[kernel] r6615 - in dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian: patches patches/series

Sat May 20 00:32:34 UTC 2006

Author: dannf
Date: Sat May 20 00:32:33 2006
New Revision: 6615

Added:
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/212_ipv4-sin_zero_clear.diff
Modified:
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge3

Log:
* 212_ipv4-sin_zero_clear.diff
  [SECURITY] Fix local information leak in af_inet code
  See CVE-2006-1342

Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
==============================================================================

--- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog	(original)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog	Sat May 20 00:32:33 2006
@@ -20,8 +20,11 @@
     [SECURITY] Fix buffer overflow in the USB Gadget RNDIS implementation that
     allows for a remote DoS attack (kmalloc'd memory corruption)
     See CVE-2006-1368
+  * 212_ipv4-sin_zero_clear.diff
+    [SECURITY] Fix local information leak in af_inet code
+    See CVE-2006-1342
 
- -- dann frazier <dannf at debian.org>  Fri, 19 May 2006 17:51:10 -0500
+ -- dann frazier <dannf at debian.org>  Fri, 19 May 2006 19:24:12 -0500
 
 kernel-source-2.4.27 (2.4.27-10sarge2) stable-security; urgency=high
 

Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/212_ipv4-sin_zero_clear.diff
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/212_ipv4-sin_zero_clear.diff	Sat May 20 00:32:33 2006
@@ -0,0 +1,35 @@
+Fix for CVE-2006-1342, removed the first hunk of the upstream fix because it has
+already been applied in 043_ipsec.diff 
+
+Signed-off-by: Troy Heber <troyh at debian.org>
+
+diff-tree 09d3b3dcfa80c9094f1748c1be064b9326c9ef2b (from 5dceef59f2919d7396853e4264636e3bd55f85e7)
+Author: Pavel Kankovsky <peak at argo.troja.mff.cuni.cz>
+Date:   Sat Mar 4 14:53:16 2006 +0100
+
+    [PATCH] Fix small information leak in SO_ORIGINAL_DST and getname()
+    
+    It appears sockaddr_in.sin_zero is not zeroed during certain operations
+    returning IPv4 socket names, namely:
+    
+    - getsockopt(...SO_ORIGINAL_DST...) (2.4 and 2.6)
+      see getorigdst() in net/ipv4/netfilter/ip_conntrack_core.c
+    
+    - getsockname() and getpeername()
+      see inet_getname() in net/ipv4/af_inet.c
+    
+    A small patch for 2.4 fixing the problem is enclosed. Its first part
+    (fixing net/ipv4/af_inet.c) is identical to the change made in 2.6.
+
+diff --git a/net/ipv4/netfilter/ip_conntrack_core.c b/net/ipv4/netfilter/ip_conntrack_core.c
+index e32dc17..afbb6cb 100644
+--- a/net/ipv4/netfilter/ip_conntrack_core.c
++++ b/net/ipv4/netfilter/ip_conntrack_core.c
+@@ -1349,6 +1349,7 @@ getorigdst(struct sock *sk, int optval, 
+ 			.tuple.dst.u.tcp.port;
+ 		sin.sin_addr.s_addr = h->ctrack->tuplehash[IP_CT_DIR_ORIGINAL]
+ 			.tuple.dst.ip;
++		memset(sin.sin_zero, 0, sizeof(sin.sin_zero));
+ 
+ 		DEBUGP("SO_ORIGINAL_DST: %u.%u.%u.%u %u\n",
+ 		       NIPQUAD(sin.sin_addr.s_addr), ntohs(sin.sin_port));

Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge3
==============================================================================
--- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge3	(original)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge3	Sat May 20 00:32:33 2006
@@ -3,3 +3,4 @@
 + 209_sctp-discard-unexpected-in-closed.diff
 + 210_ipv4-id-no-increment.diff
 + 211_usb-gadget-rndis-bufoverflow.diff
++ 212_ipv4-sin_zero_clear.diff

