author | Robert Buchholz <rbu@gentoo.org> | 2007-07-24 18:11:28 +0000 |
---|---|---|
committer | Robert Buchholz <rbu@gentoo.org> | 2007-07-24 18:11:28 +0000 |
commit | ec6574bb6ada4d468ae15a080a1983cf82f1bdd5 (patch) | |
tree | c64088f100b206e76754caffeefbc24d0c62c9d9 /tags/2.6.18/debian-security-patches-2.6.18.1-12etch2 | |
parent | Initial checkin of patches (diff) | |
download | xen-ec6574bb6ada4d468ae15a080a1983cf82f1bdd5.tar.gz xen-ec6574bb6ada4d468ae15a080a1983cf82f1bdd5.tar.bz2 xen-ec6574bb6ada4d468ae15a080a1983cf82f1bdd5.zip |
Tagging tarballs
svn path=/patches/; revision=8
Diffstat (limited to 'tags/2.6.18/debian-security-patches-2.6.18.1-12etch2')
11 files changed, 586 insertions, 0 deletions
diff --git a/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/README b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/README new file mode 100644 index 0000000..4cce70c --- /dev/null +++ b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/README 
@@ -0,0 +1,42 @@ + * bugfix/nfnetlink_log-null-deref.patch + [SECURITY] Fix remotely exploitable NULL pointer dereference in + nfulnl_recv_config() + See CVE-2007-1496 + * bugfix/nf_conntrack-set-nfctinfo.patch + [SECURITY] Fix incorrect classification of IPv6 fragments as ESTABLISHED, + which allows remote attackers to bypass certain rulesets + See CVE-2007-1497 + * bugfix/netlink-infinite-recursion.patch + [SECURITY] Fix infinite recursion bug in netlink + See CVE-2007-1861 + * bugfix/nl_fib_lookup-oops.patch + Add fix for oops bug added by previous patch + * bugfix/core-dump-unreadable-PT_INTERP.patch + [SECURITY] Fix a vulnerability that allows local users to read + otherwise unreadable (but executable) files by triggering a core dump. + See CVE-2007-0958 + * bugfix/appletalk-length-mismatch.patch + [SECURITY] Fix a remote DoS (crash) in appletalk + Depends upon bugfix/appletalk-endianness-annotations.patch + See CVE-2007-1357 + * bugfix/cm4040-buffer-overflow.patch + [SECURITY] Fix a buffer overflow in the Omnikey CardMan 4040 driver + See CVE-2007-0005 + * bugfix/ipv6_fl_socklist-no-share.patch + [SECURITY] Fix local DoS vulnerability caused by inadvertently sharing + ipv6_fl_socklist between the listening socket and the socket created + for connection. + See CVE-2007-1592 + * bugfix/keys-serial-num-collision.patch + [SECURITY] Fix the key serial number collision avoidance code in + key_alloc_serial() that could lead to a local DoS (oops). + (closes: #398470) + See CVE-2007-0006 + * bugfix/ipv6_getsockopt_sticky-null-opt.patch + [SECURITY] Fix NULL dereference in ipv6_setsockopt that could lead + to a local DoS (oops). + See CVE-2007-1388 + * bugfix/ipv6_getsockopt_sticky-null-opt.patch + [SECURITY] Fix kernel memory leak vulnerability in + ipv6_getsockopt_sticky() which can be triggered by passing a len < 0. + See CVE-2007-1000 
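Review bot: the README lists bugfix/ipv6_getsockopt_sticky-null-opt.patch twice, once under CVE-2007-1388 (NULL dereference in ipv6_setsockopt) and once under CVE-2007-1000 (kernel memory leak via len < 0), but this commit adds only one file of that name, and that file's own subject is `[IPV6]: Handle np->opt being NULL in ipv6_getsockopt_sticky().`; one of the two entries names the wrong file or a patch is missing, so correct the filename or add the missing patch. Two smaller mismatches: every entry carries a bugfix/ prefix while the files are added flat in this directory, and the appletalk entry says `Depends upon bugfix/appletalk-endianness-annotations.patch`, which is not part of this commit, so either add it or note where it comes from.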
diff --git a/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/appletalk-length-mismatch.patch b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/appletalk-length-mismatch.patch new file mode 100644 index 0000000..b82c4fe --- /dev/null +++ b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/appletalk-length-mismatch.patch 
@@ -0,0 +1,93 @@ +From: Jean Delvare <jdelvare@suse.de> +Date: Thu, 5 Apr 2007 06:52:46 +0000 (-0700) +Subject: [APPLETALK]: Fix a remotely triggerable crash +X-Git-Tag: v2.6.21-rc6~3 +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=75559c167bddc1254db5bcff032ad5eed8bd6f4a + +[APPLETALK]: Fix a remotely triggerable crash + +When we receive an AppleTalk frame shorter than what its header says, +we still attempt to verify its checksum, and trip on the BUG_ON() at +the end of function atalk_sum_skb() because of the length mismatch. + +This has security implications because this can be triggered by simply +sending a specially crafted ethernet frame to a target victim, +effectively crashing that host. Thus this qualifies, I think, as a +remote DoS. Here is the frame I used to trigger the crash, in npg +format: + +<Appletalk Killer> +{ +# Ethernet header ----- + + XX XX XX XX XX XX # Destination MAC + 00 00 00 00 00 00 # Source MAC + 00 1D # Length + +# LLC header ----- + + AA AA 03 + 08 00 07 80 9B # Appletalk + +# Appletalk header ----- + + 00 1B # Packet length (invalid) + 00 01 # Fake checksum + 00 00 00 00 # Destination and source networks + 00 00 00 00 # Destination and source nodes and ports + +# Payload ----- + + 0C 0D 0E 0F 10 11 12 13 + 14 +} + +The destination MAC address must be set to those of the victim. + +The severity is mitigated by two requirements: +* The target host must have the appletalk kernel module loaded. I + suspect this isn't so frequent. +* AppleTalk frames are non-IP, thus I guess they can only travel on + local networks. I am no network expert though, maybe it is possible + to somehow encapsulate AppleTalk packets over IP. + +The bug has been reported back in June 2004: + http://bugzilla.kernel.org/show_bug.cgi?id=2979 +But it wasn't investigated, and was closed in July 2006 as both +reporters had vanished meanwhile. 
+ +This code was new in kernel 2.6.0-test5: + http://git.kernel.org/?p=linux/kernel/git/tglx/history.git;a=commitdiff;h=7ab442d7e0a76402c12553ee256f756097cae2d2 +And not modified since then, so we can assume that vanilla kernels +2.6.0-test5 and later, and distribution kernels based thereon, are +affected. + +Note that I still do not know for sure what triggered the bug in the +real-world cases. The frame could have been corrupted by the kernel if +we have a bug hiding somewhere. But more likely, we are receiving the +faulty frame from the network. + +Signed-off-by: Jean Delvare <jdelvare@suse.de> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + +diff --git a/net/appletalk/ddp.c b/net/appletalk/ddp.c +index 113c175..c8b7dc2 100644 +--- a/net/appletalk/ddp.c ++++ b/net/appletalk/ddp.c +@@ -1417,10 +1417,13 @@ static int atalk_rcv(struct sk_buff *skb, struct net_device *dev, + /* + * Size check to see if ddp->deh_len was crap + * (Otherwise we'll detonate most spectacularly +- * in the middle of recvmsg()). ++ * in the middle of atalk_checksum() or recvmsg()). + */ +- if (skb->len < sizeof(*ddp)) ++ if (skb->len < sizeof(*ddp) || skb->len < (len_hops & 1023)) { ++ pr_debug("AppleTalk: dropping corrupted frame (deh_len=%u, " ++ "skb->len=%u)\n", len_hops & 1023, skb->len); + goto freeit; ++ } + + /* + * Any checksums. Note we don't do htons() on this == is assumed to be diff --git a/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/cm4040-buffer-overflow.patch b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/cm4040-buffer-overflow.patch new file mode 100644 index 0000000..3047ff6 --- /dev/null +++ b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/cm4040-buffer-overflow.patch 
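Review bot: in appletalk-length-mismatch.patch the new check repeats the raw mask `len_hops & 1023` in both the condition and the pr_debug() call; computing it once into a named local (or a macro for the DDP length field) would make the line read as the header-length comparison it is and keep the two uses from drifting apart. The placement is right: the comparison sits ahead of the checksum path, so a frame shorter than its declared DDP length is dropped before it can reach the BUG_ON() in atalk_sum_skb() that the message describes.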
@@ -0,0 +1,44 @@ +From: Marcel Holtmann <marcel@holtmann.org> +Date: Tue, 6 Mar 2007 21:12:00 +0000 (+0100) +Subject: [PATCH] Fix buffer overflow in Omnikey CardMan 4040 driver (CVE-2007-0005) +X-Git-Tag: v2.6.21-rc3~17 +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=059819a41d4331316dd8ddcf977a24ab338f4300 + +[PATCH] Fix buffer overflow in Omnikey CardMan 4040 driver (CVE-2007-0005) + +Based on a patch from Don Howard <dhoward@redhat.com> + +When calling write() with a buffer larger than 512 bytes, the +driver's write buffer overflows, allowing to overwrite the EIP and +execute arbitrary code with kernel privileges. + +In read(), there exists a similar problem, but coming from the device. +A malicous or buggy device sending more than 512 bytes can overflow +of the driver's read buffer, with the same effects as above. + +Signed-off-by: Marcel Holtmann <marcel@holtmann.org> +Signed-off-by: Harald Welte <laforge@gnumonks.org> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +--- + +diff --git a/drivers/char/pcmcia/cm4040_cs.c b/drivers/char/pcmcia/cm4040_cs.c +index 0e82968..f2e4ec4 100644 +--- a/drivers/char/pcmcia/cm4040_cs.c ++++ b/drivers/char/pcmcia/cm4040_cs.c +@@ -273,6 +273,7 @@ static ssize_t cm4040_read(struct file *filp, char __user *buf, + DEBUGP(6, dev, "BytesToRead=%lu\n", bytes_to_read); + + min_bytes_to_read = min(count, bytes_to_read + 5); ++ min_bytes_to_read = min_t(size_t, min_bytes_to_read, READ_WRITE_BUFFER_SIZE); + + DEBUGP(6, dev, "Min=%lu\n", min_bytes_to_read); + +@@ -340,7 +341,7 @@ static ssize_t cm4040_write(struct file *filp, const char __user *buf, + return 0; + } + +- if (count < 5) { ++ if ((count < 5) || (count > READ_WRITE_BUFFER_SIZE)) { + DEBUGP(2, dev, "<- cm4040_write buffersize=%Zd < 5\n", count); + return -EIO; + } 
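Review bot: in cm4040-buffer-overflow.patch the write() condition now also rejects `count > READ_WRITE_BUFFER_SIZE`, but the DEBUGP line directly below it still prints `"<- cm4040_write buffersize=%Zd < 5\n"`, so an oversized write is logged as if it were too short; reword the message to cover both bounds. On the read() side the clamp `min_bytes_to_read = min_t(size_t, min_bytes_to_read, READ_WRITE_BUFFER_SIZE);` is what bounds the copy into the driver buffer; a one-line comment noting that bytes_to_read is reported by the device and therefore untrusted would spell out why the clamp must stay.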
diff --git a/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/core-dump-unreadable-PT_INTERP.patch b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/core-dump-unreadable-PT_INTERP.patch new file mode 100644 index 0000000..33c7c4f --- /dev/null +++ b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/core-dump-unreadable-PT_INTERP.patch 
@@ -0,0 +1,70 @@ +From: Alexey Dobriyan <adobriyan@openvz.org> +Date: Fri, 26 Jan 2007 08:57:16 +0000 (-0800) +Subject: [PATCH] core-dumping unreadable binaries via PT_INTERP +X-Git-Tag: v2.6.20-rc7^0~60 +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=1fb844961818ce94e782acf6a96b92dc2303553b + +[PATCH] core-dumping unreadable binaries via PT_INTERP + +Proposed patch to fix #5 in +http://www.isec.pl/vulnerabilities/isec-0017-binfmt_elf.txt +aka +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1073 + +To reproduce, do +* grab poc at the end of advisory. +* add line "eph.p_memsz = 4096;" after "eph.p_filesz = 4096;" + where first "4096" is something equal to or greater than 4096. +* ./poc /usr/bin/sudo && ls -l + +Here I get with 2.6.20-rc5: + + -rw------- 1 ad ad 102400 2007-01-15 19:17 core + ---s--x--x 2 root root 101820 2007-01-15 19:15 /usr/bin/sudo + +Check for MAY_READ like binfmt_misc.c does. + +Signed-off-by: Alexey Dobriyan <adobriyan@openvz.org> +Signed-off-by: Andrew Morton <akpm@osdl.org> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +--- + +diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c +index 90461f4..669dbe5 100644 +--- a/fs/binfmt_elf.c ++++ b/fs/binfmt_elf.c +@@ -682,6 +682,15 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) + retval = PTR_ERR(interpreter); + if (IS_ERR(interpreter)) + goto out_free_interp; ++ ++ /* ++ * If the binary is not readable then enforce ++ * mm->dumpable = 0 regardless of the interpreter's ++ * permissions. 
++ */ ++ if (file_permission(interpreter, MAY_READ) < 0) ++ bprm->interp_flags |= BINPRM_FLAGS_ENFORCE_NONDUMP; ++ + retval = kernel_read(interpreter, 0, bprm->buf, + BINPRM_BUF_SIZE); + if (retval != BINPRM_BUF_SIZE) { +diff --git a/fs/binfmt_elf_fdpic.c b/fs/binfmt_elf_fdpic.c +index 6e6d456..a4d933a 100644 +--- a/fs/binfmt_elf_fdpic.c ++++ b/fs/binfmt_elf_fdpic.c +@@ -234,6 +234,14 @@ static int load_elf_fdpic_binary(struct linux_binprm *bprm, + goto error; + } + ++ /* ++ * If the binary is not readable then enforce ++ * mm->dumpable = 0 regardless of the interpreter's ++ * permissions. ++ */ ++ if (file_permission(interpreter, MAY_READ) < 0) ++ bprm->interp_flags |= BINPRM_FLAGS_ENFORCE_NONDUMP; ++ + retval = kernel_read(interpreter, 0, bprm->buf, + BINPRM_BUF_SIZE); + if (retval < 0) diff --git a/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/ipv6_fl_socklist-no-share.patch b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/ipv6_fl_socklist-no-share.patch new file mode 100644 index 0000000..8749435 --- /dev/null +++ b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/ipv6_fl_socklist-no-share.patch 
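Review bot: in core-dump-unreadable-PT_INTERP.patch the comment above both added blocks says `If the binary is not readable`, but the test is `file_permission(interpreter, MAY_READ)`, i.e. it checks the PT_INTERP file rather than the main binary; reword the comment to say the interpreter so it matches the code, since the whole point of the fix is that an unreadable file can be pulled in as the interpreter and then land in a core dump. The block is duplicated verbatim in binfmt_elf.c and binfmt_elf_fdpic.c; a small shared helper would keep the two in step. The patch header cites CVE-2004-1073 while the README in this commit files the same patch under CVE-2007-0958; record both identifiers so the relation is clear.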
@@ -0,0 +1,32 @@ +From: Masayuki Nakagawa <nakagawa.msy@ncos.nec.co.jp> +Date: Fri, 16 Mar 2007 23:14:03 +0000 (-0700) +Subject: [IPV6]: ipv6_fl_socklist is inadvertently shared. +X-Git-Tag: v2.6.21-rc5~72^2 +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=d35690beda1429544d46c8eb34b2e3a8c37ab299 + +[IPV6]: ipv6_fl_socklist is inadvertently shared. + +The ipv6_fl_socklist from listening socket is inadvertently shared +with new socket created for connection. This leads to a variety of +interesting, but fatal, bugs. For example, removing one of the +sockets may lead to the other socket's encountering a page fault +when the now freed list is referenced. + +The fix is to not share the flow label list with the new socket. + +Signed-off-by: Masayuki Nakagawa <nakagawa.msy@ncos.nec.co.jp> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + +diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c +index f57a9ba..92f9992 100644 +--- a/net/ipv6/tcp_ipv6.c ++++ b/net/ipv6/tcp_ipv6.c +@@ -1453,6 +1453,7 @@ static struct sock * tcp_v6_syn_recv_sock(struct sock *sk, struct sk_buff *skb, + First: no IPv4 options. + */ + newinet->opt = NULL; ++ newnp->ipv6_fl_list = NULL; + + /* Clone RX bits */ + newnp->rxopt.all = np->rxopt.all; diff --git a/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/ipv6_getsockopt_sticky-null-opt.patch b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/ipv6_getsockopt_sticky-null-opt.patch new file mode 100644 index 0000000..1a124c2 --- /dev/null +++ b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/ipv6_getsockopt_sticky-null-opt.patch 
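Review bot: in ipv6_fl_socklist-no-share.patch the added `newnp->ipv6_fl_list = NULL;` lands directly under the existing comment `First: no IPv4 options.`, which no longer describes the line beneath it; add a short comment that the flow-label list is per-socket and must not be inherited from the listener, because the reason (the list being freed by one socket while the other still references it) lives only in the commit message.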
@@ -0,0 +1,42 @@ +From: David S. Miller <davem@sunset.davemloft.net> +Date: Wed, 7 Mar 2007 20:50:46 +0000 (-0800) +Subject: [IPV6]: Handle np->opt being NULL in ipv6_getsockopt_sticky(). +X-Git-Tag: v2.6.21-rc4~99^2~7 +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=286930797d74b2c9a5beae84836044f6a836235f + +[IPV6]: Handle np->opt being NULL in ipv6_getsockopt_sticky(). + +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + +diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c +index 286c867..4e0561a 100644 +--- a/net/ipv6/ipv6_sockglue.c ++++ b/net/ipv6/ipv6_sockglue.c +@@ -795,11 +795,15 @@ int compat_ipv6_setsockopt(struct sock *sk, int level, int optname, + EXPORT_SYMBOL(compat_ipv6_setsockopt); + #endif + +-static int ipv6_getsockopt_sticky(struct sock *sk, struct ipv6_opt_hdr *hdr, ++static int ipv6_getsockopt_sticky(struct sock *sk, struct ipv6_txoptions *opt, + char __user *optval, int len) + { +- if (!hdr) ++ struct ipv6_opt_hdr *hdr; ++ ++ if (!opt || !opt->hopopt) + return 0; ++ hdr = opt->hopopt; ++ + len = min_t(int, len, ipv6_optlen(hdr)); + if (copy_to_user(optval, hdr, ipv6_optlen(hdr))) + return -EFAULT; +@@ -940,7 +944,7 @@ static int do_ipv6_getsockopt(struct sock *sk, int level, int optname, + { + + lock_sock(sk); +- len = ipv6_getsockopt_sticky(sk, np->opt->hopopt, ++ len = ipv6_getsockopt_sticky(sk, np->opt, + optval, len); + release_sock(sk); + return put_user(len, optlen); diff --git a/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/keys-serial-num-collision.patch b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/keys-serial-num-collision.patch new file mode 100644 index 0000000..9875900 --- /dev/null +++ b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/keys-serial-num-collision.patch 
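Review bot: in ipv6_getsockopt_sticky-null-opt.patch the NULL handling of opt and opt->hopopt is correct, but the two context lines right after it, `len = min_t(int, len, ipv6_optlen(hdr));` and `if (copy_to_user(optval, hdr, ipv6_optlen(hdr)))`, compute a clamped len and then copy the full ipv6_optlen(hdr) regardless, and a negative len is never rejected; the copy should use the clamped len and bail out before copying when len < 0. This matters for this series because the README describes a second problem in the same function triggered by len < 0, and nothing in this hunk addresses it.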
@@ -0,0 +1,92 @@ +From: David Howells <dhowells@redhat.com> +Date: Tue, 6 Feb 2007 13:45:51 +0000 (+0000) +Subject: [PATCH] Keys: Fix key serial number collision handling +X-Git-Tag: v2.6.21-rc2~42^2~22 +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=9ad0830f307bcd8dc285cfae58998d43b21727f4 + +[PATCH] Keys: Fix key serial number collision handling + +Fix the key serial number collision avoidance code in key_alloc_serial(). + +This didn't use to be so much of a problem as the key serial numbers were +allocated from a simple incremental counter, and it would have to go through +two billion keys before it could possibly encounter a collision. However, now +that random numbers are used instead, collisions are much more likely. + +This is fixed by finding a hole in the rbtree where the next unused serial +number ought to be and using that by going almost back to the top of the +insertion routine and redoing the insertion with the new serial number rather +than trying to be clever and attempting to work out the insertion point +pointer directly. + +This fixes kernel BZ #7727. 
+ +Signed-off-by: David Howells <dhowells@redhat.com> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +--- + +diff --git a/security/keys/key.c b/security/keys/key.c +index ac9326c..700400d 100644 +--- a/security/keys/key.c ++++ b/security/keys/key.c +@@ -188,6 +188,7 @@ static inline void key_alloc_serial(struct key *key) + + spin_lock(&key_serial_lock); + ++attempt_insertion: + parent = NULL; + p = &key_serial_tree.rb_node; + +@@ -202,39 +203,33 @@ static inline void key_alloc_serial(struct key *key) + else + goto serial_exists; + } +- goto insert_here; ++ ++ /* we've found a suitable hole - arrange for this key to occupy it */ ++ rb_link_node(&key->serial_node, parent, p); ++ rb_insert_color(&key->serial_node, &key_serial_tree); ++ ++ spin_unlock(&key_serial_lock); ++ return; + + /* we found a key with the proposed serial number - walk the tree from + * that point looking for the next unused serial number */ + serial_exists: + for (;;) { + key->serial++; +- if (key->serial < 2) +- key->serial = 2; +- +- if (!rb_parent(parent)) +- p = &key_serial_tree.rb_node; +- else if (rb_parent(parent)->rb_left == parent) +- p = &(rb_parent(parent)->rb_left); +- else +- p = &(rb_parent(parent)->rb_right); ++ if (key->serial < 3) { ++ key->serial = 3; ++ goto attempt_insertion; ++ } + + parent = rb_next(parent); + if (!parent) +- break; ++ goto attempt_insertion; + + xkey = rb_entry(parent, struct key, serial_node); + if (key->serial < xkey->serial) +- goto insert_here; ++ goto attempt_insertion; + } + +- /* we've found a suitable hole - arrange for this key to occupy it */ +-insert_here: +- rb_link_node(&key->serial_node, parent, p); +- rb_insert_color(&key->serial_node, &key_serial_tree); +- +- spin_unlock(&key_serial_lock); +- + } /* end key_alloc_serial() */ + + /*****************************************************************************/ 
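Review bot: in keys-serial-num-collision.patch the serial_exists loop now leaves only via `goto attempt_insertion`, so the closing brace after it is unreachable and the sole `spin_unlock(&key_serial_lock);` is on the successful insertion path; that is correct as written, but a comment at the loop stating that every exit must re-enter attempt_insertion (never break) would guard against a later edit leaking the lock. The lower bound also moves from `if (key->serial < 2)` to `if (key->serial < 3)` with no mention in the message; say why serial 2 is now excluded.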
diff --git a/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/netlink-infinite-recursion.patch b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/netlink-infinite-recursion.patch new file mode 100644 index 0000000..df76325 --- /dev/null +++ b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/netlink-infinite-recursion.patch 
@@ -0,0 +1,65 @@ +From: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru> +Date: Wed, 25 Apr 2007 20:59:03 +0000 (+0000) +Subject: [PATCH] NETLINK: Infinite recursion in netlink. +X-Git-Tag: v2.6.20.8~1 +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6.20.y.git;a=commitdiff_plain;h=9bc1779885f4ce1a4257c5640c70b75d2ae124ad + +[PATCH] NETLINK: Infinite recursion in netlink. + +[NETLINK]: Infinite recursion in netlink. + +Reply to NETLINK_FIB_LOOKUP messages were misrouted back to kernel, +which resulted in infinite recursion and stack overflow. + +The bug is present in all kernel versions since the feature appeared. + +The patch also makes some minimal cleanup: + +1. Return something consistent (-ENOENT) when fib table is missing +2. Do not crash when queue is empty (does not happen, but yet) +3. Put result of lookup + +Signed-off-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +--- + +diff -urN linux-source-2.6.18.orig/net/ipv4/fib_frontend.c linux-source-2.6.18/net/ipv4/fib_frontend.c +--- linux-source-2.6.18.orig/net/ipv4/fib_frontend.c 2006-09-19 21:42:06.000000000 -0600 ++++ linux-source-2.6.18/net/ipv4/fib_frontend.c 2007-05-01 15:21:37.000000000 -0600 +@@ -524,6 +524,8 @@ + .fwmark = frn->fl_fwmark, + .tos = frn->fl_tos, + .scope = frn->fl_scope } } }; ++ ++ frn->err = -ENOENT; + if (tb) { + local_bh_disable(); + +@@ -535,6 +537,7 @@ + frn->nh_sel = res.nh_sel; + frn->type = res.type; + frn->scope = res.scope; ++ fib_res_put(&res); + } + local_bh_enable(); + } +@@ -549,6 +552,9 @@ + struct fib_table *tb; + + skb = skb_dequeue(&sk->sk_receive_queue); ++ if (skb == NULL) ++ return; ++ + nlh = (struct nlmsghdr *)skb->data; + if (skb->len < NLMSG_SPACE(0) || skb->len < nlh->nlmsg_len || + nlh->nlmsg_len < NLMSG_LENGTH(sizeof(*frn))) { +@@ -561,7 +567,7 @@ + + nl_fib_lookup(frn, tb); + +- pid = nlh->nlmsg_pid; /*pid of sending process */ ++ pid = 
NETLINK_CB(skb).pid; /* pid of sending process */ + NETLINK_CB(skb).pid = 0; /* from kernel */ + NETLINK_CB(skb).dst_pid = pid; + NETLINK_CB(skb).dst_group = 0; /* unicast */ diff --git a/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/nf_conntrack-set-nfctinfo.patch b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/nf_conntrack-set-nfctinfo.patch new file mode 100644 index 0000000..f540a67 --- /dev/null +++ b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/nf_conntrack-set-nfctinfo.patch 
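Review bot: in netlink-infinite-recursion.patch the added `fib_res_put(&res);` releases a result obtained from a direct `->tb_lookup` call, but nothing in this hunk initialises res.r; the companion nl_fib_lookup-oops.patch in this same commit adds `res.r = NULL;` under CONFIG_IP_MULTIPLE_TABLES to repair exactly that, and the README calls it a "fix for oops bug added by previous patch", so the two should be applied together (or squashed) to avoid a window where the tree oopses. The routing change itself, replacing `pid = nlh->nlmsg_pid;` with the NETLINK_CB(skb).pid value and marking the reply as from the kernel, is the actual cure for the recursion and is fine.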
@@ -0,0 +1,35 @@ +From: Patrick McHardy <kaber@trash.net> +Date: Wed, 7 Mar 2007 21:34:42 +0000 (+0100) +Subject: nf_conntrack: fix incorrect classification of IPv6 fragments as ESTABLISHED +X-Git-Tag: v2.6.20.3~11 +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6.20.y.git;a=commitdiff_plain;h=868f0120e0f93d070ea7f3e969c09dbab8ad7bc7 + +nf_conntrack: fix incorrect classification of IPv6 fragments as ESTABLISHED + +[NETFILTER]: nf_conntrack: fix incorrect classification of IPv6 fragments as ESTABLISHED + +The individual fragments of a packet reassembled by conntrack have the +conntrack reference from the reassembled packet attached, but nfctinfo +is not copied. This leaves it initialized to 0, which unfortunately is +the value of IP_CT_ESTABLISHED. + +The result is that all IPv6 fragments are tracked as ESTABLISHED, +allowing them to bypass a usual ruleset which accepts ESTABLISHED +packets early. + +Signed-off-by: Patrick McHardy <kaber@trash.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +--- + +diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c +index a20615f..6155b80 100644 +--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c ++++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c +@@ -257,6 +257,7 @@ static unsigned int ipv6_conntrack_in(unsigned int hooknum, + } + nf_conntrack_get(reasm->nfct); + (*pskb)->nfct = reasm->nfct; ++ (*pskb)->nfctinfo = reasm->nfctinfo; + return NF_ACCEPT; + } + diff --git a/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/nfnetlink_log-null-deref.patch b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/nfnetlink_log-null-deref.patch new file mode 100644 index 0000000..b86a409 --- /dev/null +++ b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/nfnetlink_log-null-deref.patch 
@@ -0,0 +1,37 @@ +From: Michal Miroslaw <mirq-linux@rere.qmqm.pl> +Date: Sun, 4 Mar 2007 23:59:20 +0000 (-0800) +Subject: [NETFILTER]: nfnetlink_log: fix possible NULL pointer dereference +X-Git-Tag: v2.6.21~469^2~10 +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=dd16704eba171b32ef0cded3a4f562b33b911066 + +[NETFILTER]: nfnetlink_log: fix possible NULL pointer dereference + +Eliminate possible NULL pointer dereference in nfulnl_recv_config(). + +Signed-off-by: Michal Miroslaw <mirq-linux@rere.qmqm.pl> +Signed-off-by: Patrick McHardy <kaber@trash.net> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + +diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c +index 1b94051..b669db5 100644 +--- a/net/netfilter/nfnetlink_log.c ++++ b/net/netfilter/nfnetlink_log.c +@@ -858,6 +858,9 @@ nfulnl_recv_config(struct sock *ctnl, struct sk_buff *skb, + ret = -EINVAL; + break; + } ++ ++ if (!inst) ++ goto out; + } else { + if (!inst) { + UDEBUG("no config command, and no instance for " +@@ -911,6 +914,7 @@ nfulnl_recv_config(struct sock *ctnl, struct sk_buff *skb, + + out_put: + instance_put(inst); ++out: + return ret; + } + diff --git a/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/nl_fib_lookup-oops.patch b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/nl_fib_lookup-oops.patch new file mode 100644 index 0000000..c0547fa --- /dev/null +++ b/tags/2.6.18/debian-security-patches-2.6.18.1-12etch2/nl_fib_lookup-oops.patch 
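Review bot: in nfnetlink_log-null-deref.patch the new `if (!inst) goto out;` is placed after the command switch, and the new `out:` label correctly bypasses `instance_put(inst)` since inst is NULL there; what the hunk does not show is the value of ret at that point, which the visible context sets only on the `ret = -EINVAL; break;` path, so confirm ret is assigned on every command branch (or initialised before the switch) so that a command that legitimately leaves no instance does not return stale data.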
@@ -0,0 +1,34 @@ +From: Sergey Vlasov <vsu@altlinux.ru> +Date: Fri, 27 Apr 2007 09:18:35 +0000 (-0700) +Subject: IPV4: Fix OOPS'er added to netlink fib. +X-Git-Tag: v2.6.20.10~2 +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6.20.y.git;a=commitdiff_plain;h=6af3412cff50b9a7b12b7b9cf6f01b34fbae4624 + +IPV4: Fix OOPS'er added to netlink fib. + +[IPV4] nl_fib_lookup: Initialise res.r before fib_res_put(&res) + +When CONFIG_IP_MULTIPLE_TABLES is enabled, the code in nl_fib_lookup() +needs to initialize the res.r field before fib_res_put(&res) - unlike +fib_lookup(), a direct call to ->tb_lookup does not set this field. + +Signed-off-by: Sergey Vlasov <vsu@altlinux.ru> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +--- + +diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c +index fa2cb8c..30aae76 100644 +--- a/net/ipv4/fib_frontend.c ++++ b/net/ipv4/fib_frontend.c +@@ -773,6 +773,10 @@ static void nl_fib_lookup(struct fib_result_nl *frn, struct fib_table *tb ) + .tos = frn->fl_tos, + .scope = frn->fl_scope } } }; + ++#ifdef CONFIG_IP_MULTIPLE_TABLES ++ res.r = NULL; ++#endif ++ + frn->err = -ENOENT; + if (tb) { + local_bh_disable(); |