Author: dannf
Date: Tue May  1 20:27:26 2007
New Revision: 8551

Added:
   
dists/etch-security/linux-2.6/debian/patches/bugfix/ipv6-disallow-RH0-by-default.patch
Modified:
   dists/etch-security/linux-2.6/debian/changelog
   dists/etch-security/linux-2.6/debian/patches/series/12etch2
Log:
* bugfix/ipv6-disallow-RH0-by-default.patch
  [SECURITY] Avoid a remote DoS (network amplification between two routers)
  by disabling type0 IPv6 route headers by default. Can be re-enabled via
  a sysctl interface.
  See CVE-2007-2242

Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog      (original)
+++ dists/etch-security/linux-2.6/debian/changelog      Tue May  1 20:27:26 2007
@@ -13,8 +13,13 @@
     See CVE-2007-1861
   * bugfix/nl_fib_lookup-oops.patch
     Add fix for oops bug added by previous patch
+  * bugfix/ipv6-disallow-RH0-by-default.patch
+    [SECURITY] Avoid a remote DoS (network amplification between two routers)
+    by disabling type0 IPv6 route headers by default. Can be re-enabled via
+    a sysctl interface.
+    See CVE-2007-2242
 
- -- dann frazier <[EMAIL PROTECTED]>  Tue, 01 May 2007 08:34:18 -0600
+ -- dann frazier <[EMAIL PROTECTED]>  Tue, 01 May 2007 14:16:33 -0600
 
 linux-2.6 (2.6.18.dfsg.1-12etch1) stable-security; urgency=high
 

Added: 
dists/etch-security/linux-2.6/debian/patches/bugfix/ipv6-disallow-RH0-by-default.patch
==============================================================================
--- (empty file)
+++ 
dists/etch-security/linux-2.6/debian/patches/bugfix/ipv6-disallow-RH0-by-default.patch
      Tue May  1 20:27:26 2007
@@ -0,0 +1,166 @@
+From: YOSHIFUJI Hideaki <[EMAIL PROTECTED]>
+Date: Thu, 26 Apr 2007 04:56:57 +0000 (-0700)
+Subject: [PATCH] IPV6: Disallow RH0 by default.
+X-Git-Tag: v2.6.20.9~1
+X-Git-Url: 
http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6.20.y.git;a=commitdiff_plain;h=010831ab8436dfd9304b203467566fb6b135c24f
+
+[PATCH] IPV6: Disallow RH0 by default.
+
+[IPV6]: Disallow RH0 by default.
+
+A security issue is emerging.  Disallow Routing Header Type 0 by default
+as we have been doing for IPv4.
+Note: We allow RH2 by default because it is harmless.
+
+Signed-off-by: YOSHIFUJI Hideaki <[EMAIL PROTECTED]>
+Signed-off-by: David S. Miller <[EMAIL PROTECTED]>
+Signed-off-by: Greg Kroah-Hartman <[EMAIL PROTECTED]>
+---
+
+Backported to Debian's 2.6.18 by dann frazier with help from Vlad Yasevich
+
+diff -urN linux-source-2.6.18.orig/Documentation/networking/ip-sysctl.txt 
linux-source-2.6.18/Documentation/networking/ip-sysctl.txt
+--- linux-source-2.6.18.orig/Documentation/networking/ip-sysctl.txt    
2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/Documentation/networking/ip-sysctl.txt 2007-05-01 
09:57:58.000000000 -0600
+@@ -775,6 +775,14 @@
+       Functional default: enabled if local forwarding is disabled.
+                           disabled if local forwarding is enabled.
+ 
++accept_source_route - INTEGER
++      Accept source routing (routing extension header).
++
++      > 0: Accept routing header.
++      = 0: Do not accept routing header.
++
++      Default: 0
++
+ autoconf - BOOLEAN
+       Autoconfigure addresses using Prefix Information in Router 
+       Advertisements.
+diff -urN linux-source-2.6.18.orig/include/linux/ipv6.h 
linux-source-2.6.18/include/linux/ipv6.h
+--- linux-source-2.6.18.orig/include/linux/ipv6.h      2006-09-19 
21:42:06.000000000 -0600
++++ linux-source-2.6.18/include/linux/ipv6.h   2007-05-01 10:04:07.000000000 
-0600
+@@ -153,6 +153,7 @@
+       __s32           accept_ra_rt_info_max_plen;
+ #endif
+ #endif
++      __s32           accept_source_route;
+       void            *sysctl;
+ };
+ 
+@@ -180,6 +181,7 @@
+       DEVCONF_ACCEPT_RA_RTR_PREF,
+       DEVCONF_RTR_PROBE_INTERVAL,
+       DEVCONF_ACCEPT_RA_RT_INFO_MAX_PLEN,
++      DEVCONF_ACCEPT_SOURCE_ROUTE,
+       DEVCONF_MAX
+ };
+ 
+diff -urN linux-source-2.6.18.orig/include/linux/sysctl.h 
linux-source-2.6.18/include/linux/sysctl.h
+--- linux-source-2.6.18.orig/include/linux/sysctl.h    2007-04-09 
10:49:30.000000000 -0600
++++ linux-source-2.6.18/include/linux/sysctl.h 2007-05-01 08:54:28.000000000 
-0600
+@@ -553,6 +553,7 @@
+       NET_IPV6_ACCEPT_RA_RTR_PREF=20,
+       NET_IPV6_RTR_PROBE_INTERVAL=21,
+       NET_IPV6_ACCEPT_RA_RT_INFO_MAX_PLEN=22,
++      NET_IPV6_ACCEPT_SOURCE_ROUTE=23,
+       __NET_IPV6_MAX
+ };
+ 
+diff -urN linux-source-2.6.18.orig/net/ipv6/addrconf.c 
linux-source-2.6.18/net/ipv6/addrconf.c
+--- linux-source-2.6.18.orig/net/ipv6/addrconf.c       2007-04-09 
10:49:31.000000000 -0600
++++ linux-source-2.6.18/net/ipv6/addrconf.c    2007-05-01 09:34:40.000000000 
-0600
+@@ -173,6 +173,7 @@
+       .accept_ra_rt_info_max_plen = 0,
+ #endif
+ #endif
++      .accept_source_route    = 0,    /* we do not accept RH0 by default. */
+ };
+ 
+ static struct ipv6_devconf ipv6_devconf_dflt = {
+@@ -203,6 +204,7 @@
+       .accept_ra_rt_info_max_plen = 0,
+ #endif
+ #endif
++      .accept_source_route    = 0,    /* we do not accept RH0 by default. */
+ };
+ 
+ /* IPv6 Wildcard Address and Loopback Address defined by RFC2553 */
+@@ -3333,6 +3335,7 @@
+       array[DEVCONF_ACCEPT_RA_RT_INFO_MAX_PLEN] = 
cnf->accept_ra_rt_info_max_plen;
+ #endif
+ #endif
++      array[DEVCONF_ACCEPT_SOURCE_ROUTE] = cnf->accept_source_route;
+ }
+ 
+ /* Maximum length of ifinfomsg attributes */
+@@ -3891,6 +3894,14 @@
+                       .child          =       
addrconf_sysctl.addrconf_proto_dir,
+               },
+               {
++                      .ctl_name       =       NET_IPV6_ACCEPT_SOURCE_ROUTE,
++                      .procname       =       "accept_source_route",
++                      .data           =       
&ipv6_devconf.accept_source_route,
++                      .maxlen         =       sizeof(int),
++                      .mode           =       0644,
++                      .proc_handler   =       &proc_dointvec,
++              },
++              {
+                       .ctl_name       =       0,      /* sentinel */
+               }
+       },
+diff -urN linux-source-2.6.18.orig/net/ipv6/exthdrs.c 
linux-source-2.6.18/net/ipv6/exthdrs.c
+--- linux-source-2.6.18.orig/net/ipv6/exthdrs.c        2007-05-01 
09:43:02.000000000 -0600
++++ linux-source-2.6.18/net/ipv6/exthdrs.c     2007-05-01 14:21:32.000000000 
-0600
+@@ -221,10 +221,24 @@
+       struct inet6_skb_parm *opt = IP6CB(skb);
+       struct in6_addr *addr;
+       struct in6_addr daddr;
++      struct inet6_dev *idev;
+       int n, i;
+-
+       struct ipv6_rt_hdr *hdr;
+       struct rt0_hdr *rthdr;
++      int accept_source_route = ipv6_devconf.accept_source_route;
++
++      if (accept_source_route == 0 ||
++          ((idev = in6_dev_get(skb->dev)) == NULL)) {
++              kfree_skb(skb);
++              return -1;
++      }
++      if (idev->cnf.accept_source_route == 0) {
++              in6_dev_put(idev);
++              kfree_skb(skb);
++              return -1;
++      }
++
++      in6_dev_put(idev);
+ 
+       if (!pskb_may_pull(skb, (skb->h.raw-skb->data)+8) ||
+           !pskb_may_pull(skb, (skb->h.raw-skb->data)+((skb->h.raw[1]+1)<<3))) 
{
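Review bot: The new gate at the top of this hunk rejects only `accept_source_route == 0`, yet the sysctl added in the addrconf.c table hunk is a plain `proc_dointvec` with no range clamp and the ip-sysctl.txt hunk documents `> 0` as accept and `= 0` as reject, so any negative value written by an administrator (for example `-1`, intending "off") falls through both checks and silently re-enables RH0. Compare against the documented semantics instead: `if (accept_source_route <= 0 ||` and `if (idev->cnf.accept_source_route <= 0) {`, or document the negative range explicitly in ip-sysctl.txt. Both rejection paths also drop the packet with a bare `kfree_skb()` and no `IP6_INC_STATS_BH(IPSTATS_MIB_INHDRERRORS)`, unlike the other rejections visible in this patch, so RH0 traffic hitting the new default leaves no trace in the MIB counters; upstream drops silently too, so this is a judgement call, but an incremented counter would help operators see an attempted amplification. The enclosing function's signature is outside the hunk.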
+@@ -235,6 +249,12 @@
+ 
+       hdr = (struct ipv6_rt_hdr *) skb->h.raw;
+ 
++      if (hdr->type != IPV6_SRCRT_TYPE_0) {
++              IP6_INC_STATS_BH(IPSTATS_MIB_INHDRERRORS);
++              icmpv6_param_prob(skb, ICMPV6_HDR_FIELD, (&hdr->type) - 
skb->nh.raw);
++              return -1;
++      }
++
+       if (ipv6_addr_is_multicast(&skb->nh.ipv6h->daddr) ||
+           skb->pkt_type != PACKET_HOST) {
+               IP6_INC_STATS_BH(IPSTATS_MIB_INADDRERRORS);
+@@ -253,12 +273,6 @@
+               return 1;
+       }
+ 
+-      if (hdr->type != IPV6_SRCRT_TYPE_0) {
+-              IP6_INC_STATS_BH(IPSTATS_MIB_INHDRERRORS);
+-              icmpv6_param_prob(skb, ICMPV6_HDR_FIELD, (&hdr->type) - 
skb->nh.raw);
+-              return -1;
+-      }
+-      
+       if (hdr->hdrlen & 0x01) {
+               IP6_INC_STATS_BH(IPSTATS_MIB_INHDRERRORS);
+               icmpv6_param_prob(skb, ICMPV6_HDR_FIELD, (&hdr->hdrlen) - 
skb->nh.raw);
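Review bot: Removing the `hdr->type != IPV6_SRCRT_TYPE_0` check from here, where it ran after the early `return 1` branch shown at the top of this hunk (presumably the `segments_left == 0` case), and re-adding it before that branch in the previous hunk changes RFC 2460 §4.4 behaviour: a Routing Header of an unrecognised type whose Segments Left is zero must be ignored and the next header processed, but after this patch it is rejected with an ICMPv6 Parameter Problem. Combined with the sysctl gate placed even earlier in the function, the default of 0 drops every packet carrying any routing header, including one that has already reached its final hop, even though the patch description says only RH0 is disallowed and that RH2 is "allowed by default" — in this backport every type other than 0 is refused unconditionally. Either keep the type check at its original position and make the new gate conditional on `hdr->type == IPV6_SRCRT_TYPE_0` after the segments_left test, or amend the description to state that 2.6.18 accepts no routing header type at all once this is applied. The enclosing function starts outside the hunk.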

Modified: dists/etch-security/linux-2.6/debian/patches/series/12etch2
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/12etch2 (original)
+++ dists/etch-security/linux-2.6/debian/patches/series/12etch2 Tue May  1 
20:27:26 2007
@@ -2,3 +2,4 @@
 + bugfix/nf_conntrack-set-nfctinfo.patch
 + bugfix/netlink-infinite-recursion.patch
 + bugfix/nl_fib_lookup-oops.patch
++ bugfix/ipv6-disallow-RH0-by-default.patch
