[kernel] r8722 - in dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian: . patches patches/series

Dann Frazier dannf at alioth.debian.org
Wed May 23 06:03:48 UTC 2007


Author: dannf
Date: Wed May 23 06:03:47 2007
New Revision: 8722

Log:
* 244_bluetooth-l2cap-hci-info-leaks.diff
  [SECURITY] Fix information leaks in setsockopt() implementations
  See CVE-2007-1353

Added:
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/244_bluetooth-l2cap-hci-info-leaks.diff
Modified:
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6

Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
==============================================================================
--- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog	(original)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog	Wed May 23 06:03:47 2007
@@ -19,8 +19,11 @@
     ipv6_fl_socklist between the listening socket and the socket created
     for connection.
     See CVE-2007-1592
+  * 244_bluetooth-l2cap-hci-info-leaks.diff
+    [SECURITY] Fix information leaks in setsockopt() implementations
+    See CVE-2007-1353
 
- -- dann frazier <dannf at debian.org>  Sat, 31 Mar 2007 17:04:51 -0600
+ -- dann frazier <dannf at debian.org>  Tue, 22 May 2007 23:58:34 -0600
 
 kernel-source-2.4.27 (2.4.27-10sarge5) stable-security; urgency=high
 

Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/244_bluetooth-l2cap-hci-info-leaks.diff
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/244_bluetooth-l2cap-hci-info-leaks.diff	Wed May 23 06:03:47 2007
@@ -0,0 +1,52 @@
+From: Willy Tarreau <w at 1wt.eu>
+Date: Sat, 14 Apr 2007 16:23:12 +0000 (+0200)
+Subject: [Bluetooth] Fix L2CAP and HCI setsockopt() information leaks (CVE-2007-1353)
+X-Git-Tag: v2.4.35-pre3~3
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fwtarreau%2Flinux-2.4.git;a=commitdiff_plain;h=7d83d871b1fa17d8c23c8a03ae19ee772f3fe8dd
+
+[Bluetooth] Fix L2CAP and HCI setsockopt() information leaks (CVE-2007-1353)
+
+Problem reported by Ilja van Sprundel. Assigned CVE-2007-1353.
+Fix below from Marcel Holtmann, backported to 2.4.
+
+The L2CAP and HCI setsockopt() implementations have a small information
+leak that makes it possible to leak kernel stack memory to userspace.
+
+If the optlen parameter is 0, no data will be copied by copy_from_user(),
+but the uninitialized stack buffer will be read and stored later. A call
+to getsockopt() can now retrieve the leaked information.
+
+To fix this problem the stack buffer given to copy_from_user() must be
+initialized with the current settings.
+
+Signed-off-by: Marcel Holtmann <marcel at holtmann.org>
+---
+
+diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
+index 0d3aed8..8ececee 100644
+--- a/net/bluetooth/hci_sock.c
++++ b/net/bluetooth/hci_sock.c
+@@ -469,6 +469,8 @@ int hci_sock_setsockopt(struct socket *sock, int level, int optname, char *optva
+ 		break;
+ 
+ 	case HCI_FILTER:
++		memcpy(&flt, &hci_pi(sk)->filter, len);
++
+ 		len = MIN(len, sizeof(struct hci_filter));
+ 		if (copy_from_user(&flt, optval, len)) {
+ 			err = -EFAULT;
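Review bot: the new `memcpy(&flt, &hci_pi(sk)->filter, len);` uses `len` before the clamp on the next line (`len = MIN(len, sizeof(struct hci_filter));`), so it does not actually cure the case the description names: with optlen == 0 the memcpy copies nothing and `flt` is still uninitialized when it is later stored, and with optlen larger than `sizeof(struct hci_filter)` it reads past `hci_pi(sk)->filter` and writes past `flt` on the stack. Since the intent is to preload the buffer with the current settings, copy the whole structure, e.g. `memcpy(&flt, &hci_pi(sk)->filter, sizeof(flt));`, independent of the caller-supplied length.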
+diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c
+index 8a54327..68a3767 100644
+--- a/net/bluetooth/l2cap.c
++++ b/net/bluetooth/l2cap.c
+@@ -685,6 +685,10 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, ch
+ 
+ 	switch (optname) {
+ 	case L2CAP_OPTIONS:
++		opts.imtu     = l2cap_pi(sk)->imtu;
++		opts.omtu     = l2cap_pi(sk)->omtu;
++		opts.flush_to = l2cap_pi(sk)->flush_to;
++
+ 		len = MIN(sizeof(opts), optlen);
+ 		if (copy_from_user((char *)&opts, optval, len)) {
+ 			err = -EFAULT;
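Review bot: the three assignments preload only `imtu`, `omtu` and `flush_to`; any other field or padding byte in `struct l2cap_options` would still come from the uninitialized stack and be stored on the partial-copy path, so a `memset(&opts, 0, sizeof(opts));` ahead of these lines (or copying the socket's full current option block) would make the fix independent of the structure layout. The clamp `len = MIN(sizeof(opts), optlen);` here correctly precedes the copy_from_user(), so the user-controlled length itself is fine in this hunk.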

Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6
==============================================================================
--- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6	(original)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6	Wed May 23 06:03:47 2007
@@ -3,3 +3,4 @@
 + 241_bluetooth-capi-size-checks.diff
 + 242_ext3-fsfuzz.diff
 + 243_ipv6_fl_socklist-no-share.diff
++ 244_bluetooth-l2cap-hci-info-leaks.diff


