[kernel] r17983 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Sun Aug 21 22:00:07 UTC 2011
Author: dannf
Date: Sun Aug 21 22:00:05 2011
New Revision: 17983
Log:
Bluetooth: Prevent buffer overflow in l2cap config request (CVE-2011-2497)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch
- copied unchanged from r17980, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/26lenny4
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Sun Aug 21 21:57:56 2011 (r17982)
+++ dists/lenny-security/linux-2.6/debian/changelog Sun Aug 21 22:00:05 2011 (r17983)
@@ -6,6 +6,7 @@
* NLM: Don't hang forever on NLM unlock requests (CVE-2011-2491)
* proc: restrict access to /proc/PID/io (CVE-2011-2495)
* vm: fix vm_pgoff wrap in up/down stack expansions (CVE-2011-2496)
+ * Bluetooth: Prevent buffer overflow in l2cap config request (CVE-2011-2497)
[ Moritz Muehlenhoff ]
* ALSA: caiaq - Fix possible string-buffer overflow (CVE-2011-0712)
Copied: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch (from r17980, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch Sun Aug 21 22:00:05 2011 (r17983, copy of r17980, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch)
@@ -0,0 +1,30 @@
+commit 7ac28817536797fd40e9646452183606f9e17f71
+Author: Dan Rosenberg <drosenberg at vsecurity.com>
+Date: Fri Jun 24 08:38:05 2011 -0400
+
+ Bluetooth: Prevent buffer overflow in l2cap config request
+
+ A remote user can provide a small value for the command size field in
+ the command header of an l2cap configuration request, resulting in an
+ integer underflow when subtracting the size of the configuration request
+ header. This results in copying a very large amount of data via
+ memcpy() and destroying the kernel heap. Check for underflow.
+
+ Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
+ Cc: stable <stable at kernel.org>
+ Signed-off-by: Gustavo F. Padovan <padovan at profusion.mobi>
+ [dannf: backported to Debian's 2.6.32]
+
+diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c
+index 514aa8f..71120ee 100644
+--- a/net/bluetooth/l2cap.c
++++ b/net/bluetooth/l2cap.c
+@@ -2720,7 +2720,7 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr
+
+ /* Reject if config buffer is too small. */
+ len = cmd_len - sizeof(*req);
+- if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
++ if (len < 0 || l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
+ l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
+ l2cap_build_conf_rsp(sk, rsp,
+ L2CAP_CONF_REJECT, flags), rsp);
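Review bot: the added "len < 0" test in the changed if-condition only works when len is a signed type, and its declaration is not visible in this hunk. The subtraction "cmd_len - sizeof(*req)" is evaluated in the unsigned type of sizeof, so the result becomes negative only when it is converted on assignment to len. Validating the input before subtracting, for example "if (cmd_len < sizeof(*req) || ...)", would reject an undersized command length without depending on the type of len or on that conversion. The comment "Reject if config buffer is too small." could also be extended to say that command lengths shorter than the request header are rejected here.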
Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny4
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny4 Sun Aug 21 21:57:56 2011 (r17982)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny4 Sun Aug 21 22:00:05 2011 (r17983)
@@ -10,3 +10,4 @@
+ bugfix/all/mm-avoid-wrapping-vm_pgoff-in-mremap.patch
+ bugfix/all/vm-fix-vm_pgoff-wrap-in-stack-expansion.patch
+ bugfix/all/vm-fix-vm_pgoff-wrap-in-upward-expansion.patch
++ bugfix/all/bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch
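Review bot: the new series entry on the last line pulls in a patch that was copied unchanged from squeeze-security and whose header still reads "[dannf: backported to Debian's 2.6.32]". Before it goes into the lenny-security series, confirm that the hunk at "@@ -2720,7 +2720,7 @@" applies to this tree's net/bluetooth/l2cap.c without offset or fuzz, and update the bracketed note so it describes the lenny copy rather than the squeeze backport.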