Author: dannf
Date: Sat May 20 07:17:55 2006
New Revision: 6637

Added:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/do_add_counters-race.dpatch
Modified:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge3
Log: * do_add_counters-race.dpatch [SECURITY] Fix race condition in the do_add_counters() function in netfilter that allows local users with CAP_NET_ADMIN capabilities to read kernel memory See CVE-2006-0039 Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog ============================================================================== --- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog (original) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog Sat May 20 07:17:55 2006 @@ -72,8 +72,13 @@ a portion of the floating point state of other processes, possibly exposing sensitive information. See CVE-2006-1056 + * do_add_counters-race.dpatch + [SECURITY] Fix race condition in the do_add_counters() function in + netfilter that allows local users with CAP_NET_ADMIN capabilities to + read kernel memory + See CVE-2006-0039 - -- dann frazier <[EMAIL PROTECTED]> Sat, 20 May 2006 00:48:15 -0500 + -- dann frazier <[EMAIL PROTECTED]> Sat, 20 May 2006 02:15:22 -0500 kernel-source-2.6.8 (2.6.8-16sarge2) stable-security; urgency=high Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/do_add_counters-race.dpatch ============================================================================== --- (empty file) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/do_add_counters-race.dpatch Sat May 20 07:17:55 2006 
@@ -0,0 +1,58 @@ +Subject: [PATCH] Netfilter: do_add_counters race, possible info leak (CVE-2006-0039) + +Solar Designer found a race condition in do_add_counters(). The beginning of +paddc is supposed to be the same as tmp which was sanity-checked above, but it +might not be the same in reality. In case the integer overflow and/or the race +condition are triggered, paddc->num_counters might not match the allocation size +for paddc. If the check below (t->private->number != paddc->num_counters) +nevertheless passes (perhaps this requires the race condition to be triggered), +IPT_ENTRY_ITERATE() would read kernel memory beyond the allocation size, +potentially leaking sensitive data (e.g., passwords from host system or from +another VPS) via counter increments. This requires CAP_NET_ADMIN. + +(rebase of Solar's patch to 2.6.16.16) + +Signed-off-by: Chris Wright <[EMAIL PROTECTED]> +Cc: Solar Designer <[EMAIL PROTECTED]> +Cc: Kirill Korotaev <[EMAIL PROTECTED]> +Cc: Patrick McHardy <[EMAIL PROTECTED]> +--- + +# backported to Debian's 2.6.8 by dann frazier <[EMAIL PROTECTED]> + +diff -urN kernel-source-2.6.8.orig/net/ipv4/netfilter/arp_tables.c kernel-source-2.6.8/net/ipv4/netfilter/arp_tables.c +--- kernel-source-2.6.8.orig/net/ipv4/netfilter/arp_tables.c 2004-08-14 00:38:11.000000000 -0500 ++++ kernel-source-2.6.8/net/ipv4/netfilter/arp_tables.c 2006-05-20 02:07:36.365885224 -0500 +@@ -1006,7 +1006,7 @@ + goto free; + + write_lock_bh(&t->lock); +- if (t->private->number != paddc->num_counters) { ++ if (t->private->number != tmp.num_counters) { + ret = -EINVAL; + goto unlock_up_free; + } +diff -urN kernel-source-2.6.8.orig/net/ipv4/netfilter/ip_tables.c kernel-source-2.6.8/net/ipv4/netfilter/ip_tables.c +--- kernel-source-2.6.8.orig/net/ipv4/netfilter/ip_tables.c 2004-08-14 00:36:32.000000000 -0500 ++++ kernel-source-2.6.8/net/ipv4/netfilter/ip_tables.c 2006-05-20 02:08:04.739571768 -0500 +@@ -1197,7 +1197,7 @@ + goto free; + + write_lock_bh(&t->lock); +- if 
(t->private->number != paddc->num_counters) { ++ if (t->private->number != tmp.num_counters) { + ret = -EINVAL; + goto unlock_up_free; + } +diff -urN kernel-source-2.6.8.orig/net/ipv6/netfilter/ip6_tables.c kernel-source-2.6.8/net/ipv6/netfilter/ip6_tables.c +--- kernel-source-2.6.8.orig/net/ipv6/netfilter/ip6_tables.c 2004-08-14 00:37:40.000000000 -0500 ++++ kernel-source-2.6.8/net/ipv6/netfilter/ip6_tables.c 2006-05-20 02:06:39.695500432 -0500 +@@ -1279,7 +1279,7 @@ + goto free; + + write_lock_bh(&t->lock); +- if (t->private->number != paddc->num_counters) { ++ if (t->private->number != tmp.num_counters) { + ret = -EINVAL; + goto unlock_up_free; + } Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge3 ============================================================================== --- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge3 (original) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge3 Sat May 20 07:17:55 2006 @@ -19,4 +19,5 @@ + amd64-fp-reg-leak-dep1.dpatch + amd64-fp-reg-leak-dep2.dpatch + amd64-fp-reg-leak-dep3.dpatch -+ amd64-fp-reg-leak.dpatch \ No newline at end of file ++ amd64-fp-reg-leak.dpatch ++ do_add_counters-race.dpatch _______________________________________________ Kernel-svn-changes mailing list Kernel-svn-changes@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes
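Review bot: in the arp_tables.c hunk (and the identical ip_tables.c and ip6_tables.c hunks) the switch from `paddc->num_counters` to `tmp.num_counters` is the right comparison, but it only closes the leak if nothing after the check re-reads `paddc->num_counters`. `tmp` is the sanity-checked first copy from which the allocation size of `paddc` was derived, while `paddc` is a second copy of the same userspace buffer that the caller can rewrite between the two copies, so a changed `paddc->num_counters` could previously pass the `t->private->number` check while the buffer was smaller than the counter loop assumed. Suggest confirming in the backport that the `IPT_ENTRY_ITERATE()` loop and the `unlock_up_free` path rely only on `tmp` and `t->private->number`; the seven-line context here is too narrow to show that.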
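Review bot: the dpatch header says the leak is reachable "in case the integer overflow and/or the race condition are triggered", yet the three hunks change only the race-prone comparison; the header should state which existing check (the one it calls "sanity-checked above") covers the overflow case, otherwise a reader of this backport will look for a second change that is not in the file. One sentence after "(rebase of Solar's patch to 2.6.16.16)" naming that check would be enough.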
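Review bot: the series/2.6.8-16sarge3 hunk rewrites the last line, previously marked `\ No newline at end of file`, as a properly terminated `+ amd64-fp-reg-leak.dpatch` before appending `+ do_add_counters-race.dpatch`. That is the correct fix rather than appending to the unterminated line, since a missing trailing newline can make line-oriented tooling drop or mis-parse the final entry, but it makes the hunk look as if the amd64 patch entry changed; a short mention in the log (for example "also terminate the series file with a newline") would avoid that confusion.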