[kernel] r11695 - in dists/etch-security/linux-2.6/debian: . patches/bugfix patches/series

Dann Frazier dannf at alioth.debian.org
Wed Jun 25 05:25:33 UTC 2008


Author: dannf
Date: Wed Jun 25 05:25:31 2008
New Revision: 11695

Log:
bugfix/esp-iv-in-linear-part-of-skb.patch
[SECURITY] Avoid tripping BUG() in IPsec code when the first fragment
of an ESP packet does not contain the entire ESP header and IV
See CVE-2007-6282

Added:
   dists/etch-security/linux-2.6/debian/patches/bugfix/esp-iv-in-linear-part-of-skb.patch
Modified:
   dists/etch-security/linux-2.6/debian/changelog
   dists/etch-security/linux-2.6/debian/patches/series/18etch7

Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog	(original)
+++ dists/etch-security/linux-2.6/debian/changelog	Wed Jun 25 05:25:31 2008
@@ -4,8 +4,12 @@
     [SECURITY] Fix potential overflow condition in
     sctp_getsockopt_local_addrs_old
     See CVE-2008-2826
+  * bugfix/esp-iv-in-linear-part-of-skb.patch
+    [SECURITY] Avoid tripping BUG() in IPsec code when the first fragment
+    of an ESP packet does not contain the entire ESP header and IV
+    See CVE-2007-6282
 
- -- dann frazier <dannf at debian.org>  Mon, 23 Jun 2008 20:06:16 -0600
+ -- dann frazier <dannf at debian.org>  Tue, 24 Jun 2008 23:06:40 -0600
 
 linux-2.6 (2.6.18.dfsg.1-18etch6) stable-security; urgency=high
 

Added: dists/etch-security/linux-2.6/debian/patches/bugfix/esp-iv-in-linear-part-of-skb.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/esp-iv-in-linear-part-of-skb.patch	Wed Jun 25 05:25:31 2008
@@ -0,0 +1,48 @@
+From: Thomas Graf <tgraf at suug.ch>
+Date: Thu, 27 Mar 2008 23:08:03 +0000 (-0700)
+Subject: (CVE-2007-6282) [ESP]: Ensure IV is in linear part of the skb to avoid BUG() due ...
+X-Git-Url: http://kernel.ubuntu.com/git?p=ubuntu-security%2Fubuntu-dapper.git;a=commitdiff_plain;h=3f83e11fbd494f5e40db1a7bbd2b780118b712a1
+
+(CVE-2007-6282) [ESP]: Ensure IV is in linear part of the skb to avoid BUG() due to OOB access
+
+[linux-2.6: 920fc941a9617f95ccb283037fe6f8a38d95bb69]
+
+ESP does not account for the IV size when calling pskb_may_pull() to
+ensure everything it accesses directly is within the linear part of a
+potential fragment. This results in a BUG() being triggered when the
+both the IPv4 and IPv6 ESP stack is fed with an skb where the first
+fragment ends between the end of the esp header and the end of the IV.
+
+This bug was found by Dirk Nehring <dnehring at gmx.net> .
+
+Signed-off-by: Thomas Graf <tgraf at suug.ch>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Kees Cook <kees.cook at canonical.com>
+---
+
+Adjusted to apply to Debian's 2.6.18 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.18.orig/net/ipv4/esp4.c linux-source-2.6.18/net/ipv4/esp4.c
+--- linux-source-2.6.18.orig/net/ipv4/esp4.c	2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/net/ipv4/esp4.c	2008-06-24 22:47:45.000000000 -0600
+@@ -147,7 +147,7 @@ static int esp_input(struct xfrm_state *
+ 	struct scatterlist *sg;
+ 	int padlen;
+ 
+-	if (!pskb_may_pull(skb, sizeof(struct ip_esp_hdr)))
++	if (!pskb_may_pull(skb, sizeof(struct ip_esp_hdr) + esp->conf.ivlen))
+ 		goto out;
+ 
+ 	if (elen <= 0 || (elen & (blksize-1)))
+diff -urpN linux-source-2.6.18.orig/net/ipv6/esp6.c linux-source-2.6.18/net/ipv6/esp6.c
+--- linux-source-2.6.18.orig/net/ipv6/esp6.c	2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/net/ipv6/esp6.c	2008-06-24 22:47:45.000000000 -0600
+@@ -143,7 +143,7 @@ static int esp6_input(struct xfrm_state 
+ 	int nfrags;
+ 	int ret = 0;
+ 
+-	if (!pskb_may_pull(skb, sizeof(struct ipv6_esp_hdr))) {
++	if (!pskb_may_pull(skb, sizeof(struct ipv6_esp_hdr) + esp->conf.ivlen)) {
+ 		ret = -EINVAL;
+ 		goto out;
+ 	}
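Review bot: In both the esp_input() and esp6_input() hunks the new pull length reads esp->conf.ivlen, but none of the shown context lines assign esp, so it is worth confirming that esp is already set from the xfrm_state at this point in the 2.6.18 versions of both functions. The header line "Adjusted to apply to Debian's 2.6.18" also does not say what was adjusted relative to the upstream commit 920fc941a9617f95ccb283037fe6f8a38d95bb69. Please state whether the change was only context and offsets or something semantic, so the backport can be checked against the original. It may also be worth a comment above each pskb_may_pull() call saying that the IV is read directly from the linear area, so the ivlen term is not dropped in a later cleanup.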

Modified: dists/etch-security/linux-2.6/debian/patches/series/18etch7
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/18etch7	(original)
+++ dists/etch-security/linux-2.6/debian/patches/series/18etch7	Wed Jun 25 05:25:31 2008
@@ -1 +1,2 @@
 + bugfix/sctp-make-sure-n-sizeof-does-not-overflow.patch
++ bugfix/esp-iv-in-linear-part-of-skb.patch


