Author: dannf
Date: Fri Jul 13 05:32:08 2007
New Revision: 9127
Log:
* bugfix/dn_fib-out-of-bounds.patch
See CVE-2007-2172
Added:
dists/etch-security/linux-2.6/debian/patches/bugfix/dn_fib-out-of-bounds.patch
Modified:
dists/etch-security/linux-2.6/debian/changelog
dists/etch-security/linux-2.6/debian/patches/series/13etch1
Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog (original)
+++ dists/etch-security/linux-2.6/debian/changelog Fri Jul 13 05:32:08 2007
@@ -17,8 +17,11 @@
[SECURITY] nf_conntrack_h323: add checking of out-of-range on choices'
index values
See CVE-2007-3642
+ * bugfix/dn_fib-out-of-bounds.patch
+ [SECURITY] Fix out of bounds condition in dn_fib_props[]
+ See CVE-2007-2172
- -- dann frazier <[EMAIL PROTECTED]> Wed, 11 Jul 2007 00:28:15 -0600
+ -- dann frazier <[EMAIL PROTECTED]> Thu, 12 Jul 2007 23:30:55 -0600
linux-2.6 (2.6.18.dfsg.1-13) stable; urgency=high
Added:
dists/etch-security/linux-2.6/debian/patches/bugfix/dn_fib-out-of-bounds.patch
==============================================================================
--- (empty file)
+++
dists/etch-security/linux-2.6/debian/patches/bugfix/dn_fib-out-of-bounds.patch
Fri Jul 13 05:32:08 2007
@@ -0,0 +1,37 @@
+commit a979101106f549f4ed80d6dcbc35077be34d4346
+Author: Thomas Graf <[EMAIL PROTECTED]>
+Date: Sat Mar 24 20:33:27 2007 -0700
+
+ [DECNet] fib: Fix out of bound access of dn_fib_props[]
+
+ Fixes a typo which caused fib_props[] to have the wrong size
+ and makes sure the value used to index the array which is
+ provided by userspace via netlink is checked to avoid out of
+ bound access.
+
+ Signed-off-by: Thomas Graf <[EMAIL PROTECTED]>
+ Signed-off-by: David S. Miller <[EMAIL PROTECTED]>
+
+diff --git a/net/decnet/dn_fib.c b/net/decnet/dn_fib.c
+index 3cbfddc..82d58a9 100644
+--- a/net/decnet/dn_fib.c
++++ b/net/decnet/dn_fib.c
+@@ -63,7 +63,7 @@ static struct
+ {
+ int error;
+ u8 scope;
+-} dn_fib_props[RTA_MAX+1] = {
++} dn_fib_props[RTN_MAX+1] = {
+ [RTN_UNSPEC] = { .error = 0, .scope = RT_SCOPE_NOWHERE },
+ [RTN_UNICAST] = { .error = 0, .scope = RT_SCOPE_UNIVERSE },
+ [RTN_LOCAL] = { .error = 0, .scope = RT_SCOPE_HOST },
+@@ -276,6 +276,9 @@ struct dn_fib_info *dn_fib_create_info(const struct rtmsg
*r, struct dn_kern_rta
+ struct dn_fib_info *ofi;
+ int nhs = 1;
+
++ if (r->rtm_type > RTN_MAX)
++ goto err_inval;
++
+ if (dn_fib_props[r->rtm_type].scope > r->rtm_scope)
+ goto err_inval;
+
Modified: dists/etch-security/linux-2.6/debian/patches/series/13etch1
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/13etch1 (original)
+++ dists/etch-security/linux-2.6/debian/patches/series/13etch1 Fri Jul 13
05:32:08 2007
@@ -4,3 +4,4 @@
+ bugfix/usblcd-limit-memory-consumption.patch
+ bugfix/pppoe-socket-release-mem-leak.patch
+ bugfix/nf_conntrack_h323-bounds-checking.patch
++ bugfix/dn_fib-out-of-bounds.patch
_______________________________________________
Kernel-svn-changes mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes
