Commit 49db5a63 authored by Dann Frazier

merge in 2.6.18.dfsg.1-12etch2

svn path=/dists/etch/linux-2.6/; revision=8563
parents d82113e1 85760906
......@@ -36,6 +36,24 @@ linux-2.6 (2.6.18.dfsg.1-13) UNRELEASED; urgency=high
-- dann frazier <dannf@debian.org> Tue, 01 May 2007 19:11:48 -0600
linux-2.6 (2.6.18.dfsg.1-12etch2) stable-security; urgency=high
* bugfix/nfnetlink_log-null-deref.patch
[SECURITY] Fix remotely exploitable NULL pointer dereference in
nfulnl_recv_config()
See CVE-2007-1496
* bugfix/nf_conntrack-set-nfctinfo.patch
[SECURITY] Fix incorrect classification of IPv6 fragments as ESTABLISHED,
which allows remote attackers to bypass certain rulesets
See CVE-2007-1497
* bugfix/netlink-infinite-recursion.patch
[SECURITY] Fix infinite recursion bug in netlink
See CVE-2007-1861
* bugfix/nl_fib_lookup-oops.patch
Add fix for oops bug added by previous patch
-- dann frazier <dannf@debian.org> Tue, 01 May 2007 08:34:18 -0600
linux-2.6 (2.6.18.dfsg.1-12etch1) stable-security; urgency=high
* bugfix/core-dump-unreadable-PT_INTERP.patch
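Review bot: the 12etch2 entry for bugfix/nl_fib_lookup-oops.patch says only "Add fix for oops bug added by previous patch"; name the patch it repairs (bugfix/netlink-infinite-recursion.patch, whose added fib_res_put(&res) is what oopses) and that it only bites with CONFIG_IP_MULTIPLE_TABLES, so the changelog can be read without opening the patches.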
From: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
Date: Wed, 25 Apr 2007 20:59:03 +0000 (+0000)
Subject: [PATCH] NETLINK: Infinite recursion in netlink.
X-Git-Tag: v2.6.20.8~1
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6.20.y.git;a=commitdiff_plain;h=9bc1779885f4ce1a4257c5640c70b75d2ae124ad
[NETLINK]: Infinite recursion in netlink.
Replies to NETLINK_FIB_LOOKUP messages were misrouted back to the kernel,
which resulted in infinite recursion and stack overflow.
The bug is present in all kernel versions since the feature appeared.
The patch also makes some minimal cleanup:
1. Return something consistent (-ENOENT) when fib table is missing
2. Do not crash when queue is empty (does not happen, but yet)
3. Put result of lookup
Signed-off-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
diff -urN linux-source-2.6.18.orig/net/ipv4/fib_frontend.c linux-source-2.6.18/net/ipv4/fib_frontend.c
--- linux-source-2.6.18.orig/net/ipv4/fib_frontend.c 2006-09-19 21:42:06.000000000 -0600
+++ linux-source-2.6.18/net/ipv4/fib_frontend.c 2007-05-01 15:21:37.000000000 -0600
@@ -524,6 +524,8 @@
.fwmark = frn->fl_fwmark,
.tos = frn->fl_tos,
.scope = frn->fl_scope } } };
+
+ frn->err = -ENOENT;
if (tb) {
local_bh_disable();
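Review bot: `frn->err = -ENOENT;` is now set unconditionally before `if (tb)`, so a missing table yields a consistent error instead of whatever the caller left in the struct; confirm that the lookup branch inside `if (tb)` overwrites frn->err with the tb_lookup result, otherwise a successful lookup would still report -ENOENT to the requester.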
@@ -535,6 +537,7 @@
frn->nh_sel = res.nh_sel;
frn->type = res.type;
frn->scope = res.scope;
+ fib_res_put(&res);
}
local_bh_enable();
}
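Review bot: the added `fib_res_put(&res);` releases the lookup result, but nothing in this patch initialises res.r; with CONFIG_IP_MULTIPLE_TABLES fib_res_put() looks at res.r, and a direct ->tb_lookup call does not set it the way fib_lookup() does, so this can dereference an uninitialised pointer. Initialise res (or at least res.r) before the lookup; the fourth patch on this page, bugfix/nl_fib_lookup-oops.patch, is the follow-up that does exactly that.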
@@ -549,6 +552,9 @@
struct fib_table *tb;
skb = skb_dequeue(&sk->sk_receive_queue);
+ if (skb == NULL)
+ return;
+
nlh = (struct nlmsghdr *)skb->data;
if (skb->len < NLMSG_SPACE(0) || skb->len < nlh->nlmsg_len ||
nlh->nlmsg_len < NLMSG_LENGTH(sizeof(*frn))) {
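Review bot: the NULL check after skb_dequeue() belongs exactly here, since the next line dereferences skb->data, and a bare `return` is correct because a NULL skb leaves nothing to free. The length condition below it is also ordered correctly: `skb->len < NLMSG_SPACE(0)` is tested before nlh->nlmsg_len is read, so the header is never read from a buffer too short to hold it.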
@@ -561,7 +567,7 @@
nl_fib_lookup(frn, tb);
- pid = nlh->nlmsg_pid; /*pid of sending process */
+ pid = NETLINK_CB(skb).pid; /* pid of sending process */
NETLINK_CB(skb).pid = 0; /* from kernel */
NETLINK_CB(skb).dst_pid = pid;
NETLINK_CB(skb).dst_group = 0; /* unicast */
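Review bot: this one-line change is the actual fix for the recursion: nlh->nlmsg_pid is a header field written by whoever sent the message, whereas NETLINK_CB(skb).pid is filled in by the netlink core from the sending socket, so the reply now goes to the real sender rather than to whatever port id the header claimed (and, per the `/* from kernel */` convention two lines below, a claimed id of 0 is the kernel itself, which is how the reply re-entered this receive path). The rule worth stating in a comment is that routing decisions come from the control block, never from sender-supplied header content; the `/*pid` to `/* pid` spacing fix is fine to keep in the same hunk.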
From: Patrick McHardy <kaber@trash.net>
Date: Wed, 7 Mar 2007 21:34:42 +0000 (+0100)
Subject: nf_conntrack: fix incorrect classification of IPv6 fragments as ESTABLISHED
X-Git-Tag: v2.6.20.3~11
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6.20.y.git;a=commitdiff_plain;h=868f0120e0f93d070ea7f3e969c09dbab8ad7bc7
[NETFILTER]: nf_conntrack: fix incorrect classification of IPv6 fragments as ESTABLISHED
The individual fragments of a packet reassembled by conntrack have the
conntrack reference from the reassembled packet attached, but nfctinfo
is not copied. This leaves it initialized to 0, which unfortunately is
the value of IP_CT_ESTABLISHED.
The result is that all IPv6 fragments are tracked as ESTABLISHED,
allowing them to bypass a usual ruleset which accepts ESTABLISHED
packets early.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
index a20615f..6155b80 100644
--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
@@ -257,6 +257,7 @@ static unsigned int ipv6_conntrack_in(unsigned int hooknum,
}
nf_conntrack_get(reasm->nfct);
(*pskb)->nfct = reasm->nfct;
+ (*pskb)->nfctinfo = reasm->nfctinfo;
return NF_ACCEPT;
}
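Review bot: copying nfctinfo together with the nfct reference is the right fix, given that the zero default equals IP_CT_ESTABLISHED as the commit message explains; only ipv6_conntrack_in is touched here, so check whether any other hook in this file attaches reasm->nfct the same way and needs the matching `nfctinfo` copy, otherwise the misclassification survives on that path.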
From: Michal Miroslaw <mirq-linux@rere.qmqm.pl>
Date: Sun, 4 Mar 2007 23:59:20 +0000 (-0800)
Subject: [NETFILTER]: nfnetlink_log: fix possible NULL pointer dereference
X-Git-Tag: v2.6.21~469^2~10
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=dd16704eba171b32ef0cded3a4f562b33b911066
Eliminate possible NULL pointer dereference in nfulnl_recv_config().
Signed-off-by: Michal Miroslaw <mirq-linux@rere.qmqm.pl>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
index 1b94051..b669db5 100644
--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -858,6 +858,9 @@ nfulnl_recv_config(struct sock *ctnl, struct sk_buff *skb,
ret = -EINVAL;
break;
}
+
+ if (!inst)
+ goto out;
} else {
if (!inst) {
UDEBUG("no config command, and no instance for "
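Review bot: the new `if (!inst) goto out;` stops the function before the later code dereferences inst when the command switch left no instance, and jumping to `out:` rather than `out_put:` is correct because there is no reference to drop on a NULL inst; confirm that no case in the switch above takes a reference and then leaves inst NULL, since that reference would now be skipped on the way out.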
@@ -911,6 +914,7 @@ nfulnl_recv_config(struct sock *ctnl, struct sk_buff *skb,
out_put:
instance_put(inst);
+out:
return ret;
}
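Review bot: placing `out:` directly after `instance_put(inst)` means the two exits differ only in whether a reference is dropped; a one-line comment on the label saying it is for the no-instance path would keep a later change from routing a held reference through the wrong exit.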
From: Sergey Vlasov <vsu@altlinux.ru>
Date: Fri, 27 Apr 2007 09:18:35 +0000 (-0700)
Subject: IPV4: Fix OOPS'er added to netlink fib.
X-Git-Tag: v2.6.20.10~2
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6.20.y.git;a=commitdiff_plain;h=6af3412cff50b9a7b12b7b9cf6f01b34fbae4624
[IPV4] nl_fib_lookup: Initialise res.r before fib_res_put(&res)
When CONFIG_IP_MULTIPLE_TABLES is enabled, the code in nl_fib_lookup()
needs to initialize the res.r field before fib_res_put(&res) - unlike
fib_lookup(), a direct call to ->tb_lookup does not set this field.
Signed-off-by: Sergey Vlasov <vsu@altlinux.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
index fa2cb8c..30aae76 100644
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -773,6 +773,10 @@ static void nl_fib_lookup(struct fib_result_nl *frn, struct fib_table *tb )
.tos = frn->fl_tos,
.scope = frn->fl_scope } } };
+#ifdef CONFIG_IP_MULTIPLE_TABLES
+ res.r = NULL;
+#endif
+
frn->err = -ENOENT;
if (tb) {
local_bh_disable();
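Review bot: `res.r = NULL` under `#ifdef CONFIG_IP_MULTIPLE_TABLES` repairs the fib_res_put(&res) introduced by bugfix/netlink-infinite-recursion.patch, but it zeroes only one member under one config option; initialising res at its declaration would cover every member without the ifdef and would also survive future additions to struct fib_result. Note that this hunk relies on the `frn->err = -ENOENT;` context line the recursion patch adds, so it must be applied after that patch.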
+ bugfix/nfnetlink_log-null-deref.patch
+ bugfix/nf_conntrack-set-nfctinfo.patch
+ bugfix/netlink-infinite-recursion.patch
+ bugfix/nl_fib_lookup-oops.patch
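Review bot: the order of these four series entries matters: bugfix/nl_fib_lookup-oops.patch patches against the `frn->err = -ENOENT;` line that bugfix/netlink-infinite-recursion.patch introduces into nl_fib_lookup(), so it has to stay after it, as it does here.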