(tmp.size) * smp_num_cpus); if (!newinfo) Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge3 ============================================================================== --- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge3 (original) +++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge3 Mon May 29 07:01:37 2006 @@ -12,3 +12,4 @@ + 218_do_add_counters-race.diff + 219_sctp-hb-ack-overflow.diff + 220_sctp-param-bound-checks.diff ++ 221_netfilter-do_replace-overflow.diff _______________________________________________ Kernel-svn-changes mailing list Kernel-svn-changes@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes
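Review bot: The 2.4.27 copy of this patch drops the whole `net/bridge/netfilter/ebtables.c` hunk (the `tmp.nentries` and `tmp.num_counters` bounds checks), and neither the patch header nor the changelog entry says why. If the 2.4.27 tree has no ebtables `do_replace`, that is fine, but it should be stated so an auditor can confirm the CVE-2006-0038 fix covers every affected file. A header line next to `backported to Debian's 2.4.27`, along the lines of `ebtables.c hunk omitted: <reason>`, would do. Separately, the allocation context in arp_tables.c and ip6_tables.c now multiplies by `smp_num_cpus`, while the added overflow-check lines fall outside the visible hunks. If they still divide by `NR_CPUS`, the bound is presumably just more conservative than the allocation, and a short comment in the patch saying so would save the next backporter from re-deriving it.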