[kernel] r9147 - in dists/etch-security/linux-2.6/debian: . patches/bugfix patches/series

Dann Frazier dannf at alioth.debian.org
Sun Jul 15 20:17:35 UTC 2007


Author: dannf
Date: Sun Jul 15 20:17:35 2007
New Revision: 9147

Log:
* bugfix/nf_conntrack_sctp-null-deref.patch
  [SECURITY] Fix remotely triggerable NULL pointer dereference 
  by sending an unknown chunk type.

Added:
   dists/etch-security/linux-2.6/debian/patches/bugfix/nf_conntrack_sctp-null-deref.patch
Modified:
   dists/etch-security/linux-2.6/debian/changelog
   dists/etch-security/linux-2.6/debian/patches/series/13etch1

Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog	(original)
+++ dists/etch-security/linux-2.6/debian/changelog	Sun Jul 15 20:17:35 2007
@@ -26,8 +26,11 @@
     system has no entropy source and fix a casting error in entropy
     extraction that resulted in slightly less random numbers.
     See CVE-2007-2453
+  * bugfix/nf_conntrack_sctp-null-deref.patch
+    [SECURITY] Fix remotely triggerable NULL pointer dereference 
+    by sending an unknown chunk type.
 
- -- dann frazier <dannf at debian.org>  Fri, 13 Jul 2007 00:06:31 -0600
+ -- dann frazier <dannf at debian.org>  Sun, 15 Jul 2007 14:01:50 -0600
 
 linux-2.6 (2.6.18.dfsg.1-13) stable; urgency=high
 
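Review bot: The new changelog entry does not name the CVE, although the entry just above it ends with "See CVE-2007-2453" and the Subject line of the added patch carries CVE-2007-2876. Add a matching "See CVE-2007-2876" line so the fix can be traced from the changelog, and drop the trailing space after "dereference" on the [SECURITY] line.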

Added: dists/etch-security/linux-2.6/debian/patches/bugfix/nf_conntrack_sctp-null-deref.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/nf_conntrack_sctp-null-deref.patch	Sun Jul 15 20:17:35 2007
@@ -0,0 +1,49 @@
+From: Patrick McHardy <kaber at trash.net>
+Date: Tue, 5 Jun 2007 12:14:22 +0000 (+0200)
+Subject: [UBUNTU] CVE-2007-2876 NETFILTER: {ip, nf}_conntrack_sctp: fix remotely triggerable ...
+X-Git-Url: http://kernel.ubuntu.com/git?p=ubuntu/ubuntu-edgy.git;a=commitdiff;h=3ccb814b91bca2e0a6fe4b5d1c5dbb35a06a848b
+
+[UBUNTU] CVE-2007-2876 NETFILTER: {ip, nf}_conntrack_sctp: fix remotely triggerable NULL ptr dereference
+
+When creating a new connection by sending an unknown chunk type, we
+don't transition to a valid state, causing a NULL pointer dereference in
+sctp_packet when accessing sctp_timeouts[SCTP_CONNTRACK_NONE].
+
+Fix by don't creating new conntrack entry if initial state is invalid.
+
+Noticed by Vilmos Nebehaj <vilmos.nebehaj at ramsys.hu>
+
+CC: Kiran Kumar Immidi <immidi_kiran at yahoo.com>
+Cc: David Miller <davem at davemloft.net>
+Signed-off-by: Patrick McHardy <kaber at trash.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+Signed-off-by: Chris Wright <chrisw at sous-sol.org>
+
+modified:   net/ipv4/netfilter/ip_conntrack_proto_sctp.c
+modified:   net/netfilter/nf_conntrack_proto_sctp.c
+---
+
+--- a/net/ipv4/netfilter/ip_conntrack_proto_sctp.c
++++ b/net/ipv4/netfilter/ip_conntrack_proto_sctp.c
+@@ -461,7 +461,8 @@ static int sctp_new(struct ip_conntrack 
+ 						SCTP_CONNTRACK_NONE, sch->type);
+ 
+ 		/* Invalid: delete conntrack */
+-		if (newconntrack == SCTP_CONNTRACK_MAX) {
++		if (newconntrack == SCTP_CONNTRACK_NONE ||
++		    newconntrack == SCTP_CONNTRACK_MAX) {
+ 			DEBUGP("ip_conntrack_sctp: invalid new deleting.\n");
+ 			return 0;
+ 		}
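Review bot: The comment above the widened condition in sctp_new still reads only "Invalid: delete conntrack" and does not say why SCTP_CONNTRACK_NONE is now rejected. The patch description gives the reason: an unknown chunk type leaves the new entry in SCTP_CONNTRACK_NONE, and sctp_packet then dereferences sctp_timeouts[SCTP_CONNTRACK_NONE]. Putting that in the comment would keep a later cleanup from removing the NONE test as redundant. The DEBUGP text could also include sch->type so a rejected unknown chunk can be told apart from the SCTP_CONNTRACK_MAX case.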
+--- a/net/netfilter/nf_conntrack_proto_sctp.c
++++ b/net/netfilter/nf_conntrack_proto_sctp.c
+@@ -467,7 +467,8 @@ static int sctp_new(struct nf_conn *conn
+ 					 SCTP_CONNTRACK_NONE, sch->type);
+ 
+ 		/* Invalid: delete conntrack */
+-		if (newconntrack == SCTP_CONNTRACK_MAX) {
++		if (newconntrack == SCTP_CONNTRACK_NONE ||
++		    newconntrack == SCTP_CONNTRACK_MAX) {
+ 			DEBUGP("nf_conntrack_sctp: invalid new deleting.\n");
+ 			return 0;
+ 		}
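Review bot: The guard is added only on the creation path in sctp_new, while the description locates the crash at the sctp_timeouts[SCTP_CONNTRACK_NONE] lookup in sctp_packet, which neither hunk touches. Please confirm that no later state transition can move an already tracked connection back to SCTP_CONNTRACK_NONE, or add a check at the lookup itself. The same two-line condition now lives in both ip_conntrack_proto_sctp.c and nf_conntrack_proto_sctp.c, so any follow-up has to change both copies.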

Modified: dists/etch-security/linux-2.6/debian/patches/series/13etch1
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/13etch1	(original)
+++ dists/etch-security/linux-2.6/debian/patches/series/13etch1	Sun Jul 15 20:17:35 2007
@@ -7,3 +7,4 @@
 + bugfix/dn_fib-out-of-bounds.patch
 + bugfix/random-fix-seeding-with-zero-entropy.patch
 + bugfix/random-fix-error-in-entropy-extraction.patch
++ bugfix/nf_conntrack_sctp-null-deref.patch


