[kernel] r13358 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Wed Apr 8 06:04:56 UTC 2009
Author: dannf
Date: Wed Apr 8 06:04:54 2009
New Revision: 13358
Log:
af_rose/x25: Sanity check the maximum user frame size (CVE-2009-0795)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/af_rose+x25-sanity-check-the-max-user-frame-size.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/15lenny1
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Tue Apr 7 12:27:39 2009 (r13357)
+++ dists/lenny-security/linux-2.6/debian/changelog Wed Apr 8 06:04:54 2009 (r13358)
@@ -8,6 +8,7 @@
This issue does not effect pre-build Debian kernels.
* Fix an off-by-two memory error in console selection (CVE-2009-1046)
* nfsd: drop CAP_MKNOD for non-root (CVE-2009-1072)
+ * af_rose/x25: Sanity check the maximum user frame size (CVE-2009-0795)
-- dann frazier <dannf at debian.org> Fri, 03 Apr 2009 19:12:51 -0600
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/af_rose+x25-sanity-check-the-max-user-frame-size.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/af_rose+x25-sanity-check-the-max-user-frame-size.patch Wed Apr 8 06:04:54 2009 (r13358)
@@ -0,0 +1,61 @@
+commit 83e0bbcbe2145f160fbaa109b0439dae7f4a38a9
+Author: Alan Cox <alan at lxorguk.ukuu.org.uk>
+Date: Fri Mar 27 00:28:21 2009 -0700
+
+ af_rose/x25: Sanity check the maximum user frame size
+
+ Otherwise we can wrap the sizes and end up sending garbage.
+
+ Closes #10423
+
+ Signed-off-by: Alan Cox <alan at lxorguk.ukuu.org.uk>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
+--- a/net/netrom/af_netrom.c 2008-01-24 15:58:37.000000000 -0700
++++ b/net/netrom/af_netrom.c 2009-04-07 23:56:09.000000000 -0600
+@@ -1074,7 +1074,11 @@ static int nr_sendmsg(struct kiocb *iocb
+
+ SOCK_DEBUG(sk, "NET/ROM: sendto: Addresses built.\n");
+
+- /* Build a packet */
++ /* Build a packet - the conventional user limit is 236 bytes. We can
++ do ludicrously large NetROM frames but must not overflow */
++ if (len > 65536)
++ return -EMSGSIZE;
++
+ SOCK_DEBUG(sk, "NET/ROM: sendto: building packet.\n");
+ size = len + NR_NETWORK_LEN + NR_TRANSPORT_LEN;
+
+diff -urpN a/net/rose/af_rose.c b/net/rose/af_rose.c
+--- a/net/rose/af_rose.c 2008-01-24 15:58:37.000000000 -0700
++++ b/net/rose/af_rose.c 2009-04-07 23:56:09.000000000 -0600
+@@ -1100,6 +1100,10 @@ static int rose_sendmsg(struct kiocb *io
+
+ /* Build a packet */
+ SOCK_DEBUG(sk, "ROSE: sendto: building packet.\n");
++ /* Sanity check the packet size */
++ if (len > 65535)
++ return -EMSGSIZE;
++
+ size = len + AX25_BPQ_HEADER_LEN + AX25_MAX_HEADER_LEN + ROSE_MIN_LEN;
+
+ if ((skb = sock_alloc_send_skb(sk, size, msg->msg_flags & MSG_DONTWAIT, &err)) == NULL)
+diff -urpN a/net/x25/af_x25.c b/net/x25/af_x25.c
+--- a/net/x25/af_x25.c 2008-01-24 15:58:37.000000000 -0700
++++ b/net/x25/af_x25.c 2009-04-07 23:56:09.000000000 -0600
+@@ -1042,6 +1042,12 @@ static int x25_sendmsg(struct kiocb *ioc
+ sx25.sx25_addr = x25->dest_addr;
+ }
+
++ /* Sanity check the packet size */
++ if (len > 65535) {
++ rc = -EMSGSIZE;
++ goto out;
++ }
++
+ SOCK_DEBUG(sk, "x25_sendmsg: sendto: Addresses built.\n");
+
+ /* Build a packet */
Modified: dists/lenny-security/linux-2.6/debian/patches/series/15lenny1
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/15lenny1 Tue Apr 7 12:27:39 2009 (r13357)
+++ dists/lenny-security/linux-2.6/debian/patches/series/15lenny1 Wed Apr 8 06:04:54 2009 (r13358)
@@ -4,3 +4,4 @@
+ bugfix/all/shm-fix-shmctl(SHM_INFO)-lockup-without-CONFIG_SHMEM.patch
+ bugfix/all/fix-off-by-2-error-in-console-selection.patch
+ bugfix/all/nfsd-drop-CAP_MKNOD-for-non-root.patch
++ bugfix/all/af_rose+x25-sanity-check-the-max-user-frame-size.patch
More information about the Kernel-svn-changes
mailing list