[kernel] r12468 - in dists/etch-security/linux-2.6.24/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Tue Dec 2 05:52:25 UTC 2008


Author: dannf
Date: Tue Dec  2 05:52:24 2008
New Revision: 12468

Log:
Fix buffer overflow in libertas (CVE-2008-5134)

Added:
   dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/libertas-fix-buffer-overrun.patch
Modified:
   dists/etch-security/linux-2.6.24/debian/changelog
   dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.7

Modified: dists/etch-security/linux-2.6.24/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/changelog	(original)
+++ dists/etch-security/linux-2.6.24/debian/changelog	Tue Dec  2 05:52:24 2008
@@ -14,8 +14,9 @@
   * Fix BUG() in hfsplus (CVE-2008-4934)
   * Fix stack corruption in hfs (CVE-2008-5025)
   * Make sendmsg() block during UNIX garbage collection (CVE-2008-5300)
+  * Fix buffer overflow in libertas (CVE-2008-5134)
 
- -- dann frazier <dannf at debian.org>  Mon, 01 Dec 2008 10:39:35 -0700
+ -- dann frazier <dannf at debian.org>  Mon, 01 Dec 2008 22:49:26 -0700
 
 linux-2.6.24 (2.6.24-6~etchnhalf.6) stable-security; urgency=high
 

Added: dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/libertas-fix-buffer-overrun.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/libertas-fix-buffer-overrun.patch	Tue Dec  2 05:52:24 2008
@@ -0,0 +1,30 @@
+commit 48735d8d8bd701b1e0cd3d49c21e5e385ddcb077
+Author: Johannes Berg <johannes at sipsolutions.net>
+Date:   Wed Oct 29 11:43:32 2008 +0100
+
+    libertas: fix buffer overrun
+    
+    If somebody sends an invalid beacon/probe response, that can trash the
+    whole BSS descriptor. The descriptor is, luckily, large enough so that
+    it cannot scribble past the end of it; it's well above 400 bytes long.
+    
+    Signed-off-by: Johannes Berg <johannes at sipsolutions.net>
+    Cc: stable at kernel.org [2.6.24-2.6.27, bug present in some form since driver was added (2.6.22)]
+    Signed-off-by: John W. Linville <linville at tuxdriver.com>
+
+Adjusted to apply to Debian's 2.6.24 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.24.orig/drivers/net/wireless/libertas/scan.c linux-source-2.6.24/drivers/net/wireless/libertas/scan.c
+--- linux-source-2.6.24.orig/drivers/net/wireless/libertas/scan.c	2008-01-24 15:58:37.000000000 -0700
++++ linux-source-2.6.24/drivers/net/wireless/libertas/scan.c	2008-12-01 22:44:28.000000000 -0700
+@@ -1022,8 +1022,8 @@ static int libertas_process_bss(struct b
+ 
+ 		switch (elem->id) {
+ 		case MFIE_TYPE_SSID:
+-			bss->ssid_len = elem->len;
+-			memcpy(bss->ssid, elem->data, elem->len);
++			bss->ssid_len = min_t(int, 32, elem->len);
++			memcpy(bss->ssid, elem->data, bss->ssid_len);
+ 			lbs_deb_scan("ssid '%s', ssid length %u\n",
+ 			             escape_essid(bss->ssid, bss->ssid_len),
+ 			             bss->ssid_len);
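
Review bot: In the MFIE_TYPE_SSID case the clamp is written with a bare literal, `min_t(int, 32, elem->len)`, so nothing ties the bound to the declared size of bss->ssid. If that buffer's size ever changes, the memcpy bound goes stale without any compiler help. Suggest bounding by the destination itself, for example `min_t(int, sizeof(bss->ssid), elem->len)`, or by a named constant for the maximum SSID length. That assumes bss->ssid is a fixed-size array, since its declaration is not part of this hunk. A second point on the same lines: an over-long SSID element is now truncated silently and parsing continues with a 32-byte SSID. The commit message treats such a frame as invalid, so consider emitting an lbs_deb_scan message when elem->len exceeds the bound, or skipping the BSS, so that a malformed beacon or probe response is visible when debugging.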

Modified: dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.7
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.7	(original)
+++ dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.7	Tue Dec  2 05:52:24 2008
@@ -10,3 +10,4 @@
 + bugfix/hfsplus-check_read_mapping_page-return-value.patch
 + bugfix/hfs-fix-namelength-memory-corruption.patch
 + bugfix/net-unix-gc-fix-soft-lockups-oom-issues.patch
++ bugfix/all/libertas-fix-buffer-overrun.patch
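
Review bot: The added series entry is the only one in this hunk under bugfix/all/, while the three context entries above it sit directly under bugfix/. It does match the path of the patch file added in this revision (patches/bugfix/all/libertas-fix-buffer-overrun.patch), so the entry resolves. If the split between bugfix/ and bugfix/all/ is intentional, no change is needed; otherwise keep new patches in one location so the series file stays easy to audit.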


