[kernel] r17906 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Thu Aug 11 06:12:28 UTC 2011


Author: dannf
Date: Thu Aug 11 06:12:26 2011
New Revision: 17906

Log:
Bluetooth: l2cap/rfcomm: fix 1 byte infoleak to userspace (CVE-2011-2492)

Added:
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/bluetooth-l2cap-and-rfcomm-fix-1-byte-infoleak-to-userspace.patch
Modified:
   dists/squeeze-security/linux-2.6/debian/changelog
   dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1

Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog	Thu Aug 11 06:04:25 2011	(r17905)
+++ dists/squeeze-security/linux-2.6/debian/changelog	Thu Aug 11 06:12:26 2011	(r17906)
@@ -4,6 +4,7 @@
   * net: Fix memory leak/corruption on VLAN GRO_DROP (CVE-2011-1576)
   * taskstats: don't allow duplicate entries in listener mode (CVE-2011-2484)
   * NLM: Don't hang forever on NLM unlock requests (CVE-2011-2491)
+  * Bluetooth: l2cap/rfcomm: fix 1 byte infoleak to userspace (CVE-2011-2492)
 
  -- dann frazier <dannf at debian.org>  Thu, 21 Jul 2011 00:31:53 -0600
 

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/bluetooth-l2cap-and-rfcomm-fix-1-byte-infoleak-to-userspace.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/bluetooth-l2cap-and-rfcomm-fix-1-byte-infoleak-to-userspace.patch	Thu Aug 11 06:12:26 2011	(r17906)
@@ -0,0 +1,38 @@
+commit 8d03e971cf403305217b8e62db3a2e5ad2d6263f
+Author: Filip Palian <s3810 at pjwstk.edu.pl>
+Date:   Thu May 12 19:32:46 2011 +0200
+
+    Bluetooth: l2cap and rfcomm: fix 1 byte infoleak to userspace.
+    
+    Structures "l2cap_conninfo" and "rfcomm_conninfo" have one padding
+    byte each. This byte in "cinfo" is copied to userspace uninitialized.
+    
+    Signed-off-by: Filip Palian <filip.palian at pjwstk.edu.pl>
+    Acked-by: Marcel Holtmann <marcel at holtmann.org>
+    Signed-off-by: Gustavo F. Padovan <padovan at profusion.mobi>
+    [dannf: backported to Debian's 2.6.32]
+
+diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c
+index 8d1c4a9..514aa8f 100644
+--- a/net/bluetooth/l2cap.c
++++ b/net/bluetooth/l2cap.c
+@@ -1886,6 +1886,7 @@ static int l2cap_sock_getsockopt_old(struct socket *sock, int optname, char __us
+ 			break;
+ 		}
+ 
++		memset(&cinfo, 0, sizeof(cinfo));
+ 		cinfo.hci_handle = l2cap_pi(sk)->conn->hcon->handle;
+ 		memcpy(cinfo.dev_class, l2cap_pi(sk)->conn->hcon->dev_class, 3);
+ 
+diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
+index 30a3649..1ae3f80 100644
+--- a/net/bluetooth/rfcomm/sock.c
++++ b/net/bluetooth/rfcomm/sock.c
+@@ -878,6 +878,7 @@ static int rfcomm_sock_getsockopt_old(struct socket *sock, int optname, char __u
+ 
+ 		l2cap_sk = rfcomm_pi(sk)->dlc->session->sock->sk;
+ 
++		memset(&cinfo, 0, sizeof(cinfo));
+ 		cinfo.hci_handle = l2cap_pi(l2cap_sk)->conn->hcon->handle;
+ 		memcpy(cinfo.dev_class, l2cap_pi(l2cap_sk)->conn->hcon->dev_class, 3);
+ 
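Review bot: The backport tag "[dannf: backported to Debian's 2.6.32]" at the end of the embedded commit message does not say what was adjusted relative to upstream commit 8d03e971cf403305217b8e62db3a2e5ad2d6263f. A reader auditing this later cannot tell whether only paths and offsets moved or whether a hunk was re-targeted or dropped. A few words after the tag, for example naming the files the hunks now apply to, would settle that. On the code, in both l2cap_sock_getsockopt_old and rfcomm_sock_getsockopt_old the added "memset(&cinfo, 0, sizeof(cinfo));" sits before the first field assignment, which is where it has to be. Clearing the whole structure is the right form here, because assigning the members one by one does not touch the padding byte the commit message describes. The three lines of context show only the cinfo case, so it is worth checking the other option cases in these two functions for any other stack structure that is copied to userspace without being fully initialised.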

Modified: dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1	Thu Aug 11 06:04:25 2011	(r17905)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1	Thu Aug 11 06:12:26 2011	(r17906)
@@ -3,3 +3,4 @@
 + bugfix/all/taskstats-don-t-allow-duplicate-entries-in-listener-mode.patch
 + bugfix/all/nlm-dont-hang-forever-on-nlm-unlock-requests.patch
 + debian/nlm-Avoid-ABI-change-from-dont-hang-forever-on-nlm-unlock-requests.patch
++ bugfix/all/bluetooth-l2cap-and-rfcomm-fix-1-byte-infoleak-to-userspace.patch


