[kernel] r15557 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Tue Apr 27 05:35:23 UTC 2010
Author: dannf
Date: Tue Apr 27 05:35:18 2010
New Revision: 15557
Log:
dvb-core: Fix DoS bug in ULE decapsulation code that can be triggered
by an invalid Payload Pointer (CVE-2010-1086)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/dvb-core-fix-dos-in-ule-decapsulation.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/21lenny5
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Tue Apr 27 05:32:20 2010 (r15556)
+++ dists/lenny-security/linux-2.6/debian/changelog Tue Apr 27 05:35:18 2010 (r15557)
@@ -4,6 +4,8 @@
* USB: usbfs: only copy the actual data received (CVE-2010-1083)
* GFS2: Skip check for mandatory locks when unlocking (CVE-2010-0727)
* Bluetooth: Fix potential bad memory access with sysfs files (CVE-2010-1084)
+ * dvb-core: Fix DoS bug in ULE decapsulation code that can be triggered
+ by an invalid Payload Pointer (CVE-2010-1086)
[ Ben Hutchings ]
* [x86] KVM: disable paravirt mmu reporting (Closes: #573071) (regressed
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/dvb-core-fix-dos-in-ule-decapsulation.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/dvb-core-fix-dos-in-ule-decapsulation.patch Tue Apr 27 05:35:18 2010 (r15557)
@@ -0,0 +1,40 @@
+commit ea3da36299bd775ff09528f6b6767893de487c39
+Author: Ang Way Chuang <wcang79 at gmail.com>
+Date: Thu Feb 25 09:45:03 2010 +0800
+
+ dvb-core: Fix DoS bug in ULE decapsulation code that can be triggered by an invalid Payload Pointer
+
+ ULE (Unidirectional Lightweight Encapsulation RFC 4326) decapsulation
+ has a bug that causes endless loop when Payload Pointer of MPEG2-TS
+ frame is 182 or 183. Anyone who sends malicious MPEG2-TS frame will
+ cause the receiver of ULE SNDU to go into endless loop.
+
+ This patch was generated and tested against linux-2.6.32.9 and should
+ apply cleanly to linux-2.6.33 as well because there was only one typo
+ fix to dvb_net.c since v2.6.32.
+
+ This bug was brought to you by modern day Santa Claus who decided to
+ shower the satellite dish at Keio University with heavy snow causing
+ huge burst of errors. We, receiver end, received Santa Claus's gift in
+ the form of kernel bug.
+
+ Care has been taken not to introduce more bug by fixing this bug, but
+ please scrutinize the code for I always produces buggy code.
+
+ Signed-off-by: Ang Way Chuang <wcang79 at gmail.com>
+ Acked-by: Mauro Carvalho Chehab <mchehab at redhat.com>
+ Cc: stable at kernel.org
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/drivers/media/dvb/dvb-core/dvb_net.c b/drivers/media/dvb/dvb-core/dvb_net.c
+index c2334ae..155ef76 100644
+--- a/drivers/media/dvb/dvb-core/dvb_net.c
++++ b/drivers/media/dvb/dvb-core/dvb_net.c
+@@ -504,6 +504,7 @@ static void dvb_net_ule( struct net_device *dev, const u8 *buf, size_t buf_len )
+ "bytes left in TS. Resyncing.\n", ts_remain);
+ priv->ule_sndu_len = 0;
+ priv->need_pusi = 1;
++ ts += TS_SZ;
+ continue;
+ }
+
Modified: dists/lenny-security/linux-2.6/debian/patches/series/21lenny5
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/21lenny5 Tue Apr 27 05:32:20 2010 (r15556)
+++ dists/lenny-security/linux-2.6/debian/patches/series/21lenny5 Tue Apr 27 05:35:18 2010 (r15557)
@@ -5,3 +5,4 @@
+ bugfix/all/r8169-offical-fix-for-cve-2009-4537-overlength-frame-dmas.patch
+ bugfix/all/r8169-clean-up-my-printk-uglyness.patch
+ bugfix/all/bluetooth-fix-potential-bad-memory-access-with-sysfs-files.patch
++ bugfix/all/dvb-core-fix-dos-in-ule-decapsulation.patch
More information about the Kernel-svn-changes
mailing list