On ven., 2011-10-14 at 23:26 +0200, Yves-Alexis Perez wrote:
> On ven., 2011-10-14 at 09:10 +0200, Yves-Alexis Perez wrote:
> > Here's the debdiff for Lenny. Since I got no news from the maintainer, I
> > guess I'll prepare a 1.8.2 NMU with the 7a1471 patch backported for
> > unstable.
>
> 1.8.3 is out but that makes a diff a bit too huge for an NMU maybe.
> Backporting only the relevant patch makes it a bit smaller, so here's
> the debdiff I'm gonna upload to DELAYED/2.
>
Fix for CVE-2011-3601 was missing so here's the debdiff to the -1.2 NMU, just uploaded to unstable.
Regards,
--
Yves-Alexis
diff -u radvd-1.8/debian/changelog radvd-1.8/debian/changelog --- radvd-1.8/debian/changelog +++ radvd-1.8/debian/changelog @@ -1,3 +1,13 @@ +radvd (1:1.8-1.2) unstable; urgency=high + + * Non-maintainer upload by the Security Team. + * debian/patches: + - add 0008-In-process_ra-ND_OPT_DNSSL_INFORMATION-option-parsin, + backported from upstream, fix a buffer overflow leading to privilege + escalation (CVE-2011-3601). + + -- Yves-Alexis Perez <cor...@debian.org> Mon, 17 Oct 2011 18:24:08 +0200 + radvd (1:1.8-1.1) unstable; urgency=high * Non-maintainer upload by the Security Team. only in patch2: unchanged: --- radvd-1.8.orig/debian/patches/0008-In-process_ra-ND_OPT_DNSSL_INFORMATION-option-parsin.patch +++ radvd-1.8/debian/patches/0008-In-process_ra-ND_OPT_DNSSL_INFORMATION-option-parsin.patch 
@@ -0,0 +1,45 @@ +From 9dfaaaf740ce784541e76e68de4ae04dce2c0921 Mon Sep 17 00:00:00 2001 +From: Vasiliy Kulikov <seg...@openwall.com> +Date: Tue, 4 Oct 2011 00:31:15 -0700 +Subject: [PATCH] In process_ra() ND_OPT_DNSSL_INFORMATION option parsing + "label_len" is not checked for negativeness; it leads to + "suffix" buffer overflow, which leads to privilege + escalation (at least with -fno-stack-protector, I didn't + discover whether it's possible with -fstack-protector). + +--- + process.c | 11 +++++++++-- + 1 files changed, 9 insertions(+), 2 deletions(-) + +diff --git a/process.c b/process.c +index 302bb4f..3307daa 100644 +--- a/process.c ++++ b/process.c +@@ -280,7 +280,7 @@ process_ra(struct Interface *iface, unsigned char *msg, int len, + char prefix_str[INET6_ADDRSTRLEN]; + char rdnss_str[INET6_ADDRSTRLEN]; + char suffix[256]; +- int offset, label_len; ++ unsigned int offset, label_len; + uint32_t preferred, valid, count; + + if (len < 2) +@@ -434,7 +434,14 @@ process_ra(struct Interface *iface, unsigned char *msg, int len, + continue; + } + +- if ((sizeof(suffix) - strlen(suffix)) < (label_len + 2)) { ++ /* ++ * 1) must not overflow int: label + 2, offset + label_len ++ * 2) last byte of dnssli_suffix must not overflow opt_str + len ++ */ ++ if ((sizeof(suffix) - strlen(suffix)) < (label_len + 2) || ++ label_len > label_len + 2 || ++ &dnsslinfo->nd_opt_dnssli_suffixes[offset+label_len] - (char*)opt_str >= len || ++ offset + label_len < offset) { + flog(LOG_ERR, "oversized suffix in DNSSL option on %s from %s", + iface->Name, addr_str); + break; +-- +1.7.7 +
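Review bot: minor wording in the changelog hunk: the bullet reads "add 0008-..., backported from upstream, fix a buffer overflow leading to privilege escalation (CVE-2011-3601)"; the subject of that clause is the patch, so "fixes a buffer overflow" reads correctly, and keeping the CVE id in the changelog is good since it is the only place in this debdiff where it appears.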
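Review bot: the new patch file 0008-In-process_ra-ND_OPT_DNSSL_INFORMATION-option-parsin.patch carries only the git format-patch header (From 9dfaaaf740ce784541e76e68de4ae04dce2c0921, From:, Date:, Subject:) and never mentions CVE-2011-3601; add the CVE id to the description block so the patch is self-describing when read apart from debian/changelog, and the Subject's open question about -fstack-protector is worth a follow-up note rather than being left as the only statement of exploitability.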
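Review bot: the first process.c hunk (@@ -280,7 +280,7 @@) changes nothing but `- int offset, label_len;` to `+ unsigned int offset, label_len;`, and that one line is what gives the existing `(sizeof(suffix) - strlen(suffix)) < (label_len + 2)` test its teeth: with a signed label_len of -1 the right-hand side is 1 and the check passes, which is the negative-value path the Subject line describes. That reasoning exists only in the commit subject; add a short comment beside the declaration so a later cleanup does not quietly revert the type. Note also that the function's `len` parameter stays a signed `int` in the @@ line, so the second hunk compares a ptrdiff_t against it.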
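Review bot: in the second hunk (@@ -434,7 +434,14 @@) the wraparound guard `offset + label_len < offset` is the last operand of the `||` chain, but `&dnsslinfo->nd_opt_dnssli_suffixes[offset+label_len] - (char*)opt_str >= len` is evaluated two operands earlier, so when the sum wraps the pointer is formed from the wrapped index before the test that is meant to reject it; move `label_len > label_len + 2 ||` and `offset + label_len < offset ||` to the front of the condition so the pointer arithmetic only runs on values already known not to wrap. The added comment `1) must not overflow int: label + 2, offset + label_len` no longer matches the code now that both variables are unsigned; say "must not wrap unsigned" and spell `label_len` in full so the comment names the variable it describes.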