[kernel] r17194 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Mon Apr 4 01:28:52 UTC 2011
Author: dannf
Date: Mon Apr 4 01:28:43 2011
New Revision: 17194
Log:
bridge: netfilter: fix information leak (CVE-2011-1080)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/bridge-netfilter-fix-information-leak.patch
- copied unchanged from r17187, dists/squeeze/linux-2.6/debian/patches/bugfix/all/bridge-netfilter-fix-information-leak.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/26lenny3
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Mon Apr 4 01:22:55 2011 (r17193)
+++ dists/lenny-security/linux-2.6/debian/changelog Mon Apr 4 01:28:43 2011 (r17194)
@@ -8,6 +8,7 @@
* ldm: corrupted partition table can cause kernel oops (CVE-2011-1012)
* Bluetooth: sco: fix information leak to userspace (CVE-2011-1078)
* Bluetooth: bnep: fix buffer overflow (CVE-2011-1079)
+ * bridge: netfilter: fix information leak (CVE-2011-1080)
-- dann frazier <dannf at debian.org> Wed, 30 Mar 2011 22:46:26 -0600
Copied: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/bridge-netfilter-fix-information-leak.patch (from r17187, dists/squeeze/linux-2.6/debian/patches/bugfix/all/bridge-netfilter-fix-information-leak.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/bridge-netfilter-fix-information-leak.patch Mon Apr 4 01:28:43 2011 (r17194, copy of r17187, dists/squeeze/linux-2.6/debian/patches/bugfix/all/bridge-netfilter-fix-information-leak.patch)
@@ -0,0 +1,28 @@
+commit d846f71195d57b0bbb143382647c2c6638b04c5a
+Author: Vasiliy Kulikov <segoon at openwall.com>
+Date: Mon Feb 14 16:49:23 2011 +0100
+
+ bridge: netfilter: fix information leak
+
+ Struct tmp is copied from userspace. It is not checked whether the "name"
+ field is NULL terminated. This may lead to buffer overflow and passing
+ contents of kernel stack as a module name to try_then_request_module() and,
+ consequently, to modprobe commandline. It would be seen by all userspace
+ processes.
+
+ Signed-off-by: Vasiliy Kulikov <segoon at openwall.com>
+ Signed-off-by: Patrick McHardy <kaber at trash.net>
+
+diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
+index 5f1825d..893669c 100644
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -1107,6 +1107,8 @@ static int do_replace(struct net *net, const void __user *user,
+ if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
+ return -ENOMEM;
+
++ tmp.name[sizeof(tmp.name) - 1] = 0;
++
+ countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
+ newinfo = vmalloc(sizeof(*newinfo) + countersize);
+ if (!newinfo)
Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny3
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny3 Mon Apr 4 01:22:55 2011 (r17193)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny3 Mon Apr 4 01:28:43 2011 (r17194)
@@ -6,3 +6,4 @@
+ bugfix/all/ldm-corrupted-partition-table-can-cause-kernel-oops.patch
+ bugfix/all/bluetooth-sco-fix-information-leak-to-userspace.patch
+ bugfix/all/bluetooth-bnep-fix-buffer-overflow.patch
++ bugfix/all/bridge-netfilter-fix-information-leak.patch
More information about the Kernel-svn-changes
mailing list