On mer., 2011-10-12 at 15:56 +0200, Yves-Alexis Perez wrote: > On mer., 2011-10-12 at 15:00 +0200, Yves-Alexis Perez wrote: > > On ven., 2011-10-07 at 16:38 +0200, Yves-Alexis Perez wrote: > > > On ven., 2011-10-07 at 13:35 +0200, Yves-Alexis Perez wrote: > > > > I'm reporting only one bug for all the issues, which can be fixed by > > > > uploading 1.8.2-1 to unstable. For squeeze, backporting the patches > > > > should be fairly straightforward. > > > > > > Attached is an attempted debdiff for stable-security. > > > > > An updated fix for CVE-2011-3603 is available at > > https://github.com/reubenhwk/radvd/commit/7a1471b62da88373e8f4209d503307c5d841b81f > > > > so I'll make an updated package for stable-security. 1.8.3 should be > > released soon for the same reason. > > Here's the updated debdiff.
Here's the debdiff for Lenny. Since I got no news from the maintainer, I guess I'll prepare a 1.8.2 NMU with the 7a1471 patch backported for unstable. Regards, -- Yves-Alexis
diff -u radvd-1.1/debian/changelog radvd-1.1/debian/changelog
--- radvd-1.1/debian/changelog
+++ radvd-1.1/debian/changelog
@@ -1,3 +1,24 @@
+radvd (1:1.1-3.1) oldstable-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * debian/patches: backport patches from upstream to fix various security
+ issues: closes: #644614
+ - 0001-set_interface_var-doesn-t-check-interface-name-and-b fix arbitrary
+ file overwrite (CVE-2011-3602)
+ - 0002-main-must-fail-on-privsep_init-errors-it-must-not-ru,
+ 0003-privsep_read_loop-should-return-on-unprivileged-daem and
+ 0004-Really-exit-on-privsep-init-failure fix failure to check return
+ code of privilege dropping function (CVE-2011-3603)
+ - 0005-process_ra-has-numerous-missed-len-checks.-It-leads- fix multiple
+ buffer overreads (CVE-2011-3604)
+ - 0006-removing-mdelay-in-unicast-only-case fix a denial of service
+ (CVE-2011-3605)
+ - 0007-checking-iface-name-more-carefully on top of
+ 0001-set_interface_var-doesn-t-check-interface-name-and-b
+ (CVE-2011-3602)
+
+ -- Yves-Alexis Perez <cor...@debian.org> Fri, 14 Oct 2011 08:58:40 +0200
+
radvd (1:1.1-3) unstable; urgency=low
* Check for ipv6 forwarding in initscript (Closes: #498038)
only in patch2:
unchanged:
--- radvd-1.1.orig/debian/patches/0006-removing-mdelay-in-unicast-only-case.patch
+++ radvd-1.1/debian/patches/0006-removing-mdelay-in-unicast-only-case.patch
@@ -0,0 +1,21 @@
+From 2591d0189257caeaae2057dfed0a260310497a61 Mon Sep 17 00:00:00 2001
+From: Reuben Hawkins <reuben...@gmail.com>
+Date: Tue, 4 Oct 2011 13:18:47 -0700
+Subject: [PATCH] removing mdelay in unicast only case
+
+---
+ process.c | 1 -
+ 1 files changed, 0 insertions(+), 1 deletions(-)
+
+Index: radvd-1.1/process.c
+===================================================================
+--- radvd-1.1.orig/process.c 2011-10-14 09:06:02.000000000 +0200
++++ radvd-1.1/process.c 2011-10-14 09:06:36.419442708 +0200
+@@ -191,7 +191,6 @@
+ dlog(LOG_DEBUG, 3, "random mdelay for %s: %.2f", iface->Name, delay);
+
+ if (iface->UnicastOnly) {
+- mdelay(delay);
+ send_ra(sock, iface, &addr->sin6_addr);
+ }
+ else if ((tv.tv_sec + tv.tv_usec / 1000000.0) - (iface->last_multicast_sec +
only in patch2:
unchanged:
--- radvd-1.1.orig/debian/patches/0004-Really-exit-on-privsep-init-failure.patch
+++ radvd-1.1/debian/patches/0004-Really-exit-on-privsep-init-failure.patch
@@ -0,0 +1,28 @@
+From 7dc53cc3b792775369bf0b2f053a3f4ed5d87e3d Mon Sep 17 00:00:00 2001
+From: Vasiliy Kulikov <seg...@openwall.com>
+Date: Tue, 4 Oct 2011 18:12:26 +0400
+Subject: [PATCH] Really exit on privsep init failure.
+
+---
+ radvd.c | 4 +++-
+ 1 files changed, 3 insertions(+), 1 deletions(-)
+
+diff --git a/radvd.c b/radvd.c
+index 3962d24..109b83a 100644
+--- a/radvd.c
++++ b/radvd.c
+@@ -270,8 +270,10 @@ main(int argc, char *argv[])
+ if (username) {
+ if (!singleprocess) {
+ dlog(LOG_DEBUG, 3, "Initializing privsep");
+- if (privsep_init() < 0)
++ if (privsep_init() < 0) {
+ perror("Failed to initialize privsep.");
++ exit(1);
++ }
+ }
+
+ if (drop_root_privileges(username) < 0) {
+--
+1.7.6.3
+
only in patch2:
unchanged:
--- radvd-1.1.orig/debian/patches/0001-set_interface_var-doesn-t-check-interface-name-and-b.patch
+++ radvd-1.1/debian/patches/0001-set_interface_var-doesn-t-check-interface-name-and-b.patch
@@ -0,0 +1,36 @@
+From 92e22ca23e52066da2258df8c76a2dca8a428bcc Mon Sep 17 00:00:00 2001
+From: Vasiliy Kulikov <seg...@openwall.com>
+Date: Tue, 4 Oct 2011 00:33:15 -0700
+Subject: [PATCH] set_interface_var() doesn't check interface name and blindly
+ does fopen(path "/" ifname, "w") on it. As "ifname" is an
+ untrusted input, it should be checked for ".." and/or "/"
+ in it. Otherwise, an infected unprivileged daemon may
+ overwrite contents of file named "mtu", "hoplimit", etc. in
+ arbitrary location with arbitrary 32-bit value in decimal
+ representation ("%d"). If an attacker has a local account
+ or may create arbitrary symlinks with these names in any
+ location (e.g. /tmp), any file may be overwritten with a
+ decimal value.
+
+---
+ device-linux.c | 4 ++++
+ 1 files changed, 4 insertions(+), 0 deletions(-)
+
+diff --git a/device-linux.c b/device-linux.c
+index 3bb0beb..709eebc 100644
+--- a/device-linux.c
++++ b/device-linux.c
+@@ -243,6 +243,10 @@ set_interface_var(const char *iface,
+ if (snprintf(spath, sizeof(spath), var, iface) >= sizeof(spath))
+ return -1;
+
++ /* No path traversal */
++ if (strstr(name, "..") || strchr(name, '/'))
++ return -1;
++
+ if (access(spath, F_OK) != 0)
+ return -1;
+
+--
+1.7.6.3
+
only in patch2:
unchanged:
--- radvd-1.1.orig/debian/patches/0007-checking-iface-name-more-carefully.patch
+++ radvd-1.1/debian/patches/0007-checking-iface-name-more-carefully.patch
@@ -0,0 +1,26 @@
+From 7a1471b62da88373e8f4209d503307c5d841b81f Mon Sep 17 00:00:00 2001
+From: Vasiliy Kulikov <seg...@openwall.com>
+Date: Sat, 8 Oct 2011 09:26:58 -0700
+Subject: [PATCH] checking iface name more carefully
+
+modified: device-linux.c
+---
+ device-linux.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/device-linux.c b/device-linux.c
+index c836f93..9187b4e 100644
+--- a/device-linux.c
++++ b/device-linux.c
+@@ -244,7 +244,7 @@ set_interface_var(const char *iface,
+ return -1;
+
+ /* No path traversal */
+- if (strstr(name, "..") || strchr(name, '/'))
++ if (!iface[0] || !strcmp(iface, ".") || !strcmp(iface, "..") || strchr(iface, '/'))
+ return -1;
+
+ if (access(spath, F_OK) != 0)
+--
+1.7.7
+
only in patch2:
unchanged:
--- radvd-1.1.orig/debian/patches/0002-main-must-fail-on-privsep_init-errors-it-must-not-ru.patch
+++ radvd-1.1/debian/patches/0002-main-must-fail-on-privsep_init-errors-it-must-not-ru.patch
@@ -0,0 +1,26 @@
+From 2c50375043186e133f15135f4c93ca964238ee60 Mon Sep 17 00:00:00 2001
+From: Vasiliy Kulikov <seg...@openwall.com>
+Date: Tue, 4 Oct 2011 00:35:20 -0700
+Subject: [PATCH] main() must fail on privsep_init() errors, it must not run
+ without privilege separation as privsep is expected.
+
+---
+ radvd.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/radvd.c b/radvd.c
+index af74f17..3962d24 100644
+--- a/radvd.c
++++ b/radvd.c
+@@ -271,7 +271,7 @@ main(int argc, char *argv[])
+ if (!singleprocess) {
+ dlog(LOG_DEBUG, 3, "Initializing privsep");
+ if (privsep_init() < 0)
+- flog(LOG_WARNING, "Failed to initialize privsep.");
++ perror("Failed to initialize privsep.");
+ }
+
+ if (drop_root_privileges(username) < 0) {
+--
+1.7.6.3
+
only in patch2:
unchanged:
--- radvd-1.1.orig/debian/patches/0003-privsep_read_loop-should-return-on-unprivileged-daem.patch
+++ radvd-1.1/debian/patches/0003-privsep_read_loop-should-return-on-unprivileged-daem.patch
@@ -0,0 +1,27 @@
+From 074816cd0b37aac7b3209987e6e998f0a847b275 Mon Sep 17 00:00:00 2001
+From: Vasiliy Kulikov <seg...@openwall.com>
+Date: Tue, 4 Oct 2011 00:43:20 -0700
+Subject: [PATCH] privsep_read_loop() should return on unprivileged daemon
+ death / socket close(), not loop forever with polling
+ read() getting -1.
+
+---
+ privsep-linux.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/privsep-linux.c b/privsep-linux.c
+index d6717bf..15a9e1b 100644
+--- a/privsep-linux.c
++++ b/privsep-linux.c
+@@ -63,7 +63,7 @@ privsep_read_loop(void)
+ }
+ if (ret != sizeof(cmd)) {
+ /* Short read, ignore */
+- continue;
++ return;
+ }
+
+ cmd.iface[IFNAMSIZ-1] = '\0';
+--
+1.7.6.3
+
only in patch2:
unchanged:
--- radvd-1.1.orig/debian/patches/0005-process_ra-has-numerous-missed-len-checks.-It-leads-.patch
+++ radvd-1.1/debian/patches/0005-process_ra-has-numerous-missed-len-checks.-It-leads-.patch
@@ -0,0 +1,44 @@
+From 7de1b9abf87b747ee2611c0d2a94dfeee79878b4 Mon Sep 17 00:00:00 2001
+From: Vasiliy Kulikov <seg...@openwall.com>
+Date: Tue, 4 Oct 2011 00:35:57 -0700
+Subject: [PATCH] process_ra() has numerous missed len checks. It leads to
+ buffer overreads.
+
+---
+ process.c | 11 +++++++++++
+ 1 files changed, 11 insertions(+), 0 deletions(-)
+
+diff --git a/process.c b/process.c
+index 3307daa..f30d147 100644
+--- a/process.c
++++ b/process.c
+@@ -310,6 +310,8 @@ process_ra(struct Interface *iface, unsigned char *msg, int len,
+ {
+ case ND_OPT_MTU:
+ mtu = (struct nd_opt_mtu *)opt_str;
++ if (len < sizeof(*mtu))
++ return;
+
+ if (iface->AdvLinkMTU && (ntohl(mtu->nd_opt_mtu_mtu) != iface->AdvLinkMTU))
+ {
+@@ -319,6 +321,8 @@ process_ra(struct Interface *iface, unsigned char *msg, int len,
+ break;
+ case ND_OPT_PREFIX_INFORMATION:
+ pinfo = (struct nd_opt_prefix_info *) opt_str;
++ if (len < sizeof(*pinfo))
++ return;
+ preferred = ntohl(pinfo->nd_opt_pi_preferred_time);
+ valid = ntohl(pinfo->nd_opt_pi_valid_time);
+
+@@ -373,6 +377,8 @@ process_ra(struct Interface *iface, unsigned char *msg, int len,
+ break;
+ case ND_OPT_RDNSS_INFORMATION:
+ rdnssinfo = (struct nd_opt_rdnss_info_local *) opt_str;
++ if (len < sizeof(*rdnssinfo))
++ return;
+ count = rdnssinfo->nd_opt_rdnssi_len;
+
+ /* Check the RNDSS addresses received */
+--
+1.7.6.3
+
signature.asc
Description: This is a digitally signed message part
