[kernel] r17194 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Mon Apr 4 01:28:52 UTC 2011


Author: dannf
Date: Mon Apr  4 01:28:43 2011
New Revision: 17194

Log:
bridge: netfilter: fix information leak (CVE-2011-1080)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/bridge-netfilter-fix-information-leak.patch
      - copied unchanged from r17187, dists/squeeze/linux-2.6/debian/patches/bugfix/all/bridge-netfilter-fix-information-leak.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/26lenny3

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Mon Apr  4 01:22:55 2011	(r17193)
+++ dists/lenny-security/linux-2.6/debian/changelog	Mon Apr  4 01:28:43 2011	(r17194)
@@ -8,6 +8,7 @@
   * ldm: corrupted partition table can cause kernel oops (CVE-2011-1012)
   * Bluetooth: sco: fix information leak to userspace (CVE-2011-1078)
   * Bluetooth: bnep: fix buffer overflow (CVE-2011-1079)
+  * bridge: netfilter: fix information leak (CVE-2011-1080)
 
  -- dann frazier <dannf at debian.org>  Wed, 30 Mar 2011 22:46:26 -0600
 

Copied: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/bridge-netfilter-fix-information-leak.patch (from r17187, dists/squeeze/linux-2.6/debian/patches/bugfix/all/bridge-netfilter-fix-information-leak.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/bridge-netfilter-fix-information-leak.patch	Mon Apr  4 01:28:43 2011	(r17194, copy of r17187, dists/squeeze/linux-2.6/debian/patches/bugfix/all/bridge-netfilter-fix-information-leak.patch)
@@ -0,0 +1,28 @@
+commit d846f71195d57b0bbb143382647c2c6638b04c5a
+Author: Vasiliy Kulikov <segoon at openwall.com>
+Date:   Mon Feb 14 16:49:23 2011 +0100
+
+    bridge: netfilter: fix information leak
+    
+    Struct tmp is copied from userspace.  It is not checked whether the "name"
+    field is NULL terminated.  This may lead to buffer overflow and passing
+    contents of kernel stack as a module name to try_then_request_module() and,
+    consequently, to modprobe commandline.  It would be seen by all userspace
+    processes.
+    
+    Signed-off-by: Vasiliy Kulikov <segoon at openwall.com>
+    Signed-off-by: Patrick McHardy <kaber at trash.net>
+
+diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
+index 5f1825d..893669c 100644
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -1107,6 +1107,8 @@ static int do_replace(struct net *net, const void __user *user,
+ 	if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
+ 		return -ENOMEM;
+ 
++	tmp.name[sizeof(tmp.name) - 1] = 0;
++
+ 	countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
+ 	newinfo = vmalloc(sizeof(*newinfo) + countersize);
+ 	if (!newinfo)
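Review bot: The added `tmp.name[sizeof(tmp.name) - 1] = 0;` in do_replace() silently truncates a name that userspace supplied without a terminator, where rejecting the request would be stricter. Consider returning -EINVAL when no NUL is found within sizeof(tmp.name) (for example with strnlen), so a malformed request fails instead of continuing with a truncated name that, per the commit message, is passed on to try_then_request_module(). The commit message describes the problem as a property of the struct copied from userspace, and this hunk covers do_replace() only, so it is worth confirming that any other ebtables handler that copies a name field from userspace before a lookup gets the same termination. A short comment above the assignment saying why the last byte is forced would help later readers.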

Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny3
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny3	Mon Apr  4 01:22:55 2011	(r17193)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny3	Mon Apr  4 01:28:43 2011	(r17194)
@@ -6,3 +6,4 @@
 + bugfix/all/ldm-corrupted-partition-table-can-cause-kernel-oops.patch
 + bugfix/all/bluetooth-sco-fix-information-leak-to-userspace.patch
 + bugfix/all/bluetooth-bnep-fix-buffer-overflow.patch
++ bugfix/all/bridge-netfilter-fix-information-leak.patch
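Review bot: The new series entry pulls in a patch that was copied unchanged from the squeeze branch (r17187), so its hunk header (`@@ -1107,6 +1107,8 @@`, `do_replace(struct net *net, ...)`) and index hashes describe that tree rather than lenny's. Confirm that it applies to the lenny source without fuzz hiding a misplacement, that is, that the assignment lands after tmp has been copied in and before the name is first used. If the surrounding context differs, refresh the patch for this branch instead of sharing the squeeze copy.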
