[kernel] r4878 - dists/sid/linux-2.6/debian
dists/sid/linux-2.6/debian/patches-debian
dists/sid/linux-2.6/debian/patches-debian/series patch-tracking
Simon Horman
horms at costa.debian.org
Thu Nov 24 07:17:38 UTC 2005
Author: horms
Date: Thu Nov 24 07:17:32 2005
New Revision: 4878
Added:
dists/sid/linux-2.6/debian/patches-debian/ctnetlink-check-if-protoinfo-is-present.patch
patch-tracking/ctnetlink-check-if-protoinfo-is-present.patch
- copied, changed from r4876, patch-tracking/00boilerplate
Modified:
dists/sid/linux-2.6/debian/changelog
dists/sid/linux-2.6/debian/patches-debian/series/2.6.14-4
Log:
[SECURITY] ctnetlink: check if protoinfo is present (local DoS)
Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog (original)
+++ dists/sid/linux-2.6/debian/changelog Thu Nov 24 07:17:32 2005
@@ -10,8 +10,10 @@
* Enable MKISS globally (closes: #340215)
* mm-invalidate_inode_pages2-overflow.patch
[SECURITY] 32bit integer overflow in invalidate_inode_pages2() (local DoS)
+ * ctnetlink-check-if-protoinfo-is-present.patch
+ [SECURITY] ctnetlink: check if protoinfo is present (local DoS)
- -- Simon Horman <horms at debian.org> Thu, 24 Nov 2005 15:30:58 +0900
+ -- Simon Horman <horms at debian.org> Thu, 24 Nov 2005 16:14:27 +0900
linux-2.6 (2.6.14-3) unstable; urgency=low
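Review bot: the new changelog entry for ctnetlink-check-if-protoinfo-is-present.patch is tagged [SECURITY] (local DoS) but carries no CVE id or upstream reference, while the patch-tracking file added in this same revision records "Candidate: needed". Once an id is assigned, add it to this entry so the changelog and the tracking file can be cross-referenced. Until then, naming the upstream commit here would let a reader find the fix without opening the patch.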
Added: dists/sid/linux-2.6/debian/patches-debian/ctnetlink-check-if-protoinfo-is-present.patch
==============================================================================
--- (empty file)
+++ dists/sid/linux-2.6/debian/patches-debian/ctnetlink-check-if-protoinfo-is-present.patch Thu Nov 24 07:17:32 2005
@@ -0,0 +1,32 @@
+commit 51df784ed739246a3774b300e5f536e17bec36ed
+tree 866c76ffab5fa6c19648829f46dfcaee6f314a7d
+parent a2506c04322ca266fe2f9bd7d02a67b1972da611
+author Pablo Neira Ayuso <pablo at netfilter.org> Wed, 09 Nov 2005 12:59:41 -0800
+committer David S. Miller <davem at davemloft.net> Wed, 09 Nov 2005 12:59:41 -0800
+
+ [NETFILTER] ctnetlink: check if protoinfo is present
+
+ This fixes an oops triggered from userspace. If we don't pass information
+ about the private protocol info, the reference to attr will be NULL. This is
+ likely to happen in update messages.
+
+ Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
+ Signed-off-by: Harald Welte <laforge at netfilter.org>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+Backported to Debian's 2.6.14 by Horms
+
+--- a/net/ipv4/netfilter/ip_conntrack_proto_tcp.c 2005-11-24 16:11:10.000000000 +0900
++++ b/net/ipv4/netfilter/ip_conntrack_proto_tcp.c 2005-11-24 16:11:33.000000000 +0900
+@@ -362,6 +362,11 @@
+ struct nfattr *attr = cda[CTA_PROTOINFO_TCP-1];
+ struct nfattr *tb[CTA_PROTOINFO_TCP_MAX];
+
++ /* updates could not contain anything about the private
++ * protocol info, in that case skip the parsing */
++ if (!attr)
++ return 0;
++
+ if (nfattr_parse_nested(tb, CTA_PROTOINFO_TCP_MAX, attr) < 0)
+ goto nfattr_failure;
+
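Review bot: the NULL guard is added only in ip_conntrack_proto_tcp.c, immediately before the nfattr_parse_nested() call. Any other protocol helper that takes its attribute from cda[] in the same way would need the same check, so please confirm this is the only such site. The in-code comment "updates could not contain anything about the private protocol info" reads as if updates are forbidden from carrying it. "Updates may not contain any private protocol info" would match the commit message. Returning 0 here makes a missing attribute a silent success, which fits the described update case but is worth stating in the comment. The trailer "Backported to Debian's 2.6.14 by Horms" should also say what, if anything, differs from the upstream commit named at the top of the patch.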
Modified: dists/sid/linux-2.6/debian/patches-debian/series/2.6.14-4
==============================================================================
--- dists/sid/linux-2.6/debian/patches-debian/series/2.6.14-4 (original)
+++ dists/sid/linux-2.6/debian/patches-debian/series/2.6.14-4 Thu Nov 24 07:17:32 2005
@@ -1,3 +1,4 @@
+ setkeys-needs-root-1.patch
+ setkeys-needs-root-2.patch
+ mm-invalidate_inode_pages2-overflow.patch
++ ctnetlink-check-if-protoinfo-is-present.patch
Copied: patch-tracking/ctnetlink-check-if-protoinfo-is-present.patch (from r4876, patch-tracking/00boilerplate)
==============================================================================
--- patch-tracking/00boilerplate (original)
+++ patch-tracking/ctnetlink-check-if-protoinfo-is-present.patch Thu Nov 24 07:17:32 2005
@@ -1,16 +1,16 @@
-Candidate:
-References:
+Candidate: needed
+References: http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=51df784ed739246a3774b300e5f536e17bec36ed
Description:
Notes:
Bugs:
-upstream:
-2.6.14:
-2.6.8-sarge-security:
-2.4.27-sarge-security:
-2.6.8:
-2.4.19-woody-security:
-2.4.18-woody-security:
-2.4.17-woody-security:
-2.4.16-woody-security:
-2.4.17-woody-security-hppa:
-2.4.17-woody-security-ia64:
+upstream: 2.6.15-rc1
+2.6.14: pending (2.6.14-4)
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.6.8: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
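Review bot: the Description:, Notes: and Bugs: fields in the unchanged context lines are left empty, and every older tree is marked N/A with no reason given. Fill Description: with the one-line summary already used in the changelog, and add a Notes: line saying why the 2.6.8 and 2.4.x trees are not affected, so the N/A entries can be verified later rather than taken on trust.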
More information about the Kernel-svn-changes
mailing list