[kernel] r14352 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Thu Oct 8 06:23:52 UTC 2009


Author: dannf
Date: Thu Oct  8 06:23:50 2009
New Revision: 14352

Log:
net: fix information leak due to uninitialized structures in
getname functions (CVE-2009-3002)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/can-fix-raw_getname-leak.patch
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/econet-fix-econet_getname-leak.patch
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/irda-fix-irda_getname-leak.patch
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/netrom-fix-nr_getname-leak.patch
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/rose-fix-rose_getname-leak.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/19lenny1

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Thu Oct  8 06:07:39 2009	(r14351)
+++ dists/lenny-security/linux-2.6/debian/changelog	Thu Oct  8 06:23:50 2009	(r14352)
@@ -7,6 +7,8 @@
   * selinux: prevent local users from bypassing mmap_min_addr
     in unconfined domains (CVE-2009-2695)
   * fix information leak in llc_ui_getname (CVE-2009-3001)
+  * net: fix information leak due to uninitialized structures in
+    getname functions (CVE-2009-3002)
 
  -- dann frazier <dannf at debian.org>  Tue, 15 Sep 2009 22:54:06 -0600
 

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/can-fix-raw_getname-leak.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/can-fix-raw_getname-leak.patch	Thu Oct  8 06:23:50 2009	(r14352)
@@ -0,0 +1,27 @@
+commit e84b90ae5eb3c112d1f208964df1d8156a538289
+Author: Eric Dumazet <eric.dumazet at gmail.com>
+Date:   Thu Aug 6 20:27:04 2009 +0000
+
+    can: Fix raw_getname() leak
+    
+    raw_getname() can leak 10 bytes of kernel memory to user
+    
+    (two bytes hole between can_family and can_ifindex,
+    8 bytes at the end of sockaddr_can structure)
+    
+    Signed-off-by: Eric Dumazet <eric.dumazet at gmail.com>
+    Acked-by: Oliver Hartkopp <oliver at hartkopp.net>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/can/raw.c b/net/can/raw.c
+index f4cc445..db3152d 100644
+--- a/net/can/raw.c
++++ b/net/can/raw.c
+@@ -401,6 +401,7 @@ static int raw_getname(struct socket *sock, struct sockaddr *uaddr,
+ 	if (peer)
+ 		return -EOPNOTSUPP;
+ 
++	memset(addr, 0, sizeof(*addr));
+ 	addr->can_family  = AF_CAN;
+ 	addr->can_ifindex = ro->ifindex;
+ 
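Review bot: The added `memset(addr, 0, sizeof(*addr));` has no comment, and because `can_family` and `can_ifindex` are assigned right after it, it reads like redundant initialisation that a later cleanup could remove. A one-line comment above it would keep the reason from the commit message next to the code, for example `/* zero padding and unused trailing bytes so they are not leaked to user space */`. The same applies to the memsets added in the econet, irda and rose patches in this revision, whose commit messages do not say which bytes were exposed. `raw_getname()` starts before and continues past the hunk.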

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/econet-fix-econet_getname-leak.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/econet-fix-econet_getname-leak.patch	Thu Oct  8 06:23:50 2009	(r14352)
@@ -0,0 +1,23 @@
+commit 80922bbb12a105f858a8f0abb879cb4302d0ecaa
+Author: Eric Dumazet <eric.dumazet at gmail.com>
+Date:   Thu Aug 6 03:48:36 2009 +0000
+
+    econet: Fix econet_getname() leak
+    
+    econet_getname() can leak kernel memory to user.
+    
+    Signed-off-by: Eric Dumazet <eric.dumazet at gmail.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/econet/af_econet.c b/net/econet/af_econet.c
+index 2e1f836..f0bbc57 100644
+--- a/net/econet/af_econet.c
++++ b/net/econet/af_econet.c
+@@ -520,6 +520,7 @@ static int econet_getname(struct socket *sock, struct sockaddr *uaddr,
+ 	if (peer)
+ 		return -EOPNOTSUPP;
+ 
++	memset(sec, 0, sizeof(*sec));
+ 	mutex_lock(&econet_mutex);
+ 
+ 	sk = sock->sk;

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/irda-fix-irda_getname-leak.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/irda-fix-irda_getname-leak.patch	Thu Oct  8 06:23:50 2009	(r14352)
@@ -0,0 +1,23 @@
+commit 09384dfc76e526c3993c09c42e016372dc9dd22c
+Author: Eric Dumazet <eric.dumazet at gmail.com>
+Date:   Thu Aug 6 03:55:04 2009 +0000
+
+    irda: Fix irda_getname() leak
+    
+    irda_getname() can leak kernel memory to user.
+    
+    Signed-off-by: Eric Dumazet <eric.dumazet at gmail.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
+index cb762c8..3ec2b43 100644
+--- a/net/irda/af_irda.c
++++ b/net/irda/af_irda.c
+@@ -714,6 +714,7 @@ static int irda_getname(struct socket *sock, struct sockaddr *uaddr,
+ 	struct sock *sk = sock->sk;
+ 	struct irda_sock *self = irda_sk(sk);
+ 
++	memset(&saddr, 0, sizeof(saddr));
+ 	if (peer) {
+ 		if (sk->sk_state != TCP_ESTABLISHED)
+ 			return -ENOTCONN;

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/netrom-fix-nr_getname-leak.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/netrom-fix-nr_getname-leak.patch	Thu Oct  8 06:23:50 2009	(r14352)
@@ -0,0 +1,23 @@
+commit f6b97b29513950bfbf621a83d85b6f86b39ec8db
+Author: Eric Dumazet <eric.dumazet at gmail.com>
+Date:   Thu Aug 6 03:31:07 2009 +0000
+
+    netrom: Fix nr_getname() leak
+    
+    nr_getname() can leak kernel memory to user.
+    
+    Signed-off-by: Eric Dumazet <eric.dumazet at gmail.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
+index ce51ce0..ce1a34b 100644
+--- a/net/netrom/af_netrom.c
++++ b/net/netrom/af_netrom.c
+@@ -847,6 +847,7 @@ static int nr_getname(struct socket *sock, struct sockaddr *uaddr,
+ 		sax->fsa_ax25.sax25_family = AF_NETROM;
+ 		sax->fsa_ax25.sax25_ndigis = 1;
+ 		sax->fsa_ax25.sax25_call   = nr->user_addr;
++		memset(sax->fsa_digipeater, 0, sizeof(sax->fsa_digipeater));
+ 		sax->fsa_digipeater[0]     = nr->dest_addr;
+ 		*uaddr_len = sizeof(struct full_sockaddr_ax25);
+ 	} else {
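Review bot: The added `memset` in the peer branch clears only `fsa_digipeater`, so any padding inside `sax->fsa_ax25` is still returned as it was, and the `else` branch that opens on the last line of the hunk gets no zeroing from this change. The other four patches in this revision zero the whole address structure before filling it, whereas here `fsa_ax25` is only touched by the member assignments to `sax25_family`, `sax25_ndigis` and `sax25_call`. If `struct sockaddr_ax25` has a hole between its members (its definition is not shown here, so confirm against the header), zeroing it ahead of the branch would cover both paths: `memset(&sax->fsa_ax25, 0, sizeof(sax->fsa_ax25));`. `nr_getname()` starts before and ends after the hunk, so the exact placement needs checking against the full function.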

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/rose-fix-rose_getname-leak.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/rose-fix-rose_getname-leak.patch	Thu Oct  8 06:23:50 2009	(r14352)
@@ -0,0 +1,23 @@
+commit 17ac2e9c58b69a1e25460a568eae1b0dc0188c25
+Author: Eric Dumazet <eric.dumazet at gmail.com>
+Date:   Thu Aug 6 03:34:06 2009 +0000
+
+    rose: Fix rose_getname() leak
+    
+    rose_getname() can leak kernel memory to user.
+    
+    Signed-off-by: Eric Dumazet <eric.dumazet at gmail.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
+index f0a76f6..e5f478c 100644
+--- a/net/rose/af_rose.c
++++ b/net/rose/af_rose.c
+@@ -954,6 +954,7 @@ static int rose_getname(struct socket *sock, struct sockaddr *uaddr,
+ 	struct rose_sock *rose = rose_sk(sk);
+ 	int n;
+ 
++	memset(srose, 0, sizeof(*srose));
+ 	if (peer != 0) {
+ 		if (sk->sk_state != TCP_ESTABLISHED)
+ 			return -ENOTCONN;

Modified: dists/lenny-security/linux-2.6/debian/patches/series/19lenny1
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/19lenny1	Thu Oct  8 06:07:39 2009	(r14351)
+++ dists/lenny-security/linux-2.6/debian/patches/series/19lenny1	Thu Oct  8 06:23:50 2009	(r14352)
@@ -7,3 +7,8 @@
 + bugfix/all/security-seperate-lsm-specific-mmap_min_addr.patch
 + bugfix/all/security-define-round_hint_to_min-when-CONFIG_SECURITY-is-off.patch
 + bugfix/all/net-llc-zero-sockaddr_llc-struct.patch
++ bugfix/all/irda-fix-irda_getname-leak.patch
++ bugfix/all/rose-fix-rose_getname-leak.patch
++ bugfix/all/econet-fix-econet_getname-leak.patch
++ bugfix/all/can-fix-raw_getname-leak.patch
++ bugfix/all/netrom-fix-nr_getname-leak.patch


