[kernel] r12142 - in dists/etch-security/linux-2.6.24/debian: . patches/bugfix patches/series

Dann Frazier dannf at alioth.debian.org
Tue Aug 26 22:32:01 UTC 2008


Author: dannf
Date: Tue Aug 26 22:32:00 2008
New Revision: 12142

Log:
Fix integer overflow in dccp_setsockopt_change() (CVE-2008-3276)

Added:
   dists/etch-security/linux-2.6.24/debian/patches/bugfix/dccp-change-l-r-must-have-at-least-one-byte-in-the-dccpsf_val-field.patch
Modified:
   dists/etch-security/linux-2.6.24/debian/changelog
   dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.5

Modified: dists/etch-security/linux-2.6.24/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/changelog	(original)
+++ dists/etch-security/linux-2.6.24/debian/changelog	Tue Aug 26 22:32:00 2008
@@ -5,8 +5,9 @@
   * Fix possible information leak in seq_oss_synth.c
     (CVE-2008-3272)
   * Fix regression introduced upstream by the fixes for CVE-2008-1673
+  * Fix integer overflow in dccp_setsockopt_change() (CVE-2008-3276)
 
- -- dann frazier <dannf at debian.org>  Sun, 17 Aug 2008 19:12:39 -0600
+ -- dann frazier <dannf at debian.org>  Tue, 26 Aug 2008 16:29:23 -0600
 
 linux-2.6.24 (2.6.24-6~etchnhalf.4) stable; urgency=low
 
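Review bot: the new changelog line calls the fix an "integer overflow" while the patch being added (the upstream title reads "change L/R must have at least one byte in the dccpsf_val field") is a lower-bound check that rejects a zero dccpsf_len with -EINVAL; consider wording the entry so it matches what the backported change actually does, e.g. "Reject DCCP change options with an empty dccpsf_val (CVE-2008-3276)", keeping the CVE id for cross-reference.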

Added: dists/etch-security/linux-2.6.24/debian/patches/bugfix/dccp-change-l-r-must-have-at-least-one-byte-in-the-dccpsf_val-field.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6.24/debian/patches/bugfix/dccp-change-l-r-must-have-at-least-one-byte-in-the-dccpsf_val-field.patch	Tue Aug 26 22:32:00 2008
@@ -0,0 +1,30 @@
+commit 3e8a0a559c66ee9e7468195691a56fefc3589740
+Author: Arnaldo Carvalho de Melo <acme at redhat.com>
+Date:   Wed Aug 13 13:48:39 2008 -0700
+
+    dccp: change L/R must have at least one byte in the dccpsf_val field
+    
+    Thanks to Eugene Teo for reporting this problem.
+    
+    Signed-off-by: Eugene Teo <eugenete at kernel.sg>
+    Signed-off-by: Arnaldo Carvalho de Melo <acme at redhat.com>
+    Signed-off-by: Gerrit Renker <gerrit at erg.abdn.ac.uk>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+Adjusted to apply to Debian's 2.6.24 by dann frazier <dannf at hp.com>
+
+diff -urpN linux-source-2.6.24.orig/net/dccp/proto.c linux-source-2.6.24/net/dccp/proto.c
+--- linux-source-2.6.24.orig/net/dccp/proto.c	2008-01-24 15:58:37.000000000 -0700
++++ linux-source-2.6.24/net/dccp/proto.c	2008-08-26 16:07:29.000000000 -0600
+@@ -458,6 +458,11 @@ static int dccp_setsockopt_change(struct
+ 
+ 	if (copy_from_user(&opt, optval, sizeof(opt)))
+ 		return -EFAULT;
++	/*
++	 * rfc4340: 6.1. Change Options
++	 */
++	if (opt.dccpsf_len < 1)
++		return -EINVAL;
+ 
+ 	val = kmalloc(opt.dccpsf_len, GFP_KERNEL);
+ 	if (!val)
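Review bot: the added guard `if (opt.dccpsf_len < 1) return -EINVAL;` is placed between the copy_from_user() of the option header and `val = kmalloc(opt.dccpsf_len, GFP_KERNEL);`, which is the right spot: without it a zero length reaches kmalloc() and the caller continues with a zero-size allocation as the feature value buffer. Two points to tighten. First, the comment `rfc4340: 6.1. Change Options` cites the section but not the requirement; spell it out, e.g. `/* rfc4340 6.1: a Change option carries at least one value byte */`, so a reader does not need the RFC to see why 0 is rejected. Second, this hunk adds only a lower bound; nothing visible here limits dccpsf_len from above or checks it against the caller-supplied optlen, so confirm the surrounding code (outside this hunk) does, since the later copy of the value bytes into val still depends on a user-controlled length.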

Modified: dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.5
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.5	(original)
+++ dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.5	Tue Aug 26 22:32:00 2008
@@ -2,3 +2,4 @@
 + bugfix/sound-ensure-device-number-is-valid-in-snd_seq_oss_synth_make_info.patch
 + bugfix/cifs-fix-compiler-warning.patch
 + bugfix/netfilter-nf_nat_snmp_basic-fix-range-check.patch
++ bugfix/dccp-change-l-r-must-have-at-least-one-byte-in-the-dccpsf_val-field.patch



More information about the Kernel-svn-changes mailing list