r3772 - in trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian: . patches patches/series
Simon Horman
horms at costa.debian.org
Tue Aug 9 06:07:08 UTC 2005
Author: horms
Date: 2005-08-09 06:07:07 +0000 (Tue, 09 Aug 2005)
New Revision: 3772
Added:
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/176_ipsec-array-overflow.diff
Modified:
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-11
Log:
+ [Security] Fix possible overflow of sock->sk_policy
+ See CAN-2005-2456 (See: #321401)
Modified: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog 2005-08-09 04:25:11 UTC (rev 3771)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog 2005-08-09 06:07:07 UTC (rev 3772)
@@ -1,40 +1,39 @@
kernel-source-2.4.27 (2.4.27-11) UNRELEASED; urgency=low
+ [ Simon Horman ]
* 167_arch-ia64-x86_64_execve.diff:
Race condition in the ia32 compatibility code for the execve system call
- See CAN-2005-1768. (closes: #319629). (Simon Horman)
+ See CAN-2005-1768. (closes: #319629).
* 168_fs_ext3_64bit_offset.diff:
Incorrect offset checks for ext3 xattr on 64 bit architectures
can lead to a local DoS.
- See CAN-2005-0757. (closes: #311164). (Simon Horman)
+ See CAN-2005-0757. (closes: #311164).
* 169_arch-x86_64-kernel-ptrace-canonical-rip-1.dpatch
[Security, x86_64] This works around an AMD Erratum by
checking if the ptrace RIP is canonical.
- See CAN-2005-1762 (Simon Horman)
+ See CAN-2005-1762
* 169_arch-x86_64-kernel-ptrace-canonical-rip-2.dpatch
[Security, x86_64] Fix canonical checking for segment registers in ptrace
- See CAN-2005-0756 (Simon Horman)
+ See CAN-2005-0756
* Makefile-gcc-3.3.dpatch, control
Build with gcc-3.3, as gcc-4.0, now the dedault in unstable,
fails to build this source. Upstream has stated that they
have no intention making the 2.4 kernel compile with gcc-4
- (closes: #320256) (Simon Horman)
+ (closes: #320256)
* 171_arch-ia64-x86_64-execve-overflow.diff
[Security, ia64, x86_64] Fix overflow in 32bit execve
- See CAN-2005-1768 (Simon Horman)
+ See CAN-2005-1768
* 172_ppc32-time_offset-misuse.diff
[ppc32] stop misusing ntps time_offset value
- (Simon Horman)
* 173_tty_ldisc_ref-return-null-check.diff
tty_ldisc_ref return null check
- (Simon Horman)
* 174_net-ipv4-netfilter-nat-mem.diff
Fix potential memory corruption in NAT code (aka memory NAT)
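Review bot: The attribution cleanup in this hunk (dropping the per-entry "(Simon Horman)" suffixes in favour of a single "[ Simon Horman ]" header) is unrelated to the security fix named in the log message. It would be easier to audit as its own commit, or at least mentioned in the log. While these entries are being touched, the context line "Build with gcc-3.3, as gcc-4.0, now the dedault in unstable," carries a typo ("dedault") that could be fixed in the same pass.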
@@ -42,13 +41,15 @@
* 175-net-ipv6-netfilter-deadlock.diff
Fix deadlock in ip6_queue
- (Simon Horman)
+ * 176_ipsec-array-overflow.diff
+ [Security] Fix possible overflow of sock->sk_policy
+ See CAN-2005-2456 (See: #321401)
+
* 177_rocket_c-fix-ldisc-ref-count.diff
Fix ldisc ref count handling in rocketport driver
- (Simon Horman)
- -- Simon Horman <horms at debian.org> Wed, 3 Aug 2005 14:43:45 +0900
+ -- Simon Horman <horms at debian.org> Tue, 9 Aug 2005 15:01:20 +0900
kernel-source-2.4.27 (2.4.27-10) unstable; urgency=low
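Review bot: The new 176 entry cites the bug as "(See: #321401)", whereas the earlier entries in this changelog use "(closes: #...)", so this upload will not close that bug automatically. If the patch fully resolves #321401, use "closes:"; if the bug is intentionally left open, a short note on what remains would help the next reader.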
Added: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/176_ipsec-array-overflow.diff
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/176_ipsec-array-overflow.diff 2005-08-09 04:25:11 UTC (rev 3771)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/176_ipsec-array-overflow.diff 2005-08-09 06:07:07 UTC (rev 3772)
@@ -0,0 +1,32 @@
+From stable-bounces at linux.kernel.org Tue Jul 26 16:40:13 2005
+Date: Tue, 26 Jul 2005 16:40:31 -0700 (PDT)
+To: stable at kernel.org
+From: "David S. Miller" <davem at davemloft.net>
+Subject: [PATCH][XFRM]: Fix possible overflow of sock->sk_policy
+
+From: Herbert Xu <herbert at gondor.apana.org.au>
+
+[XFRM]: Fix possible overflow of sock->sk_policy
+
+Spotted by, and original patch by, Balazs Scheidler.
+
+Signed-off-by: Herbert Xu <herbert at gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Chris Wright <chrisw at osdl.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+ net/xfrm/xfrm_user.c | 3 +++
+ 1 files changed, 3 insertions(+)
+
+--- linux-2.6.12.3.orig/net/xfrm/xfrm_user.c 2005-07-28 11:17:01.000000000 -0700
++++ linux-2.6.12.3/net/xfrm/xfrm_user.c 2005-07-28 11:17:18.000000000 -0700
+@@ -1180,6 +1180,9 @@
+ if (nr > XFRM_MAX_DEPTH)
+ return NULL;
+
++ if (p->dir > XFRM_POLICY_OUT)
++ return NULL;
++
+ xp = xfrm_policy_alloc(GFP_KERNEL);
+ if (xp == NULL) {
+ *dir = -ENOBUFS;
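Review bot: The embedded patch is a diff against linux-2.6.12.3/net/xfrm/xfrm_user.c (hunk at line 1180) but is being added to the kernel-source-2.4.27 series, so please confirm that it applies to this tree without fuzz and that the surrounding context (the "nr > XFRM_MAX_DEPTH" check and the xfrm_policy_alloc call) matches. On the check itself, "if (p->dir > XFRM_POLICY_OUT)" only bounds the value from above, which is sufficient only if p->dir is unsigned; its type is not visible here. The new early return also leaves *dir untouched, unlike the allocation-failure path that sets "*dir = -ENOBUFS", so the caller must already hold an error value in *dir at this point, as it must for the existing XFRM_MAX_DEPTH return.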
Modified: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-11
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-11 2005-08-09 04:25:11 UTC (rev 3771)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-11 2005-08-09 06:07:07 UTC (rev 3772)
@@ -8,4 +8,5 @@
+ 173_tty_ldisc_ref-return-null-check.diff
+ 174_net-ipv4-netfilter-nat-mem.diff
+ 175-net-ipv6-netfilter-deadlock.diff
++ 176_ipsec-array-overflow.diff
+ 177_rocket_c-fix-ldisc-ref-count.diff
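Review bot: 176_ipsec-array-overflow.diff is inserted ahead of the already-listed 177_rocket_c-fix-ldisc-ref-count.diff rather than appended, which changes the apply order for anyone who has already applied this series. A full apply of series 2.4.27-11 from a clean tree would confirm that the later patches still go on cleanly.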