[kernel] r17193 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Mon Apr 4 01:22:57 UTC 2011 

Author: dannf
Date: Mon Apr  4 01:22:55 2011
New Revision: 17193

Log:
Bluetooth: bnep: fix buffer overflow (CVE-2011-1079)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/bluetooth-bnep-fix-buffer-overflow.patch
      - copied unchanged from r17187, dists/squeeze/linux-2.6/debian/patches/bugfix/all/bluetooth-bnep-fix-buffer-overflow.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/26lenny3

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Mon Apr  4 01:20:18 2011	(r17192)
+++ dists/lenny-security/linux-2.6/debian/changelog	Mon Apr  4 01:22:55 2011	(r17193)
@@ -7,6 +7,7 @@
   * fs/partitions: Validate map_count in Mac partition tables (CVE-2011-1010)
   * ldm: corrupted partition table can cause kernel oops (CVE-2011-1012)
   * Bluetooth: sco: fix information leak to userspace (CVE-2011-1078)
+  * Bluetooth: bnep: fix buffer overflow (CVE-2011-1079)
 
  -- dann frazier <dannf at debian.org>  Wed, 30 Mar 2011 22:46:26 -0600
 

Copied: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/bluetooth-bnep-fix-buffer-overflow.patch (from r17187, dists/squeeze/linux-2.6/debian/patches/bugfix/all/bluetooth-bnep-fix-buffer-overflow.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/bluetooth-bnep-fix-buffer-overflow.patch	Mon Apr  4 01:22:55 2011	(r17193, copy of r17187, dists/squeeze/linux-2.6/debian/patches/bugfix/all/bluetooth-bnep-fix-buffer-overflow.patch)
@@ -0,0 +1,26 @@
+commit 43629f8f5ea32a998d06d1bb41eefa0e821ff573
+Author: Vasiliy Kulikov <segoon at openwall.com>
+Date:   Mon Feb 14 13:54:31 2011 +0300
+
+    Bluetooth: bnep: fix buffer overflow
+    
+    Struct ca is copied from userspace.  It is not checked whether the "device"
+    field is NULL terminated.  This potentially leads to BUG() inside of
+    alloc_netdev_mqs() and/or information leak by creating a device with a name
+    made of contents of kernel stack.
+    
+    Signed-off-by: Vasiliy Kulikov <segoon at openwall.com>
+    Signed-off-by: Gustavo F. Padovan <padovan at profusion.mobi>
+
+diff --git a/net/bluetooth/bnep/sock.c b/net/bluetooth/bnep/sock.c
+index 2862f53..d935da7 100644
+--- a/net/bluetooth/bnep/sock.c
++++ b/net/bluetooth/bnep/sock.c
+@@ -88,6 +88,7 @@ static int bnep_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long
+ 			sockfd_put(nsock);
+ 			return -EBADFD;
+ 		}
++		ca.device[sizeof(ca.device)-1] = 0;
+ 
+ 		err = bnep_add_connection(&ca, nsock);
+ 		if (!err) {

Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny3
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny3	Mon Apr  4 01:20:18 2011	(r17192)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny3	Mon Apr  4 01:22:55 2011	(r17193)
@@ -5,3 +5,4 @@
 + bugfix/all/fs-partitions-Validate-map_count-in-Mac-partition-tables.patch
 + bugfix/all/ldm-corrupted-partition-table-can-cause-kernel-oops.patch
 + bugfix/all/bluetooth-sco-fix-information-leak-to-userspace.patch
++ bugfix/all/bluetooth-bnep-fix-buffer-overflow.patch

More information about the Kernel-svn-changes mailing list