[kernel] r12573 - in dists/etch-security/linux-2.6/debian: . patches/bugfix/all patches/series

[Dann Frazier]

Author: dannf
Date: Wed Jan 14 05:27:46 2009
New Revision: 12573

Log:
* sctp: fix memory overflow
   - bugfix/all/sctp-avoid-memory-overflow.patch
  See CVE-2009-0065

Added:
   dists/etch-security/linux-2.6/debian/patches/bugfix/all/sctp-avoid-memory-overflow.patch   (contents, props changed)
      - copied, changed from r12566, /dists/sid/linux-2.6/debian/patches/bugfix/all/sctp-avoid-memory-overflow.patch
Modified:
   dists/etch-security/linux-2.6/debian/changelog
   dists/etch-security/linux-2.6/debian/patches/series/23etch2

Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog	(original)
+++ dists/etch-security/linux-2.6/debian/changelog	Wed Jan 14 05:27:46 2009
@@ -6,8 +6,11 @@
   * nfs: Fix fcntl/close race
      - bugfix/all/nfs-remove-buggy-lock-if-signalled-case.patch
     See CVE-2008-4307
+  * sctp: fix memory overflow
+     - bugfix/all/sctp-avoid-memory-overflow.patch
+    See CVE-2009-0065
 
- -- dann frazier <dannf at debian.org>  Tue, 13 Jan 2009 22:14:02 -0700
+ -- dann frazier <dannf at debian.org>  Tue, 13 Jan 2009 22:25:05 -0700
 
 linux-2.6 (2.6.18.dfsg.1-23etch1) stable-security; urgency=high
 

Copied: dists/etch-security/linux-2.6/debian/patches/bugfix/all/sctp-avoid-memory-overflow.patch (from r12566, /dists/sid/linux-2.6/debian/patches/bugfix/all/sctp-avoid-memory-overflow.patch)
==============================================================================
--- /dists/sid/linux-2.6/debian/patches/bugfix/all/sctp-avoid-memory-overflow.patch	(original)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/all/sctp-avoid-memory-overflow.patch	Wed Jan 14 05:27:46 2009
@@ -25,28 +25,21 @@
     Signed-off-by: Vlad Yasevich <vladislav.yasevich at hp.com>
     Signed-off-by: David S. Miller <davem at davemloft.net>
 
-Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+Adjusted to apply to Debian's 2.6.18 by dann frazier <dannf at debian.org>
 
-diff -urpN linux-source-2.6.26.orig/net/sctp/sm_statefuns.c linux-source-2.6.26/net/sctp/sm_statefuns.c
---- linux-source-2.6.26.orig/net/sctp/sm_statefuns.c	2009-01-08 16:43:13.000000000 -0700
-+++ linux-source-2.6.26/net/sctp/sm_statefuns.c	2009-01-10 10:15:32.000000000 -0700
-@@ -3641,6 +3641,7 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn(c
+diff -urpN linux-source-2.6.18.orig/net/sctp/sm_statefuns.c linux-source-2.6.18/net/sctp/sm_statefuns.c
+--- linux-source-2.6.18.orig/net/sctp/sm_statefuns.c	2008-10-13 09:28:32.000000000 -0600
++++ linux-source-2.6.18/net/sctp/sm_statefuns.c	2009-01-13 22:22:46.000000000 -0700
+@@ -3466,6 +3466,8 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn_f
  {
  	struct sctp_chunk *chunk = arg;
  	struct sctp_fwdtsn_hdr *fwdtsn_hdr;
 +	struct sctp_fwdtsn_skip *skip;
- 	__u16 len;
- 	__u32 tsn;
- 
-@@ -3701,6 +3702,7 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn_f
- {
- 	struct sctp_chunk *chunk = arg;
- 	struct sctp_fwdtsn_hdr *fwdtsn_hdr;
 +	struct sctp_fwdtsn_skip *skip;
  	__u16 len;
  	__u32 tsn;
  
-@@ -3730,6 +3732,18 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn_f
+@@ -3495,6 +3497,18 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn_f
  	if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0)
  		goto gen_shutdown;
  
@@ -64,4 +57,4 @@
 +
  	sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn));
  	if (len > sizeof(struct sctp_fwdtsn_hdr))
- 		sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN,
+ 		sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN, 

Modified: dists/etch-security/linux-2.6/debian/patches/series/23etch2
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/23etch2	(original)
+++ dists/etch-security/linux-2.6/debian/patches/series/23etch2	Wed Jan 14 05:27:46 2009
@@ -1,2 +1,3 @@
 + bugfix/all/watchdog-ib700wdt-buffer_underflow.patch
 + bugfix/all/nfs-remove-buggy-lock-if-signalled-case.patch
++ bugfix/all/sctp-avoid-memory-overflow.patch