[kernel] r17192 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Mon Apr 4 01:20:22 UTC 2011 

Author: dannf
Date: Mon Apr  4 01:20:18 2011
New Revision: 17192

Log:
Bluetooth: sco: fix information leak to userspace (CVE-2011-1078)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/bluetooth-sco-fix-information-leak-to-userspace.patch
      - copied unchanged from r17187, dists/squeeze/linux-2.6/debian/patches/bugfix/all/bluetooth-sco-fix-information-leak-to-userspace.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/26lenny3

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Mon Apr  4 01:04:35 2011	(r17191)
+++ dists/lenny-security/linux-2.6/debian/changelog	Mon Apr  4 01:20:18 2011	(r17192)
@@ -6,6 +6,7 @@
   * [s390] remove task_show_regs (CVE-2011-0710)
   * fs/partitions: Validate map_count in Mac partition tables (CVE-2011-1010)
   * ldm: corrupted partition table can cause kernel oops (CVE-2011-1012)
+  * Bluetooth: sco: fix information leak to userspace (CVE-2011-1078)
 
  -- dann frazier <dannf at debian.org>  Wed, 30 Mar 2011 22:46:26 -0600
 

Copied: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/bluetooth-sco-fix-information-leak-to-userspace.patch (from r17187, dists/squeeze/linux-2.6/debian/patches/bugfix/all/bluetooth-sco-fix-information-leak-to-userspace.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/bluetooth-sco-fix-information-leak-to-userspace.patch	Mon Apr  4 01:20:18 2011	(r17192, copy of r17187, dists/squeeze/linux-2.6/debian/patches/bugfix/all/bluetooth-sco-fix-information-leak-to-userspace.patch)
@@ -0,0 +1,25 @@
+commit c4c896e1471aec3b004a693c689f60be3b17ac86
+Author: Vasiliy Kulikov <segoon at openwall.com>
+Date:   Mon Feb 14 13:54:26 2011 +0300
+
+    Bluetooth: sco: fix information leak to userspace
+    
+    struct sco_conninfo has one padding byte in the end.  Local variable
+    cinfo of type sco_conninfo is copied to userspace with this uninizialized
+    one byte, leading to old stack contents leak.
+    
+    Signed-off-by: Vasiliy Kulikov <segoon at openwall.com>
+    Signed-off-by: Gustavo F. Padovan <padovan at profusion.mobi>
+
+diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
+index 960c6d1..926ed39 100644
+--- a/net/bluetooth/sco.c
++++ b/net/bluetooth/sco.c
+@@ -703,6 +703,7 @@ static int sco_sock_getsockopt_old(struct socket *sock, int optname, char __user
+ 			break;
+ 		}
+ 
++		memset(&cinfo, 0, sizeof(cinfo));
+ 		cinfo.hci_handle = sco_pi(sk)->conn->hcon->handle;
+ 		memcpy(cinfo.dev_class, sco_pi(sk)->conn->hcon->dev_class, 3);
+ 

Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny3
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny3	Mon Apr  4 01:04:35 2011	(r17191)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny3	Mon Apr  4 01:20:18 2011	(r17192)
@@ -4,3 +4,4 @@
 + bugfix/s390/remove-task_show_regs.patch
 + bugfix/all/fs-partitions-Validate-map_count-in-Mac-partition-tables.patch
 + bugfix/all/ldm-corrupted-partition-table-can-cause-kernel-oops.patch
++ bugfix/all/bluetooth-sco-fix-information-leak-to-userspace.patch

More information about the Kernel-svn-changes mailing list