Author: dannf
Date: Sun Feb 17 18:30:58 2008
New Revision: 10564

Log:
266_ipv4-fib_props-out-of-bounds.diff

Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/266_ipv4-fib_props-out-of-bounds.diff Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog ============================================================================== --- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog (original) +++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog Sun Feb 17 18:30:58 2008 @@ -24,6 +24,7 @@ [SECURITY] Fix information leaks in setsockopt() implementations See CVE-2007-1353 * 246_dn_fib-out-of-bounds.diff + 266_ipv4-fib_props-out-of-bounds.diff [SECURITY] Fix out of bounds condition in dn_fib_props[] See CVE-2007-2172 * 247_reset-pdeathsig-on-suid.diff @@ -87,7 +88,7 @@ fails on the subarchitecture See CVE-2007-6694 - -- dann frazier <[EMAIL PROTECTED]> Thu, 14 Feb 2008 15:12:16 -0700 + -- dann frazier <[EMAIL PROTECTED]> Thu, 14 Feb 2008 15:15:55 -0700 kernel-source-2.4.27 (2.4.27-10sarge5) stable-security; urgency=high Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/266_ipv4-fib_props-out-of-bounds.diff ============================================================================== --- (empty file) +++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/266_ipv4-fib_props-out-of-bounds.diff Sun Feb 17 18:30:58 2008 
@@ -0,0 +1,38 @@ +commit 230c62b9e7000cfb407a079a21ad0f077f164b21 +Author: Willy Tarreau <[EMAIL PROTECTED]> +Date: Sat Apr 14 17:44:03 2007 +0200 + + [IPv4] fib: Fix out of bound access of fib_props[] + + Backported from 2.6. Bug found and fixed by Thomas Graf : + + Fixes a typo which caused fib_props[] to have the wrong size + and makes sure the value used to index the array which is + provided by userspace via netlink is checked to avoid out of + bound access. + +diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c +index afdf4bb..b930371 100644 +--- a/net/ipv4/fib_semantics.c ++++ b/net/ipv4/fib_semantics.c +@@ -83,7 +83,7 @@ static struct + { + int error; + u8 scope; +-} fib_props[RTA_MAX+1] = { ++} fib_props[RTN_MAX+1] = { + { 0, RT_SCOPE_NOWHERE}, /* RTN_UNSPEC */ + { 0, RT_SCOPE_UNIVERSE}, /* RTN_UNICAST */ + { 0, RT_SCOPE_HOST}, /* RTN_LOCAL */ +@@ -431,6 +431,11 @@ fib_create_info(const struct rtmsg *r, struct kern_rta *rta, + const int nhs = 1; + #endif + ++ if (r->rtm_type > RTN_MAX) { ++ err = -EINVAL; ++ goto errout; ++ } ++ + /* Fast check to catch the most weird cases */ + if (fib_props[r->rtm_type].scope > r->rtm_scope) + goto err_inval; Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 ============================================================================== --- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 (original) +++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 Sun Feb 17 18:30:58 2008 @@ -25,3 +25,4 @@ + 263_usb-pwc-disconnect-block.diff + 264_mmap-VM_DONTEXPAND.diff + 265_powerpc-chrp-null-deref.diff ++ 266_ipv4-fib_props-out-of-bounds.diff _______________________________________________ Kernel-svn-changes mailing list Kernel-svn-changes@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes
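Review bot: In the debian/changelog hunk at @@ -24,6 +24,7 @@, 266_ipv4-fib_props-out-of-bounds.diff is listed under the description "Fix out of bounds condition in dn_fib_props[]", but the patch it adds changes fib_props[] in net/ipv4/fib_semantics.c, not dn_fib_props[]. Suggest extending the description to name both arrays, for example "Fix out of bounds condition in dn_fib_props[] and fib_props[]", so the entry matches the two patches filed under it.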
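Review bot: In the fib_props[] declaration hunk of net/ipv4/fib_semantics.c (@@ -83,7 +83,7 @@), the array bound is corrected to RTN_MAX+1 but the initializer stays positional, with the route type named only in trailing comments such as /* RTN_UNICAST */, so nothing ties an entry to its index or flags a missing one if a route type is added later. Suggest indexing each entry by its RTN_* constant, or at least adding a comment above the table that it must hold one entry per route type up to RTN_MAX, since the new "r->rtm_type > RTN_MAX" check in fib_create_info() relies on exactly that.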
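Review bot: In the fib_create_info() hunk of net/ipv4/fib_semantics.c (@@ -431,6 +431,11 @@), the new bounds check exits through "err = -EINVAL; goto errout;" while the scope check directly below it rejects with "goto err_inval;". If err_inval already produces -EINVAL, reusing it keeps both rejections of bad userspace input on one exit path; if errout is required at this point, a one-line comment saying why would help. The placement itself is right: the check sits ahead of the first fib_props[r->rtm_type] access, which is the index the commit message says userspace supplies via netlink.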