[kernel] r16581 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Sun Nov 21 00:38:20 UTC 2010


Author: dannf
Date: Sun Nov 21 00:38:14 2010
New Revision: 16581

Log:
net: tipc: fix information leak to userland (CVE-2010-3877)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/net-tipc-fix-information-leak-to-userland.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/25lenny2

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Sun Nov 21 00:19:36 2010	(r16580)
+++ dists/lenny-security/linux-2.6/debian/changelog	Sun Nov 21 00:38:14 2010	(r16581)
@@ -26,6 +26,7 @@
   * net: ax25: fix information leak to userland (CVE-2010-3875)
   * can-bcm: fix minor heap overflow (CVE-2010-3874)
   * net: packet: fix information leak to userland (CVE-2010-3876)
+  * net: tipc: fix information leak to userland (CVE-2010-3877)
 
  -- dann frazier <dannf at debian.org>  Thu, 30 Sep 2010 21:42:24 -0600
 

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/net-tipc-fix-information-leak-to-userland.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/net-tipc-fix-information-leak-to-userland.patch	Sun Nov 21 00:38:14 2010	(r16581)
@@ -0,0 +1,25 @@
+commit cff130bf33f85cc3ab24f6584feaa227048c0738
+Author: Kulikov Vasiliy <segooon at gmail.com>
+Date:   Sun Oct 31 07:10:32 2010 +0000
+
+    net: tipc: fix information leak to userland
+    
+    Structure sockaddr_tipc is copied to userland with padding bytes after
+    "id" field in union field "name" unitialized.  It leads to leaking of
+    contents of kernel stack memory.  We have to initialize them to zero.
+    
+    Signed-off-by: Vasiliy Kulikov <segooon at gmail.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/tipc/socket.c b/net/tipc/socket.c
+index 230f9ca..296e28a 100644
+--- a/net/tipc/socket.c
++++ b/net/tipc/socket.c
+@@ -390,6 +390,7 @@ static int get_name(struct socket *sock, struct sockaddr *uaddr,
+ 	u32 portref = tipc_sk_port(sock->sk)->ref;
+ 	u32 res;
+ 
++	memset(addr, 0, sizeof(*addr));
+ 	if (peer) {
+ 		res = tipc_peer(portref, &addr->addr.id);
+ 		if (res)
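Review bot: the `memset(addr, 0, sizeof(*addr));` added ahead of `if (peer)` in get_name() has no comment. Because the following lines fill the structure in (`tipc_peer(portref, &addr->addr.id)` is visible in the context), the call looks redundant and is easy to drop in a later cleanup. Suggest a one-line comment saying it clears the padding after "id" in the "name" union, as the commit message explains, so the reason stays with the code. The placement itself is right: clearing the whole structure before the branch covers both the peer and non-peer paths and the `if (res)` error path. It also does not depend on knowing the exact padding layout, which a field-by-field initialisation would.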

Modified: dists/lenny-security/linux-2.6/debian/patches/series/25lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/25lenny2	Sun Nov 21 00:19:36 2010	(r16580)
+++ dists/lenny-security/linux-2.6/debian/patches/series/25lenny2	Sun Nov 21 00:38:14 2010	(r16581)
@@ -21,3 +21,4 @@
 + bugfix/all/net-limit-socket-io-iovec-total-length-to-INT_MAX.patch
 + bugfix/all/net-ax25-fix-information-leak-to-userland.patch
 + bugfix/all/can-bcm-fix-minor-heap-overflow.patch
++ bugfix/all/net-tipc-fix-information-leak-to-userland.patch
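Review bot: the new series line follows can-bcm-fix-minor-heap-overflow.patch directly, but the changelog context in this same revision lists "net: packet: fix information leak to userland (CVE-2010-3876)" between the can-bcm entry and the new tipc entry. No net-packet patch appears in the three context lines here. Please confirm that patch is listed earlier in 25lenny2 and was not dropped from the series, since a changelog entry without a matching series line would claim a fix the build does not apply.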


