Author: dannf
Date: Sat May 20 07:17:55 2006
New Revision: 6637

Added:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/do_add_counters-race.dpatch
Modified:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge3

Log:
* do_add_counters-race.dpatch
  [SECURITY] Fix race condition in the do_add_counters() function in
  netfilter that allows local users with CAP_NET_ADMIN capabilities to
  read kernel memory
  See CVE-2006-0039

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog   
    (original)
+++ 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog   
    Sat May 20 07:17:55 2006
@@ -72,8 +72,13 @@
     a portion of the floating point state of other processes, possibly exposing
     sensitive information.
     See CVE-2006-1056
+  * do_add_counters-race.dpatch
+    [SECURITY] Fix race condition in the do_add_counters() function in
+    netfilter that allows local users with CAP_NET_ADMIN capabilities to
+    read kernel memory
+    See CVE-2006-0039
 
- -- dann frazier <[EMAIL PROTECTED]>  Sat, 20 May 2006 00:48:15 -0500
+ -- dann frazier <[EMAIL PROTECTED]>  Sat, 20 May 2006 02:15:22 -0500
 
 kernel-source-2.6.8 (2.6.8-16sarge2) stable-security; urgency=high
 

Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/do_add_counters-race.dpatch
==============================================================================
--- (empty file)
+++ 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/do_add_counters-race.dpatch
     Sat May 20 07:17:55 2006
@@ -0,0 +1,58 @@
+Subject: [PATCH] Netfilter: do_add_counters race, possible info leak 
(CVE-2006-0039)
+
+Solar Designer found a race condition in do_add_counters(). The beginning of
+paddc is supposed to be the same as tmp which was sanity-checked above, but it
+might not be the same in reality. In case the integer overflow and/or the race
+condition are triggered, paddc->num_counters might not match the allocation 
size
+for paddc. If the check below (t->private->number != paddc->num_counters)
+nevertheless passes (perhaps this requires the race condition to be triggered),
+IPT_ENTRY_ITERATE() would read kernel memory beyond the allocation size,
+potentially leaking sensitive data (e.g., passwords from host system or from
+another VPS) via counter increments.  This requires CAP_NET_ADMIN.
+
+(rebase of Solar's patch to 2.6.16.16)
+
+Signed-off-by: Chris Wright <[EMAIL PROTECTED]>
+Cc: Solar Designer <[EMAIL PROTECTED]>
+Cc: Kirill Korotaev <[EMAIL PROTECTED]>
+Cc: Patrick McHardy <[EMAIL PROTECTED]>
+---
+
+# backported to Debian's 2.6.8 by dann frazier <[EMAIL PROTECTED]>
+
+diff -urN kernel-source-2.6.8.orig/net/ipv4/netfilter/arp_tables.c 
kernel-source-2.6.8/net/ipv4/netfilter/arp_tables.c
+--- kernel-source-2.6.8.orig/net/ipv4/netfilter/arp_tables.c   2004-08-14 
00:38:11.000000000 -0500
++++ kernel-source-2.6.8/net/ipv4/netfilter/arp_tables.c        2006-05-20 
02:07:36.365885224 -0500
+@@ -1006,7 +1006,7 @@
+               goto free;
+ 
+       write_lock_bh(&t->lock);
+-      if (t->private->number != paddc->num_counters) {
++      if (t->private->number != tmp.num_counters) {
+               ret = -EINVAL;
+               goto unlock_up_free;
+       }
+diff -urN kernel-source-2.6.8.orig/net/ipv4/netfilter/ip_tables.c 
kernel-source-2.6.8/net/ipv4/netfilter/ip_tables.c
+--- kernel-source-2.6.8.orig/net/ipv4/netfilter/ip_tables.c    2004-08-14 
00:36:32.000000000 -0500
++++ kernel-source-2.6.8/net/ipv4/netfilter/ip_tables.c 2006-05-20 
02:08:04.739571768 -0500
+@@ -1197,7 +1197,7 @@
+               goto free;
+ 
+       write_lock_bh(&t->lock);
+-      if (t->private->number != paddc->num_counters) {
++      if (t->private->number != tmp.num_counters) {
+               ret = -EINVAL;
+               goto unlock_up_free;
+       }
+diff -urN kernel-source-2.6.8.orig/net/ipv6/netfilter/ip6_tables.c 
kernel-source-2.6.8/net/ipv6/netfilter/ip6_tables.c
+--- kernel-source-2.6.8.orig/net/ipv6/netfilter/ip6_tables.c   2004-08-14 
00:37:40.000000000 -0500
++++ kernel-source-2.6.8/net/ipv6/netfilter/ip6_tables.c        2006-05-20 
02:06:39.695500432 -0500
+@@ -1279,7 +1279,7 @@
+               goto free;
+ 
+       write_lock_bh(&t->lock);
+-      if (t->private->number != paddc->num_counters) {
++      if (t->private->number != tmp.num_counters) {
+               ret = -EINVAL;
+               goto unlock_up_free;
+       }
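Review bot: the three hunks (arp_tables.c, ip_tables.c, ip6_tables.c) change only the comparison from `paddc->num_counters` to `tmp.num_counters`, which is the right fix for the race the description lays out: `tmp` is the kernel-side copy that was already sanity-checked, while `paddc` is the buffer re-read from user memory and may differ by the time the check runs. The description also raises an integer overflow in the allocation size, and nothing in these hunks touches the allocation, so the patch text should say whether that overflow is closed by comparing against the checked `tmp` value or is handled elsewhere; as written, a reader can take it for an open issue. Since the same three-line change is applied identically to all three tables, a single sentence in the backport note saying so (and that the 2.6.8 line numbers differ from the 2.6.16.16 original) would make the rebase easier to verify.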

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge3
==============================================================================
--- 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge3
   (original)
+++ 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge3
   Sat May 20 07:17:55 2006
@@ -19,4 +19,5 @@
 + amd64-fp-reg-leak-dep1.dpatch
 + amd64-fp-reg-leak-dep2.dpatch
 + amd64-fp-reg-leak-dep3.dpatch
-+ amd64-fp-reg-leak.dpatch
\ No newline at end of file
++ amd64-fp-reg-leak.dpatch
++ do_add_counters-race.dpatch
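Review bot: the `-+ amd64-fp-reg-leak.dpatch` / `++ amd64-fp-reg-leak.dpatch` pair exists only to add the missing trailing newline (see the `\ No newline at end of file` marker) before `++ do_add_counters-race.dpatch` is appended; a short mention of that in the log would keep readers from mistaking it for a reorder or edit of the amd64 patch entry.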

_______________________________________________
Kernel-svn-changes mailing list
Kernel-svn-changes@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes