[kernel] r8413 - in
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian:
. patches patches/series
Dann Frazier
dannf at alioth.debian.org
Sat Mar 31 22:58:00 UTC 2007
Author: dannf
Date: Sat Mar 31 22:58:00 2007
New Revision: 8413
Added:
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/ipv6_fl_socklist-no-share.dpatch
Modified:
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge7
Log:
* ipv6_fl_socklist-no-share.dpatch
[SECURITY] Fix local DoS vulnerability caused by inadvertently sharing
ipv6_fl_socklist between the listening socket and the socket created
for connection.
See CVE-2007-1592
Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog (original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog Sat Mar 31 22:58:00 2007
@@ -52,8 +52,13 @@
if no root inode is found. On an SELinux-enabled system, this can
be used to trigger a local DoS. Debian does not enable SELinux by
default.
+ * ipv6_fl_socklist-no-share.dpatch
+ [SECURITY] Fix local DoS vulnerability caused by inadvertently sharing
+ ipv6_fl_socklist between the listening socket and the socket created
+ for connection.
+ See CVE-2007-1592
- -- dann frazier <dannf at debian.org> Sat, 31 Mar 2007 16:26:49 -0600
+ -- dann frazier <dannf at debian.org> Sat, 31 Mar 2007 16:55:45 -0600
kernel-source-2.6.8 (2.6.8-16sarge6) stable-security; urgency=high
Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/ipv6_fl_socklist-no-share.dpatch
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/ipv6_fl_socklist-no-share.dpatch Sat Mar 31 22:58:00 2007
@@ -0,0 +1,32 @@
+From: Masayuki Nakagawa <nakagawa.msy at ncos.nec.co.jp>
+Date: Fri, 16 Mar 2007 23:14:03 +0000 (-0700)
+Subject: [IPV6]: ipv6_fl_socklist is inadvertently shared.
+X-Git-Tag: v2.6.21-rc5~72^2
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=d35690beda1429544d46c8eb34b2e3a8c37ab299
+
+[IPV6]: ipv6_fl_socklist is inadvertently shared.
+
+The ipv6_fl_socklist from listening socket is inadvertently shared
+with new socket created for connection. This leads to a variety of
+interesting, but fatal, bugs. For example, removing one of the
+sockets may lead to the other socket's encountering a page fault
+when the now freed list is referenced.
+
+The fix is to not share the flow label list with the new socket.
+
+Signed-off-by: Masayuki Nakagawa <nakagawa.msy at ncos.nec.co.jp>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+
+diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
+index f57a9ba..92f9992 100644
+--- a/net/ipv6/tcp_ipv6.c
++++ b/net/ipv6/tcp_ipv6.c
+@@ -1453,6 +1453,7 @@ static struct sock * tcp_v6_syn_recv_sock(struct sock *sk, struct sk_buff *skb,
+ First: no IPv4 options.
+ */
+ newinet->opt = NULL;
++ newnp->ipv6_fl_list = NULL;
+
+ /* Clone RX bits */
+ newnp->rxopt.all = np->rxopt.all;
Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge7
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge7 (original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge7 Sat Mar 31 22:58:00 2007
@@ -10,3 +10,4 @@
+ unmap_hugepage_area-check-null-pte.dpatch
+ ext3-fsfuzz.dpatch
+ hfs-no-root-inode.dpatch
++ ipv6_fl_socklist-no-share.dpatch
More information about the Kernel-svn-changes
mailing list