[kernel] r17193 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Mon Apr 4 01:22:57 UTC 2011
Author: dannf
Date: Mon Apr 4 01:22:55 2011
New Revision: 17193
Log:
Bluetooth: bnep: fix buffer overflow (CVE-2011-1079)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/bluetooth-bnep-fix-buffer-overflow.patch
- copied unchanged from r17187, dists/squeeze/linux-2.6/debian/patches/bugfix/all/bluetooth-bnep-fix-buffer-overflow.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/26lenny3
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Mon Apr 4 01:20:18 2011 (r17192)
+++ dists/lenny-security/linux-2.6/debian/changelog Mon Apr 4 01:22:55 2011 (r17193)
@@ -7,6 +7,7 @@
* fs/partitions: Validate map_count in Mac partition tables (CVE-2011-1010)
* ldm: corrupted partition table can cause kernel oops (CVE-2011-1012)
* Bluetooth: sco: fix information leak to userspace (CVE-2011-1078)
+ * Bluetooth: bnep: fix buffer overflow (CVE-2011-1079)
-- dann frazier <dannf at debian.org> Wed, 30 Mar 2011 22:46:26 -0600
Copied: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/bluetooth-bnep-fix-buffer-overflow.patch (from r17187, dists/squeeze/linux-2.6/debian/patches/bugfix/all/bluetooth-bnep-fix-buffer-overflow.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/bluetooth-bnep-fix-buffer-overflow.patch Mon Apr 4 01:22:55 2011 (r17193, copy of r17187, dists/squeeze/linux-2.6/debian/patches/bugfix/all/bluetooth-bnep-fix-buffer-overflow.patch)
@@ -0,0 +1,26 @@
+commit 43629f8f5ea32a998d06d1bb41eefa0e821ff573
+Author: Vasiliy Kulikov <segoon at openwall.com>
+Date: Mon Feb 14 13:54:31 2011 +0300
+
+ Bluetooth: bnep: fix buffer overflow
+
+ Struct ca is copied from userspace. It is not checked whether the "device"
+ field is NULL terminated. This potentially leads to BUG() inside of
+ alloc_netdev_mqs() and/or information leak by creating a device with a name
+ made of contents of kernel stack.
+
+ Signed-off-by: Vasiliy Kulikov <segoon at openwall.com>
+ Signed-off-by: Gustavo F. Padovan <padovan at profusion.mobi>
+
+diff --git a/net/bluetooth/bnep/sock.c b/net/bluetooth/bnep/sock.c
+index 2862f53..d935da7 100644
+--- a/net/bluetooth/bnep/sock.c
++++ b/net/bluetooth/bnep/sock.c
+@@ -88,6 +88,7 @@ static int bnep_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long
+ sockfd_put(nsock);
+ return -EBADFD;
+ }
++ ca.device[sizeof(ca.device)-1] = 0;
+
+ err = bnep_add_connection(&ca, nsock);
+ if (!err) {
Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny3
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny3 Mon Apr 4 01:20:18 2011 (r17192)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny3 Mon Apr 4 01:22:55 2011 (r17193)
@@ -5,3 +5,4 @@
+ bugfix/all/fs-partitions-Validate-map_count-in-Mac-partition-tables.patch
+ bugfix/all/ldm-corrupted-partition-table-can-cause-kernel-oops.patch
+ bugfix/all/bluetooth-sco-fix-information-leak-to-userspace.patch
++ bugfix/all/bluetooth-bnep-fix-buffer-overflow.patch
More information about the Kernel-svn-changes
mailing list