[kernel] r12300 - in dists/etch-security/linux-2.6.24/debian: . patches/bugfix patches/series

Dann Frazier dannf at alioth.debian.org
Fri Oct 10 18:14:52 UTC 2008


Author: dannf
Date: Fri Oct 10 18:14:51 2008
New Revision: 12300

Log:
* sctp: fix random memory dereference with SCTP_HMAC_IDENT option.
  (CVE-2008-4113)
* sctp: fix bounds checking in sctp_auth_ep_set_hmacs
  (CVE-2008-4445)

Added:
   dists/etch-security/linux-2.6.24/debian/patches/bugfix/sctp-fix-random-memory-dereference-with-SCTP_HMAC_I.patch
Modified:
   dists/etch-security/linux-2.6.24/debian/changelog
   dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.6

Modified: dists/etch-security/linux-2.6.24/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/changelog	(original)
+++ dists/etch-security/linux-2.6.24/debian/changelog	Fri Oct 10 18:14:51 2008
@@ -3,8 +3,12 @@
   * Add missing capability checks in sbni_ioctl (CVE-2008-3525)
   * [s390] prevent ptrace padding area read/write in 31-bit mode
     (CVE-2008-1514)
+  * sctp: fix random memory dereference with SCTP_HMAC_IDENT option.
+    (CVE-2008-4113)
+  * sctp: fix bounds checking in sctp_auth_ep_set_hmacs
+    (CVE-2008-4445)
 
- -- dann frazier <dannf at debian.org>  Thu, 09 Oct 2008 23:52:07 -0600
+ -- dann frazier <dannf at debian.org>  Fri, 10 Oct 2008 00:01:10 -0600
 
 linux-2.6.24 (2.6.24-6~etchnhalf.5) stable-security; urgency=high
 

Added: dists/etch-security/linux-2.6.24/debian/patches/bugfix/sctp-fix-random-memory-dereference-with-SCTP_HMAC_I.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6.24/debian/patches/bugfix/sctp-fix-random-memory-dereference-with-SCTP_HMAC_I.patch	Fri Oct 10 18:14:51 2008
@@ -0,0 +1,51 @@
+commit d97240552cd98c4b07322f30f66fd9c3ba4171de
+Author: Vlad Yasevich <vladislav.yasevich at hp.com>
+Date:   Wed Aug 27 16:09:49 2008 -0700
+
+    sctp: fix random memory dereference with SCTP_HMAC_IDENT option.
+    
+    The number of identifiers needs to be checked against the option
+    length.  Also, the identifier index provided needs to be verified
+    to make sure that it doesn't exceed the bounds of the array.
+    
+    Signed-off-by: Vlad Yasevich <vladislav.yasevich at hp.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+Adjusted to apply to Debian's 2.6.24 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.24.orig/net/sctp/auth.c linux-source-2.6.24/net/sctp/auth.c
+--- linux-source-2.6.24.orig/net/sctp/auth.c	2008-01-24 15:58:37.000000000 -0700
++++ linux-source-2.6.24/net/sctp/auth.c	2008-10-09 23:57:42.000000000 -0600
+@@ -782,6 +782,9 @@ int sctp_auth_ep_set_hmacs(struct sctp_e
+ 	for (i = 0; i < hmacs->shmac_num_idents; i++) {
+ 		id = hmacs->shmac_idents[i];
+ 
++		if (id > SCTP_AUTH_HMAC_ID_MAX)
++			return -EOPNOTSUPP;
++
+ 		if (SCTP_AUTH_HMAC_ID_SHA1 == id)
+ 			has_sha1 = 1;
+ 
+diff -urpN linux-source-2.6.24.orig/net/sctp/socket.c linux-source-2.6.24/net/sctp/socket.c
+--- linux-source-2.6.24.orig/net/sctp/socket.c	2008-01-24 15:58:37.000000000 -0700
++++ linux-source-2.6.24/net/sctp/socket.c	2008-10-09 23:57:42.000000000 -0600
+@@ -2987,6 +2987,7 @@ static int sctp_setsockopt_hmac_ident(st
+ 				    int optlen)
+ {
+ 	struct sctp_hmacalgo *hmacs;
++	u32 idents;
+ 	int err;
+ 
+ 	if (optlen < sizeof(struct sctp_hmacalgo))
+@@ -3001,8 +3002,9 @@ static int sctp_setsockopt_hmac_ident(st
+ 		goto out;
+ 	}
+ 
+-	if (hmacs->shmac_num_idents == 0 ||
+-	    hmacs->shmac_num_idents > SCTP_AUTH_NUM_HMACS) {
++	idents = hmacs->shmac_num_idents;
++	if (idents == 0 || idents > SCTP_AUTH_NUM_HMACS ||
++	    (idents * sizeof(u16)) > (optlen - sizeof(struct sctp_hmacalgo))) {
+ 		err = -EINVAL;
+ 		goto out;
+ 	}
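Review bot: In the second `sctp_setsockopt_hmac_ident` hunk, the new bound `(idents * sizeof(u16)) > (optlen - sizeof(struct sctp_hmacalgo))` is evaluated in unsigned arithmetic. It is correct only because the earlier `optlen < sizeof(struct sctp_hmacalgo)` guard keeps the subtraction from wrapping, and because `idents > SCTP_AUTH_NUM_HMACS` is tested first so the multiplication stays small. That ordering dependency deserves a comment above the condition, e.g. `/* optlen >= sizeof(*hmacs) was checked above and idents is already capped, so neither side can wrap */`. The earlier guard compares the signed `optlen` with a `size_t`, so it presumably relies on the caller never passing a negative length; the code between the two socket.c hunks and the rest of the function are outside this view, so confirm it there. In the auth.c hunk, the `id > SCTP_AUTH_HMAC_ID_MAX` test sits in a loop still bounded by `hmacs->shmac_num_idents`, which `sctp_auth_ep_set_hmacs` appears to trust the setsockopt path to have validated; a one-line comment stating that precondition would help anyone adding another caller.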

Modified: dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.6
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.6	(original)
+++ dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.6	Fri Oct 10 18:14:51 2008
@@ -1,2 +1,3 @@
 + bugfix/wan-sbni_ioctl-cap-checks.patch
 + bugfix/prevent-ptrace-padding-area-readwrite-in-32bit-mode.patch
++ bugfix/sctp-fix-random-memory-dereference-with-SCTP_HMAC_I.patch


