[kernel] r6607 - in dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian: patches patches/series

Dann Frazier dannf at costa.debian.org
Fri May 19 22:19:55 UTC 2006 

Author: dannf
Date: Fri May 19 22:19:54 2006
New Revision: 6607

Added:
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/210_ipv4-id-no-increment.diff
Modified:
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge3

Log:
* 210_ipv4-id-no-increment.diff
  [SECURITY] Fix vulnerability that allows remote attackers to conduct an
  Idle Scan attack, bypassing intended protections against such attacks
  See CVE-2006-1242

Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
==============================================================================
--- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog	(original)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog	Fri May 19 22:19:54 2006
@@ -12,8 +12,12 @@
     [SECURITY] Fix remote DoS in SCTP code by discarding unexpected chunks
     received in CLOSED state instead of calling BUG()
     See CVE-2006-2271
+  * 210_ipv4-id-no-increment.diff
+    [SECURITY] Fix vulnerability that allows remote attackers to conduct an
+    Idle Scan attack, bypassing intended protections against such attacks
+    See CVE-2006-1242
 
- -- dann frazier <dannf at debian.org>  Thu, 18 May 2006 18:19:54 -0500
+ -- dann frazier <dannf at debian.org>  Fri, 19 May 2006 17:17:39 -0500
 
 kernel-source-2.4.27 (2.4.27-10sarge2) stable-security; urgency=high
 

Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/210_ipv4-id-no-increment.diff
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/210_ipv4-id-no-increment.diff	Fri May 19 22:19:54 2006
@@ -0,0 +1,50 @@
+Fix for CVE-2006-1242, applies to Sarge 2.4.27.
+
+Signed-off-by: Troy Heber <troyh at debian.org>
+
+diff-tree 6f78133bf7a06845afee5bcdff7c276bbceaaf55 (from 65851bbf2ab375b4c00f4571dfb5c1003625c12f)
+Author: Alexey Kuznetsov <kuznet at ms2.inr.ac.ru>
+Date:   Wed Mar 22 14:34:42 2006 -0800
+
+    [PATCH] TCP: Do not use inet->id of global tcp_socket when sending RST (CVE-2006-1242)
+    
+    The problem is in ip_push_pending_frames(), which uses:
+    
+            if (!df) {
+                    __ip_select_ident(iph, &rt->u.dst, 0);
+            } else {
+                    iph->id = htons(inet->id++);
+            }
+    
+    instead of ip_select_ident().
+    
+    Right now I think the code is a nonsense. Most likely, I copied it from
+    old ip_build_xmit(), where it was really special, we had to decide
+    whether to generate unique ID when generating the first (well, the last)
+    fragment.
+    
+    In ip_push_pending_frames() it does not make sense, it should use plain
+    ip_select_ident() instead.
+    
+    Signed-off-by: Alexey Kuznetsov <kuznet at ms2.inr.ac.ru>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+    Signed-off-by: Chris Wright <chrisw at sous-sol.org>
+    Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+
+diff -urN kernel-source-2.4.27.orig/net/ipv4/ip_output.c 2.4/net/ipv4/ip_output.c
+--- kernel-source-2.4.27.orig/net/ipv4/ip_output.c	2005-08-17 02:30:02.000000000 -0600
++++ 2.4/net/ipv4/ip_output.c	2006-05-18 11:27:20.000000000 -0600
+@@ -1151,11 +1151,7 @@
+ 	iph->tos = inet->tos;
+ 	iph->tot_len = htons(skb->len);
+ 	iph->frag_off = df;
+-	if (!df) {
+-		__ip_select_ident(iph, &rt->u.dst);
+-	} else {
+-		iph->id = htons(inet->id++);
+-	}
++	ip_select_ident(iph, &rt->u.dst, sk);
+ 	iph->ttl = ttl;
+ 	iph->protocol = sk->protocol;
+ 	iph->saddr = rt->rt_src;

Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge3
==============================================================================
--- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge3	(original)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge3	Fri May 19 22:19:54 2006
@@ -1,3 +1,4 @@
 + 207_smbfs-chroot-escape.diff
 + 208_ia64-die_if_kernel-returns.diff
 + 209_sctp-discard-unexpected-in-closed.diff
++ 210_ipv4-id-no-increment.diff

More information about the Kernel-svn-changes mailing list