[linux] 01/01: tipc: fix an infoleak in tipc_nl_compat_link_dump (CVE-2016-5243)

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Thu Jun 23 19:45:23 UTC 2016


This is an automated email from the git hooks/post-receive script.

carnil pushed a commit to branch jessie-security
in repository linux.

commit b7a433d43fd27082075cdff9749dab3646bf88ff
Author: Salvatore Bonaccorso <carnil at debian.org>
Date:   Thu Jun 23 21:37:20 2016 +0200

    tipc: fix an infoleak in tipc_nl_compat_link_dump (CVE-2016-5243)
---
 debian/changelog                                   |  1 +
 ...x-an-infoleak-in-tipc_nl_compat_link_dump.patch | 26 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 28 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 09e3933..c1123f0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -30,6 +30,7 @@ linux (3.16.7-ckt25-2+deb8u1) UNRELEASED; urgency=medium
   * ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS (CVE-2016-4569)
   * ALSA: timer: Fix leak in events via snd_timer_user_ccallback or
     snd_timer_user_tinterrupt (CVE-2016-4578)
+  * tipc: fix an infoleak in tipc_nl_compat_link_dump (CVE-2016-5243)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Wed, 30 Mar 2016 16:32:07 +0100
 
diff --git a/debian/patches/bugfix/all/tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch b/debian/patches/bugfix/all/tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch
new file mode 100644
index 0000000..9a05947
--- /dev/null
+++ b/debian/patches/bugfix/all/tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch
@@ -0,0 +1,26 @@
+From: Kangjie Lu <kangjielu at gmail.com>
+Date: Thu, 2 Jun 2016 04:04:56 -0400
+Subject: tipc: fix an infoleak in tipc_nl_compat_link_dump
+Origin: https://git.kernel.org/linus/5d2be1422e02ccd697ccfcd45c85b4a26e6178e2
+
+link_info.str is a char array of size 60. Memory after the NULL
+byte is not initialized. Sending the whole object out can cause
+a leak.
+
+Signed-off-by: Kangjie Lu <kjlu at gatech.edu>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+[carnil: Backported to 3.16 (same as bwh did for 3.2): the unpadded strcpy() is
+in tipc_node_get_links() and no nlattr is involved, so use strncpy()]
+---
+--- a/net/tipc/node.c
++++ b/net/tipc/node.c
+@@ -417,7 +417,8 @@ struct sk_buff *tipc_node_get_links(cons
+ 				continue;
+ 			link_info.dest = htonl(n_ptr->addr);
+ 			link_info.up = htonl(tipc_link_is_up(n_ptr->links[i]));
+-			strcpy(link_info.str, n_ptr->links[i]->name);
++			strncpy(link_info.str, n_ptr->links[i]->name,
++				sizeof(link_info.str));
+ 			tipc_cfg_append_tlv(buf, TIPC_TLV_LINK_INFO,
+ 					    &link_info, sizeof(link_info));
+ 		}
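Review bot: The strncpy() call in tipc_node_get_links() leaves link_info.str without a terminating NUL if n_ptr->links[i]->name is as long as sizeof(link_info.str) or longer, and nothing in the visible lines shows the name being bounded below that size. strncpy() does zero-fill the remainder of the 60-byte array when the name is shorter, which is what closes the leak described in the patch header. The backport note should either state that a link name can never reach 60 bytes, or the code should set link_info.str[sizeof(link_info.str) - 1] = '\0' after the copy. The change also covers only str: dest and up are assigned explicitly, but if the struct has padding or other members, those bytes are still sent by tipc_cfg_append_tlv(buf, TIPC_TLV_LINK_INFO, &link_info, sizeof(link_info)). A memset() of link_info before it is filled would remove that doubt.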
diff --git a/debian/patches/series b/debian/patches/series
index dcf39d4..95f4883 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -682,3 +682,4 @@ bugfix/all/usb-usbfs-fix-potential-infoleak-in-devio.patch
 bugfix/all/alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch
 bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_cca.patch
 bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_tin.patch
+bugfix/all/tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git


