[kernel] r10544 - in dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian: . patches patches/series
Dann Frazier
dannf at alioth.debian.org
Thu Feb 14 06:33:31 UTC 2008
Author: dannf
Date: Thu Feb 14 06:33:30 2008
New Revision: 10544
Log:
* 255_pppoe-socket-release-mem-leak.diff
[SECURITY] fix unprivileged memory leak when a PPPoE socket is released
after connect but before PPPIOCGCHAN ioctl is called upon it
See CVE-2007-2525
Added:
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/255_pppoe-socket-release-mem-leak.diff
Modified:
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6
Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
==============================================================================
--- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog (original)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog Thu Feb 14 06:33:30 2008
@@ -49,6 +49,10 @@
[SECURITY] Add a sanity check of the block length in cramfs_readpage to
avoid a potential oops condition
See CVE-2006-5823
+ * 255_pppoe-socket-release-mem-leak.diff
+ [SECURITY] fix unpriveleged memory leak when a PPPoE socket is released
+ after connect but before PPPIOCGCHAN ioctl is called upon it
+ See CVE-2007-2525
* 256_i4l-isdn_ioctl-mem-overrun.diff
[SECURITY] Fix potential isdn ioctl memory overrun
See CVE-2007-6151
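Review bot: the added changelog entry misspells "unprivileged" as "unpriveleged", and "unprivileged memory leak" reads as if the memory were unprivileged; since this text ends up in the published package changelog, suggest wording the two added lines as "[SECURITY] fix memory leak triggerable by unprivileged users when a PPPoE socket is released after connect but before the PPPIOCGCHAN ioctl is called on it".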
@@ -62,7 +66,7 @@
ext2_find_entry()
See CVE-2006-6054
- -- dann frazier <dannf at debian.org> Wed, 13 Feb 2008 23:10:11 -0700
+ -- dann frazier <dannf at debian.org> Wed, 13 Feb 2008 23:32:09 -0700
kernel-source-2.4.27 (2.4.27-10sarge5) stable-security; urgency=high
Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/255_pppoe-socket-release-mem-leak.diff
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/255_pppoe-socket-release-mem-leak.diff Thu Feb 14 06:33:30 2008
@@ -0,0 +1,42 @@
+commit f1e981303d0f4ccbf3dcd64af41bbf85c62a7122
+Author: dann frazier <dannf at debian.org>
+Date: Mon Jan 21 23:10:51 2008 -0700
+
+ memory leak when socket is release()d before PPPIOCGCHAN has been called on it
+
+ This is a 2.4 backport of a linux-2.6 change by Florian Zumbiehl.
+ (commit 202a03acf9994076055df40ae093a5c5474ad0bd)
+
+ CVE-2007-2525 was assigned for this issue - compile-tested only.
+
+ Commit log from 2.6 follows.
+
+ below you find a patch that fixes a memory leak when a PPPoE socket is
+ release()d after it has been connect()ed, but before the PPPIOCGCHAN ioctl
+ ever has been called on it.
+
+ This is somewhat of a security problem, too, since PPPoE sockets can be
+ created by any user, so any user can easily allocate all the machine's
+ RAM to non-swappable address space and thus DoS the system.
+
+ Is there any specific reason for PPPoE sockets being available to any
+ unprivileged process, BTW? After all, you need a packet socket for the
+ discovery stage anyway, so it's unlikely that any unprivileged process
+ will ever need to create a PPPoE socket, no? Allocating all session IDs
+ for a known AC is a kind of DoS, too, after all - with Juniper ERXes,
+ this is really easy, actually, since they don't ever assign session ids
+ above 8000 ...
+
+diff --git a/drivers/net/pppox.c b/drivers/net/pppox.c
+index 7830e4d..4883c0f 100644
+--- a/drivers/net/pppox.c
++++ b/drivers/net/pppox.c
+@@ -67,7 +67,7 @@ void pppox_unbind_sock(struct sock *sk)
+ {
+ /* Clear connection to ppp device, if attached. */
+
+- if (sk->state & (PPPOX_BOUND|PPPOX_ZOMBIE)) {
++ if (sk->state & (PPPOX_BOUND | PPPOX_CONNECTED | PPPOX_ZOMBIE)) {
+ ppp_unregister_channel(&sk->protinfo.pppox->chan);
+ sk->state = PPPOX_DEAD;
+ }
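Review bot: the one-line change at "if (sk->state & (PPPOX_BOUND | PPPOX_CONNECTED | PPPOX_ZOMBIE))" makes pppox_unbind_sock() call ppp_unregister_channel() for a socket that completed connect() but never reached PPPIOCGCHAN, which matches the cited 2.6 commit; however the correctness of the backport depends on the 2.4 pppoe_connect() having registered the channel before it sets PPPOX_CONNECTED, which is not visible in this hunk and should be confirmed in drivers/net/pppoe.c, since the patch header itself says "compile-tested only". Also suggest a runtime check on a PPPoE-capable test box that a connect-then-close cycle no longer leaves the channel registered and that closing an already BOUND socket does not unregister it twice.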
Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6
==============================================================================
--- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 (original)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 Thu Feb 14 06:33:30 2008
@@ -14,6 +14,7 @@
+ 252_openpromfs-checks-3.diff
+ 253_coredump-only-to-same-uid.diff
+ 254_cramfs-check-block-length.diff
++ 255_pppoe-socket-release-mem-leak.diff
+ 256_i4l-isdn_ioctl-mem-overrun.diff
+ 257_isdn-net-overflow.diff
+ 258_ext2_readdir-f_pos-fix.diff