[kernel] r8530 - in dists/etch-security/linux-2.6/debian: . patches/bugfix patches/series

Dann Frazier dannf at alioth.debian.org
Mon Apr 30 23:34:25 UTC 2007


Author: dannf
Date: Mon Apr 30 23:34:17 2007
New Revision: 8530

Added:
   dists/etch-security/linux-2.6/debian/patches/bugfix/nf_conntrack-set-nfctinfo.patch
Modified:
   dists/etch-security/linux-2.6/debian/changelog
   dists/etch-security/linux-2.6/debian/patches/series/12etch2
Log:
* bugfix/nf_conntrack-set-nfctinfo.patch
  [SECURITY] Fix incorrect classification of IPv6 fragments as ESTABLISHED,
  which allows remote attackers to bypass certain rulesets
  See CVE-2007-1497

Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog	(original)
+++ dists/etch-security/linux-2.6/debian/changelog	Mon Apr 30 23:34:17 2007
@@ -4,8 +4,12 @@
     [SECURITY] Fix remotely exploitable NULL pointer dereference in
     nfulnl_recv_config()
     See CVE-2007-1496
+  * bugfix/nf_conntrack-set-nfctinfo.patch
+    [SECURITY] Fix incorrect classification of IPv6 fragments as ESTABLISHED,
+    which allows remote attackers to bypass certain rulesets
+    See CVE-2007-1497
 
- -- dann frazier <dannf at debian.org>  Mon, 30 Apr 2007 17:20:14 -0600
+ -- dann frazier <dannf at debian.org>  Mon, 30 Apr 2007 17:30:17 -0600
 
 linux-2.6 (2.6.18.dfsg.1-12etch1) stable-security; urgency=high
 
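Review bot: the new changelog entry (the three lines after `See CVE-2007-1496`) says the bug lets remote attackers "bypass certain rulesets" without saying which; the upstream description carried in the accompanying patch is specific, so suggest "rulesets that accept ESTABLISHED packets early" so a reader of the changelog can tell whether their firewall is affected. It would also help to say the issue is confined to nf_conntrack's IPv6 tracking (the only file the fix touches is net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c), since that is the condition under which a 12etch1 host is exposed.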

Added: dists/etch-security/linux-2.6/debian/patches/bugfix/nf_conntrack-set-nfctinfo.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/nf_conntrack-set-nfctinfo.patch	Mon Apr 30 23:34:17 2007
@@ -0,0 +1,35 @@
+From: Patrick McHardy <kaber at trash.net>
+Date: Wed, 7 Mar 2007 21:34:42 +0000 (+0100)
+Subject: nf_conntrack: fix incorrect classification of IPv6 fragments as ESTABLISHED
+X-Git-Tag: v2.6.20.3~11
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6.20.y.git;a=commitdiff_plain;h=868f0120e0f93d070ea7f3e969c09dbab8ad7bc7
+
+nf_conntrack: fix incorrect classification of IPv6 fragments as ESTABLISHED
+
+[NETFILTER]: nf_conntrack: fix incorrect classification of IPv6 fragments as ESTABLISHED
+
+The individual fragments of a packet reassembled by conntrack have the
+conntrack reference from the reassembled packet attached, but nfctinfo
+is not copied. This leaves it initialized to 0, which unfortunately is
+the value of IP_CT_ESTABLISHED.
+
+The result is that all IPv6 fragments are tracked as ESTABLISHED,
+allowing them to bypass a usual ruleset which accepts ESTABLISHED
+packets early.
+
+Signed-off-by: Patrick McHardy <kaber at trash.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+
+diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+index a20615f..6155b80 100644
+--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
++++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+@@ -257,6 +257,7 @@ static unsigned int ipv6_conntrack_in(unsigned int hooknum,
+ 		}
+ 		nf_conntrack_get(reasm->nfct);
+ 		(*pskb)->nfct = reasm->nfct;
++		(*pskb)->nfctinfo = reasm->nfctinfo;
+ 		return NF_ACCEPT;
+ 	}
+ 
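Review bot: the patch header keeps the upstream From/Date/Subject/X-Git lines but carries no reference to CVE-2007-1497, so the only link between this file and the advisory is the changelog and the series entry; suggest adding the CVE id (and the origin of the backport) to the header so the patch file stands on its own. The X-Git-Url points at the linux-2.6.20.y stable tree while this package is 2.6.18.dfsg.1, so the header should also state that the hunk applied to 2.6.18 unchanged (the context `nf_conntrack_get(reasm->nfct);` / `(*pskb)->nfct = reasm->nfct;` has to match the etch source). On the change itself: copying `reasm->nfctinfo` immediately after the `nfct` assignment is the right shape, since nfctinfo is a plain enum value with no reference count, unlike nfct; it is worth confirming that ipv6_conntrack_in() is the only place in the 2.6.18 tree that attaches `reasm->nfct` to a fragment, because any other such site would have the same zero-equals-ESTABLISHED defect.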

Modified: dists/etch-security/linux-2.6/debian/patches/series/12etch2
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/12etch2	(original)
+++ dists/etch-security/linux-2.6/debian/patches/series/12etch2	Mon Apr 30 23:34:17 2007
@@ -1 +1,2 @@
 + bugfix/nfnetlink_log-null-deref.patch
++ bugfix/nf_conntrack-set-nfctinfo.patch
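The mechanism described in the upstream commit message quoted in the patch above, reduced to a runnable model. This is an added example, not kernel code and not part of this commit: the `enum ip_conntrack_info` values and the `XT_STATE_BIT` mapping are copied from the 2.6.18-era nf_conntrack_common.h and xt_state.h (so IP_CT_ESTABLISHED really is 0), while the cut-down `struct sk_buff`, the helpers `attach_conntrack_to_fragment` and `fragment_verdict`, and the two-rule ruleset are constructed here for illustration. It shows a fragment of a NEW connection passing a `--state ESTABLISHED,RELATED -j ACCEPT` rule on an unpatched reassembly path and being dropped once the one-line fix is in place.

```c
/* Added example (not kernel code, not part of the Debian commit): model of why
 * a zero nfctinfo made IPv6 fragments look ESTABLISHED, and of the one-line fix.
 * The enum values and the state-bit mapping follow the 2.6.18-era
 * nf_conntrack_common.h / xt_state.h; structs, helper names and the sample
 * ruleset are simplifications constructed for this example. */
#include <stdio.h>
#include <stdlib.h>

/* include/linux/netfilter/nf_conntrack_common.h: note that ESTABLISHED is 0. */
enum ip_conntrack_info {
	IP_CT_ESTABLISHED = 0,
	IP_CT_RELATED,
	IP_CT_NEW,
	IP_CT_IS_REPLY,                      /* >= this means reply direction */
	IP_CT_NUMBER = IP_CT_IS_REPLY * 2 - 1
};

/* xt_state's bit mapping: (ctinfo % IP_CT_IS_REPLY) + 1, bit 0 is INVALID. */
#define XT_STATE_BIT(ctinfo)  (1 << ((ctinfo) % IP_CT_IS_REPLY + 1))
#define XT_STATE_INVALID      (1 << 0)
#define STATE_ESTABLISHED     XT_STATE_BIT(IP_CT_ESTABLISHED)   /* 2 */
#define STATE_RELATED         XT_STATE_BIT(IP_CT_RELATED)       /* 4 */
#define STATE_NEW             XT_STATE_BIT(IP_CT_NEW)           /* 8 */

struct nf_conn { int refcnt; };

/* Stand-in for sk_buff holding only the two fields the patch touches. */
struct sk_buff {
	struct nf_conn *nfct;
	unsigned int nfctinfo;   /* zero-initialised by the allocator, as in the kernel */
};

static struct sk_buff *alloc_skb(void)
{
	return calloc(1, sizeof(struct sk_buff));
}

/* Reassembly path of ipv6_conntrack_in(): `reasm` has already been classified;
 * each fragment gets the conntrack reference attached. `fixed` selects whether
 * the line added by the patch is present. */
static void attach_conntrack_to_fragment(struct sk_buff *frag,
					 const struct sk_buff *reasm, int fixed)
{
	reasm->nfct->refcnt++;                  /* nf_conntrack_get(reasm->nfct) */
	frag->nfct = reasm->nfct;
	if (fixed)
		frag->nfctinfo = reasm->nfctinfo;   /* the one line the patch adds */
	/* unpatched: frag->nfctinfo stays 0, which is IP_CT_ESTABLISHED */
}

/* What `-m state` computes for a packet. */
static unsigned int statebit(const struct sk_buff *skb)
{
	if (!skb->nfct)
		return XT_STATE_INVALID;
	return XT_STATE_BIT(skb->nfctinfo);
}

/* Constructed two-rule policy: the "usual ruleset" of the commit message,
 *   -m state --state ESTABLISHED,RELATED -j ACCEPT
 *   -j DROP
 * Returns 1 for ACCEPT, 0 for DROP. */
static int ruleset_accepts(const struct sk_buff *skb)
{
	return (statebit(skb) & (STATE_ESTABLISHED | STATE_RELATED)) ? 1 : 0;
}

/* Push one fragment of a packet that conntrack classified as `ctinfo`
 * through the attach path and the ruleset; returns the verdict. */
static int fragment_verdict(unsigned int ctinfo, int fixed)
{
	struct nf_conn ct = { .refcnt = 1 };
	struct sk_buff reasm = { .nfct = &ct, .nfctinfo = ctinfo };
	struct sk_buff *frag = alloc_skb();
	int verdict;

	attach_conntrack_to_fragment(frag, &reasm, fixed);
	verdict = ruleset_accepts(frag);
	free(frag);
	return verdict;
}

int main(void)
{
	printf("NEW fragment, unpatched:       %s\n",
	       fragment_verdict(IP_CT_NEW, 0) ? "ACCEPT (ruleset bypassed)" : "DROP");
	printf("NEW fragment, patched:         %s\n",
	       fragment_verdict(IP_CT_NEW, 1) ? "ACCEPT" : "DROP");
	printf("ESTABLISHED fragment, patched: %s\n",
	       fragment_verdict(IP_CT_ESTABLISHED, 1) ? "ACCEPT" : "DROP");
	return 0;
}
```

The lesson generalises beyond this CVE: when an enum's zero value is the most permissive state, any path that copies a reference but forgets the accompanying classification silently degrades to "allow", so a reviewer should look for every site that sets `nfct` and check that `nfctinfo` travels with it.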
