[kernel] r7780 - in
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian:
. patches patches/series
Dann Frazier
dannf at alioth.debian.org
Mon Nov 13 01:43:22 UTC 2006
Author: dannf
Date: Mon Nov 13 02:43:21 2006
New Revision: 7780
Added:
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/atm-clip-freed-skb-deref.dpatch
Modified:
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge6
Log:
* atm-clip-freed-skb-deref.dpatch
[SECURITY] Avoid dereferencing an already freed skb, preventing a
potential remote DoS (system crash) vector
See CVE-2006-4997
Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog (original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog Mon Nov 13 02:43:21 2006
@@ -12,8 +12,12 @@
* __block_prepare_write-recovery.dpatch
[SECURITY] Fix an information leak in __block_prepare_write()
See CVE-2006-4813
+ * atm-clip-freed-skb-deref.dpatch
+ [SECURITY] Avoid dereferencing an already freed skb, preventing a
+ potential remote DoS (system crash) vector
+ See CVE-2006-4997
- -- dann frazier <dannf at debian.org> Sun, 12 Nov 2006 17:50:06 -0700
+ -- dann frazier <dannf at debian.org> Sun, 12 Nov 2006 18:42:48 -0700
kernel-source-2.6.8 (2.6.8-16sarge5) stable-security; urgency=high
Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/atm-clip-freed-skb-deref.dpatch
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/atm-clip-freed-skb-deref.dpatch Mon Nov 13 02:43:21 2006
@@ -0,0 +1,31 @@
+commit fe26109a9dfd9327fdbe630fc819e1b7450986b2
+Author: YOSHIFUJI Hideaki <yoshfuji at linux-ipv6.org>
+Date: Mon Sep 18 06:37:58 2006 -0700
+
+ [ATM] CLIP: Do not refer freed skbuff in clip_mkip().
+
+ In clip_mkip(), skb->dev is dereferenced after clip_push(),
+ which frees up skb.
+
+ Advisory: AD_LAB-06009 (<adlab at venustech.com.cn>).
+
+ Signed-off-by: YOSHIFUJI Hideaki <yoshfuji at linux-ipv6.org>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+Backported to Debian's 2.6.8 by dann frazier <dannf at debian.org>
+
+diff -urpN kernel-source-2.6.8.orig/net/atm/clip.c kernel-source-2.6.8/net/atm/clip.c
+--- kernel-source-2.6.8.orig/net/atm/clip.c 2004-08-13 23:38:08.000000000 -0600
++++ kernel-source-2.6.8/net/atm/clip.c 2006-11-12 18:22:06.506654441 -0700
+@@ -511,9 +511,11 @@ static int clip_mkip(struct atm_vcc *vcc
+ else {
+ unsigned int len = skb->len;
+
++ skb_get(skb);
+ clip_push(vcc,skb);
+ PRIV(skb->dev)->stats.rx_packets--;
+ PRIV(skb->dev)->stats.rx_bytes -= len;
++ kfree_skb(skb);
+ }
+ return 0;
+ }
Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge6
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge6 (original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge6 Mon Nov 13 02:43:21 2006
@@ -1,3 +1,4 @@
+ perfmon-fd-refcnt.dpatch
+ ia64-sparc-cross-region-mappings.dpatch
+ __block_prepare_write-recovery.dpatch
++ atm-clip-freed-skb-deref.dpatch
More information about the Kernel-svn-changes
mailing list