[kernel] r7779 - in dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian: . patches patches/series

Dann Frazier dannf at alioth.debian.org
Mon Nov 13 01:41:28 UTC 2006


Author: dannf
Date: Mon Nov 13 02:41:27 2006
New Revision: 7779

Added:
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/234_atm-clip-freed-skb-deref.diff
Modified:
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge5
Log:
* 234_atm-clip-freed-skb-deref.diff
  [SECURITY] Avoid dereferencing an already freed skb, preventing a
  potential remote DoS (system crash) vector
  See CVE-2006-4997

Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
==============================================================================
--- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog	(original)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog	Mon Nov 13 02:41:27 2006
@@ -4,8 +4,12 @@
     [SECURITY] Prevent cross-region mappings on ia64 and sparc which
     could be used in a local DoS attack (system crash)
     See CVE-2006-4538
+  * 234_atm-clip-freed-skb-deref.diff
+    [SECURITY] Avoid dereferencing an already freed skb, preventing a
+    potential remote DoS (system crash) vector
+    See CVE-2006-4997
 
- -- dann frazier <dannf at debian.org>  Fri, 10 Nov 2006 15:22:03 -0700
+ -- dann frazier <dannf at debian.org>  Sun, 12 Nov 2006 18:39:22 -0700
 
 kernel-source-2.4.27 (2.4.27-10sarge4) stable-security; urgency=high
 
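Review bot: The new changelog entry does not name the affected subsystem; "an already freed skb" could be anywhere in the network stack. Suggest adding that the fix is in ATM CLIP (clip_mkip()), which the patch file name only hints at, so an administrator can tell from the changelog alone whether a system without ATM is exposed.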

Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/234_atm-clip-freed-skb-deref.diff
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/234_atm-clip-freed-skb-deref.diff	Mon Nov 13 02:41:27 2006
@@ -0,0 +1,38 @@
+From: dann frazier <dannf at debian.org>
+Date: Thu, 28 Sep 2006 00:25:27 +0000 (-0600)
+Subject: [PATCH] Backport fix for CVE-2006-4997 to 2.4 tree
+X-Git-Tag: v2.4.34-pre4
+X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/wtarreau/linux-2.4.git;a=commitdiff;h=e642722f285e8fd335d109c557bb90b50cc10bd5
+
+[PATCH] Backport fix for CVE-2006-4997 to 2.4 tree
+
+Backport fix for CVE-2006-4997 to 2.4 tree, compile tested.
+Original commit message follows.
+
+[ATM] CLIP: Do not refer freed skbuff in clip_mkip().
+
+In clip_mkip(), skb->dev is dereferenced after clip_push(),
+which frees up skb.
+
+Advisory: AD_LAB-06009 (<adlab at venustech.com.cn>).
+
+Original patch by YOSHIFUJI Hideaki.
+
+Signed-off-by: dann frazier <dannf at debian.org>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+
+--- a/net/atm/clip.c
++++ b/net/atm/clip.c
+@@ -489,9 +489,11 @@ static int clip_mkip(struct atm_vcc *vcc
+ 		else {
+ 			unsigned int len = skb->len;
+ 
++			skb_get(skb);
+ 			clip_push(vcc,skb);
+ 			PRIV(skb->dev)->stats.rx_packets--;
+ 			PRIV(skb->dev)->stats.rx_bytes -= len;
++			kfree_skb(skb);
+ 		}
+ 	return 0;
+ }
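Review bot: The skb_get()/kfree_skb() pair around clip_push() in clip_mkip() carries no comment, so a later cleanup could read the extra reference as redundant and drop it, which would bring back the freed-skb dereference in the two PRIV(skb->dev)->stats lines. Suggest a one-line comment above skb_get(skb) stating that clip_push() frees the skb and the reference is held only so skb->dev can be read for the stats correction. The reference keeps the skb itself alive; the description should also say whether the device skb->dev points to is guaranteed to still be valid after clip_push(). The message records the backport as compile tested only, so a run-time test on an ATM CLIP configuration before the security upload would be worth noting here.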

Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge5
==============================================================================
--- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge5	(original)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge5	Mon Nov 13 02:41:27 2006
@@ -1 +1,2 @@
 + 233_ia64-sparc-cross-region-mappings.diff
++ 234_atm-clip-freed-skb-deref.diff


