Author: dannf
Date: Sat Mar 31 23:05:01 2007
New Revision: 8414
Added:
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/243_ipv6_fl_socklist-no-share.diff
Modified:
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6
Log:
* 243_ipv6_fl_socklist-no-share.diff
[SECURITY] Fix local DoS vulnerability caused by inadvertently sharing
ipv6_fl_socklist between the listening socket and the socket created
for connection.
See CVE-2007-1592
Modified:
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
==============================================================================
---
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
(original)
+++
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
Sat Mar 31 23:05:01 2007
@@ -14,8 +14,13 @@
[SECURITY] Fix a DoS vulnerability that can be triggered by a local
user with the ability to mount a corrupted ext3 filesystem
See CVE-2006-6053
+ * 243_ipv6_fl_socklist-no-share.diff
+ [SECURITY] Fix local DoS vulnerability caused by inadvertently sharing
+ ipv6_fl_socklist between the listening socket and the socket created
+ for connection.
+ See CVE-2007-1592
- -- dann frazier <[EMAIL PROTECTED]> Sat, 31 Mar 2007 15:49:18 -0600
+ -- dann frazier <[EMAIL PROTECTED]> Sat, 31 Mar 2007 17:04:51 -0600
kernel-source-2.4.27 (2.4.27-10sarge5) stable-security; urgency=high
Added:
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/243_ipv6_fl_socklist-no-share.diff
==============================================================================
--- (empty file)
+++
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/243_ipv6_fl_socklist-no-share.diff
Sat Mar 31 23:05:01 2007
@@ -0,0 +1,38 @@
+From: Willy Tarreau <[EMAIL PROTECTED]>
+Date: Thu, 22 Mar 2007 20:22:10 +0000 (+0100)
+Subject: [PATCH] IPV6: ipv6_fl_socklist is inadvertently shared.
+X-Git-Tag: v2.4.35-pre2~1
+X-Git-Url:
http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fwtarreau%2Flinux-2.4.git;a=commitdiff_plain;h=86b21d8a1b97aaf523749d9c7b03b113e0cf9ee0
+
+[PATCH] IPV6: ipv6_fl_socklist is inadvertently shared.
+
+Backport from 2.6. Original patch from Masayuki Nakagawa, with
+his description below :
+
+"
+ The ipv6_fl_socklist from listening socket is inadvertently shared
+ with new socket created for connection. This leads to a variety of
+ interesting, but fatal, bugs. For example, removing one of the
+ sockets may lead to the other socket's encountering a page fault
+ when the now freed list is referenced.
+
+ The fix is to not share the flow label list with the new socket.
+"
+
+original patch:
+ Signed-off-by: Masayuki Nakagawa <[EMAIL PROTECTED]>
+Signed-off-by: Willy Tarreau <[EMAIL PROTECTED]>
+---
+
+diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
+index 33eeee8..d3127e2 100644
+--- a/net/ipv6/tcp_ipv6.c
++++ b/net/ipv6/tcp_ipv6.c
+@@ -1354,6 +1354,7 @@ static struct sock * tcp_v6_syn_recv_sock(struct sock
*sk, struct sk_buff *skb,
+ First: no IPv4 options.
+ */
+ newsk->protinfo.af_inet.opt = NULL;
++ np->ipv6_fl_list = NULL;
+
+ /* Clone RX bits */
+ np->rxopt.all = sk->net_pinfo.af_inet6.rxopt.all;
Modified:
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6
==============================================================================
---
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6
(original)
+++
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6
Sat Mar 31 23:05:01 2007
@@ -2,3 +2,4 @@
+ 240_smbfs-honor-mount-opts-2.diff
+ 241_bluetooth-capi-size-checks.diff
+ 242_ext3-fsfuzz.diff
++ 243_ipv6_fl_socklist-no-share.diff
_______________________________________________
Kernel-svn-changes mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes
