[kernel] r6620 - in
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian:
patches patches/series
Dann Frazier
dannf at costa.debian.org
Sat May 20 00:47:34 UTC 2006
Author: dannf
Date: Sat May 20 00:47:32 2006
New Revision: 6620
Added:
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/mcast-ip-route-null-deref.dpatch
Modified:
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge3
Log:
* mcast-ip-route-null-deref.dpatch
[SECURITY] Fix local DoS vulnerability that allows local users to panic
a system by requesting a route for a multicast IP
See CVE-2006-1525
Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog (original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog Sat May 20 00:47:32 2006
@@ -55,8 +55,12 @@
[SECURITY] Fix vulnerability that allows local users to bypass IPC
permissions and replace portions of read-only tmpfs files with zeroes.
See CVE-2006-1524
+ * mcast-ip-route-null-deref.dpatch
+ [SECURITY] Fix local DoS vulnerability that allows local users to panic
+ a system by requesting a route for a multicast IP
+ See CVE-2006-1525
- -- dann frazier <dannf at debian.org> Fri, 19 May 2006 18:29:35 -0500
+ -- dann frazier <dannf at debian.org> Fri, 19 May 2006 19:46:10 -0500
kernel-source-2.6.8 (2.6.8-16sarge2) stable-security; urgency=high
Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/mcast-ip-route-null-deref.dpatch
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/mcast-ip-route-null-deref.dpatch Sat May 20 00:47:32 2006
@@ -0,0 +1,36 @@
+Fix for CVE-2006-1525, take from 2.6 git tree but applies to 2.4.27 as well.
+
+Signed-off-by: Troy Heber <troyh at debian.org>
+
+diff-tree a0b277b4fdcbc24c26af7c5d019e9448a51c79cf (from 54e5705fd460c7621a4d73c71197e2650ba034a2)
+Author: Stephen Hemminger <shemminger at osdl.org>
+Date: Mon Apr 17 17:27:11 2006 -0700
+
+ [PATCH] ip_route_input panic fix (CVE-2006-1525)
+
+ This fixes http://bugzilla.kernel.org/show_bug.cgi?id=6388
+ The bug is caused by ip_route_input dereferencing skb->nh.protocol of
+ the dummy skb passed dow from inet_rtm_getroute (Thanks Thomas for seeing
+ it). It only happens if the route requested is for a multicast IP
+ address.
+
+ Signed-off-by: Stephen Hemminger <shemminger at osdl.org>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+ Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+diff --git a/net/ipv4/route.c b/net/ipv4/route.c
+index fca5fe0..a67955e 100644
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -2750,7 +2750,10 @@ int inet_rtm_getroute(struct sk_buff *in
+ /* Reserve room for dummy headers, this skb can pass
+ through good chunk of routing engine.
+ */
+- skb->mac.raw = skb->data;
++ skb->mac.raw = skb->nh.raw = skb->data;
++
++ /* Bugfix: need to give ip_route_input enough of an IP header to not gag. */
++ skb->nh.iph->protocol = IPPROTO_ICMP;
+ skb_reserve(skb, MAX_HEADER + sizeof(struct iphdr));
+
+ if (rta[RTA_SRC - 1])
Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge3
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge3 (original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge3 Sat May 20 00:47:32 2006
@@ -13,3 +13,4 @@
+ usb-gadget-rndis-bufoverflow.dpatch
+ group_complete_signal-BUG_ON.dpatch
+ madvise_remove-restrict.dpatch
++ mcast-ip-route-null-deref.dpatch
More information about the Kernel-svn-changes
mailing list