Author: dannf
Date: Sun Feb 17 18:30:58 2008
New Revision: 10564
Log:
266_ipv4-fib_props-out-of-bounds.diff
Added:
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/266_ipv4-fib_props-out-of-bounds.diff
Modified:
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6
Modified:
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
==============================================================================
---
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
(original)
+++
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
Sun Feb 17 18:30:58 2008
@@ -24,6 +24,7 @@
[SECURITY] Fix information leaks in setsockopt() implementations
See CVE-2007-1353
* 246_dn_fib-out-of-bounds.diff
+ 266_ipv4-fib_props-out-of-bounds.diff
[SECURITY] Fix out of bounds condition in dn_fib_props[]
See CVE-2007-2172
* 247_reset-pdeathsig-on-suid.diff
@@ -87,7 +88,7 @@
fails on the subarchitecture
See CVE-2007-6694
- -- dann frazier <[EMAIL PROTECTED]> Thu, 14 Feb 2008 15:12:16 -0700
+ -- dann frazier <[EMAIL PROTECTED]> Thu, 14 Feb 2008 15:15:55 -0700
kernel-source-2.4.27 (2.4.27-10sarge5) stable-security; urgency=high
Added:
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/266_ipv4-fib_props-out-of-bounds.diff
==============================================================================
--- (empty file)
+++
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/266_ipv4-fib_props-out-of-bounds.diff
Sun Feb 17 18:30:58 2008
@@ -0,0 +1,38 @@
+commit 230c62b9e7000cfb407a079a21ad0f077f164b21
+Author: Willy Tarreau <[EMAIL PROTECTED]>
+Date: Sat Apr 14 17:44:03 2007 +0200
+
+ [IPv4] fib: Fix out of bound access of fib_props[]
+
+ Backported from 2.6. Bug found and fixed by Thomas Graf :
+
+ Fixes a typo which caused fib_props[] to have the wrong size
+ and makes sure the value used to index the array which is
+ provided by userspace via netlink is checked to avoid out of
+ bound access.
+
+diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
+index afdf4bb..b930371 100644
+--- a/net/ipv4/fib_semantics.c
++++ b/net/ipv4/fib_semantics.c
+@@ -83,7 +83,7 @@ static struct
+ {
+ int error;
+ u8 scope;
+-} fib_props[RTA_MAX+1] = {
++} fib_props[RTN_MAX+1] = {
+ { 0, RT_SCOPE_NOWHERE}, /* RTN_UNSPEC */
+ { 0, RT_SCOPE_UNIVERSE}, /* RTN_UNICAST */
+ { 0, RT_SCOPE_HOST}, /* RTN_LOCAL */
+@@ -431,6 +431,11 @@ fib_create_info(const struct rtmsg *r, struct kern_rta
*rta,
+ const int nhs = 1;
+ #endif
+
++ if (r->rtm_type > RTN_MAX) {
++ err = -EINVAL;
++ goto errout;
++ }
++
+ /* Fast check to catch the most weird cases */
+ if (fib_props[r->rtm_type].scope > r->rtm_scope)
+ goto err_inval;
Modified:
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6
==============================================================================
---
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6
(original)
+++
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6
Sun Feb 17 18:30:58 2008
@@ -25,3 +25,4 @@
+ 263_usb-pwc-disconnect-block.diff
+ 264_mmap-VM_DONTEXPAND.diff
+ 265_powerpc-chrp-null-deref.diff
++ 266_ipv4-fib_props-out-of-bounds.diff
_______________________________________________
Kernel-svn-changes mailing list
Kernel-svn-changes@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes
