[kernel] r9127 - in dists/etch-security/linux-2.6/debian: . patches/bugfix patches/series

Dann Frazier dannf at alioth.debian.org
Fri Jul 13 05:32:08 UTC 2007 

Author: dannf
Date: Fri Jul 13 05:32:08 2007
New Revision: 9127

Log:
* bugfix/dn_fib-out-of-bounds.patch
  See CVE-2007-2172

Added:
   dists/etch-security/linux-2.6/debian/patches/bugfix/dn_fib-out-of-bounds.patch
Modified:
   dists/etch-security/linux-2.6/debian/changelog
   dists/etch-security/linux-2.6/debian/patches/series/13etch1

Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog	(original)
+++ dists/etch-security/linux-2.6/debian/changelog	Fri Jul 13 05:32:08 2007
@@ -17,8 +17,11 @@
     [SECURITY] nf_conntrack_h323: add checking of out-of-range on choices'
     index values
     See CVE-2007-3642
+  * bugfix/dn_fib-out-of-bounds.patch
+    [SECURITY] Fix out of bounds condition in dn_fib_props[]
+    See CVE-2007-2172
 
- -- dann frazier <dannf at debian.org>  Wed, 11 Jul 2007 00:28:15 -0600
+ -- dann frazier <dannf at debian.org>  Thu, 12 Jul 2007 23:30:55 -0600
 
 linux-2.6 (2.6.18.dfsg.1-13) stable; urgency=high
 

Added: dists/etch-security/linux-2.6/debian/patches/bugfix/dn_fib-out-of-bounds.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/dn_fib-out-of-bounds.patch	Fri Jul 13 05:32:08 2007
@@ -0,0 +1,37 @@
+commit a979101106f549f4ed80d6dcbc35077be34d4346
+Author: Thomas Graf <tgraf at suug.ch>
+Date:   Sat Mar 24 20:33:27 2007 -0700
+
+    [DECNet] fib: Fix out of bound access of dn_fib_props[]
+    
+    Fixes a typo which caused fib_props[] to have the wrong size
+    and makes sure the value used to index the array which is
+    provided by userspace via netlink is checked to avoid out of
+    bound access.
+    
+    Signed-off-by: Thomas Graf <tgraf at suug.ch>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/decnet/dn_fib.c b/net/decnet/dn_fib.c
+index 3cbfddc..82d58a9 100644
+--- a/net/decnet/dn_fib.c
++++ b/net/decnet/dn_fib.c
+@@ -63,7 +63,7 @@ static struct
+ {
+ 	int error;
+ 	u8 scope;
+-} dn_fib_props[RTA_MAX+1] = {
++} dn_fib_props[RTN_MAX+1] = {
+ 	[RTN_UNSPEC] =      { .error = 0,       .scope = RT_SCOPE_NOWHERE },
+ 	[RTN_UNICAST] =     { .error = 0,       .scope = RT_SCOPE_UNIVERSE },
+ 	[RTN_LOCAL] =       { .error = 0,       .scope = RT_SCOPE_HOST },
+@@ -276,6 +276,9 @@ struct dn_fib_info *dn_fib_create_info(const struct rtmsg *r, struct dn_kern_rta
+ 	struct dn_fib_info *ofi;
+ 	int nhs = 1;
+ 
++	if (r->rtm_type > RTN_MAX)
++		goto err_inval;
++
+ 	if (dn_fib_props[r->rtm_type].scope > r->rtm_scope)
+ 		goto err_inval;
+ 

Modified: dists/etch-security/linux-2.6/debian/patches/series/13etch1
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/13etch1	(original)
+++ dists/etch-security/linux-2.6/debian/patches/series/13etch1	Fri Jul 13 05:32:08 2007
@@ -4,3 +4,4 @@
 + bugfix/usblcd-limit-memory-consumption.patch
 + bugfix/pppoe-socket-release-mem-leak.patch
 + bugfix/nf_conntrack_h323-bounds-checking.patch
++ bugfix/dn_fib-out-of-bounds.patch

More information about the Kernel-svn-changes mailing list