[kernel] r11583 - in dists/etch-security/linux-2.6/debian: . patches/bugfix patches/series

Dann Frazier dannf at alioth.debian.org
Mon Jun 9 06:01:38 UTC 2008 

Author: dannf
Date: Mon Jun  9 06:01:35 2008
New Revision: 11583

Log:
2.6.18.dfsg.1-18etch6 changes

Added:
   dists/etch-security/linux-2.6/debian/patches/bugfix/asn1-ber-decoding-checks.patch
   dists/etch-security/linux-2.6/debian/patches/bugfix/dccp-feature-length-check.patch
   dists/etch-security/linux-2.6/debian/patches/series/18etch6
Modified:
   dists/etch-security/linux-2.6/debian/changelog

Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog	(original)
+++ dists/etch-security/linux-2.6/debian/changelog	Mon Jun  9 06:01:35 2008
@@ -1,3 +1,15 @@
+linux-2.6 (2.6.18.dfsg.1-18etch6) stable-security; urgency=high
+
+  * bugfix/dccp-feature-length-check.patch
+    [SECURITY] Validate feature length to avoid heap overflow
+    See CVE-2008-2358
+  * bugfix/asn1-ber-decoding-checks.patch
+    [SECURITY] Validate lengths in ASN.1 decoding code to avoid
+    heap overflow
+    See CVE-2008-1673
+  
+ -- dann frazier <dannf at debian.org>  Thu, 05 Jun 2008 22:36:07 -0600
+
 linux-2.6 (2.6.18.dfsg.1-18etch5) stable-security; urgency=high
 
   * bugfix/sit-missing-kfree_skb-on-pskb_may_pull.patch

Added: dists/etch-security/linux-2.6/debian/patches/bugfix/asn1-ber-decoding-checks.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/asn1-ber-decoding-checks.patch	Mon Jun  9 06:01:35 2008
@@ -0,0 +1,103 @@
+From: Chris Wright <chrisw at sous-sol.org>
+Date: Wed, 4 Jun 2008 16:16:33 +0000 (-0700)
+Subject: asn1: additional sanity checking during BER decoding
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=ddb2c43594f22843e9f3153da151deaba1a834c5
+
+asn1: additional sanity checking during BER decoding
+
+- Don't trust a length which is greater than the working buffer.
+  An invalid length could cause overflow when calculating buffer size
+  for decoding oid.
+
+- An oid length of zero is invalid and allows for an off-by-one error when
+  decoding oid because the first subid actually encodes first 2 subids.
+
+- A primitive encoding may not have an indefinite length.
+
+Thanks to Wei Wang from McAfee for report.
+
+Cc: Steven French <sfrench at us.ibm.com>
+Cc: stable at kernel.org
+Acked-by: Patrick McHardy <kaber at trash.net>
+Signed-off-by: Chris Wright <chrisw at sous-sol.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+
+Backported to Debian's 2.6.18 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.18.orig/fs/cifs/asn1.c linux-source-2.6.18/fs/cifs/asn1.c
+--- linux-source-2.6.18.orig/fs/cifs/asn1.c	2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/fs/cifs/asn1.c	2008-06-05 21:52:32.000000000 -0600
+@@ -182,6 +182,11 @@ asn1_length_decode(struct asn1_ctx *ctx,
+ 			}
+ 		}
+ 	}
++
++	/* don't trust len bigger than ctx buffer */
++	if (*len > ctx->end - ctx->pointer)
++		return 0;
++
+ 	return 1;
+ }
+ 
+@@ -199,6 +204,10 @@ asn1_header_decode(struct asn1_ctx *ctx,
+ 	if (!asn1_length_decode(ctx, &def, &len))
+ 		return 0;
+ 
++	/* primitive shall be definite, indefinite shall be constructed */
++	if (*con == ASN1_PRI && !def)
++		return 0;
++
+ 	if (def)
+ 		*eoc = ctx->pointer + len;
+ 	else
+@@ -385,6 +394,11 @@ asn1_oid_decode(struct asn1_ctx *ctx,
+ 	unsigned long *optr;
+ 
+ 	size = eoc - ctx->pointer + 1;
++
++	/* first subid actually encodes first two subids */
++	if (size < 2 || size > ULONG_MAX/sizeof(unsigned long))
++		return 0;
++
+ 	*oid = kmalloc(size * sizeof (unsigned long), GFP_ATOMIC);
+ 	if (*oid == NULL) {
+ 		return 0;
+diff -urpN linux-source-2.6.18.orig/net/ipv4/netfilter/ip_nat_snmp_basic.c linux-source-2.6.18/net/ipv4/netfilter/ip_nat_snmp_basic.c
+--- linux-source-2.6.18.orig/net/ipv4/netfilter/ip_nat_snmp_basic.c	2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/net/ipv4/netfilter/ip_nat_snmp_basic.c	2008-06-05 21:53:29.000000000 -0600
+@@ -235,6 +235,11 @@ static unsigned char asn1_length_decode(
+ 			}
+ 		}
+ 	}
++
++	/* don't trust len bigger than ctx buffer */
++	if (*len > ctx->end - ctx->pointer)
++		return 0;
++
+ 	return 1;
+ }
+ 
+@@ -253,6 +258,10 @@ static unsigned char asn1_header_decode(
+ 	if (!asn1_length_decode(ctx, &def, &len))
+ 		return 0;
+ 		
++	/* primitive shall be definite, indefinite shall be constructed */
++	if (*con == ASN1_PRI && !def)
++		return 0;
++
+ 	if (def)
+ 		*eoc = ctx->pointer + len;
+ 	else
+@@ -437,6 +446,11 @@ static unsigned char asn1_oid_decode(str
+ 	unsigned long *optr;
+ 	
+ 	size = eoc - ctx->pointer + 1;
++
++	/* first subid actually encodes first two subids */
++	if (size < 2 || size > ULONG_MAX/sizeof(unsigned long))
++		return 0;
++
+ 	*oid = kmalloc(size * sizeof(unsigned long), GFP_ATOMIC);
+ 	if (*oid == NULL) {
+ 		if (net_ratelimit())

Added: dists/etch-security/linux-2.6/debian/patches/bugfix/dccp-feature-length-check.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/dccp-feature-length-check.patch	Mon Jun  9 06:01:35 2008
@@ -0,0 +1,15 @@
+diff -urpN linux-source-2.6.18.orig/net/dccp/feat.c linux-source-2.6.18/net/dccp/feat.c
+--- linux-source-2.6.18.orig/net/dccp/feat.c	2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/net/dccp/feat.c	2008-06-05 19:57:08.000000000 -0600
+@@ -25,6 +25,11 @@ int dccp_feat_change(struct dccp_minisoc
+ 
+ 	dccp_pr_debug("feat change type=%d feat=%d\n", type, feature);
+ 
++	if (len > 3) {
++		if (net_ratelimit())
++			printk("%s: invalid length %d\n", __func__, len);
++		return -EINVAL;
++	}
+ 	/* XXX sanity check feat change request */
+ 
+ 	/* check if that feature is already being negotiated */

Added: dists/etch-security/linux-2.6/debian/patches/series/18etch6
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/series/18etch6	Mon Jun  9 06:01:35 2008
@@ -0,0 +1,2 @@
++ bugfix/dccp-feature-length-check.patch
++ bugfix/asn1-ber-decoding-checks.patch

More information about the Kernel-svn-changes mailing list