[Glibc-bsd-commits] r5700 - in trunk/kfreebsd-10/debian: . patches

stevenc-guest at alioth.debian.org stevenc-guest at alioth.debian.org
Tue Apr 7 21:16:45 UTC 2015


Author: stevenc-guest
Date: 2015-04-07 21:16:45 +0000 (Tue, 07 Apr 2015)
New Revision: 5700

Modified:
   trunk/kfreebsd-10/debian/changelog
   trunk/kfreebsd-10/debian/patches/SA-15_04.igmp.patch
Log:
SA-15:04: integer overflow in IGMP protocol (CVE-2015-1414)
updated patch from advisory revision 1.1


Modified: trunk/kfreebsd-10/debian/changelog
===================================================================
--- trunk/kfreebsd-10/debian/changelog	2015-02-28 12:39:23 UTC (rev 5699)
+++ trunk/kfreebsd-10/debian/changelog	2015-04-07 21:16:45 UTC (rev 5700)
@@ -1,3 +1,11 @@
+kfreebsd-10 (10.1~svn274115-4) UNRELEASED; urgency=medium
+
+  * Pick SVN SVN r281232 from FreeBSD 10.1-RELEASE to fix:
+    - SA-15:04: integer overflow in IGMP protocol (CVE-2015-1414)
+      updated patch from advisory revision 1.1 (Closes: #XXXXXX)
+
+ -- Steven Chamberlain <steven at pyro.eu.org>  Tue, 07 Apr 2015 22:13:19 +0100
+
 kfreebsd-10 (10.1~svn274115-3) unstable; urgency=high
 
   * Pick SVN r279264 from FreeBSD 10.1-RELEASE to fix:
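
Review bot: The new changelog entry still carries the placeholder "(Closes: #XXXXXX)" and the doubled word in "Pick SVN SVN r281232". Replace the placeholder with the real bug number, or drop the Closes clause, before this leaves UNRELEASED, and reduce "SVN SVN" to a single "SVN" so the entry matches the wording of the 10.1~svn274115-3 entry below it.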

Modified: trunk/kfreebsd-10/debian/patches/SA-15_04.igmp.patch
===================================================================
--- trunk/kfreebsd-10/debian/patches/SA-15_04.igmp.patch	2015-02-28 12:39:23 UTC (rev 5699)
+++ trunk/kfreebsd-10/debian/patches/SA-15_04.igmp.patch	2015-04-07 21:16:45 UTC (rev 5700)
@@ -1,20 +1,41 @@
 Description:
  Fix integer overflow in IGMP protocol [SA-15:04] (CVE-2015-1414)
-Origin: vendor, https://security.FreeBSD.org/patches/SA-15:04/igmp.patch
+ .
+ Updated patch from advisory revision 1.1
+Origin: vendor, https://security.FreeBSD.org/patches/SA-15:04/igmp-errata.patch
 Bug: https://www.freebsd.org/security/advisories/FreeBSD-SA-15:04.igmp.asc
 Bug-Debian: https://bugs.debian.org/779195
-Applied-Upstream: https://svnweb.freebsd.org/base?view=revision&revision=279264
+Applied-Upstream: https://svnweb.freebsd.org/base?view=revision&revision=281232
 
 --- a/sys/netinet/igmp.c
 +++ b/sys/netinet/igmp.c
-@@ -1533,8 +1533,8 @@
+@@ -1533,8 +1533,7 @@
  		case IGMP_VERSION_3: {
  				struct igmpv3 *igmpv3;
  				uint16_t igmpv3len;
 -				uint16_t srclen;
 -				int nsrc;
 +				uint16_t nsrc;
-+				int srclen;
  
  				IGMPSTAT_INC(igps_rcv_v3_queries);
  				igmpv3 = (struct igmpv3 *)igmp;
+@@ -1542,8 +1541,8 @@
+ 				 * Validate length based on source count.
+ 				 */
+ 				nsrc = ntohs(igmpv3->igmp_numsrc);
+-				srclen = sizeof(struct in_addr) * nsrc;
+-				if (nsrc * sizeof(in_addr_t) > srclen) {
++				if (nsrc * sizeof(in_addr_t) >
++				    UINT16_MAX - iphlen - IGMP_V3_QUERY_MINLEN) {
+ 					IGMPSTAT_INC(igps_rcv_tooshort);
+ 					return;
+ 				}
+@@ -1552,7 +1551,7 @@
+ 				 * this scope.
+ 				 */
+ 				igmpv3len = iphlen + IGMP_V3_QUERY_MINLEN +
+-				    srclen;
++				    sizeof(struct in_addr) * nsrc;
+ 				if ((m->m_flags & M_EXT ||
+ 				     m->m_len < igmpv3len) &&
+ 				    (m = m_pullup(m, igmpv3len)) == NULL) {
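
Review bot: In the igmp.c hunk at -1542, the new bound "nsrc * sizeof(in_addr_t) > UINT16_MAX - iphlen - IGMP_V3_QUERY_MINLEN" is what keeps the later uint16_t igmpv3len sum from wrapping, but the comment above it still reads only "Validate length based on source count." and nothing links the two expressions. Please extend that comment to say the check guards the igmpv3len addition. The check multiplies by sizeof(in_addr_t) while the sum at -1552 multiplies by sizeof(struct in_addr), so the guarantee holds only while those two sizes are equal; using the same sizeof in both places would make the relationship explicit. The rejected path also increments igps_rcv_tooshort even though the trigger is a source count that is too large, which deserves a word in the comment if it is intentional.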



