[kernel] r11532 - in dists/sid/linux-2.6/debian: . patches/bugfix/all/stable patches/series

Maximilian Attems maks at alioth.debian.org
Sat Jun 7 00:58:48 UTC 2008 

Author: maks
Date: Sat Jun  7 00:58:47 2008
New Revision: 11532

Log:
add stable 2.6.25.5

security fix
not yet long awaited stable queue


Added:
   dists/sid/linux-2.6/debian/patches/bugfix/all/stable/2.6.25.5.patch
   dists/sid/linux-2.6/debian/patches/series/5
Modified:
   dists/sid/linux-2.6/debian/changelog

Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog	(original)
+++ dists/sid/linux-2.6/debian/changelog	Sat Jun  7 00:58:47 2008
@@ -1,7 +1,12 @@
 linux-2.6 (2.6.25-5) UNRELEASED; urgency=low
 
+  [ Bastian Blank ]
   * Reenable VServer images.
 
+  [ maximilian attems ]
+  * Add stable release 2.6.25.5:
+    - asn1: additional sanity checking during BER decoding (CVE-2008-1673)
+
  -- Bastian Blank <waldi at debian.org>  Wed, 28 May 2008 23:55:43 +0200
 
 linux-2.6 (2.6.25-4) unstable; urgency=low

Added: dists/sid/linux-2.6/debian/patches/bugfix/all/stable/2.6.25.5.patch
==============================================================================
--- (empty file)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/stable/2.6.25.5.patch	Sat Jun  7 00:58:47 2008
@@ -0,0 +1,78 @@
+diff --git a/fs/cifs/asn1.c b/fs/cifs/asn1.c
+index bcda2c6..5dbba89 100644
+--- a/fs/cifs/asn1.c
++++ b/fs/cifs/asn1.c
+@@ -186,6 +186,11 @@ asn1_length_decode(struct asn1_ctx *ctx, unsigned int *def, unsigned int *len)
+ 			}
+ 		}
+ 	}
++
++	/* don't trust len bigger than ctx buffer */
++	if (*len > ctx->end - ctx->pointer)
++		return 0;
++
+ 	return 1;
+ }
+ 
+@@ -203,6 +208,10 @@ asn1_header_decode(struct asn1_ctx *ctx,
+ 	if (!asn1_length_decode(ctx, &def, &len))
+ 		return 0;
+ 
++	/* primitive shall be definite, indefinite shall be constructed */
++	if (*con == ASN1_PRI && !def)
++		return 0;
++
+ 	if (def)
+ 		*eoc = ctx->pointer + len;
+ 	else
+@@ -389,6 +398,11 @@ asn1_oid_decode(struct asn1_ctx *ctx,
+ 	unsigned long *optr;
+ 
+ 	size = eoc - ctx->pointer + 1;
++
++	/* first subid actually encodes first two subids */
++	if (size < 2 || size > ULONG_MAX/sizeof(unsigned long))
++		return 0;
++
+ 	*oid = kmalloc(size * sizeof(unsigned long), GFP_ATOMIC);
+ 	if (*oid == NULL)
+ 		return 0;
+diff --git a/net/ipv4/netfilter/nf_nat_snmp_basic.c b/net/ipv4/netfilter/nf_nat_snmp_basic.c
+index 540ce6a..5f35f0b 100644
+--- a/net/ipv4/netfilter/nf_nat_snmp_basic.c
++++ b/net/ipv4/netfilter/nf_nat_snmp_basic.c
+@@ -231,6 +231,11 @@ static unsigned char asn1_length_decode(struct asn1_ctx *ctx,
+ 			}
+ 		}
+ 	}
++
++	/* don't trust len bigger than ctx buffer */
++	if (*len > ctx->end - ctx->pointer)
++		return 0;
++
+ 	return 1;
+ }
+ 
+@@ -249,6 +254,10 @@ static unsigned char asn1_header_decode(struct asn1_ctx *ctx,
+ 	if (!asn1_length_decode(ctx, &def, &len))
+ 		return 0;
+ 
++	/* primitive shall be definite, indefinite shall be constructed */
++	if (*con == ASN1_PRI && !def)
++		return 0;
++
+ 	if (def)
+ 		*eoc = ctx->pointer + len;
+ 	else
+@@ -433,6 +442,11 @@ static unsigned char asn1_oid_decode(struct asn1_ctx *ctx,
+ 	unsigned long *optr;
+ 
+ 	size = eoc - ctx->pointer + 1;
++
++	/* first subid actually encodes first two subids */
++	if (size < 2 || size > ULONG_MAX/sizeof(unsigned long))
++		return 0;
++
+ 	*oid = kmalloc(size * sizeof(unsigned long), GFP_ATOMIC);
+ 	if (*oid == NULL) {
+ 		if (net_ratelimit())

Added: dists/sid/linux-2.6/debian/patches/series/5
==============================================================================
--- (empty file)
+++ dists/sid/linux-2.6/debian/patches/series/5	Sat Jun  7 00:58:47 2008
@@ -0,0 +1 @@
++ bugfix/all/stable/2.6.25.5.patch

More information about the Kernel-svn-changes mailing list