Bug#720471: kfreebsd-10: CVE-2013-3077: local ip_multicast buffer overflow

2013-08-22 Thread Steven Chamberlain
Package: src:kfreebsd-10
Version: 10.0~svn253832-1
Severity: grave
Tags: security upstream
Control: found -1 kfreebsd-10/10.0~svn225709-1

http://security.FreeBSD.org/advisories/FreeBSD-SA-13:09.ip_multicast.asc

 integer overflow in IP_MSFILTER

 An integer overflow in computing the size of a temporary buffer can
 result in a buffer which is too small for the requested operation.

 An unprivileged process can read or write pages of memory which
 belong to the kernel.  These may lead to exposure of sensitive
 information or allow privilege escalation.

kfreebsd-8 and kfreebsd-9 in wheezy will need the patch from r254629

kfreebsd-9 in jessie/sid will need updating to r254630 or later

kfreebsd-10 in experimental will need updating to r254629 or later

kfreebsd-8 8.1 in oldstable looks to be affected too (likely introduced
in r189592 or earlier).  The same patch should be suitable.

-- System Information:
Debian Release: 7.1
  APT prefers proposed-updates
  APT policy: (500, 'proposed-updates'), (500, 'stable')
Architecture: kfreebsd-amd64 (x86_64)

Kernel: kFreeBSD 9.0-2-amd64-xenhvm
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages kfreebsd-image-9.0-2-amd64-xenhvm depends on:
ii  devd   9.0-10+deb70.2
ii  freebsd-utils  9.0-10+deb70.2
ii  kbdcontrol 9.0-10+deb70.2
ii  kldutils   9.0-10+deb70.2

kfreebsd-image-9.0-2-amd64-xenhvm recommends no packages.

kfreebsd-image-9.0-2-amd64-xenhvm suggests no packages.

-- no debconf information


-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
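The advisory excerpt above describes the bug class only in one sentence: a user-supplied element count multiplied by a per-element size wraps, so the temporary buffer ends up smaller than the data later copied into it. The following C example is added here and is not FreeBSD, kfreebsd or Debian code; `SRC_RECORD_SIZE`, `MAX_SOURCES` and the function names are constructed stand-ins, and the arithmetic is deliberately done in 32 bits to show the wrap as it would occur where the size type is 32 bits wide. It places the unchecked size computation beside a checked one that rejects over-cap counts and multiplication overflow before any allocation.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the size of one per-source address record.
   This is NOT the kernel's struct size; it only needs to be a plausible constant. */
#define SRC_RECORD_SIZE 128u

/* Hypothetical administrative cap on the number of sources a caller may pass. */
#define MAX_SOURCES 512u

/* Unchecked pattern: count * element size in 32-bit unsigned arithmetic.
   For nsrcs = 0x02000001 the product is 2^32 + 128, which wraps to 128. */
uint32_t naive_buffer_size(uint32_t nsrcs) {
    return nsrcs * SRC_RECORD_SIZE;
}

/* Bytes the caller actually intends to copy, computed in 64 bits so it cannot wrap.
   Comparing this against the 32-bit product exposes the undersized buffer. */
uint64_t bytes_requested(uint32_t nsrcs) {
    return (uint64_t)nsrcs * SRC_RECORD_SIZE;
}

/* True when the naively sized buffer can hold everything the caller will copy. */
bool naive_buffer_fits(uint32_t nsrcs) {
    return bytes_requested(nsrcs) <= naive_buffer_size(nsrcs);
}

/* Hardened pattern: refuse counts above the cap, then refuse any count whose
   product would not fit in the size type. Only then compute the size. */
bool checked_buffer_size(uint32_t nsrcs, uint32_t *out) {
    if (nsrcs > MAX_SOURCES)
        return false;                         /* over the administrative limit */
    if (nsrcs != 0 && nsrcs > UINT32_MAX / SRC_RECORD_SIZE)
        return false;                         /* multiplication would overflow */
    *out = nsrcs * SRC_RECORD_SIZE;           /* safe: no wrap possible here */
    return true;
}

int main(void) {
    uint32_t counts[] = { 4u, 0x02000001u };  /* a benign count and a wrapping one */
    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++) {
        uint32_t n = counts[i], sz = 0;
        printf("nsrcs=%u naive=%u requested=%llu fits=%s checked=%s\n",
               n, naive_buffer_size(n),
               (unsigned long long)bytes_requested(n),
               naive_buffer_fits(n) ? "yes" : "NO",
               checked_buffer_size(n, &sz) ? "accepted" : "rejected");
    }
    return 0;
}
```

The second case is the one the advisory is about: the 32-bit product says 128 bytes while the caller will copy more than four gigabytes, so a kernel allocating from the naive size and then copying the requested amount would write far past the buffer. The cap check alone already rejects it, and the overflow check covers any configuration where the cap is large or absent.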



Bug#720471: kfreebsd-10: CVE-2013-3077: local ip_multicast buffer overflow

2013-08-22 Thread Robert Millan
On 22/08/2013 13:43, Steven Chamberlain wrote:
> 
> kfreebsd-8 and kfreebsd-9 in wheezy will need the patch from r254629
> 
> kfreebsd-9 in jessie/sid will need updating to r254630 or later
> 
> kfreebsd-10 in experimental will need updating to r254629 or later
> 
> kfreebsd-8 8.1 in oldstable looks to be affected too (likely introduced
> in r189592 or earlier).  The same patch should be suitable.

Hi Steven,

Thanks for all the triaging. I'll prepare sid uploads today for
kfreebsd-9 and kfreebsd-10.

-- 
Robert Millan

