[kernel] r6620 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: patches patches/series

Dann Frazier dannf at costa.debian.org
Sat May 20 00:47:34 UTC 2006


Author: dannf
Date: Sat May 20 00:47:32 2006
New Revision: 6620

Added:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/mcast-ip-route-null-deref.dpatch
Modified:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge3

Log:
* mcast-ip-route-null-deref.dpatch
  [SECURITY] Fix local DoS vulnerability that allows local users to panic
  a system by requesting a route for a multicast IP
  See CVE-2006-1525

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	Sat May 20 00:47:32 2006
@@ -55,8 +55,12 @@
     [SECURITY] Fix vulnerability that allows local users to bypass IPC
     permissions and replace portions of read-only tmpfs files with zeroes.
     See CVE-2006-1524
+  * mcast-ip-route-null-deref.dpatch
+    [SECURITY] Fix local DoS vulnerability that allows local users to panic
+    a system by requesting a route for a multicast IP
+    See CVE-2006-1525
 
- -- dann frazier <dannf at debian.org>  Fri, 19 May 2006 18:29:35 -0500
+ -- dann frazier <dannf at debian.org>  Fri, 19 May 2006 19:46:10 -0500
 
 kernel-source-2.6.8 (2.6.8-16sarge2) stable-security; urgency=high
 

Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/mcast-ip-route-null-deref.dpatch
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/mcast-ip-route-null-deref.dpatch	Sat May 20 00:47:32 2006
@@ -0,0 +1,36 @@
+Fix for CVE-2006-1525, take from 2.6 git tree but applies to 2.4.27 as well.
+
+Signed-off-by: Troy Heber <troyh at debian.org>
+
+diff-tree a0b277b4fdcbc24c26af7c5d019e9448a51c79cf (from 54e5705fd460c7621a4d73c71197e2650ba034a2)
+Author: Stephen Hemminger <shemminger at osdl.org>
+Date:   Mon Apr 17 17:27:11 2006 -0700
+
+    [PATCH] ip_route_input panic fix (CVE-2006-1525)
+    
+    This fixes http://bugzilla.kernel.org/show_bug.cgi?id=6388
+    The bug is caused by ip_route_input dereferencing skb->nh.protocol of
+    the dummy skb passed dow from inet_rtm_getroute (Thanks Thomas for seeing
+    it). It only happens if the route requested is for a multicast IP
+    address.
+    
+    Signed-off-by: Stephen Hemminger <shemminger at osdl.org>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+    Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+diff --git a/net/ipv4/route.c b/net/ipv4/route.c
+index fca5fe0..a67955e 100644
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -2750,7 +2750,10 @@ int inet_rtm_getroute(struct sk_buff *in
+ 	/* Reserve room for dummy headers, this skb can pass
+ 	   through good chunk of routing engine.
+ 	 */
+-	skb->mac.raw = skb->data;
++	skb->mac.raw = skb->nh.raw = skb->data;
++
++	/* Bugfix: need to give ip_route_input enough of an IP header to not gag. */
++	skb->nh.iph->protocol = IPPROTO_ICMP;
+ 	skb_reserve(skb, MAX_HEADER + sizeof(struct iphdr));
+ 
+ 	if (rta[RTA_SRC - 1])

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge3
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge3	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge3	Sat May 20 00:47:32 2006
@@ -13,3 +13,4 @@
 + usb-gadget-rndis-bufoverflow.dpatch
 + group_complete_signal-BUG_ON.dpatch
 + madvise_remove-restrict.dpatch
++ mcast-ip-route-null-deref.dpatch



More information about the Kernel-svn-changes mailing list