Author: dannf
Date: Mon Apr 30 23:34:17 2007
New Revision: 8530

Added:
   dists/etch-security/linux-2.6/debian/patches/bugfix/nf_conntrack-set-nfctinfo.patch
Modified:
   dists/etch-security/linux-2.6/debian/changelog
   dists/etch-security/linux-2.6/debian/patches/series/12etch2
Log:
* bugfix/nf_conntrack-set-nfctinfo.patch
  [SECURITY] Fix incorrect classification of IPv6 fragments as ESTABLISHED,
  which allows remote attackers to bypass certain rulesets
  See CVE-2007-1497

Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog      (original)
+++ dists/etch-security/linux-2.6/debian/changelog      Mon Apr 30 23:34:17 2007
@@ -4,8 +4,12 @@
     [SECURITY] Fix remotely exploitable NULL pointer dereference in
     nfulnl_recv_config()
     See CVE-2007-1496
+  * bugfix/nf_conntrack-set-nfctinfo.patch
+    [SECURITY] Fix incorrect classification of IPv6 fragments as ESTABLISHED,
+    which allows remote attackers to bypass certain rulesets
+    See CVE-2007-1497
 
- -- dann frazier <[EMAIL PROTECTED]>  Mon, 30 Apr 2007 17:20:14 -0600
+ -- dann frazier <[EMAIL PROTECTED]>  Mon, 30 Apr 2007 17:30:17 -0600
 
 linux-2.6 (2.6.18.dfsg.1-12etch1) stable-security; urgency=high
 

Added: dists/etch-security/linux-2.6/debian/patches/bugfix/nf_conntrack-set-nfctinfo.patch
==============================================================================
--- (empty file)
+++ 
dists/etch-security/linux-2.6/debian/patches/bugfix/nf_conntrack-set-nfctinfo.patch
 Mon Apr 30 23:34:17 2007
@@ -0,0 +1,35 @@
+From: Patrick McHardy <[EMAIL PROTECTED]>
+Date: Wed, 7 Mar 2007 21:34:42 +0000 (+0100)
+Subject: nf_conntrack: fix incorrect classification of IPv6 fragments as 
ESTABLISHED
+X-Git-Tag: v2.6.20.3~11
+X-Git-Url: 
http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6.20.y.git;a=commitdiff_plain;h=868f0120e0f93d070ea7f3e969c09dbab8ad7bc7
+
+nf_conntrack: fix incorrect classification of IPv6 fragments as ESTABLISHED
+
+[NETFILTER]: nf_conntrack: fix incorrect classification of IPv6 fragments as 
ESTABLISHED
+
+The individual fragments of a packet reassembled by conntrack have the
+conntrack reference from the reassembled packet attached, but nfctinfo
+is not copied. This leaves it initialized to 0, which unfortunately is
+the value of IP_CT_ESTABLISHED.
+
+The result is that all IPv6 fragments are tracked as ESTABLISHED,
+allowing them to bypass a usual ruleset which accepts ESTABLISHED
+packets early.
+
+Signed-off-by: Patrick McHardy <[EMAIL PROTECTED]>
+Signed-off-by: Greg Kroah-Hartman <[EMAIL PROTECTED]>
+---
+
+diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c 
b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+index a20615f..6155b80 100644
+--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
++++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+@@ -257,6 +257,7 @@ static unsigned int ipv6_conntrack_in(unsigned int hooknum,
+               }
+               nf_conntrack_get(reasm->nfct);
+               (*pskb)->nfct = reasm->nfct;
++              (*pskb)->nfctinfo = reasm->nfctinfo;
+               return NF_ACCEPT;
+       }
+ 
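Review bot: the added `(*pskb)->nfctinfo = reasm->nfctinfo;` in ipv6_conntrack_in() has no comment, and the reason it is needed appears only in the commit message: an nfctinfo that is never set stays 0, which is the value of IP_CT_ESTABLISHED. Suggest a one-line comment above the assignment saying that nfct and nfctinfo must be copied from reasm together. The same default applies anywhere else that attaches nfct to an skb without setting nfctinfo, so it is worth confirming that this is the only such site. A regression check with a ruleset that accepts ESTABLISHED early, verifying that fragments of a not-yet-established IPv6 flow no longer match that rule, would keep this from silently returning.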

Modified: dists/etch-security/linux-2.6/debian/patches/series/12etch2
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/12etch2 (original)
+++ dists/etch-security/linux-2.6/debian/patches/series/12etch2 Mon Apr 30 
23:34:17 2007
@@ -1 +1,2 @@
 + bugfix/nfnetlink_log-null-deref.patch
++ bugfix/nf_conntrack-set-nfctinfo.patch

_______________________________________________
Kernel-svn-changes mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes
