[kernel] r8374 - in dists/etch-security/linux-2.6/debian: . patches/bugfix patches/series

Mon, 19 Mar 2007 17:00:16 -0800 

Author: dannf
Date: Tue Mar 20 01:00:14 2007
New Revision: 8374

Added:
   
dists/etch-security/linux-2.6/debian/patches/bugfix/ipv6_getsockopt_sticky-null-opt.patch
Modified:
   dists/etch-security/linux-2.6/debian/changelog
   dists/etch-security/linux-2.6/debian/patches/series/11etch1
Log:
* bugfix/ipv6_getsockopt_sticky-null-opt.patch
  [SECURITY] Fix kernel memory leak vulnerability in
  ipv6_getsockopt_sticky() which can be triggered by passing a len < 0.
  See CVE-2007-1000

Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog      (original)
+++ dists/etch-security/linux-2.6/debian/changelog      Tue Mar 20 01:00:14 2007
@@ -9,8 +9,12 @@
     [SECURITY] Fix NULL dereference in ipv6_setsockopt that could lead
     to a local DoS (oops).
     See CVE-2007-1388
+  * bugfix/ipv6_getsockopt_sticky-null-opt.patch
+    [SECURITY] Fix kernel memory leak vulnerability in
+    ipv6_getsockopt_sticky() which can be triggered by passing a len < 0.
+    See CVE-2007-1000
 
- -- dann frazier <[EMAIL PROTECTED]>  Mon, 19 Mar 2007 18:56:15 -0600
+ -- dann frazier <[EMAIL PROTECTED]>  Mon, 19 Mar 2007 18:58:46 -0600
 
 linux-2.6 (2.6.18.dfsg.1-11) unstable; urgency=low
 

Added: 
dists/etch-security/linux-2.6/debian/patches/bugfix/ipv6_getsockopt_sticky-null-opt.patch
==============================================================================
--- (empty file)
+++ 
dists/etch-security/linux-2.6/debian/patches/bugfix/ipv6_getsockopt_sticky-null-opt.patch
   Tue Mar 20 01:00:14 2007
@@ -0,0 +1,42 @@
+From: David S. Miller <[EMAIL PROTECTED]>
+Date: Wed, 7 Mar 2007 20:50:46 +0000 (-0800)
+Subject: [IPV6]: Handle np->opt being NULL in ipv6_getsockopt_sticky().
+X-Git-Tag: v2.6.21-rc4~99^2~7
+X-Git-Url: 
http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=286930797d74b2c9a5beae84836044f6a836235f
+
+[IPV6]: Handle np->opt being NULL in ipv6_getsockopt_sticky().
+
+Signed-off-by: David S. Miller <[EMAIL PROTECTED]>
+---
+
+diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
+index 286c867..4e0561a 100644
+--- a/net/ipv6/ipv6_sockglue.c
++++ b/net/ipv6/ipv6_sockglue.c
+@@ -795,11 +795,15 @@ int compat_ipv6_setsockopt(struct sock *sk, int level, 
int optname,
+ EXPORT_SYMBOL(compat_ipv6_setsockopt);
+ #endif
+ 
+-static int ipv6_getsockopt_sticky(struct sock *sk, struct ipv6_opt_hdr *hdr,
++static int ipv6_getsockopt_sticky(struct sock *sk, struct ipv6_txoptions *opt,
+                                 char __user *optval, int len)
+ {
+-      if (!hdr)
++      struct ipv6_opt_hdr *hdr;
++
++      if (!opt || !opt->hopopt)
+               return 0;
++      hdr = opt->hopopt;
++
+       len = min_t(int, len, ipv6_optlen(hdr));
+       if (copy_to_user(optval, hdr, ipv6_optlen(hdr)))
+               return -EFAULT;
+@@ -940,7 +944,7 @@ static int do_ipv6_getsockopt(struct sock *sk, int level, 
int optname,
+       {
+ 
+               lock_sock(sk);
+-              len = ipv6_getsockopt_sticky(sk, np->opt->hopopt,
++              len = ipv6_getsockopt_sticky(sk, np->opt,
+                                            optval, len);
+               release_sock(sk);
+               return put_user(len, optlen);

Modified: dists/etch-security/linux-2.6/debian/patches/series/11etch1
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/11etch1 (original)
+++ dists/etch-security/linux-2.6/debian/patches/series/11etch1 Tue Mar 20 
01:00:14 2007
@@ -1,2 +1,3 @@
 + bugfix/keys-serial-num-collision.patch
 + bugfix/ipv6_setsockopt-NULL-deref.patch
++ bugfix/ipv6_getsockopt_sticky-null-opt.patch

_______________________________________________
Kernel-svn-changes mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes

Reply via email to