series

Dann Frazier Mon, 10 Sep 2007 23:25:57 -0700

Author: dannf
Date: Tue Sep 11 06:25:52 2007
New Revision: 9498

Log:
* bluetooth-l2cap-hci-info-leaks.dpatch
  [SECURITY] Fix information leaks in setsockopt() implementations
  See CVE-2007-1353


Added:
   
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/bluetooth-l2cap-hci-info-leaks.dpatch
Modified:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
   
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1

Modified: 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog   
    (original)
+++ 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog   
    Tue Sep 11 06:25:52 2007
@@ -16,8 +16,11 @@
   * [SECURITY] Fix potential privilege escalation caused by improper
     clearing of the child process' pdeath signal.
     See CVE-2007-3848
+  * bluetooth-l2cap-hci-info-leaks.dpatch
+    [SECURITY] Fix information leaks in setsockopt() implementations
+    See CVE-2007-1353
 
- -- dann frazier <[EMAIL PROTECTED]>  Wed, 29 Aug 2007 01:10:46 -0600
+ -- dann frazier <[EMAIL PROTECTED]>  Tue, 11 Sep 2007 00:24:22 -0600
 
 kernel-source-2.6.8 (2.6.8-17) oldstable; urgency=high
 

Added: 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/bluetooth-l2cap-hci-info-leaks.dpatch
==============================================================================
--- (empty file)
+++ 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/bluetooth-l2cap-hci-info-leaks.dpatch
   Tue Sep 11 06:25:52 2007
@@ -0,0 +1,62 @@
+From: Marcel Holtmann <[EMAIL PROTECTED]>
+Date: Fri, 4 May 2007 22:35:59 +0000 (+0200)
+Subject: [Bluetooth] Fix L2CAP and HCI setsockopt() information leaks
+X-Git-Tag: v2.6.22-rc1~822^2~2^2~6
+X-Git-Url: 
http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=0878b6667f28772aa7d6b735abff53efc7bf6d91
+
+[Bluetooth] Fix L2CAP and HCI setsockopt() information leaks
+
+The L2CAP and HCI setsockopt() implementations have a small information
+leak that makes it possible to leak kernel stack memory to userspace.
+
+If the optlen parameter is 0, no data will be copied by copy_from_user(),
+but the uninitialized stack buffer will be read and stored later. A call
+to getsockopt() can now retrieve the leaked information.
+
+To fix this problem the stack buffer given to copy_from_user() must be
+initialized with the current settings.
+
+Signed-off-by: Marcel Holtmann <[EMAIL PROTECTED]>
+---
+
+Backported to Debian's 2.6.8 by dann frazier <[EMAIL PROTECTED]>
+
+diff -urpN kernel-source-2.6.8.orig/net/bluetooth/hci_sock.c 
kernel-source-2.6.8/net/bluetooth/hci_sock.c
+--- kernel-source-2.6.8.orig/net/bluetooth/hci_sock.c  2004-08-13 
23:37:14.000000000 -0600
++++ kernel-source-2.6.8/net/bluetooth/hci_sock.c       2007-09-11 
00:01:19.143775861 -0600
+@@ -471,6 +471,15 @@ int hci_sock_setsockopt(struct socket *s
+               break;
+ 
+       case HCI_FILTER:
++              {
++                      struct hci_filter *f = &hci_pi(sk)->filter;
++
++                      uf.type_mask = f->type_mask;
++                      uf.opcode    = f->opcode;
++                      uf.event_mask[0] = *((u32 *) f->event_mask + 0);
++                      uf.event_mask[1] = *((u32 *) f->event_mask + 1);
++              }
++
+               len = min_t(unsigned int, len, sizeof(uf));
+               if (copy_from_user(&uf, optval, len)) {
+                       err = -EFAULT;
+diff -urpN kernel-source-2.6.8.orig/net/bluetooth/l2cap.c 
kernel-source-2.6.8/net/bluetooth/l2cap.c
+--- kernel-source-2.6.8.orig/net/bluetooth/l2cap.c     2004-08-13 
23:37:26.000000000 -0600
++++ kernel-source-2.6.8/net/bluetooth/l2cap.c  2007-09-11 00:21:15.495780084 
-0600
+@@ -759,11 +759,16 @@ static int l2cap_sock_setsockopt(struct 
+ 
+       switch (optname) {
+       case L2CAP_OPTIONS:
++              opts.imtu     = l2cap_pi(sk)->imtu;
++              opts.omtu     = l2cap_pi(sk)->omtu;
++              opts.flush_to = l2cap_pi(sk)->flush_to;
++
+               len = min_t(unsigned int, sizeof(opts), optlen);
+               if (copy_from_user((char *)&opts, optval, len)) {
+                       err = -EFAULT;
+                       break;
+               }
++
+               l2cap_pi(sk)->imtu  = opts.imtu;
+               l2cap_pi(sk)->omtu  = opts.omtu;
+               break;

Modified: 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1
==============================================================================
--- 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1
   (original)
+++ 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1
   Tue Sep 11 06:25:52 2007
@@ -4,3 +4,4 @@
 + ipv4-fib_props-out-of-bounds.dpatch
 + aacraid-ioctl-perm-check.dpatch
 + reset-pdeathsig-on-suid.dpatch 
++ bluetooth-l2cap-hci-info-leaks.dpatch

_______________________________________________
Kernel-svn-changes mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes

[kernel] r9498 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series

Reply via email to