[kernel] r17201 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Mon Apr 4 02:42:19 UTC 2011


Author: dannf
Date: Mon Apr  4 02:42:16 2011
New Revision: 17201

Log:
econet: 4 byte infoleak to the network (CVE-2011-1173)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/econet-4-byte-infoleak-to-the-network.patch
      - copied unchanged from r17187, dists/squeeze/linux-2.6/debian/patches/bugfix/all/econet-4-byte-infoleak-to-the-network.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/26lenny3

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Mon Apr  4 02:40:32 2011	(r17200)
+++ dists/lenny-security/linux-2.6/debian/changelog	Mon Apr  4 02:42:16 2011	(r17201)
@@ -16,6 +16,7 @@
   * netfilter: arp_tables: fix infoleak to userspace (CVE-2011-1170)
   * netfilter: ip_tables: fix infoleak to userspace (CVE-2011-1171)
   * ipv6: netfilter: ip6_tables: fix infoleak to userspace (CVE-2011-1172)
+  * econet: 4 byte infoleak to the network (CVE-2011-1173)
 
  -- dann frazier <dannf at debian.org>  Wed, 30 Mar 2011 22:46:26 -0600
 

Copied: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/econet-4-byte-infoleak-to-the-network.patch (from r17187, dists/squeeze/linux-2.6/debian/patches/bugfix/all/econet-4-byte-infoleak-to-the-network.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/econet-4-byte-infoleak-to-the-network.patch	Mon Apr  4 02:42:16 2011	(r17201, copy of r17187, dists/squeeze/linux-2.6/debian/patches/bugfix/all/econet-4-byte-infoleak-to-the-network.patch)
@@ -0,0 +1,33 @@
+commit 67c5c6cb8129c595f21e88254a3fc6b3b841ae8e
+Author: Vasiliy Kulikov <segoon at openwall.com>
+Date:   Thu Mar 17 01:40:10 2011 +0000
+
+    econet: 4 byte infoleak to the network
+    
+    struct aunhdr has 4 padding bytes between 'pad' and 'handle' fields on
+    x86_64.  These bytes are not initialized in the variable 'ah' before
+    sending 'ah' to the network.  This leads to 4 bytes kernel stack
+    infoleak.
+    
+    This bug was introduced before the git epoch.
+    
+    Signed-off-by: Vasiliy Kulikov <segoon at openwall.com>
+    Acked-by: Phil Blundell <philb at gnu.org>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/econet/af_econet.c b/net/econet/af_econet.c
+index 0c28263..116d3fd 100644
+--- a/net/econet/af_econet.c
++++ b/net/econet/af_econet.c
+@@ -435,10 +435,10 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
+ 		udpdest.sin_addr.s_addr = htonl(network | addr.station);
+ 	}
+ 
++	memset(&ah, 0, sizeof(ah));
+ 	ah.port = port;
+ 	ah.cb = cb & 0x7f;
+ 	ah.code = 2;		/* magic */
+-	ah.pad = 0;
+ 
+ 	/* tack our header on the front of the iovec */
+ 	size = sizeof(struct aunhdr);
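Review bot: The `memset(&ah, 0, sizeof(ah));` that replaces `ah.pad = 0;` carries no comment, so nothing in econet_sendmsg() records that its purpose is to clear compiler-inserted padding before `ah` is sent to the network. A one-line comment above the memset, saying that it zeroes the padding between 'pad' and 'handle', would keep a later cleanup from reverting to per-field initialisation. The commit message also implies that `sizeof(struct aunhdr)`, used as the header length just below, depends on the ABI; making the padding an explicit field of the struct would fix the on-wire layout across architectures and is worth raising as a follow-up.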

Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny3
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny3	Mon Apr  4 02:40:32 2011	(r17200)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny3	Mon Apr  4 02:42:16 2011	(r17201)
@@ -15,3 +15,4 @@
 + bugfix/all/netfilter-arp_tables-fix-infoleak-to-userspace.patch
 + bugfix/all/netfilter-ip_tables-fix-infoleak-to-userspace.patch
 + bugfix/all/ipv6-netfilter-ip6_tables-fix-infoleak-to-userspace.patch
++ bugfix/all/econet-4-byte-infoleak-to-the-network.patch
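Review bot: The series entry added at the end of 26lenny3 pulls in a patch that was copied unchanged from the squeeze tree, and the embedded hunk header targets line 435 of net/econet/af_econet.c. Confirm that it applies to the lenny source without fuzz and that the memset lands in econet_sendmsg() before the first assignment to `ah`; if the context differs, refresh the patch for lenny instead of sharing the squeeze copy.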


