[kernel] r17906 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Thu Aug 11 06:12:28 UTC 2011
Author: dannf
Date: Thu Aug 11 06:12:26 2011
New Revision: 17906
Log:
Bluetooth: l2cap/rfcomm: fix 1 byte infoleak to userspace (CVE-2011-2492)
Added:
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/bluetooth-l2cap-and-rfcomm-fix-1-byte-infoleak-to-userspace.patch
Modified:
dists/squeeze-security/linux-2.6/debian/changelog
dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1
Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog Thu Aug 11 06:04:25 2011 (r17905)
+++ dists/squeeze-security/linux-2.6/debian/changelog Thu Aug 11 06:12:26 2011 (r17906)
@@ -4,6 +4,7 @@
* net: Fix memory leak/corruption on VLAN GRO_DROP (CVE-2011-1576)
* taskstats: don't allow duplicate entries in listener mode (CVE-2011-2484)
* NLM: Don't hang forever on NLM unlock requests (CVE-2011-2491)
+ * Bluetooth: l2cap/rfcomm: fix 1 byte infoleak to userspace (CVE-2011-2492)
-- dann frazier <dannf at debian.org> Thu, 21 Jul 2011 00:31:53 -0600
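Review bot: the trailer line of this changelog stanza still reads 21 Jul 2011 while the entry for CVE-2011-2492 is being added in r17906 on 11 Aug 2011, so the timestamp should be refreshed when the upload is finalised. The entry itself repeats the commit subject and carries the CVE id, consistent with the three entries above it.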
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/bluetooth-l2cap-and-rfcomm-fix-1-byte-infoleak-to-userspace.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/bluetooth-l2cap-and-rfcomm-fix-1-byte-infoleak-to-userspace.patch Thu Aug 11 06:12:26 2011 (r17906)
@@ -0,0 +1,38 @@
+commit 8d03e971cf403305217b8e62db3a2e5ad2d6263f
+Author: Filip Palian <s3810 at pjwstk.edu.pl>
+Date: Thu May 12 19:32:46 2011 +0200
+
+ Bluetooth: l2cap and rfcomm: fix 1 byte infoleak to userspace.
+
+ Structures "l2cap_conninfo" and "rfcomm_conninfo" have one padding
+ byte each. This byte in "cinfo" is copied to userspace uninitialized.
+
+ Signed-off-by: Filip Palian <filip.palian at pjwstk.edu.pl>
+ Acked-by: Marcel Holtmann <marcel at holtmann.org>
+ Signed-off-by: Gustavo F. Padovan <padovan at profusion.mobi>
+ [dannf: backported to Debian's 2.6.32]
+
+diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c
+index 8d1c4a9..514aa8f 100644
+--- a/net/bluetooth/l2cap.c
++++ b/net/bluetooth/l2cap.c
+@@ -1886,6 +1886,7 @@ static int l2cap_sock_getsockopt_old(struct socket *sock, int optname, char __us
+ break;
+ }
+
++ memset(&cinfo, 0, sizeof(cinfo));
+ cinfo.hci_handle = l2cap_pi(sk)->conn->hcon->handle;
+ memcpy(cinfo.dev_class, l2cap_pi(sk)->conn->hcon->dev_class, 3);
+
+diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
+index 30a3649..1ae3f80 100644
+--- a/net/bluetooth/rfcomm/sock.c
++++ b/net/bluetooth/rfcomm/sock.c
+@@ -878,6 +878,7 @@ static int rfcomm_sock_getsockopt_old(struct socket *sock, int optname, char __u
+
+ l2cap_sk = rfcomm_pi(sk)->dlc->session->sock->sk;
+
++ memset(&cinfo, 0, sizeof(cinfo));
+ cinfo.hci_handle = l2cap_pi(l2cap_sk)->conn->hcon->handle;
+ memcpy(cinfo.dev_class, l2cap_pi(l2cap_sk)->conn->hcon->dev_class, 3);
+
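Review bot: the memset(&cinfo, 0, sizeof(cinfo)) added ahead of the cinfo.hci_handle assignment in both l2cap_sock_getsockopt_old() and rfcomm_sock_getsockopt_old() has no comment saying that it clears the structure's padding byte, so a later cleanup could take it for a redundant initialisation and drop it. Suggest a one-line comment above each call, for example /* clear padding: cinfo is copied to userspace */. Keeping memset() rather than relying on per-field assignment or a brace initialiser is the right choice, since C does not guarantee that an initialiser zeroes padding. The copy to userspace is outside the context shown in either hunk, so when applying the backport it is worth confirming against the 2.6.32 tree that the memset() sits on every path that reaches that copy.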
Modified: dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1 Thu Aug 11 06:04:25 2011 (r17905)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1 Thu Aug 11 06:12:26 2011 (r17906)
@@ -3,3 +3,4 @@
+ bugfix/all/taskstats-don-t-allow-duplicate-entries-in-listener-mode.patch
+ bugfix/all/nlm-dont-hang-forever-on-nlm-unlock-requests.patch
+ debian/nlm-Avoid-ABI-change-from-dont-hang-forever-on-nlm-unlock-requests.patch
++ bugfix/all/bluetooth-l2cap-and-rfcomm-fix-1-byte-infoleak-to-userspace.patch