[kernel] r17130 - in dists/squeeze/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Sun Mar 27 22:05:37 UTC 2011
Author: dannf
Date: Sun Mar 27 22:05:30 2011
New Revision: 17130
Log:
bridge: netfilter: fix information leak (CVE-2011-1080)
Added:
dists/squeeze/linux-2.6/debian/patches/bugfix/all/bridge-netfilter-fix-information-leak.patch
Modified:
dists/squeeze/linux-2.6/debian/changelog
dists/squeeze/linux-2.6/debian/patches/series/32
Modified: dists/squeeze/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze/linux-2.6/debian/changelog Sun Mar 27 22:03:46 2011 (r17129)
+++ dists/squeeze/linux-2.6/debian/changelog Sun Mar 27 22:05:30 2011 (r17130)
@@ -50,6 +50,7 @@
* drm/radeon/kms: check AA resolve registers on r300 (CVE-2011-1016)
* Bluetooth: sco: fix information leak to userspace (CVE-2011-1078)
* Bluetooth: bnep: fix buffer overflow (CVE-2010-1079)
+ * bridge: netfilter: fix information leak (CVE-2011-1080)
-- Ben Hutchings <ben at decadent.org.uk> Sat, 12 Mar 2011 20:20:58 +0000
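Review bot: the context line directly above the new entry reads "Bluetooth: bnep: fix buffer overflow (CVE-2010-1079)", while the entries on either side of it are CVE-2011-1078 and CVE-2011-1080. The bnep issue is CVE-2011-1079, so the year in that line looks like a typo. Correcting it in this same changelog edit would keep a search for the CVE id pointing at this upload.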
Added: dists/squeeze/linux-2.6/debian/patches/bugfix/all/bridge-netfilter-fix-information-leak.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/bridge-netfilter-fix-information-leak.patch Sun Mar 27 22:05:30 2011 (r17130)
@@ -0,0 +1,28 @@
+commit d846f71195d57b0bbb143382647c2c6638b04c5a
+Author: Vasiliy Kulikov <segoon at openwall.com>
+Date: Mon Feb 14 16:49:23 2011 +0100
+
+ bridge: netfilter: fix information leak
+
+ Struct tmp is copied from userspace. It is not checked whether the "name"
+ field is NULL terminated. This may lead to buffer overflow and passing
+ contents of kernel stack as a module name to try_then_request_module() and,
+ consequently, to modprobe commandline. It would be seen by all userspace
+ processes.
+
+ Signed-off-by: Vasiliy Kulikov <segoon at openwall.com>
+ Signed-off-by: Patrick McHardy <kaber at trash.net>
+
+diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
+index 5f1825d..893669c 100644
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -1107,6 +1107,8 @@ static int do_replace(struct net *net, const void __user *user,
+ if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
+ return -ENOMEM;
+
++ tmp.name[sizeof(tmp.name) - 1] = 0;
++
+ countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
+ newinfo = vmalloc(sizeof(*newinfo) + countersize);
+ if (!newinfo)
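Review bot: the added `tmp.name[sizeof(tmp.name) - 1] = 0;` in do_replace() silently truncates an unterminated name instead of rejecting the request, and it carries no comment saying why the terminator is forced. A one-line comment noting that tmp comes from userspace and that name is later passed to try_then_request_module() would stop a later cleanup from removing the line as redundant. Only do_replace() is touched here, so it is worth confirming that any other path in ebtables.c that copies a table name from userspace and uses it as a string terminates it the same way.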
Modified: dists/squeeze/linux-2.6/debian/patches/series/32
==============================================================================
--- dists/squeeze/linux-2.6/debian/patches/series/32 Sun Mar 27 22:03:46 2011 (r17129)
+++ dists/squeeze/linux-2.6/debian/patches/series/32 Sun Mar 27 22:05:30 2011 (r17130)
@@ -17,3 +17,4 @@
+ bugfix/all/stable/2.6.32.36.patch
+ bugfix/all/bluetooth-sco-fix-information-leak-to-userspace.patch
+ bugfix/all/bluetooth-bnep-fix-buffer-overflow.patch
++ bugfix/all/bridge-netfilter-fix-information-leak.patch