[Glibc-bsd-commits] r4901 - in branches/wheezy/kfreebsd-9/debian: . patches

Steven Chamberlain stevenc-guest at alioth.debian.org
Thu Aug 22 13:23:56 UTC 2013 

Author: stevenc-guest
Date: 2013-08-22 13:23:56 +0000 (Thu, 22 Aug 2013)
New Revision: 4901

Added:
   branches/wheezy/kfreebsd-9/debian/patches/SA-13_10.sctp.patch
Modified:
   branches/wheezy/kfreebsd-9/debian/changelog
   branches/wheezy/kfreebsd-9/debian/patches/series
Log:
Fix a bug that could lead to kernel memory disclosure with
SCTP state cookie. [13:10] (CVE-2013-5209) (Closes: #720475)


Modified: branches/wheezy/kfreebsd-9/debian/changelog
===================================================================
--- branches/wheezy/kfreebsd-9/debian/changelog	2013-08-22 13:14:48 UTC (rev 4900)
+++ branches/wheezy/kfreebsd-9/debian/changelog	2013-08-22 13:23:56 UTC (rev 4901)
@@ -5,6 +5,8 @@
     Incorrect privilege validation in the NFS server (Closes: #717958)
   * Pick SVN 254629 from FreeBSD 9-STABLE to fix SA-13:09 / CVE-2013-3077:
     integer overflow in IP_MSFILTER (Closes: #720468)
+  * Pick SVN 254352 from FreeBSD 9-STABLE to fix SA-13:10 / CVE-2013-5209:
+    Kernel memory disclosure in sctp(4) (Closes: #720475)
 
  -- Steven Chamberlain <steven at pyro.eu.org>  Thu, 22 Aug 2013 14:13:16 +0100
 

Added: branches/wheezy/kfreebsd-9/debian/patches/SA-13_10.sctp.patch
===================================================================
--- branches/wheezy/kfreebsd-9/debian/patches/SA-13_10.sctp.patch	                        (rev 0)
+++ branches/wheezy/kfreebsd-9/debian/patches/SA-13_10.sctp.patch	2013-08-22 13:23:56 UTC (rev 4901)
@@ -0,0 +1,27 @@
+Description:
+ Fix a bug that could lead to kernel memory disclosure with
+ SCTP state cookie. [13:10] (CVE-2013-5209)
+Origin: vendor, http://security.FreeBSD.org/patches/SA-13:10/sctp.patch
+Bug: http://security.FreeBSD.org/advisories/FreeBSD-SA-13:10.sctp.asc
+Bug-Debian: http://bugs.debian.org/720475
+Applied-Upstream: http://svnweb.freebsd.org/base?view=revision&revision=254352
+
+Index: kfreebsd-9-9.0/sys/netinet/sctp_output.c
+===================================================================
+--- kfreebsd-9-9.0.orig/sys/netinet/sctp_output.c	2011-11-27 19:13:45.000000000 +0000
++++ kfreebsd-9-9.0/sys/netinet/sctp_output.c	2013-08-22 13:56:33.325837810 +0100
+@@ -5451,6 +5451,14 @@
+ 	}
+ 	SCTP_BUF_LEN(m) = sizeof(struct sctp_init_chunk);
+ 
++	/*
++	 * We might not overwrite the identification[] completely and on
++	 * some platforms time_entered will contain some padding. Therefore
++	 * zero out the cookie to avoid putting uninitialized memory on the
++	 * wire.
++	 */
++	memset(&stc, 0, sizeof(struct sctp_state_cookie));
++
+ 	/* the time I built cookie */
+ 	(void)SCTP_GETTIME_TIMEVAL(&stc.time_entered);
+ 

Modified: branches/wheezy/kfreebsd-9/debian/patches/series
===================================================================
--- branches/wheezy/kfreebsd-9/debian/patches/series	2013-08-22 13:14:48 UTC (rev 4900)
+++ branches/wheezy/kfreebsd-9/debian/patches/series	2013-08-22 13:23:56 UTC (rev 4901)
@@ -12,6 +12,7 @@
 SA-13_06.mmap.patch
 SA-13_08.nfsserver.patch
 SA-13_09.ip_multicast.patch
+SA-13_10.sctp.patch
 
 # Other patches that might or might not be mergeable
 001_misc.diff

More information about the Glibc-bsd-commits mailing list