[kernel] r9147 - in dists/etch-security/linux-2.6/debian: . patches/bugfix patches/series
Dann Frazier
dannf at alioth.debian.org
Sun Jul 15 20:17:35 UTC 2007
Author: dannf
Date: Sun Jul 15 20:17:35 2007
New Revision: 9147
Log:
* bugfix/nf_conntrack_sctp-null-deref.patch
[SECURITY] Fix remotely triggerable NULL pointer dereference
by sending an unknown chunk type.
Added:
dists/etch-security/linux-2.6/debian/patches/bugfix/nf_conntrack_sctp-null-deref.patch
Modified:
dists/etch-security/linux-2.6/debian/changelog
dists/etch-security/linux-2.6/debian/patches/series/13etch1
Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog (original)
+++ dists/etch-security/linux-2.6/debian/changelog Sun Jul 15 20:17:35 2007
@@ -26,8 +26,11 @@
system has no entropy source and fix a casting error in entropy
extraction that resulted in slightly less random numbers.
See CVE-2007-2453
+ * bugfix/nf_conntrack_sctp-null-deref.patch
+ [SECURITY] Fix remotely triggerable NULL pointer dereference
+ by sending an unknown chunk type.
- -- dann frazier <dannf at debian.org> Fri, 13 Jul 2007 00:06:31 -0600
+ -- dann frazier <dannf at debian.org> Sun, 15 Jul 2007 14:01:50 -0600
linux-2.6 (2.6.18.dfsg.1-13) stable; urgency=high
Added: dists/etch-security/linux-2.6/debian/patches/bugfix/nf_conntrack_sctp-null-deref.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/nf_conntrack_sctp-null-deref.patch Sun Jul 15 20:17:35 2007
@@ -0,0 +1,49 @@
+From: Patrick McHardy <kaber at trash.net>
+Date: Tue, 5 Jun 2007 12:14:22 +0000 (+0200)
+Subject: [UBUNTU] CVE-2007-2876 NETFILTER: {ip, nf}_conntrack_sctp: fix remotely triggerable ...
+X-Git-Url: http://kernel.ubuntu.com/git?p=ubuntu/ubuntu-edgy.git;a=commitdiff;h=3ccb814b91bca2e0a6fe4b5d1c5dbb35a06a848b
+
+[UBUNTU] CVE-2007-2876 NETFILTER: {ip, nf}_conntrack_sctp: fix remotely triggerable NULL ptr dereference
+
+When creating a new connection by sending an unknown chunk type, we
+don't transition to a valid state, causing a NULL pointer dereference in
+sctp_packet when accessing sctp_timeouts[SCTP_CONNTRACK_NONE].
+
+Fix by don't creating new conntrack entry if initial state is invalid.
+
+Noticed by Vilmos Nebehaj <vilmos.nebehaj at ramsys.hu>
+
+CC: Kiran Kumar Immidi <immidi_kiran at yahoo.com>
+Cc: David Miller <davem at davemloft.net>
+Signed-off-by: Patrick McHardy <kaber at trash.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+Signed-off-by: Chris Wright <chrisw at sous-sol.org>
+
+modified: net/ipv4/netfilter/ip_conntrack_proto_sctp.c
+modified: net/netfilter/nf_conntrack_proto_sctp.c
+---
+
+--- a/net/ipv4/netfilter/ip_conntrack_proto_sctp.c
++++ b/net/ipv4/netfilter/ip_conntrack_proto_sctp.c
+@@ -461,7 +461,8 @@ static int sctp_new(struct ip_conntrack
+ SCTP_CONNTRACK_NONE, sch->type);
+
+ /* Invalid: delete conntrack */
+- if (newconntrack == SCTP_CONNTRACK_MAX) {
++ if (newconntrack == SCTP_CONNTRACK_NONE ||
++ newconntrack == SCTP_CONNTRACK_MAX) {
+ DEBUGP("ip_conntrack_sctp: invalid new deleting.\n");
+ return 0;
+ }
+--- a/net/netfilter/nf_conntrack_proto_sctp.c
++++ b/net/netfilter/nf_conntrack_proto_sctp.c
+@@ -467,7 +467,8 @@ static int sctp_new(struct nf_conn *conn
+ SCTP_CONNTRACK_NONE, sch->type);
+
+ /* Invalid: delete conntrack */
+- if (newconntrack == SCTP_CONNTRACK_MAX) {
++ if (newconntrack == SCTP_CONNTRACK_NONE ||
++ newconntrack == SCTP_CONNTRACK_MAX) {
+ DEBUGP("nf_conntrack_sctp: invalid new deleting.\n");
+ return 0;
+ }
Modified: dists/etch-security/linux-2.6/debian/patches/series/13etch1
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/13etch1 (original)
+++ dists/etch-security/linux-2.6/debian/patches/series/13etch1 Sun Jul 15 20:17:35 2007
@@ -7,3 +7,4 @@
+ bugfix/dn_fib-out-of-bounds.patch
+ bugfix/random-fix-seeding-with-zero-entropy.patch
+ bugfix/random-fix-error-in-entropy-extraction.patch
++ bugfix/nf_conntrack_sctp-null-deref.patch
More information about the Kernel-svn-changes
mailing list