rpms/mipv6-daemon/devel mipv6-daemon-nd-opts-sanity-check.patch, NONE, 1.1 mipv6-daemon-netlink-msg-origin-check.patch, NONE, 1.1 mipv6-daemon.spec, 1.4, 1.5
Thomas Graf
tgraf at fedoraproject.org
Wed Jul 14 13:03:33 UTC 2010
- Previous message: rpms/xmlcopyeditor/devel xmlcopyeditor.spec,1.5,1.6
- Next message: rpms/openoffice.org/devel openoffice.org.spec, 1.2287, 1.2288 workspace.gtk3.patch, 1.8, 1.9 openoffice.org-3.0.0.ooo87970.vcl.samenamesubs.patch, 1.7, NONE openoffice.org-3.0.1.oooXXXXX.fpicker.allformatsonsave.patch, 1.3, NONE openoffice.org-3.2.0.ooo107151.sc.pop-empty-cell.patch, 1.2, NONE openoffice.org-3.2.0.ooo111886.sw.layout.workaround.patch, 1.1, NONE
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: tgraf
Update of /cvs/pkgs/rpms/mipv6-daemon/devel
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv29587
Modified Files:
mipv6-daemon.spec
Added Files:
mipv6-daemon-nd-opts-sanity-check.patch
mipv6-daemon-netlink-msg-origin-check.patch
Log Message:
- Fix CVE-2010-2522 and CVE-2010-2523 by including the patches:
- Additional sanity checks for ND options length
- Security fix: Check origin of netlink messages in netlink helpers.
mipv6-daemon-nd-opts-sanity-check.patch:
ha.c | 7 ++++++-
mn.c | 6 ++----
2 files changed, 8 insertions(+), 5 deletions(-)
--- NEW FILE mipv6-daemon-nd-opts-sanity-check.patch ---
From: Romain Kuntz <kuntz at lsiit.u-strasbg.fr>
Date: Sat, 24 Oct 2009 23:34:32 +0000 (+0200)
Subject: Additional sanity checks for ND options length
X-Git-Url: http://www.umip.org/gitweb?p=umip.git;a=commitdiff_plain;h=3fd3941434a0ee567f874e56c53a5d0855c945e3
Additional sanity checks for ND options length
---
diff --git a/src/ha.c b/src/ha.c
index a091490..8d37af9 100644
--- a/src/ha.c
+++ b/src/ha.c
@@ -106,7 +106,8 @@ static void ha_recv_ra(const struct icmp6_hdr *ih, ssize_t len,
if (opt[0] == ND_OPT_PREFIX_INFORMATION) {
struct nd_opt_prefix_info *p;
p = (struct nd_opt_prefix_info *)opt;
- if (p->nd_opt_pi_prefix_len > 128)
+
+ if (olen < sizeof(*p) || p->nd_opt_pi_prefix_len > 128)
return;
p->nd_opt_pi_valid_time =
ntohl(p->nd_opt_pi_valid_time);
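Review bot: the added `olen < sizeof(*p)` guard is the right fix for a short prefix-information option, but it `return`s from ha_recv_ra and discards the whole RA rather than skipping the one malformed option; that is defensible (a malformed option is a reason to distrust the advertisement) but deserves a one-line comment saying so. The check also assumes `olen` was already bounded against the remaining `len` earlier in the option loop, which this hunk does not show; since `olen` comes from the packet, please confirm that bound exists. Minor: the blank line inserted after `p = (struct nd_opt_prefix_info *)opt;` is a spurious whitespace change.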
@@ -119,6 +120,10 @@ static void ha_recv_ra(const struct icmp6_hdr *ih, ssize_t len,
ra->nd_ra_flags_reserved & ND_RA_FLAG_HOME_AGENT) {
struct nd_opt_homeagent_info *hainfo;
hainfo = (struct nd_opt_homeagent_info *)opt;
+
+ if (olen < sizeof(*hainfo))
+ return;
+
pref = ntohs(hainfo->nd_opt_hai_preference);
life = ntohs(hainfo->nd_opt_hai_lifetime);
flags = hainfo->nd_opt_hai_flags_reserved;
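Review bot: same pattern as the prefix-information branch: `if (olen < sizeof(*hainfo)) return;` now precedes the three field reads (`pref`, `life`, `flags`) that follow it, which is correct. Because the enclosing condition already requires `ND_RA_FLAG_HOME_AGENT` to be set, a truncated home-agent-information option means an advertised home agent is silently ignored; a debug log line at the `return` would make a misbehaving home agent on the link visible rather than just dropped.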
diff --git a/src/mn.c b/src/mn.c
index 4743472..cb88662 100644
--- a/src/mn.c
+++ b/src/mn.c
@@ -1815,10 +1815,8 @@ static int mn_recv_na(int fd, struct home_addr_info *hai,
iif = pkt_info.ipi6_ifindex;
na = (struct nd_neighbor_advert *)msg;
- if (iif != ifindex ||
- hoplimit < 255 || na->nd_na_code != 0 ||
- len < sizeof(struct nd_neighbor_advert) ||
- IN6_IS_ADDR_MULTICAST(&na->nd_na_target) ||
+ if (iif != ifindex || hoplimit < 255 || len < sizeof(*na) ||
+ na->nd_na_code != 0 || IN6_IS_ADDR_MULTICAST(&na->nd_na_target) ||
(na->nd_na_flags_reserved & ND_NA_FLAG_SOLICITED &&
IN6_IS_ADDR_MULTICAST(daddr)))
return 0;
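Review bot: the reordering is the substance of this hunk, not cosmetics: `len < sizeof(*na)` now short-circuits before `na->nd_na_code` and `na->nd_na_target` are read, whereas in the removed lines `na->nd_na_code != 0` was evaluated before `len` had been checked. Add a short comment ("length check must precede field access") so a later tidy-up does not reorder the condition back. `sizeof(*na)` and `sizeof(struct nd_neighbor_advert)` are the same quantity, so that spelling change is fine.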
mipv6-daemon-netlink-msg-origin-check.patch:
libnetlink.c | 44 ++++++++++++++++++++++++++++++++++++--------
1 file changed, 36 insertions(+), 8 deletions(-)
--- NEW FILE mipv6-daemon-netlink-msg-origin-check.patch ---
From: Arnaud Ebalard <arno at natisbad.org>
Date: Sat, 24 Oct 2009 10:11:58 +0000 (+0200)
Subject: Security fix: Check origin of netlink messages in netlink helpers.
X-Git-Url: http://www.umip.org/gitweb?p=umip.git;a=commitdiff_plain;h=0e67a61ffd37cc4e3dfa8add137a5d6cd8963a8e
Security fix: Check origin of netlink messages in netlink helpers.
Sending multicast Netlink messages requires some privileges. Sending
unicast ones can be done by common users. It is then up to the
receiver to filter incoming messages to verify the origin and prevent
security issues. See http://lwn.net/Articles/329266/ for more information.
As UMIP expects only kernel messages, this patch adds additional checks
where needed to verify the kernel is the emitter of the message. Note that
this check needs to be done early (before checking if recvmsg() return
value is not 0) to prevent someone sending us an empty message and
returning.
This patch is based on an initial version by Romain.
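The receive-side filter the commit message describes, as an added example (this is not UMIP or libnetlink code, and nothing here is taken from the patch). It isolates the check ordering into two pure functions, the pre-fix order (`status == 0` decided first) beside the post-fix order (address length, then `nl_pid`, then EOF), and feeds them datagrams whose sender address is constructed in the program rather than filled in by `recvmsg()`; the port id 4242 and the 64-byte buffers are assumptions for the demonstration. The `nl_count_messages` walker shows the companion length check, `NLMSG_OK`, rejecting a message whose `nlmsg_len` exceeds what was actually received.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <linux/netlink.h>

/* Verdicts mirroring the return/continue paths of a netlink receive loop. */
enum nl_verdict {
    NL_ACCEPT = 0,    /* parse the buffer */
    NL_EOF = -1,      /* status == 0 from the expected peer: genuine EOF */
    NL_BAD_ADDR = -2, /* msg_namelen is wrong: refuse the datagram */
    NL_FOREIGN = 1    /* sender is not the expected peer: drop, keep reading */
};

/* Pre-fix ordering: EOF is decided before the sender is looked at, so any
 * local user who sends a zero-length unicast datagram triggers NL_EOF. */
enum nl_verdict nl_filter_old(const struct msghdr *msg, ssize_t status, uint32_t peer)
{
    const struct sockaddr_nl *from = (const struct sockaddr_nl *)msg->msg_name;
    if (status == 0)
        return NL_EOF;
    if (msg->msg_namelen != sizeof(*from))
        return NL_BAD_ADDR;
    if (from->nl_pid != peer)
        return NL_FOREIGN;
    return NL_ACCEPT;
}

/* Post-fix ordering: address length, then origin, then EOF. peer 0 is the
 * kernel; the kernel fills in nl_pid, so a user process cannot claim 0. */
enum nl_verdict nl_filter_new(const struct msghdr *msg, ssize_t status, uint32_t peer)
{
    const struct sockaddr_nl *from = (const struct sockaddr_nl *)msg->msg_name;
    if (msg->msg_namelen != sizeof(*from))
        return NL_BAD_ADDR;
    if (from->nl_pid != peer)
        return NL_FOREIGN;
    if (status == 0)
        return NL_EOF;
    return NL_ACCEPT;
}

/* Count the nlmsghdrs in a received buffer that pass NLMSG_OK's length checks
 * (header fits, nlmsg_len >= header size, nlmsg_len <= bytes remaining). */
int nl_count_messages(void *buf, ssize_t status)
{
    struct nlmsghdr *h = (struct nlmsghdr *)buf;
    int remaining = (int)status, n = 0;
    for (; NLMSG_OK(h, remaining); h = NLMSG_NEXT(h, remaining))
        n++;
    return n;
}

/* Constructed stand-in for what recvmsg() hands back: one datagram of
 * `status` bytes from port id from_pid, run through the chosen filter. */
enum nl_verdict nl_recv_simulated(uint32_t from_pid, ssize_t status, uint32_t peer, int use_new)
{
    struct sockaddr_nl from;
    char buf[64];
    struct iovec iov = { buf, sizeof(buf) };
    struct msghdr msg;
    memset(&from, 0, sizeof(from));
    from.nl_family = AF_NETLINK;
    from.nl_pid = from_pid;        /* constructed; the kernel sets this for real */
    memset(&msg, 0, sizeof(msg));
    msg.msg_name = &from;
    msg.msg_namelen = sizeof(from);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    return use_new ? nl_filter_new(&msg, status, peer) : nl_filter_old(&msg, status, peer);
}

/* A kernel NLMSG_DONE, as ends a dump: one well-formed message is parsed. */
int demo_kernel_done(void)
{
    union { struct nlmsghdr h; char raw[64]; } u;
    memset(&u, 0, sizeof(u));
    u.h.nlmsg_len = NLMSG_LENGTH(sizeof(int)); /* header + int payload = 20 */
    u.h.nlmsg_type = NLMSG_DONE;
    return nl_count_messages(u.raw, (ssize_t)u.h.nlmsg_len);
}

/* Same header but the datagram was cut short: nlmsg_len claims 48 bytes while
 * only the 16-byte header arrived, so NLMSG_OK rejects it and nothing parses. */
int demo_truncated(void)
{
    union { struct nlmsghdr h; char raw[64]; } u;
    memset(&u, 0, sizeof(u));
    u.h.nlmsg_len = NLMSG_LENGTH(32);
    u.h.nlmsg_type = NLMSG_DONE;
    return nl_count_messages(u.raw, (ssize_t)NLMSG_HDRLEN);
}

int main(void)
{
    printf("empty datagram from pid 4242: old filter %d (EOF), new filter %d (drop)\n",
           nl_recv_simulated(4242, 0, 0, 0), nl_recv_simulated(4242, 0, 0, 1));
    printf("empty datagram from kernel: new filter %d (genuine EOF)\n",
           nl_recv_simulated(0, 0, 0, 1));
    printf("kernel NLMSG_DONE parsed: %d; truncated header parsed: %d\n",
           demo_kernel_done(), demo_truncated());
    return 0;
}
```

The only difference between the two filters is the position of the `status == 0` test; with the old order an empty datagram from port id 4242 terminates the loop as EOF, with the new order it is dropped and the daemon keeps listening. The `<linux/netlink.h>` macros do the per-message length validation, so the walker never trusts `nlmsg_len` beyond what `recvmsg()` returned.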
---
diff --git a/libnetlink/libnetlink.c b/libnetlink/libnetlink.c
index e4f010e..b4a0aa5 100644
--- a/libnetlink/libnetlink.c
+++ b/libnetlink/libnetlink.c
@@ -185,6 +185,15 @@ int rtnl_dump_filter(struct rtnl_handle *rth,
continue;
}
+ /* Everyone can send empty messages which will led to
+ * status == 0. Before checking if status == 0, check
+ * the origin. Here, we only allow messages from kernel.
+ * --arno */
+ if (nladdr.nl_pid != 0) {
+ NLDBG("Dropping non-kernel Netlink message.\n");
+ continue;
+ }
+
if (status == 0) {
NLDBG("EOF on netlink\n");
return -1;
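Review bot: no `msg.msg_namelen != sizeof(nladdr)` check is visible ahead of the new `nladdr.nl_pid != 0` test in this hunk, unlike the rtnl_talk and rtnl_listen hunks below; if rtnl_dump_filter does not validate `msg_namelen` earlier in the loop, the origin test reads an address that recvmsg() may not have filled in. Please confirm, or add the same length check before it. Moving the origin test ahead of `status == 0` is otherwise correct: a zero-length unicast datagram from any local user previously reached the EOF path and returned -1. Typo in the comment: "will led" should be "will lead".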
@@ -287,14 +296,24 @@ int rtnl_talk(struct rtnl_handle *rtnl, struct nlmsghdr *n, pid_t peer,
NLDBG_SYS("OVERRUN");
continue;
}
- if (status == 0) {
- NLDBG("EOF on netlink\n");
- return -1;
- }
+
if (msg.msg_namelen != sizeof(nladdr)) {
NLDBG("sender address length == %d\n", msg.msg_namelen);
return -2;
}
+ /* Everyone can send empty messages which will led to
+ * status == 0. Before checking if status == 0, check
+ * the origin. --arno */
+ if (nladdr.nl_pid != peer) {
+ NLDBG("Received Netlink message from unknown peer.\n");
+ continue;
+ }
+
+ if (status == 0) {
+ NLDBG("EOF on netlink\n");
+ return -1;
+ }
+
for (h = (struct nlmsghdr*)buf; status >= sizeof(*h); ) {
int err;
int len = h->nlmsg_len;
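Review bot: comparing against `peer` instead of a hard-coded 0 is right for rtnl_talk, since a caller can address a non-kernel peer, but any caller passing a non-zero `peer` silently gives up the kernel-only guarantee the commit message describes; a comment on the parameter (or an assert in debug builds) would make that visible. The reordering also changes one return value: an empty datagram with a wrong `msg_namelen` now returns -2 where it returned -1 before, which is fine but worth a line in the commit message. Same "will led" typo in the comment.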
@@ -391,14 +410,23 @@ int rtnl_listen(struct rtnl_handle *rtnl,
NLDBG_SYS("OVERRUN");
continue;
}
- if (status == 0) {
- NLDBG("EOF on netlink\n");
- return -1;
- }
if (msg.msg_namelen != sizeof(nladdr)) {
NLDBG("Sender address length == %d\n", msg.msg_namelen);
return -2;
}
+ /* Everyone can send empty messages which will led to
+ * status == 0. Before checking if status == 0, check
+ * the origin. Here, we only allow messages from kernel.
+ * --arno */
+ if (nladdr.nl_pid != 0) {
+ NLDBG("Dropping non-kernel Netlink message.\n");
+ continue;
+ }
+
+ if (status == 0) {
+ NLDBG("EOF on netlink\n");
+ return -1;
+ }
for (h = (struct nlmsghdr*)buf; status >= sizeof(*h); ) {
int err;
int len = h->nlmsg_len;
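Review bot: this is the same change as in rtnl_dump_filter, with the `msg_namelen` check already in place ahead of the origin test, which is the order the other two hunks should match. One consequence to note: `continue` on a foreign sender goes straight back to recvmsg(), so a local user flooding the socket with empty unicast datagrams now keeps the loop busy instead of terminating it; that is the intended trade-off, but the drop is only reported under NLDBG, so consider counting drops unconditionally so the condition is observable in production. Same "will led" typo in the comment.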
Index: mipv6-daemon.spec
===================================================================
RCS file: /cvs/pkgs/rpms/mipv6-daemon/devel/mipv6-daemon.spec,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -p -r1.4 -r1.5
--- mipv6-daemon.spec 25 May 2010 13:10:27 -0000 1.4
+++ mipv6-daemon.spec 14 Jul 2010 13:03:32 -0000 1.5
@@ -1,6 +1,6 @@
Name: mipv6-daemon
Version: 0.4
-Release: 4%{?dist}
+Release: 5%{?dist}
Summary: Mobile IPv6 (MIPv6) Daemon
Group: System Environment/Daemons
@@ -12,6 +12,8 @@ Source2: mip6d.sysconfig
Source3: mip6d.conf
Patch0: mipv6-daemon-header-fix.patch
Patch1: mipv6-daemon-nemo.patch
+Patch2: mipv6-daemon-netlink-msg-origin-check.patch
+Patch3: mipv6-daemon-nd-opts-sanity-check.patch
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
BuildRequires: flex bison indent
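Review bot: Patch2 is the netlink origin fix and Patch3 the ND option fix, while the changelog entry lists them in the opposite order (ND first, netlink second). They touch disjoint files (libnetlink.c versus ha.c/mn.c), so the apply order does not matter, but listing them in one consistent order in both places avoids confusion when cross-referencing.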
@@ -25,6 +27,8 @@ reachable while moving around in the IPv
%setup -q -n mipv6-daemon-umip-%{version}
%patch0 -p1
%patch1 -p1
+%patch2 -p1
+%patch3 -p1
%build
%configure
@@ -70,6 +74,10 @@ fi
%{_mandir}/man7/*
%changelog
+* Wed Jul 14 2010 Thomas Graf <tgraf at, redhat.com> 0.4-5
+- Fix CVE-2010-2522 and CVE-2010-2523 by including the patches:
+ - Additional sanity checks for ND options length
+ - Security fix: Check origin of netlink messages in netlink helpers.
* Tue May 25 2010 Thomas Graf <tgraf at, redhat.com> 0.4-4
- Fixed initscript according to SysVInitScript guidelines:
- Corrected usage text
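Review bot: the changelog names the two CVEs but not the upstream commits; both patch headers carry the umip.git commit ids (3fd3941434a0ee567f874e56c53a5d0855c945e3 for the ND option checks and 0e67a61ffd37cc4e3dfa8add137a5d6cd8963a8e for the netlink origin check), so citing them here would let a reader trace each CVE to its upstream fix without opening the patch files.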