Dear Security Team,
This bug was reopened because the original fix from upstream was found
to be incomplete.
Please may I upload to wheezy-security with the attached debdiff,
replacing the CVE-2015-1414 patch with the new one, and also patching
CVE-2015-2923 (Debian Bug #782735).
I've been running kfreebsd-9 with these patches for some weeks, and
they are applied already to kfreebsd-10 in sid/jessie-kfreebsd.
Thanks,
Regards,
--
Steven Chamberlain
ste...@pyro.eu.org
diff -Nru kfreebsd-9-9.0/debian/changelog kfreebsd-9-9.0/debian/changelog
--- kfreebsd-9-9.0/debian/changelog 2015-02-25 13:13:10.0 +
+++ kfreebsd-9-9.0/debian/changelog 2015-05-10 19:53:49.0 +
@@ -1,3 +1,13 @@
+kfreebsd-9 (9.0-10+deb70.10) wheezy-security; urgency=high
+
+ * Pick SVN r281231 from FreeBSD 9-STABLE to fix:
+- SA-15:04: integer overflow in IGMP protocol (CVE-2015-1414)
+ updated patch from advisory revision 1.1 (Closes: #779201)
+- SA-15:09: Denial of Service with IPv6 Router Advertisements
+ (CVE-2015-2923) (Closes: #782735)
+
+ -- Steven Chamberlain ste...@pyro.eu.org Thu, 16 Apr 2015 21:45:05 +
+
kfreebsd-9 (9.0-10+deb70.9) wheezy-security; urgency=medium
* Upstream patch for FreeBSD-SA-15:04.igmp / CVE-2015-1414 (Closes: #779201)
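Review bot: The new 9.0-10+deb70.10 entry says "updated patch from advisory revision 1.1" but does not say whether the CVE-2015-1414 patch shipped in 9.0-10+deb70.9 is dropped or kept underneath the new one. The SA-15_04.igmp.patch added by this debdiff names igmp-errata.patch as its Origin and removes the srclen lines, so it reads as an incremental change. A line in the entry naming the earlier patch file and stating which of the two is applied would make the upload easier to audit.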
diff -Nru kfreebsd-9-9.0/debian/patches/SA-15_04.igmp.patch
kfreebsd-9-9.0/debian/patches/SA-15_04.igmp.patch
--- kfreebsd-9-9.0/debian/patches/SA-15_04.igmp.patch 1970-01-01
00:00:00.0 +
+++ kfreebsd-9-9.0/debian/patches/SA-15_04.igmp.patch 2015-04-16
21:44:56.0 +
@@ -0,0 +1,41 @@
+Description:
+ Fix integer overflow in IGMP protocol [SA-15:04] (CVE-2015-1414)
+ .
+ Updated patch from advisory revision 1.1
+Origin: vendor, https://security.FreeBSD.org/patches/SA-15:04/igmp-errata.patch
+Bug: https://www.freebsd.org/security/advisories/FreeBSD-SA-15:04.igmp.asc
+Bug-Debian: https://bugs.debian.org/779201
+Applied-Upstream: https://svnweb.freebsd.org/base?view=revisionrevision=281231
+
+--- a/sys/netinet/igmp.c
b/sys/netinet/igmp.c
+@@ -1532,8 +1532,7 @@
+ case IGMP_VERSION_3: {
+ struct igmpv3 *igmpv3;
+ uint16_t igmpv3len;
+- uint16_t srclen;
+- int nsrc;
++ uint16_t nsrc;
+
+ IGMPSTAT_INC(igps_rcv_v3_queries);
+ igmpv3 = (struct igmpv3 *)igmp;
+@@ -1541,8 +1540,8 @@
+* Validate length based on source count.
+*/
+ nsrc = ntohs(igmpv3-igmp_numsrc);
+- srclen = sizeof(struct in_addr) * nsrc;
+- if (nsrc * sizeof(in_addr_t) srclen) {
++ if (nsrc * sizeof(in_addr_t)
++ UINT16_MAX - iphlen - IGMP_V3_QUERY_MINLEN)
{
+ IGMPSTAT_INC(igps_rcv_tooshort);
+ return;
+ }
+@@ -1551,7 +1550,7 @@
+* this scope.
+*/
+ igmpv3len = iphlen + IGMP_V3_QUERY_MINLEN +
+- srclen;
++ sizeof(struct in_addr) * nsrc;
+ if ((m-m_flags M_EXT ||
+m-m_len igmpv3len)
+ (m = m_pullup(m, igmpv3len)) == NULL) {
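Review bot: In the second igmp.c hunk the new bound multiplies nsrc by sizeof(in_addr_t), while the igmpv3len computation in the third hunk uses sizeof(struct in_addr) * nsrc, so the value that is checked and the value that is added are written as two different expressions. igmpv3len is a uint16_t, and the check against UINT16_MAX - iphlen - IGMP_V3_QUERY_MINLEN is what keeps that sum from wrapping. Using the same sizeof in both places, or computing the product once, would make it evident that the guard covers the later addition. The existing comment "Validate length based on source count" could also state that the bound exists to keep igmpv3len within 16 bits. As this is the upstream errata patch, such a change is best proposed upstream rather than made only in the Debian copy.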
diff -Nru kfreebsd-9-9.0/debian/patches/SA-15_09.ipv6.patch
kfreebsd-9-9.0/debian/patches/SA-15_09.ipv6.patch
--- kfreebsd-9-9.0/debian/patches/SA-15_09.ipv6.patch 1970-01-01
00:00:00.0 +
+++ kfreebsd-9-9.0/debian/patches/SA-15_09.ipv6.patch 2015-04-16
21:36:56.0 +
@@ -0,0 +1,28 @@
+Description:
+ Fix Denial of Service with IPv6 Router Advertisements [SA-15:09]
(CVE-2015-2923)
+Origin: vendor, https://security.FreeBSD.org/patches/SA-15:09/ipv6.patch
+Bug: https://www.freebsd.org/security/advisories/FreeBSD-SA-15:09.ipv6.asc
+Bug-Debian: https://bugs.debian.org/782735
+Applied-Upstream: https://svnweb.freebsd.org/base?view=revisionrevision=281231
+
+--- a/sys/netinet6/nd6_rtr.c
b/sys/netinet6/nd6_rtr.c
+@@ -293,8 +293,16 @@
+ }
+ if (nd_ra-nd_ra_retransmit)
+ ndi-retrans = ntohl(nd_ra-nd_ra_retransmit);
+- if (nd_ra-nd_ra_curhoplimit)
+- ndi-chlim = nd_ra-nd_ra_curhoplimit;
++ if (nd_ra-nd_ra_curhoplimit) {
++ if (ndi-chlim nd_ra-nd_ra_curhoplimit)
++ ndi-chlim = nd_ra-nd_ra_curhoplimit;
++ else if (ndi-chlim != nd_ra-nd_ra_curhoplimit) {
++ log(LOG_ERR, RA with a lower CurHopLimit sent from
++ %s on %s (current = %d, received = %d).
++
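Review bot: In the nd6_rtr.c hunk, the new else-if branch calls log(LOG_ERR, ...) for every Router Advertisement whose CurHopLimit differs from ndi->chlim without being higher, and nothing in the lines shown limits how often that message is emitted. Repeated advertisements of that kind would fill the kernel log, so rate-limiting the message or logging it at a lower priority would keep the fix from replacing one denial of service with log exhaustion. The patch Description should also record that after this change an RA can only raise the current hop limit, so a router that legitimately lowers it is ignored.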