Hi, the previous patch was missing a part of the fix in sockprot.cpp. I uploaded a fixed version, patch attached and available on: http://people.debian.org/~nion/nmu-diff/tcpreen-1.4.3-0.1_1.4.3-0.2.patch
Kind regards Nico -- Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
diff -u tcpreen-1.4.3/debian/changelog tcpreen-1.4.3/debian/changelog --- tcpreen-1.4.3/debian/changelog +++ tcpreen-1.4.3/debian/changelog @@ -1,3 +1,21 @@ +tcpreen (1.4.3-0.3) unstable; urgency=high + + * Non-maintainer upload by security team. + * Add missing part of the previous security fix in + sockprot.cpp (Closes: #457781). + + -- Nico Golde <[EMAIL PROTECTED]> Tue, 25 Dec 2007 23:22:57 +0100 + +tcpreen (1.4.3-0.2) unstable; urgency=high + + * Non-maintainer upload by security team. + * This update addresses the following security issue: + - remote buffer-overflow vulnerability in bridge.cpp because + tcpreen fails to check user supplied data passed to + the monitor_bridge function (Closes: #457781). + + -- Nico Golde <[EMAIL PROTECTED]> Tue, 25 Dec 2007 17:32:38 +0100 + tcpreen (1.4.3-0.1) unstable; urgency=low * NMU, with permission from maintainer. --- tcpreen-1.4.3.orig/libsolve/sockprot.cpp +++ tcpreen-1.4.3/libsolve/sockprot.cpp @@ -229,14 +229,19 @@ if (nonblock) return fd; +#ifndef WIN32 + if (fd >= FD_SETSIZE) + { + close (fd); + errno = EMFILE; + } +#endif + /* Waits until connection is established */ fd_set s; FD_ZERO (&s); FD_SET (fd, &s); - int err = 0; - socklen_t len = sizeof (err); - if (select (fd + 1, NULL, &s, NULL, NULL) != 1) { SetError (); @@ -248,6 +253,9 @@ continue; } + int err = 0; + socklen_t len = sizeof (err); + if (getsockopt (fd, SOL_SOCKET, SO_ERROR, &err, &len)) { SetError (); only in patch2: unchanged: --- tcpreen-1.4.3.orig/src/bridge.cpp +++ tcpreen-1.4.3/src/bridge.cpp @@ -23,6 +23,7 @@ # include <config.h> #endif +#include <errno.h> #include <string.h> // memmove() #include <limits.h> // LONG_MAX #include <sys/types.h> @@ -115,6 +116,14 @@ long totalcount = 0; bridge b[2]; +#ifndef WIN32 + if ((fds[0] >= FD_SETSIZE) || (fds[1] >= FD_SETSIZE)) + { + errno = EINVAL; + return -1; + } +#endif + b[0].outfd = b[1].infd = fds[0]; b[0].infd = b[1].outfd = fds[1]; b[0].buflen = b[1].buflen = 0;
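Review bot: In the sockprot.cpp hunk at -229, the new `if (fd >= FD_SETSIZE)` guard closes the descriptor and sets errno but never leaves the block. As far as the hunk shows, execution still reaches `FD_SET (fd, &s)` and `select (fd + 1, ...)` with a descriptor that is out of range for the fd_set and already closed, which is the out-of-bounds write the guard is meant to prevent. The `continue;` visible in the failure path of the following hunk suggests this code sits in a retry loop, so the block likely needs `continue;` after `errno = EMFILE;`, preceded by `SetError ();` if that is how the other failure paths record errno. The enclosing function and loop start outside the hunk, so confirm this against the full file.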
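Review bot: The bound check added before `b[0].outfd = b[1].infd = fds[0];` in bridge.cpp rejects descriptors at or above FD_SETSIZE but not negative ones, and FD_SET on a negative descriptor indexes outside the fd_set just as an oversized one does. Whether a caller can pass -1 is not visible here; if it can, extend the condition with `(fds[0] < 0) || (fds[1] < 0)`. A one-line comment such as `/* select() cannot handle descriptors >= FD_SETSIZE; FD_SET would write outside the fd_set */` would keep the reason next to the check. The function's signature and the rest of its body are outside the hunk, so also confirm that the caller closes both descriptors when this early `return -1` is taken.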