Dear Security Team,

This bug was reopened because the original fix from upstream was found to be incomplete.

Please may I upload to wheezy-security with the attached debdiff, replacing the CVE-2015-1414 patch with the new one, and also patching CVE-2015-2923 (Debian Bug #782735).

I've been running kfreebsd-9 with these patches for some weeks, and they are applied already to kfreebsd-10 in sid/jessie-kfreebsd.

Thanks,
Regards,
-- 
Steven Chamberlain
ste...@pyro.eu.org

diff -Nru kfreebsd-9-9.0/debian/changelog kfreebsd-9-9.0/debian/changelog --- kfreebsd-9-9.0/debian/changelog 2015-02-25 13:13:10.000000000 +0000 +++ kfreebsd-9-9.0/debian/changelog 2015-05-10 19:53:49.000000000 +0000 @@ -1,3 +1,13 @@ +kfreebsd-9 (9.0-10+deb70.10) wheezy-security; urgency=high + + * Pick SVN r281231 from FreeBSD 9-STABLE to fix: + - SA-15:04: integer overflow in IGMP protocol (CVE-2015-1414) + updated patch from advisory revision 1.1 (Closes: #779201) + - SA-15:09: Denial of Service with IPv6 Router Advertisements + (CVE-2015-2923) (Closes: #782735) + + -- Steven Chamberlain <ste...@pyro.eu.org> Thu, 16 Apr 2015 21:45:05 +0000 + kfreebsd-9 (9.0-10+deb70.9) wheezy-security; urgency=medium * Upstream patch for FreeBSD-SA-15:04.igmp / CVE-2015-1414 (Closes: #779201) diff -Nru kfreebsd-9-9.0/debian/patches/SA-15_04.igmp.patch kfreebsd-9-9.0/debian/patches/SA-15_04.igmp.patch --- kfreebsd-9-9.0/debian/patches/SA-15_04.igmp.patch 1970-01-01 00:00:00.000000000 +0000 +++ kfreebsd-9-9.0/debian/patches/SA-15_04.igmp.patch 2015-04-16 21:44:56.000000000 +0000 
@@ -0,0 +1,41 @@ +Description: + Fix integer overflow in IGMP protocol [SA-15:04] (CVE-2015-1414) + . + Updated patch from advisory revision 1.1 +Origin: vendor, https://security.FreeBSD.org/patches/SA-15:04/igmp-errata.patch +Bug: https://www.freebsd.org/security/advisories/FreeBSD-SA-15:04.igmp.asc +Bug-Debian: https://bugs.debian.org/779201 +Applied-Upstream: https://svnweb.freebsd.org/base?view=revision&revision=281231 + +--- a/sys/netinet/igmp.c ++++ b/sys/netinet/igmp.c +@@ -1532,8 +1532,7 @@ + case IGMP_VERSION_3: { + struct igmpv3 *igmpv3; + uint16_t igmpv3len; +- uint16_t srclen; +- int nsrc; ++ uint16_t nsrc; + + IGMPSTAT_INC(igps_rcv_v3_queries); + igmpv3 = (struct igmpv3 *)igmp; +@@ -1541,8 +1540,8 @@ + * Validate length based on source count. + */ + nsrc = ntohs(igmpv3->igmp_numsrc); +- srclen = sizeof(struct in_addr) * nsrc; +- if (nsrc * sizeof(in_addr_t) > srclen) { ++ if (nsrc * sizeof(in_addr_t) > ++ UINT16_MAX - iphlen - IGMP_V3_QUERY_MINLEN) { + IGMPSTAT_INC(igps_rcv_tooshort); + return; + } +@@ -1551,7 +1550,7 @@ + * this scope. + */ + igmpv3len = iphlen + IGMP_V3_QUERY_MINLEN + +- srclen; ++ sizeof(struct in_addr) * nsrc; + if ((m->m_flags & M_EXT || + m->m_len < igmpv3len) && + (m = m_pullup(m, igmpv3len)) == NULL) { diff -Nru kfreebsd-9-9.0/debian/patches/SA-15_09.ipv6.patch kfreebsd-9-9.0/debian/patches/SA-15_09.ipv6.patch --- kfreebsd-9-9.0/debian/patches/SA-15_09.ipv6.patch 1970-01-01 00:00:00.000000000 +0000 +++ kfreebsd-9-9.0/debian/patches/SA-15_09.ipv6.patch 2015-04-16 21:36:56.000000000 +0000 
@@ -0,0 +1,28 @@ +Description: + Fix Denial of Service with IPv6 Router Advertisements [SA-15:09] (CVE-2015-2923) +Origin: vendor, https://security.FreeBSD.org/patches/SA-15:09/ipv6.patch +Bug: https://www.freebsd.org/security/advisories/FreeBSD-SA-15:09.ipv6.asc +Bug-Debian: https://bugs.debian.org/782735 +Applied-Upstream: https://svnweb.freebsd.org/base?view=revision&revision=281231 + +--- a/sys/netinet6/nd6_rtr.c ++++ b/sys/netinet6/nd6_rtr.c +@@ -293,8 +293,16 @@ + } + if (nd_ra->nd_ra_retransmit) + ndi->retrans = ntohl(nd_ra->nd_ra_retransmit); +- if (nd_ra->nd_ra_curhoplimit) +- ndi->chlim = nd_ra->nd_ra_curhoplimit; ++ if (nd_ra->nd_ra_curhoplimit) { ++ if (ndi->chlim < nd_ra->nd_ra_curhoplimit) ++ ndi->chlim = nd_ra->nd_ra_curhoplimit; ++ else if (ndi->chlim != nd_ra->nd_ra_curhoplimit) { ++ log(LOG_ERR, "RA with a lower CurHopLimit sent from " ++ "%s on %s (current = %d, received = %d). " ++ "Ignored.\n", ip6_sprintf(ip6bufs, &ip6->ip6_src), ++ if_name(ifp), ndi->chlim, nd_ra->nd_ra_curhoplimit); ++ } ++ } + dr = defrtrlist_update(&dr0); + } + diff -Nru kfreebsd-9-9.0/debian/patches/series kfreebsd-9-9.0/debian/patches/series --- kfreebsd-9-9.0/debian/patches/series 2015-02-25 13:01:55.000000000 +0000 +++ kfreebsd-9-9.0/debian/patches/series 2015-05-10 19:52:09.000000000 +0000 @@ -24,6 +24,8 @@ SA-14_17.kern.patch SA-14_22.namei.patch SA-14_25.setlogin.patch +SA-15_04.igmp.patch +SA-15_09.ipv6.patch # Other patches that might or might not be mergeable 001_misc.diff @@ -59,4 +61,3 @@ 950_no_stack_protector.diff 999_config.diff 999_firmware.diff -svn279263-FreeBSD-SA-15:04.igmp diff -Nru kfreebsd-9-9.0/debian/patches/svn279263-FreeBSD-SA-15:04.igmp kfreebsd-9-9.0/debian/patches/svn279263-FreeBSD-SA-15:04.igmp --- kfreebsd-9-9.0/debian/patches/svn279263-FreeBSD-SA-15:04.igmp 2015-02-25 13:05:17.000000000 +0000 +++ kfreebsd-9-9.0/debian/patches/svn279263-FreeBSD-SA-15:04.igmp 1970-01-01 00:00:00.000000000 +0000 
@@ -1,15 +0,0 @@ -Index: 9/sys/netinet/igmp.c -=================================================================== ---- 9/sys/netinet/igmp.c (revision 279262) -+++ 9/sys/netinet/igmp.c (revision 279263) -@@ -1533,8 +1533,8 @@ - case IGMP_VERSION_3: { - struct igmpv3 *igmpv3; - uint16_t igmpv3len; -- uint16_t srclen; -- int nsrc; -+ uint16_t nsrc; -+ int srclen; - - IGMPSTAT_INC(igps_rcv_v3_queries); - igmpv3 = (struct igmpv3 *)igmp;
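
Review bot: the new debian/changelog entry never says that the previous upload's patch file, svn279263-FreeBSD-SA-15:04.igmp, is dropped and superseded by SA-15_04.igmp.patch, although the diff deletes that file and removes it from debian/patches/series. A line such as "Drop svn279263-FreeBSD-SA-15:04.igmp, superseded by SA-15_04.igmp.patch" would make the replacement visible to anyone reading only the changelog. The trailer date (16 Apr 2015) is also earlier than the changelog timestamp in the diff header (2015-05-10), so it may be worth refreshing before upload.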
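
Review bot: in the rewritten length check of the sys/netinet/igmp.c hunk, the right-hand side "UINT16_MAX - iphlen - IGMP_V3_QUERY_MINLEN" relies on iphlen, whose type and range are not visible in the hunk. The left-hand side "nsrc * sizeof(in_addr_t)" is a size_t, so if the right-hand side could ever be negative it would be converted to a very large unsigned value and the check would never reject anything. Please confirm iphlen is bounded by the caller, or note that in the patch Description. Two smaller points: the test uses sizeof(in_addr_t) while the igmpv3len computation below uses sizeof(struct in_addr), and using the same expression in both places would make it obvious that the bound matches the sum; and an oversized source count is counted under igps_rcv_tooshort, which may confuse anyone reading the statistics.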
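
Review bot: the log(LOG_ERR, ...) call in the new else-if branch of the sys/netinet6/nd6_rtr.c hunk runs once for every Router Advertisement that carries a lower CurHopLimit, and nothing in the hunk limits its rate, so a host on the link that keeps sending such RAs can fill the system log at error priority. Consider rate-limiting the message or lowering its priority. The hunk also makes ndi->chlim increase-only: a router that legitimately lowers its advertised hop limit is now ignored, and that behaviour change deserves a sentence in the patch Description.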
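
Review bot: in debian/patches/series the replacement SA-15_04.igmp.patch is inserted directly after SA-14_25.setlogin.patch, while the removed svn279263-FreeBSD-SA-15:04.igmp entry was the last line of the file, so the igmp.c change now applies before 001_misc.diff and every later patch rather than on top of them. Please confirm the whole series still applies cleanly, without fuzz or offsets, to sys/netinet/igmp.c and sys/netinet6/nd6_rtr.c in the new order.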