Bug#779201: kfreebsd-{8,9}: CVE-2015-1414: DoS via IGMP packet

2015-05-11 Thread Alessandro Ghedini
On Sun, May 10, 2015 at 09:12:43PM +0100, Steven Chamberlain wrote:
> Dear Security Team,
>
> This bug was reopened because the original fix from upstream was found
> to be incomplete.
>
> Please may I upload to wheezy-security with the attached debdiff,
> replacing the CVE-2015-1414 patch with the new one, and also patching
> CVE-2015-2923 (Debian Bug #782735).

Looks good, go ahead and upload.

Thanks




Bug#779201: kfreebsd-{8,9}: CVE-2015-1414: DoS via IGMP packet

2015-05-10 Thread Steven Chamberlain
Dear Security Team,

This bug was reopened because the original fix from upstream was found
to be incomplete.

Please may I upload to wheezy-security with the attached debdiff,
replacing the CVE-2015-1414 patch with the new one, and also patching
CVE-2015-2923 (Debian Bug #782735).

I've been running kfreebsd-9 with these patches for some weeks, and
they are applied already to kfreebsd-10 in sid/jessie-kfreebsd.

Thanks,
Regards,
-- 
Steven Chamberlain
ste...@pyro.eu.org
diff -Nru kfreebsd-9-9.0/debian/changelog kfreebsd-9-9.0/debian/changelog
--- kfreebsd-9-9.0/debian/changelog 2015-02-25 13:13:10.0 +
+++ kfreebsd-9-9.0/debian/changelog 2015-05-10 19:53:49.0 +
@@ -1,3 +1,13 @@
+kfreebsd-9 (9.0-10+deb70.10) wheezy-security; urgency=high
+
+  * Pick SVN r281231 from FreeBSD 9-STABLE to fix:
+- SA-15:04: integer overflow in IGMP protocol (CVE-2015-1414)
+  updated patch from advisory revision 1.1 (Closes: #779201)
+- SA-15:09: Denial of Service with IPv6 Router Advertisements
+  (CVE-2015-2923) (Closes: #782735)
+
+ -- Steven Chamberlain ste...@pyro.eu.org  Thu, 16 Apr 2015 21:45:05 +
+
 kfreebsd-9 (9.0-10+deb70.9) wheezy-security; urgency=medium
 
   * Upstream patch for FreeBSD-SA-15:04.igmp / CVE-2015-1414 (Closes: #779201)
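Review bot: The new 9.0-10+deb70.10 entry does not record that the SA-15:04 patch shipped in 9.0-10+deb70.9 is being replaced; it only mentions an "updated patch from advisory revision 1.1". Suggest adding a line that names the patch file being dropped, so the changelog shows that the earlier fix for #779201 is superseded rather than stacked with the new one.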
diff -Nru kfreebsd-9-9.0/debian/patches/SA-15_04.igmp.patch 
kfreebsd-9-9.0/debian/patches/SA-15_04.igmp.patch
--- kfreebsd-9-9.0/debian/patches/SA-15_04.igmp.patch   1970-01-01 
00:00:00.0 +
+++ kfreebsd-9-9.0/debian/patches/SA-15_04.igmp.patch   2015-04-16 
21:44:56.0 +
@@ -0,0 +1,41 @@
+Description:
+ Fix integer overflow in IGMP protocol [SA-15:04] (CVE-2015-1414)
+ .
+ Updated patch from advisory revision 1.1
+Origin: vendor, https://security.FreeBSD.org/patches/SA-15:04/igmp-errata.patch
+Bug: https://www.freebsd.org/security/advisories/FreeBSD-SA-15:04.igmp.asc
+Bug-Debian: https://bugs.debian.org/779201
+Applied-Upstream: https://svnweb.freebsd.org/base?view=revisionrevision=281231
+
+--- a/sys/netinet/igmp.c
 b/sys/netinet/igmp.c
+@@ -1532,8 +1532,7 @@
+   case IGMP_VERSION_3: {
+   struct igmpv3 *igmpv3;
+   uint16_t igmpv3len;
+-  uint16_t srclen;
+-  int nsrc;
++  uint16_t nsrc;
+ 
+   IGMPSTAT_INC(igps_rcv_v3_queries);
+   igmpv3 = (struct igmpv3 *)igmp;
+@@ -1541,8 +1540,8 @@
+* Validate length based on source count.
+*/
+   nsrc = ntohs(igmpv3-igmp_numsrc);
+-  srclen = sizeof(struct in_addr) * nsrc;
+-  if (nsrc * sizeof(in_addr_t)  srclen) {
++  if (nsrc * sizeof(in_addr_t) 
++  UINT16_MAX - iphlen - IGMP_V3_QUERY_MINLEN) 
{
+   IGMPSTAT_INC(igps_rcv_tooshort);
+   return;
+   }
+@@ -1551,7 +1550,7 @@
+* this scope.
+*/
+   igmpv3len = iphlen + IGMP_V3_QUERY_MINLEN +
+-  srclen;
++  sizeof(struct in_addr) * nsrc;
+   if ((m-m_flags  M_EXT ||
+m-m_len  igmpv3len) 
+   (m = m_pullup(m, igmpv3len)) == NULL) {
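Review bot: The bound check in the second inner hunk multiplies nsrc by sizeof(in_addr_t), while the igmpv3len assignment in the third inner hunk uses sizeof(struct in_addr) * nsrc, so the check only protects the uint16_t igmpv3len as long as those two sizes stay identical. Suggest using the same expression in both places, or computing the source-list length once into a wider local after the check and reusing it. It would also help to extend the "Validate length based on source count" comment to say that the limit is UINT16_MAX because igmpv3len is declared uint16_t.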
diff -Nru kfreebsd-9-9.0/debian/patches/SA-15_09.ipv6.patch 
kfreebsd-9-9.0/debian/patches/SA-15_09.ipv6.patch
--- kfreebsd-9-9.0/debian/patches/SA-15_09.ipv6.patch   1970-01-01 
00:00:00.0 +
+++ kfreebsd-9-9.0/debian/patches/SA-15_09.ipv6.patch   2015-04-16 
21:36:56.0 +
@@ -0,0 +1,28 @@
+Description:
+ Fix Denial of Service with IPv6 Router Advertisements [SA-15:09] 
(CVE-2015-2923)
+Origin: vendor, https://security.FreeBSD.org/patches/SA-15:09/ipv6.patch
+Bug: https://www.freebsd.org/security/advisories/FreeBSD-SA-15:09.ipv6.asc
+Bug-Debian: https://bugs.debian.org/782735
+Applied-Upstream: https://svnweb.freebsd.org/base?view=revisionrevision=281231
+
+--- a/sys/netinet6/nd6_rtr.c
 b/sys/netinet6/nd6_rtr.c
+@@ -293,8 +293,16 @@
+   }
+   if (nd_ra-nd_ra_retransmit)
+   ndi-retrans = ntohl(nd_ra-nd_ra_retransmit);
+-  if (nd_ra-nd_ra_curhoplimit)
+-  ndi-chlim = nd_ra-nd_ra_curhoplimit;
++  if (nd_ra-nd_ra_curhoplimit) {
++  if (ndi-chlim  nd_ra-nd_ra_curhoplimit)
++  ndi-chlim = nd_ra-nd_ra_curhoplimit;
++  else if (ndi-chlim != nd_ra-nd_ra_curhoplimit) {
++  log(LOG_ERR, RA with a lower CurHopLimit sent from 
++  %s on %s (current = %d, received = %d). 
++  
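Review bot: The log(LOG_ERR, ...) call in the else-if branch runs for every Router Advertisement that, judging by the message text, carries a lower CurHopLimit than the current one. Nothing in the lines shown rate-limits it, so repeated RAs of that kind on the link can flood the system log. Suggest rate-limiting the message or lowering its priority. The Description header should also state the behaviour change, namely that a received RA can now raise ndi chlim but no longer lower it.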

Bug#779201: kfreebsd-{8,9}: CVE-2015-1414: DoS via IGMP packet

2015-02-25 Thread Christoph Egger
Moritz Mühlenhoff j...@inutil.org writes:
> For kfreebsd-8 we've skipped previous updates, since it was
> said -8 was mostly a test kernel. So I don't think it
> makes sense to start with it now? Or did I miss something?

You're right. -9 should be on the way.

  Christoph




Bug#779201: kfreebsd-{8,9}: CVE-2015-1414: DoS via IGMP packet

2015-02-25 Thread Moritz Mühlenhoff
On Wed, Feb 25, 2015 at 02:27:47PM +0100, Christoph Egger wrote:
> Hi!
>
> I would like to upload to stable security for this kernel crash / DoS
> vulnerability. Patch for -8 is below, -9 is the same modulo version
> numbers.

Please upload for kfreebsd-9.

For kfreebsd-8 we've skipped previous updates, since it was
said -8 was mostly a test kernel. So I don't think it
makes sense to start with it now? Or did I miss something?

Cheers,
Moritz

