Author: dannf
Date: Wed May 23 06:03:47 2007
New Revision: 8722

Log:
* 244_bluetooth-l2cap-hci-info-leaks.diff
  [SECURITY] Fix information leaks in setsockopt() implementations
  See CVE-2007-1353

Added:
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/244_bluetooth-l2cap-hci-info-leaks.diff
Modified:
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6

Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
==============================================================================
--- 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
 (original)
+++ 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
 Wed May 23 06:03:47 2007
@@ -19,8 +19,11 @@
     ipv6_fl_socklist between the listening socket and the socket created
     for connection.
     See CVE-2007-1592
+  * 244_bluetooth-l2cap-hci-info-leaks.diff
+    [SECURITY] Fix information leaks in setsockopt() implementations
+    See CVE-2007-1353
 
- -- dann frazier <[EMAIL PROTECTED]>  Sat, 31 Mar 2007 17:04:51 -0600
+ -- dann frazier <[EMAIL PROTECTED]>  Tue, 22 May 2007 23:58:34 -0600
 
 kernel-source-2.4.27 (2.4.27-10sarge5) stable-security; urgency=high
 

Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/244_bluetooth-l2cap-hci-info-leaks.diff
==============================================================================
--- (empty file)
+++ 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/244_bluetooth-l2cap-hci-info-leaks.diff
   Wed May 23 06:03:47 2007
@@ -0,0 +1,52 @@
+From: Willy Tarreau <[EMAIL PROTECTED]>
+Date: Sat, 14 Apr 2007 16:23:12 +0000 (+0200)
+Subject: [Bluetooth] Fix L2CAP and HCI setsockopt() information leaks 
(CVE-2007-1353)
+X-Git-Tag: v2.4.35-pre3~3
+X-Git-Url: 
http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fwtarreau%2Flinux-2.4.git;a=commitdiff_plain;h=7d83d871b1fa17d8c23c8a03ae19ee772f3fe8dd
+
+[Bluetooth] Fix L2CAP and HCI setsockopt() information leaks (CVE-2007-1353)
+
+Problem reported by Ilja van Sprundel. Assigned CVE-2007-1353.
+Fix below from Marcel Holtmann, backported to 2.4.
+
+The L2CAP and HCI setsockopt() implementations have a small information
+leak that makes it possible to leak kernel stack memory to userspace.
+
+If the optlen parameter is 0, no data will be copied by copy_from_user(),
+but the uninitialized stack buffer will be read and stored later. A call
+to getsockopt() can now retrieve the leaked information.
+
+To fix this problem the stack buffer given to copy_from_user() must be
+initialized with the current settings.
+
+Signed-off-by: Marcel Holtmann <[EMAIL PROTECTED]>
+---
+
+diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
+index 0d3aed8..8ececee 100644
+--- a/net/bluetooth/hci_sock.c
++++ b/net/bluetooth/hci_sock.c
+@@ -469,6 +469,8 @@ int hci_sock_setsockopt(struct socket *sock, int level, 
int optname, char *optva
+               break;
+ 
+       case HCI_FILTER:
++              memcpy(&flt, &hci_pi(sk)->filter, len);
++
+               len = MIN(len, sizeof(struct hci_filter));
+               if (copy_from_user(&flt, optval, len)) {
+                       err = -EFAULT;
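Review bot: the new "memcpy(&flt, &hci_pi(sk)->filter, len);" in the HCI_FILTER case runs before "len = MIN(len, sizeof(struct hci_filter));", so it copies with the length as the caller passed it rather than the clamped value; a len larger than the filter struct overruns the stack buffer flt and reads past hci_pi(sk)->filter, turning a leak fix into a stack overwrite. Copy a fixed size instead, "memcpy(&flt, &hci_pi(sk)->filter, sizeof(flt));", or move the memcpy below the MIN() line so it uses the bounded len. Either way the copy should not depend on a user-controlled length.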
+diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c
+index 8a54327..68a3767 100644
+--- a/net/bluetooth/l2cap.c
++++ b/net/bluetooth/l2cap.c
+@@ -685,6 +685,10 @@ static int l2cap_sock_setsockopt(struct socket *sock, int 
level, int optname, ch
+ 
+       switch (optname) {
+       case L2CAP_OPTIONS:
++              opts.imtu     = l2cap_pi(sk)->imtu;
++              opts.omtu     = l2cap_pi(sk)->omtu;
++              opts.flush_to = l2cap_pi(sk)->flush_to;
++
+               len = MIN(sizeof(opts), optlen);
+               if (copy_from_user((char *)&opts, optval, len)) {
+                       err = -EFAULT;
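Review bot: the three assignments to opts.imtu, opts.omtu and opts.flush_to close the leak only if those members are the whole of struct l2cap_options; any further member or compiler padding would remain uninitialized stack and, as the description above notes, would be readable through getsockopt() after a zero-length setsockopt(). A "memset(&opts, 0, sizeof(opts));" (or a whole-struct copy of the current settings) ahead of the assignments does not depend on this list staying in sync with the header. The ordering here, initializing the buffer before the MIN() clamp without using optlen, is the one the hci_sock.c hunk should follow as well.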

Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6
==============================================================================
--- 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6
    (original)
+++ 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6
    Wed May 23 06:03:47 2007
@@ -3,3 +3,4 @@
 + 241_bluetooth-capi-size-checks.diff
 + 242_ext3-fsfuzz.diff
 + 243_ipv6_fl_socklist-no-share.diff
++ 244_bluetooth-l2cap-hci-info-leaks.diff

_______________________________________________
Kernel-svn-changes mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes