[kernel] r16578 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Sat Nov 20 23:13:42 UTC 2010
Author: dannf
Date: Sat Nov 20 23:13:40 2010
New Revision: 16578
Log:
net: ax25: fix information leak to userland (CVE-2010-3875)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/net-ax25-fix-information-leak-to-userland.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/25lenny2
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Sat Nov 20 21:39:36 2010 (r16577)
+++ dists/lenny-security/linux-2.6/debian/changelog Sat Nov 20 23:13:40 2010 (r16578)
@@ -23,6 +23,7 @@
- Truncate recvfrom and sendto length to INT_MAX.
- Limit socket I/O iovec total length to INT_MAX.
- Resolves kernel heap overflow in the TIPC protcol (CVE-2010-3859)
+ * net: ax25: fix information leak to userland (CVE-2010-3875)
-- dann frazier <dannf at debian.org> Thu, 30 Sep 2010 21:42:24 -0600
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/net-ax25-fix-information-leak-to-userland.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/net-ax25-fix-information-leak-to-userland.patch Sat Nov 20 23:13:40 2010 (r16578)
@@ -0,0 +1,34 @@
+commit 4b162edbd50eafb140fb25446822974ae611344f
+Author: Vasiliy Kulikov <segooon at gmail.com>
+Date: Wed Nov 10 10:14:33 2010 -0800
+
+ net: ax25: fix information leak to userland
+
+ Sometimes ax25_getname() doesn't initialize all members of fsa_digipeater
+ field of fsa struct, also the struct has padding bytes between
+ sax25_call and sax25_ndigis fields. This structure is then copied to
+ userland. It leads to leaking of contents of kernel stack memory.
+
+ Signed-off-by: Vasiliy Kulikov <segooon at gmail.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
+index 3c10a11..1fa11ab 100644
+--- a/net/ax25/af_ax25.c
++++ b/net/ax25/af_ax25.c
+@@ -1385,6 +1385,7 @@ static int ax25_getname(struct socket *sock, struct sockaddr *uaddr,
+ ax25_cb *ax25;
+ int err = 0;
+
++ memset(fsa, 0, sizeof(fsa));
+ lock_sock(sk);
+ ax25 = ax25_sk(sk);
+
+@@ -1396,7 +1397,6 @@ static int ax25_getname(struct socket *sock, struct sockaddr *uaddr,
+
+ fsa->fsa_ax25.sax25_family = AF_AX25;
+ fsa->fsa_ax25.sax25_call = ax25->dest_addr;
+- fsa->fsa_ax25.sax25_ndigis = 0;
+
+ if (ax25->digipeat != NULL) {
+ ndigi = ax25->digipeat->ndigi;
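Review bot: the added `memset(fsa, 0, sizeof(fsa));` in the first af_ax25.c hunk takes the size of a pointer, not of the structure. `fsa` is dereferenced with `->` a few lines later (`fsa->fsa_ax25.sax25_family = AF_AX25;`), so `sizeof(fsa)` is the pointer width and only the first few bytes of the structure are cleared. The padding and the unset fsa_digipeater entries described in the commit message remain uninitialized stack data. Use `sizeof(*fsa)` so the whole structure is zeroed before `lock_sock(sk)`. The second hunk also removes `fsa->fsa_ax25.sax25_ndigis = 0;`, which relies on the memset reaching that field. A pointer-sized memset does not guarantee that, so either keep the explicit assignment or correct the size in the same patch.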
Modified: dists/lenny-security/linux-2.6/debian/patches/series/25lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/25lenny2 Sat Nov 20 21:39:36 2010 (r16577)
+++ dists/lenny-security/linux-2.6/debian/patches/series/25lenny2 Sat Nov 20 23:13:40 2010 (r16578)
@@ -19,3 +19,4 @@
+ bugfix/all/v4l1-fix-compat-microcode-loading-translation.patch
+ bugfix/all/net-truncate-recvfrom-and-sendto-length-to-INT_MAX.patch
+ bugfix/all/net-limit-socket-io-iovec-total-length-to-INT_MAX.patch
++ bugfix/all/net-ax25-fix-information-leak-to-userland.patch