[kernel] r9118 - in dists/etch-security/linux-2.6/debian: . patches/bugfix patches/series

Dann Frazier dannf at alioth.debian.org
Wed Jul 11 06:32:36 UTC 2007


Author: dannf
Date: Wed Jul 11 06:32:35 2007
New Revision: 9118

Log:
* bugfix/nf_conntrack_h323-bounds-checking.patch
  [SECURITY] nf_conntrack_h323: add checking of out-of-range on choices'
  index values
  See CVE-2007-3642

Added:
   dists/etch-security/linux-2.6/debian/patches/bugfix/nf_conntrack_h323-bounds-checking.patch
Modified:
   dists/etch-security/linux-2.6/debian/changelog
   dists/etch-security/linux-2.6/debian/patches/series/13etch1

Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog	(original)
+++ dists/etch-security/linux-2.6/debian/changelog	Wed Jul 11 06:32:35 2007
@@ -13,8 +13,12 @@
     [SECURITY] fix unpriveleged memory leak when a PPPoE socket is released
     after connect but before PPPIOCGCHAN ioctl is called upon it
     See CVE-2007-2525
+  * bugfix/nf_conntrack_h323-bounds-checking.patch
+    [SECURITY] nf_conntrack_h323: add checking of out-of-range on choices'
+    index values
+    See CVE-2007-3642
 
- -- dann frazier <dannf at debian.org>  Thu, 05 Jul 2007 22:35:14 -0600
+ -- dann frazier <dannf at debian.org>  Wed, 11 Jul 2007 00:28:15 -0600
 
 linux-2.6 (2.6.18.dfsg.1-13) stable; urgency=high
 
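Review bot: the new changelog entry (the four `+` lines after the CVE-2007-2525 item) mentions only the out-of-range check on choice index values, but the patch it names also changes `decode_seq` to test `son->attr & DECODE`. Suggest adding a short clause for the SEQUENCE decode-flag check so the changelog covers both behaviour changes shipped under CVE-2007-3642.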

Added: dists/etch-security/linux-2.6/debian/patches/bugfix/nf_conntrack_h323-bounds-checking.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/nf_conntrack_h323-bounds-checking.patch	Wed Jul 11 06:32:35 2007
@@ -0,0 +1,42 @@
+From: Jing Min Zhao <zhaojingmin at vivecode.com>
+Date: Fri, 6 Jul 2007 00:05:01 +0000 (-0700)
+Subject: [NETFILTER]: nf_conntrack_h323: add checking of out-of-range on choices' index values
+X-Git-Tag: v2.6.22~11^2~2
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=25845b5155b55cd77e42655ec24161ba3feffa47
+
+[NETFILTER]: nf_conntrack_h323: add checking of out-of-range on choices' index values
+
+Choices' index values may be out of range while still encoded in the fixed
+length bit-field. This bug may cause access to undefined types (NULL
+pointers) and thus crashes (Reported by Zhongling Wen).
+
+This patch also adds checking of decode flag when decoding SEQUENCEs.
+
+Signed-off-by: Jing Min Zhao <zhaojingmin at vivecode.com>
+Signed-off-by: Patrick McHardy <kaber at trash.net>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+
+Backported to Debian's 2.6.18 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.18.orig/net/ipv4/netfilter/ip_conntrack_helper_h323_asn1.c linux-source-2.6.18/net/ipv4/netfilter/ip_conntrack_helper_h323_asn1.c
+--- linux-source-2.6.18.orig/net/ipv4/netfilter/ip_conntrack_helper_h323_asn1.c	2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/net/ipv4/netfilter/ip_conntrack_helper_h323_asn1.c	2007-07-11 00:23:22.000000000 -0600
+@@ -518,7 +518,7 @@ int decode_seq(bitstr_t * bs, field_t * 
+ 			CHECK_BOUND(bs, 2);
+ 			len = get_len(bs);
+ 			CHECK_BOUND(bs, len);
+-			if (!base) {
++			if (!base || !(son->attr & DECODE)) {
+ 				PRINT("%*.s%s\n", (level + 1) * TAB_SIZE,
+ 				      " ", son->name);
+ 				bs->cur += len;
+@@ -704,6 +704,8 @@ int decode_choice(bitstr_t * bs, field_t
+ 	} else {
+ 		ext = 0;
+ 		type = get_bits(bs, f->sz);
++		if (type >= f->lb)
++			return H323_ERROR_RANGE;
+ 	}
+ 
+ 	/* Write Type */
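Review bot: in the `decode_choice` hunk, the new `if (type >= f->lb) return H323_ERROR_RANGE;` is added only inside the `else` branch, so nothing visible here bounds the index on the other side of `} else {`. Please confirm that path cannot select an undefined choice either, and say so in a comment. Using `f->lb` as the exclusive upper limit for `type` is also not self-explanatory; a one-line comment on what `f->lb` holds for a CHOICE would help the next reader of this backport. In the `decode_seq` hunk, the description gives the added `!(son->attr & DECODE)` test a single sentence with no reason. Since it now skips `len` bytes for any field without the flag, the message should state why that is needed, and whether other decode sites in this file need the same test.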

Modified: dists/etch-security/linux-2.6/debian/patches/series/13etch1
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/13etch1	(original)
+++ dists/etch-security/linux-2.6/debian/patches/series/13etch1	Wed Jul 11 06:32:35 2007
@@ -3,3 +3,4 @@
 + bugfix/fat-fix-compat-ioctls.patch
 + bugfix/usblcd-limit-memory-consumption.patch
 + bugfix/pppoe-socket-release-mem-leak.patch
++ bugfix/nf_conntrack_h323-bounds-checking.patch


