[kernel] r12300 - in dists/etch-security/linux-2.6.24/debian: . patches/bugfix patches/series
Dann Frazier
dannf at alioth.debian.org
Fri Oct 10 18:14:52 UTC 2008
Author: dannf
Date: Fri Oct 10 18:14:51 2008
New Revision: 12300
Log:
* sctp: fix random memory dereference with SCTP_HMAC_IDENT option.
(CVE-2008-4113)
* sctp: fix bounds checking in sctp_auth_ep_set_hmacs
(CVE-2008-4445)
Added:
dists/etch-security/linux-2.6.24/debian/patches/bugfix/sctp-fix-random-memory-dereference-with-SCTP_HMAC_I.patch
Modified:
dists/etch-security/linux-2.6.24/debian/changelog
dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.6
Modified: dists/etch-security/linux-2.6.24/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/changelog (original)
+++ dists/etch-security/linux-2.6.24/debian/changelog Fri Oct 10 18:14:51 2008
@@ -3,8 +3,12 @@
* Add missing capability checks in sbni_ioctl (CVE-2008-3525)
* [s390] prevent ptrace padding area read/write in 31-bit mode
(CVE-2008-1514)
+ * sctp: fix random memory dereference with SCTP_HMAC_IDENT option.
+ (CVE-2008-4113)
+ * sctp: fix bounds checking in sctp_auth_ep_set_hmacs
+ (CVE-2008-4445)
- -- dann frazier <dannf at debian.org> Thu, 09 Oct 2008 23:52:07 -0600
+ -- dann frazier <dannf at debian.org> Fri, 10 Oct 2008 00:01:10 -0600
linux-2.6.24 (2.6.24-6~etchnhalf.5) stable-security; urgency=high
Added: dists/etch-security/linux-2.6.24/debian/patches/bugfix/sctp-fix-random-memory-dereference-with-SCTP_HMAC_I.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6.24/debian/patches/bugfix/sctp-fix-random-memory-dereference-with-SCTP_HMAC_I.patch Fri Oct 10 18:14:51 2008
@@ -0,0 +1,51 @@
+commit d97240552cd98c4b07322f30f66fd9c3ba4171de
+Author: Vlad Yasevich <vladislav.yasevich at hp.com>
+Date: Wed Aug 27 16:09:49 2008 -0700
+
+ sctp: fix random memory dereference with SCTP_HMAC_IDENT option.
+
+ The number of identifiers needs to be checked against the option
+ length. Also, the identifier index provided needs to be verified
+ to make sure that it doesn't exceed the bounds of the array.
+
+ Signed-off-by: Vlad Yasevich <vladislav.yasevich at hp.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+Adjusted to apply to Debian's 2.6.24 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.24.orig/net/sctp/auth.c linux-source-2.6.24/net/sctp/auth.c
+--- linux-source-2.6.24.orig/net/sctp/auth.c 2008-01-24 15:58:37.000000000 -0700
++++ linux-source-2.6.24/net/sctp/auth.c 2008-10-09 23:57:42.000000000 -0600
+@@ -782,6 +782,9 @@ int sctp_auth_ep_set_hmacs(struct sctp_e
+ for (i = 0; i < hmacs->shmac_num_idents; i++) {
+ id = hmacs->shmac_idents[i];
+
++ if (id > SCTP_AUTH_HMAC_ID_MAX)
++ return -EOPNOTSUPP;
++
+ if (SCTP_AUTH_HMAC_ID_SHA1 == id)
+ has_sha1 = 1;
+
+diff -urpN linux-source-2.6.24.orig/net/sctp/socket.c linux-source-2.6.24/net/sctp/socket.c
+--- linux-source-2.6.24.orig/net/sctp/socket.c 2008-01-24 15:58:37.000000000 -0700
++++ linux-source-2.6.24/net/sctp/socket.c 2008-10-09 23:57:42.000000000 -0600
+@@ -2987,6 +2987,7 @@ static int sctp_setsockopt_hmac_ident(st
+ int optlen)
+ {
+ struct sctp_hmacalgo *hmacs;
++ u32 idents;
+ int err;
+
+ if (optlen < sizeof(struct sctp_hmacalgo))
+@@ -3001,8 +3002,9 @@ static int sctp_setsockopt_hmac_ident(st
+ goto out;
+ }
+
+- if (hmacs->shmac_num_idents == 0 ||
+- hmacs->shmac_num_idents > SCTP_AUTH_NUM_HMACS) {
++ idents = hmacs->shmac_num_idents;
++ if (idents == 0 || idents > SCTP_AUTH_NUM_HMACS ||
++ (idents * sizeof(u16)) > (optlen - sizeof(struct sctp_hmacalgo))) {
+ err = -EINVAL;
+ goto out;
+ }
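Review bot: In the socket.c hunk the new length test `(idents * sizeof(u16)) > (optlen - sizeof(struct sctp_hmacalgo))` subtracts a `size_t` from the signed `int optlen`, so the right-hand side is evaluated as unsigned and is only meaningful while `optlen` is at least the header size. The `optlen < sizeof(struct sctp_hmacalgo)` guard shown as context covers that for non-negative lengths, but it is itself an unsigned comparison, so a negative `optlen` would pass both tests unless the setsockopt caller rejects it first, which is not visible here. I would state that dependency next to the check, e.g. `/* optlen >= sizeof(*hmacs) checked above; negative optlen is rejected by the caller */`, after confirming it holds for this tree. The body of sctp_setsockopt_hmac_ident starts and ends outside the hunks, including the lines between the two socket.c hunks where the option buffer is presumably copied in.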
Modified: dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.6
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.6 (original)
+++ dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.6 Fri Oct 10 18:14:51 2008
@@ -1,2 +1,3 @@
+ bugfix/wan-sbni_ioctl-cap-checks.patch
+ bugfix/prevent-ptrace-padding-area-readwrite-in-32bit-mode.patch
++ bugfix/sctp-fix-random-memory-dereference-with-SCTP_HMAC_I.patch