[kernel] r8032 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series

Dann Frazier dannf at alioth.debian.org
Wed Dec 20 22:05:34 UTC 2006 

Author: dannf
Date: Wed Dec 20 23:05:34 2006
New Revision: 8032

Added:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/dvb-core-handle-0-length-ule-sndu.dpatch
Modified:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge7
Log:
* dvb-core-handle-0-length-ule-sndu.dpatch
  [SECURITY] Avoid sending invalid ULE packets which may not properly
  handled by the receiving side triggering a crash. This is a backport
  of the patch that went into 2.6.17.y. It would be better to fix the
  receiving end, but no patch for the era kernel has been developed yet.
  See CVE-2006-4623

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	Wed Dec 20 23:05:34 2006
@@ -11,8 +11,14 @@
     [SECURITY] Correct an error path in dev_queue_xmit() to rebalance
     local_bh_enable() calls. Patch from Vasily Averin.
     See CVE-2006-6535
+  * dvb-core-handle-0-length-ule-sndu.dpatch
+    [SECURITY] Avoid sending invalid ULE packets which may not properly
+    handled by the receiving side triggering a crash. This is a backport
+    of the patch that went into 2.6.17.y. It would be better to fix the
+    receiving end, but no patch for the era kernel has been developed yet.
+    See CVE-2006-4623
 
- -- dann frazier <dannf at debian.org>  Sun, 17 Dec 2006 14:12:33 -0700
+ -- dann frazier <dannf at debian.org>  Wed, 20 Dec 2006 14:59:57 -0700
 
 kernel-source-2.6.8 (2.6.8-16sarge6) stable-security; urgency=high
 

Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/dvb-core-handle-0-length-ule-sndu.dpatch
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/dvb-core-handle-0-length-ule-sndu.dpatch	Wed Dec 20 23:05:34 2006
@@ -0,0 +1,35 @@
+From: Ang Way Chuang <wcang at nrg.cs.usm.my>
+Date: Fri, 1 Sep 2006 06:13:01 +0000 (+0800)
+Subject: dvb-core: Proper handling ULE SNDU length of 0 (CVE-2006-4623)
+X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/stable/linux-2.6.17.y.git;a=commitdiff;h=b7a7e34e7e033822ffef7386b1b884edede7f6c5
+
+dvb-core: Proper handling ULE SNDU length of 0 (CVE-2006-4623)
+
+ULE (Unidirectional Lightweight Encapsulation RFC 4326) decapsulation
+code has a bug that allows an attacker to send a malformed ULE packet
+with SNDU length of 0 and bring down the receiving machine. This patch
+fix the bug and has been tested on version 2.6.17.11. This bug is 100%
+reproducible and the modified source code (GPL) used to produce this bug
+will be posted on http://nrg.cs.usm.my/downloads.htm shortly.  The
+kernel will produce a dump during CRC32 checking on faulty ULE packet.
+
+
+Signed-off-by: Ang Way Chuang <wcang at nrg.cs.usm.my>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+
+Backported to Debian's 2.6.8 by dann frazier <dannf at debian.org>
+
+diff -urN kernel-source-2.6.8.orig/drivers/media/dvb/dvb-core/dvb_net.c kernel-source-2.6.8/drivers/media/dvb/dvb-core/dvb_net.c
+--- kernel-source-2.6.8.orig/drivers/media/dvb/dvb-core/dvb_net.c	2004-08-13 23:36:31.000000000 -0600
++++ kernel-source-2.6.8/drivers/media/dvb/dvb-core/dvb_net.c	2006-12-20 11:10:32.672819733 -0700
+@@ -330,7 +330,8 @@
+ 				/* printk(KERN_WARNING "ULE D-Bit: %d, SNDU len %u.\n",
+ 				          priv->ule_dbit, priv->ule_sndu_len); */
+ 
+-				if (priv->ule_sndu_len > 32763) {
++				if (priv->ule_sndu_len > 32763 ||
++				    priv->ule_sndu_len < ((priv->ule_dbit) ? 4 : 4 + ETH_ALEN)) {
+ 					printk(KERN_WARNING "Invalid ULE SNDU length %u. "
+ 					       "Resyncing.\n", priv->ule_sndu_len);
+ 					hexdump(ts, TS_SZ);

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge7
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge7	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge7	Wed Dec 20 23:05:34 2006
@@ -1,3 +1,4 @@
 + mincore-fixes.dpatch
 + mincore_hang.dpatch
 + dev_queue_xmit-error-path.dpatch
++ dvb-core-handle-0-length-ule-sndu.dpatch

More information about the Kernel-svn-changes mailing list