Author: dannf
Date: Sun Jul 15 20:17:35 2007
New Revision: 9147
Log:
* bugfix/nf_conntrack_sctp-null-deref.patch
[SECURITY] Fix remotely triggerable NULL pointer dereference
by sending an unknown chunk type.
Added:
dists/etch-security/linux-2.6/debian/patches/bugfix/nf_conntrack_sctp-null-deref.patch
Modified:
dists/etch-security/linux-2.6/debian/changelog
dists/etch-security/linux-2.6/debian/patches/series/13etch1
Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog (original)
+++ dists/etch-security/linux-2.6/debian/changelog Sun Jul 15 20:17:35 2007
@@ -26,8 +26,11 @@
system has no entropy source and fix a casting error in entropy
extraction that resulted in slightly less random numbers.
See CVE-2007-2453
+ * bugfix/nf_conntrack_sctp-null-deref.patch
+ [SECURITY] Fix remotely triggerable NULL pointer dereference
+ by sending an unknown chunk type.
- -- dann frazier <[EMAIL PROTECTED]> Fri, 13 Jul 2007 00:06:31 -0600
+ -- dann frazier <[EMAIL PROTECTED]> Sun, 15 Jul 2007 14:01:50 -0600
linux-2.6 (2.6.18.dfsg.1-13) stable; urgency=high
Added:
dists/etch-security/linux-2.6/debian/patches/bugfix/nf_conntrack_sctp-null-deref.patch
==============================================================================
--- (empty file)
+++
dists/etch-security/linux-2.6/debian/patches/bugfix/nf_conntrack_sctp-null-deref.patch
Sun Jul 15 20:17:35 2007
@@ -0,0 +1,49 @@
+From: Patrick McHardy <[EMAIL PROTECTED]>
+Date: Tue, 5 Jun 2007 12:14:22 +0000 (+0200)
+Subject: [UBUNTU] CVE-2007-2876 NETFILTER: {ip, nf}_conntrack_sctp: fix
remotely triggerable ...
+X-Git-Url:
http://kernel.ubuntu.com/git?p=ubuntu/ubuntu-edgy.git;a=commitdiff;h=3ccb814b91bca2e0a6fe4b5d1c5dbb35a06a848b
+
+[UBUNTU] CVE-2007-2876 NETFILTER: {ip, nf}_conntrack_sctp: fix remotely
triggerable NULL ptr dereference
+
+When creating a new connection by sending an unknown chunk type, we
+don't transition to a valid state, causing a NULL pointer dereference in
+sctp_packet when accessing sctp_timeouts[SCTP_CONNTRACK_NONE].
+
+Fix by don't creating new conntrack entry if initial state is invalid.
+
+Noticed by Vilmos Nebehaj <[EMAIL PROTECTED]>
+
+CC: Kiran Kumar Immidi <[EMAIL PROTECTED]>
+Cc: David Miller <[EMAIL PROTECTED]>
+Signed-off-by: Patrick McHardy <[EMAIL PROTECTED]>
+Signed-off-by: Greg Kroah-Hartman <[EMAIL PROTECTED]>
+Signed-off-by: Chris Wright <[EMAIL PROTECTED]>
+
+modified: net/ipv4/netfilter/ip_conntrack_proto_sctp.c
+modified: net/netfilter/nf_conntrack_proto_sctp.c
+---
+
+--- a/net/ipv4/netfilter/ip_conntrack_proto_sctp.c
++++ b/net/ipv4/netfilter/ip_conntrack_proto_sctp.c
+@@ -461,7 +461,8 @@ static int sctp_new(struct ip_conntrack
+ SCTP_CONNTRACK_NONE, sch->type);
+
+ /* Invalid: delete conntrack */
+- if (newconntrack == SCTP_CONNTRACK_MAX) {
++ if (newconntrack == SCTP_CONNTRACK_NONE ||
++ newconntrack == SCTP_CONNTRACK_MAX) {
+ DEBUGP("ip_conntrack_sctp: invalid new deleting.\n");
+ return 0;
+ }
+--- a/net/netfilter/nf_conntrack_proto_sctp.c
++++ b/net/netfilter/nf_conntrack_proto_sctp.c
+@@ -467,7 +467,8 @@ static int sctp_new(struct nf_conn *conn
+ SCTP_CONNTRACK_NONE, sch->type);
+
+ /* Invalid: delete conntrack */
+- if (newconntrack == SCTP_CONNTRACK_MAX) {
++ if (newconntrack == SCTP_CONNTRACK_NONE ||
++ newconntrack == SCTP_CONNTRACK_MAX) {
+ DEBUGP("nf_conntrack_sctp: invalid new deleting.\n");
+ return 0;
+ }
Modified: dists/etch-security/linux-2.6/debian/patches/series/13etch1
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/13etch1 (original)
+++ dists/etch-security/linux-2.6/debian/patches/series/13etch1 Sun Jul 15
20:17:35 2007
@@ -7,3 +7,4 @@
+ bugfix/dn_fib-out-of-bounds.patch
+ bugfix/random-fix-seeding-with-zero-entropy.patch
+ bugfix/random-fix-error-in-entropy-extraction.patch
++ bugfix/nf_conntrack_sctp-null-deref.patch
_______________________________________________
Kernel-svn-changes mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes