[kernel] r8551 - in dists/etch-security/linux-2.6/debian: . patches/bugfix patches/series

Dann Frazier dannf at alioth.debian.org
Tue May 1 20:27:29 UTC 2007


Author: dannf
Date: Tue May  1 20:27:26 2007
New Revision: 8551

Added:
   dists/etch-security/linux-2.6/debian/patches/bugfix/ipv6-disallow-RH0-by-default.patch
Modified:
   dists/etch-security/linux-2.6/debian/changelog
   dists/etch-security/linux-2.6/debian/patches/series/12etch2
Log:
* bugfix/ipv6-disallow-RH0-by-default.patch
  [SECURITY] Avoid a remote DoS (network amplification between two routers)
  by disabling Type 0 IPv6 routing headers (RH0) by default. Can be re-enabled via
  a sysctl interface.
  See CVE-2007-2242

Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog	(original)
+++ dists/etch-security/linux-2.6/debian/changelog	Tue May  1 20:27:26 2007
@@ -13,8 +13,13 @@
     See CVE-2007-1861
   * bugfix/nl_fib_lookup-oops.patch
     Add fix for oops bug added by previous patch
+  * bugfix/ipv6-disallow-RH0-by-default.patch
+    [SECURITY] Avoid a remote DoS (network amplification between two routers)
+    by disabling type0 IPv6 route headers by default. Can be re-enabled via
+    a sysctl interface.
+    See CVE-2007-2242
 
- -- dann frazier <dannf at debian.org>  Tue, 01 May 2007 08:34:18 -0600
+ -- dann frazier <dannf at debian.org>  Tue, 01 May 2007 14:16:33 -0600
 
 linux-2.6 (2.6.18.dfsg.1-12etch1) stable-security; urgency=high
 

Added: dists/etch-security/linux-2.6/debian/patches/bugfix/ipv6-disallow-RH0-by-default.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/ipv6-disallow-RH0-by-default.patch	Tue May  1 20:27:26 2007
@@ -0,0 +1,166 @@
+From: YOSHIFUJI Hideaki <yoshfuji at linux-ipv6.org>
+Date: Thu, 26 Apr 2007 04:56:57 +0000 (-0700)
+Subject: [PATCH] IPV6: Disallow RH0 by default.
+X-Git-Tag: v2.6.20.9~1
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6.20.y.git;a=commitdiff_plain;h=010831ab8436dfd9304b203467566fb6b135c24f
+
+[PATCH] IPV6: Disallow RH0 by default.
+
+[IPV6]: Disallow RH0 by default.
+
+A security issue is emerging.  Disallow Routing Header Type 0 by default
+as we have been doing for IPv4.
+Note: We allow RH2 by default because it is harmless.
+
+Signed-off-by: YOSHIFUJI Hideaki <yoshfuji at linux-ipv6.org>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+
+Backported to Debian's 2.6.18 by dann frazier with help from Vlad Yasevich
+
+diff -urN linux-source-2.6.18.orig/Documentation/networking/ip-sysctl.txt linux-source-2.6.18/Documentation/networking/ip-sysctl.txt
+--- linux-source-2.6.18.orig/Documentation/networking/ip-sysctl.txt	2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/Documentation/networking/ip-sysctl.txt	2007-05-01 09:57:58.000000000 -0600
+@@ -775,6 +775,14 @@
+ 	Functional default: enabled if local forwarding is disabled.
+ 			    disabled if local forwarding is enabled.
+ 
++accept_source_route - INTEGER
++	Accept source routing (routing extension header).
++
++	> 0: Accept routing header.
++	= 0: Do not accept routing header.
++
++	Default: 0
++
+ autoconf - BOOLEAN
+ 	Autoconfigure addresses using Prefix Information in Router 
+ 	Advertisements.
+diff -urN linux-source-2.6.18.orig/include/linux/ipv6.h linux-source-2.6.18/include/linux/ipv6.h
+--- linux-source-2.6.18.orig/include/linux/ipv6.h	2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/include/linux/ipv6.h	2007-05-01 10:04:07.000000000 -0600
+@@ -153,6 +153,7 @@
+ 	__s32		accept_ra_rt_info_max_plen;
+ #endif
+ #endif
++	__s32		accept_source_route;
+ 	void		*sysctl;
+ };
+ 
+@@ -180,6 +181,7 @@
+ 	DEVCONF_ACCEPT_RA_RTR_PREF,
+ 	DEVCONF_RTR_PROBE_INTERVAL,
+ 	DEVCONF_ACCEPT_RA_RT_INFO_MAX_PLEN,
++	DEVCONF_ACCEPT_SOURCE_ROUTE,
+ 	DEVCONF_MAX
+ };
+ 
+diff -urN linux-source-2.6.18.orig/include/linux/sysctl.h linux-source-2.6.18/include/linux/sysctl.h
+--- linux-source-2.6.18.orig/include/linux/sysctl.h	2007-04-09 10:49:30.000000000 -0600
++++ linux-source-2.6.18/include/linux/sysctl.h	2007-05-01 08:54:28.000000000 -0600
+@@ -553,6 +553,7 @@
+ 	NET_IPV6_ACCEPT_RA_RTR_PREF=20,
+ 	NET_IPV6_RTR_PROBE_INTERVAL=21,
+ 	NET_IPV6_ACCEPT_RA_RT_INFO_MAX_PLEN=22,
++	NET_IPV6_ACCEPT_SOURCE_ROUTE=23,
+ 	__NET_IPV6_MAX
+ };
+ 
+diff -urN linux-source-2.6.18.orig/net/ipv6/addrconf.c linux-source-2.6.18/net/ipv6/addrconf.c
+--- linux-source-2.6.18.orig/net/ipv6/addrconf.c	2007-04-09 10:49:31.000000000 -0600
++++ linux-source-2.6.18/net/ipv6/addrconf.c	2007-05-01 09:34:40.000000000 -0600
+@@ -173,6 +173,7 @@
+ 	.accept_ra_rt_info_max_plen = 0,
+ #endif
+ #endif
++	.accept_source_route	= 0,	/* we do not accept RH0 by default. */
+ };
+ 
+ static struct ipv6_devconf ipv6_devconf_dflt = {
+@@ -203,6 +204,7 @@
+ 	.accept_ra_rt_info_max_plen = 0,
+ #endif
+ #endif
++	.accept_source_route	= 0,	/* we do not accept RH0 by default. */
+ };
+ 
+ /* IPv6 Wildcard Address and Loopback Address defined by RFC2553 */
+@@ -3333,6 +3335,7 @@
+ 	array[DEVCONF_ACCEPT_RA_RT_INFO_MAX_PLEN] = cnf->accept_ra_rt_info_max_plen;
+ #endif
+ #endif
++	array[DEVCONF_ACCEPT_SOURCE_ROUTE] = cnf->accept_source_route;
+ }
+ 
+ /* Maximum length of ifinfomsg attributes */
+@@ -3891,6 +3894,14 @@
+ 			.child		=	addrconf_sysctl.addrconf_proto_dir,
+ 		},
+ 		{
++			.ctl_name	=	NET_IPV6_ACCEPT_SOURCE_ROUTE,
++			.procname	=	"accept_source_route",
++			.data		=	&ipv6_devconf.accept_source_route,
++			.maxlen		=	sizeof(int),
++			.mode		=	0644,
++			.proc_handler	=	&proc_dointvec,
++		},
++		{
+ 			.ctl_name	=	0,	/* sentinel */
+ 		}
+ 	},
+diff -urN linux-source-2.6.18.orig/net/ipv6/exthdrs.c linux-source-2.6.18/net/ipv6/exthdrs.c
+--- linux-source-2.6.18.orig/net/ipv6/exthdrs.c	2007-05-01 09:43:02.000000000 -0600
++++ linux-source-2.6.18/net/ipv6/exthdrs.c	2007-05-01 14:21:32.000000000 -0600
+@@ -221,10 +221,24 @@
+ 	struct inet6_skb_parm *opt = IP6CB(skb);
+ 	struct in6_addr *addr;
+ 	struct in6_addr daddr;
++	struct inet6_dev *idev;
+ 	int n, i;
+-
+ 	struct ipv6_rt_hdr *hdr;
+ 	struct rt0_hdr *rthdr;
++	int accept_source_route = ipv6_devconf.accept_source_route;
++
++	if (accept_source_route == 0 ||
++	    ((idev = in6_dev_get(skb->dev)) == NULL)) {
++		kfree_skb(skb);
++		return -1;
++	}
++	if (idev->cnf.accept_source_route == 0) {
++		in6_dev_put(idev);
++		kfree_skb(skb);
++		return -1;
++	}
++
++	in6_dev_put(idev);
+ 
+ 	if (!pskb_may_pull(skb, (skb->h.raw-skb->data)+8) ||
+ 	    !pskb_may_pull(skb, (skb->h.raw-skb->data)+((skb->h.raw[1]+1)<<3))) {
+@@ -235,6 +249,12 @@
+ 
+ 	hdr = (struct ipv6_rt_hdr *) skb->h.raw;
+ 
++	if (hdr->type != IPV6_SRCRT_TYPE_0) {
++		IP6_INC_STATS_BH(IPSTATS_MIB_INHDRERRORS);
++		icmpv6_param_prob(skb, ICMPV6_HDR_FIELD, (&hdr->type) - skb->nh.raw);
++		return -1;
++	}
++
+ 	if (ipv6_addr_is_multicast(&skb->nh.ipv6h->daddr) ||
+ 	    skb->pkt_type != PACKET_HOST) {
+ 		IP6_INC_STATS_BH(IPSTATS_MIB_INADDRERRORS);
+@@ -253,12 +273,6 @@
+ 		return 1;
+ 	}
+ 
+-	if (hdr->type != IPV6_SRCRT_TYPE_0) {
+-		IP6_INC_STATS_BH(IPSTATS_MIB_INHDRERRORS);
+-		icmpv6_param_prob(skb, ICMPV6_HDR_FIELD, (&hdr->type) - skb->nh.raw);
+-		return -1;
+-	}
+-	
+ 	if (hdr->hdrlen & 0x01) {
+ 		IP6_INC_STATS_BH(IPSTATS_MIB_INHDRERRORS);
+ 		icmpv6_param_prob(skb, ICMPV6_HDR_FIELD, (&hdr->hdrlen) - skb->nh.raw);
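Review bot: In the exthdrs.c part of this patch both gates test `== 0`, so any non-zero value, including a negative one, re-enables RH0 processing, while the ip-sysctl.txt text added in the same patch only defines `> 0` as accept and `= 0` as reject; tightening them to `if (accept_source_route <= 0 ||` and `if (idev->cnf.accept_source_route <= 0) {` makes the code match the documented contract. The documentation should also say that both gates must be set: the global `ipv6_devconf` value is checked first and then the per-device `idev->cnf` value, so re-enabling RH0 on one interface needs the `conf/all` entry as well as the interface's own `accept_source_route` entry, which "Can be re-enabled via a sysctl interface" in the changelog does not convey. The rejected packets are freed without any statistics increment or ICMPv6 Parameter Problem, unlike the unknown-type branch a few lines below, so RH0 traffic dropped by the new default is invisible to counters; consider at least bumping a counter (e.g. the IPSTATS_MIB_INHDRERRORS one used by the type check) so an RH0 probe can be seen during triage. The enclosing routing-header receive function begins before and ends after the shown exthdrs.c hunk.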

Modified: dists/etch-security/linux-2.6/debian/patches/series/12etch2
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/12etch2	(original)
+++ dists/etch-security/linux-2.6/debian/patches/series/12etch2	Tue May  1 20:27:26 2007
@@ -2,3 +2,4 @@
 + bugfix/nf_conntrack-set-nfctinfo.patch
 + bugfix/netlink-infinite-recursion.patch
 + bugfix/nl_fib_lookup-oops.patch
++ bugfix/ipv6-disallow-RH0-by-default.patch


