[kernel] r8414 - in dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian: . patches patches/series

Dann Frazier dannf at alioth.debian.org
Sat Mar 31 23:05:02 UTC 2007


Author: dannf
Date: Sat Mar 31 23:05:01 2007
New Revision: 8414

Added:
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/243_ipv6_fl_socklist-no-share.diff
Modified:
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6
Log:
* 243_ipv6_fl_socklist-no-share.diff
  [SECURITY] Fix local DoS vulnerability caused by inadvertently sharing
  ipv6_fl_socklist between the listening socket and the socket created
  for connection.
  See CVE-2007-1592

Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
==============================================================================
--- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog	(original)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog	Sat Mar 31 23:05:01 2007
@@ -14,8 +14,13 @@
     [SECURITY] Fix a DoS vulnerability that can be triggered by a local
     user with the ability to mount a corrupted ext3 filesystem
     See CVE-2006-6053
+  * 243_ipv6_fl_socklist-no-share.diff
+    [SECURITY] Fix local DoS vulnerability caused by inadvertently sharing
+    ipv6_fl_socklist between the listening socket and the socket created
+    for connection.
+    See CVE-2007-1592
 
- -- dann frazier <dannf at debian.org>  Sat, 31 Mar 2007 15:49:18 -0600
+ -- dann frazier <dannf at debian.org>  Sat, 31 Mar 2007 17:04:51 -0600
 
 kernel-source-2.4.27 (2.4.27-10sarge5) stable-security; urgency=high
 

Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/243_ipv6_fl_socklist-no-share.diff
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/243_ipv6_fl_socklist-no-share.diff	Sat Mar 31 23:05:01 2007
@@ -0,0 +1,38 @@
+From: Willy Tarreau <w at 1wt.eu>
+Date: Thu, 22 Mar 2007 20:22:10 +0000 (+0100)
+Subject: [PATCH] IPV6: ipv6_fl_socklist is inadvertently shared.
+X-Git-Tag: v2.4.35-pre2~1
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fwtarreau%2Flinux-2.4.git;a=commitdiff_plain;h=86b21d8a1b97aaf523749d9c7b03b113e0cf9ee0
+
+[PATCH] IPV6: ipv6_fl_socklist is inadvertently shared.
+
+Backport from 2.6. Original patch from Masayuki Nakagawa, with
+his description below :
+
+"
+ The ipv6_fl_socklist from listening socket is inadvertently shared
+ with new socket created for connection.  This leads to a variety of
+ interesting, but fatal, bugs. For example, removing one of the
+ sockets may lead to the other socket's encountering a page fault
+ when the now freed list is referenced.
+
+ The fix is to not share the flow label list with the new socket.
+"
+
+original patch:
+   Signed-off-by: Masayuki Nakagawa <nakagawa.msy at ncos.nec.co.jp>
+Signed-off-by: Willy Tarreau <w at 1wt.eu>
+---
+
+diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
+index 33eeee8..d3127e2 100644
+--- a/net/ipv6/tcp_ipv6.c
++++ b/net/ipv6/tcp_ipv6.c
+@@ -1354,6 +1354,7 @@ static struct sock * tcp_v6_syn_recv_sock(struct sock *sk, struct sk_buff *skb,
+ 	   First: no IPv4 options.
+ 	 */
+ 	newsk->protinfo.af_inet.opt = NULL;
++	np->ipv6_fl_list = NULL;
+ 
+ 	/* Clone RX bits */
+ 	np->rxopt.all = sk->net_pinfo.af_inet6.rxopt.all;
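Review bot: The added `np->ipv6_fl_list = NULL;` in tcp_v6_syn_recv_sock() sits directly under the "First: no IPv4 options." comment, which describes the `af_inet.opt` line above it, so nothing at the assignment says why the flow label list is cleared. A one-line comment there, saying that the new socket must not inherit the listening socket's flow label list because the list is freed when either socket is removed, would keep a later cleanup from dropping the line as redundant. The visible context covers only this one spot at line 1354, so it is worth confirming that no other path in this function that sets up newsk from the listener carries the pointer over; the hunk does not show one either way. The patch header also carries no reference to CVE-2007-1592, which the changelog entry cites; adding it would let the patch file be matched to the advisory on its own.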

Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6
==============================================================================
--- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6	(original)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6	Sat Mar 31 23:05:01 2007
@@ -2,3 +2,4 @@
 + 240_smbfs-honor-mount-opts-2.diff
 + 241_bluetooth-capi-size-checks.diff
 + 242_ext3-fsfuzz.diff
++ 243_ipv6_fl_socklist-no-share.diff


