rpms/mipv6-daemon/F-11 mipv6-daemon-nd-opts-sanity-check.patch, NONE, 1.1 mipv6-daemon-netlink-msg-origin-check.patch, NONE, 1.1 mipv6-daemon.spec, 1.2, 1.3

Thomas Graf tgraf at fedoraproject.org
Wed Jul 14 14:34:18 UTC 2010


Author: tgraf

Update of /cvs/pkgs/rpms/mipv6-daemon/F-11
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv12153

Modified Files:
	mipv6-daemon.spec 
Added Files:
	mipv6-daemon-nd-opts-sanity-check.patch 
	mipv6-daemon-netlink-msg-origin-check.patch 
Log Message:
- Fix CVE-2010-2522 and CVE-2010-2523 by including the patches:
  - Additional sanity checks for ND options length
  - Security fix: Check origin of netlink messages in netlink helpers.


mipv6-daemon-nd-opts-sanity-check.patch:
 ha.c |    7 ++++++-
 mn.c |    6 ++----
 2 files changed, 8 insertions(+), 5 deletions(-)

--- NEW FILE mipv6-daemon-nd-opts-sanity-check.patch ---
diff -Nru mipv6-daemon-umip-0.4.orig/src/ha.c mipv6-daemon-umip-0.4/src/ha.c
--- mipv6-daemon-umip-0.4.orig/src/ha.c	2010-07-14 16:18:33.721547523 +0200
+++ mipv6-daemon-umip-0.4/src/ha.c	2010-07-14 16:19:03.935040609 +0200
@@ -105,7 +105,8 @@
 		if (opt[0] == ND_OPT_PREFIX_INFORMATION) {
 			struct nd_opt_prefix_info *p;
 			p = (struct nd_opt_prefix_info *)opt;
-			if (p->nd_opt_pi_prefix_len > 128)
+
+			if (olen < sizeof(*p) || p->nd_opt_pi_prefix_len > 128)
 				return;
 			p->nd_opt_pi_valid_time = 
 				ntohl(p->nd_opt_pi_valid_time);
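Review bot: The new guard `olen < sizeof(*p)` is evaluated before `p->nd_opt_pi_prefix_len`, so no field of the prefix-information option is read until the option is known to be large enough, but nothing on the new line records why the order matters; a one-line comment such as `/* check olen before reading any nd_opt_pi_* field */` would stop a later edit from re-ordering the condition. The same applies to the `olen < sizeof(*hainfo)` check added in the next hunk of this file. `olen` is computed outside the hunk, so it cannot be confirmed here that it is already a byte count (the ND option length field is encoded in 8-octet units) or whether it is signed; a signed `olen` is compared to `sizeof(*p)` as unsigned, which is harmless for non-negative values but worth noting at its definition. The enclosing function starts before this hunk and continues after it.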
@@ -118,6 +119,10 @@
 			   ra->nd_ra_flags_reserved & ND_RA_FLAG_HOME_AGENT) {
 			struct nd_opt_homeagent_info *hainfo;
 			hainfo = (struct nd_opt_homeagent_info *)opt;
+
+			if (olen < sizeof(*hainfo))
+				return;
+
 			pref = ntohs(hainfo->nd_opt_hai_preference);
 			life = ntohs(hainfo->nd_opt_hai_lifetime);
 		}
diff -Nru mipv6-daemon-umip-0.4.orig/src/mn.c mipv6-daemon-umip-0.4/src/mn.c
--- mipv6-daemon-umip-0.4.orig/src/mn.c	2010-07-14 16:18:33.724547328 +0200
+++ mipv6-daemon-umip-0.4/src/mn.c	2010-07-14 16:21:50.318547906 +0200
@@ -1639,10 +1639,8 @@
 	iif = pkt_info.ipi6_ifindex;
 	na = (struct nd_neighbor_advert *)msg;
 
-	if (iif != ifindex || 
-	    hoplimit < 255 || na->nd_na_code != 0 ||
-	    len < sizeof(struct nd_neighbor_advert) ||
-	    IN6_IS_ADDR_MULTICAST(&na->nd_na_target) ||
+	if (iif != ifindex || hoplimit < 255 || len < sizeof(*na) ||
+	    na->nd_na_code != 0 || IN6_IS_ADDR_MULTICAST(&na->nd_na_target) ||
 	    (na->nd_na_flags_reserved & ND_NA_FLAG_SOLICITED &&
 	     IN6_IS_ADDR_MULTICAST(daddr)))
 		return 0;
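Review bot: Moving `len < sizeof(*na)` ahead of `na->nd_na_code != 0` is the substantive fix in this hunk — the code field was previously read before the buffer was known to hold a complete neighbour advertisement — but the reordering is invisible in the resulting condition, so a comment should pin it: `/* len must be validated before any na-> field is dereferenced */`. `len` and `msg` are defined outside the hunk, so whether `len` is unsigned cannot be seen; if it is a signed int the comparison with `sizeof(*na)` is done unsigned, fine for non-negative values. The enclosing function begins before this hunk and ends after it.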

mipv6-daemon-netlink-msg-origin-check.patch:
 libnetlink.c |   44 ++++++++++++++++++++++++++++++++++++--------
 1 file changed, 36 insertions(+), 8 deletions(-)

--- NEW FILE mipv6-daemon-netlink-msg-origin-check.patch ---
From: Arnaud Ebalard <arno at natisbad.org>
Date: Sat, 24 Oct 2009 10:11:58 +0000 (+0200)
Subject: Security fix: Check origin of netlink messages in netlink helpers.
X-Git-Url: http://www.umip.org/gitweb?p=umip.git;a=commitdiff_plain;h=0e67a61ffd37cc4e3dfa8add137a5d6cd8963a8e

Security fix: Check origin of netlink messages in netlink helpers.

Sending multicast Netlink messages requires some privileges. Sending
unicast ones can be done by common users. Then, this is up to the
receiver to filter incoming messages to verify the origin and prevent
security issues. See http://lwn.net/Articles/329266/ for more information.

As UMIP expects only kernel messages, this patch adds additional checks
where needed to verify that the kernel is the emitter of the message. Note that
this check needs to be done early (before the check on the recvmsg() return
value) to prevent someone from sending us an empty message and making us
return.

This patch is based on an initial version by Romain.
---

diff --git a/libnetlink/libnetlink.c b/libnetlink/libnetlink.c
index e4f010e..b4a0aa5 100644
--- a/libnetlink/libnetlink.c
+++ b/libnetlink/libnetlink.c
@@ -185,6 +185,15 @@ int rtnl_dump_filter(struct rtnl_handle *rth,
 			continue;
 		}
 
+		/* Everyone can send empty messages which will led to
+		 * status == 0. Before checking if status == 0, check
+		 * the origin. Here, we only allow messages from kernel.
+		 * --arno */
+		if (nladdr.nl_pid != 0) {
+			NLDBG("Dropping non-kernel Netlink message.\n");
+			continue;
+		}
+
 		if (status == 0) {
 			NLDBG("EOF on netlink\n");
 			return -1;
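Review bot: `nladdr.nl_pid` is read here before this hunk shows any check that `msg.msg_namelen == sizeof(nladdr)`; the other two hunks in this file perform that length check first, and unless rtnl_dump_filter already does so earlier in the loop (outside the hunk) or zero-initialises `nladdr`, a short sender address would leave `nl_pid` unset when it is compared. If the check is missing, add it ahead of the new origin test, mirroring rtnl_talk: `if (msg.msg_namelen != sizeof(nladdr)) { NLDBG("sender address length == %d\n", msg.msg_namelen); return -2; }`. The new comment also reads "which will led to"; in this hunk and in the two below, "which lead to status == 0" would be clearer. The enclosing loop and function start before this hunk.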
@@ -287,14 +296,24 @@ int rtnl_talk(struct rtnl_handle *rtnl, struct nlmsghdr *n, pid_t peer,
 			NLDBG_SYS("OVERRUN");
 			continue;
 		}
-		if (status == 0) {
-			NLDBG("EOF on netlink\n");
-			return -1;
-		}
+
 		if (msg.msg_namelen != sizeof(nladdr)) {
 			NLDBG("sender address length == %d\n", msg.msg_namelen);
 			return -2;
 		}
+		/* Everyone can send empty messages which will led to
+		 * status == 0. Before checking if status == 0, check
+		 * the origin. --arno */
+		if (nladdr.nl_pid != peer) {
+			NLDBG("Received Netlink message from unknown peer.\n");
+			continue;
+		}
+
+		if (status == 0) {
+			NLDBG("EOF on netlink\n");
+			return -1;
+		}
+
 		for (h = (struct nlmsghdr*)buf; status >= sizeof(*h); ) {
 			int err;
 			int len = h->nlmsg_len;
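Review bot: The drop on `nladdr.nl_pid != peer` turns the `peer` argument into a hard sender filter, but nothing near the check says what callers are expected to pass; kernel replies carry `nl_pid == 0`, so a caller passing any nonzero value would now have every kernel reply dropped with only a debug message and keep looping in recvmsg(). Suggest a comment at the check, `/* peer is the nl_pid we accept replies from; 0 means the kernel */`, and the same sentence in rtnl_talk's header comment if it has one. rtnl_talk starts and ends outside this hunk.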
@@ -391,14 +410,23 @@ int rtnl_listen(struct rtnl_handle *rtnl,
 			NLDBG_SYS("OVERRUN");
 			continue;
 		}
-		if (status == 0) {
-			NLDBG("EOF on netlink\n");
-			return -1;
-		}
 		if (msg.msg_namelen != sizeof(nladdr)) {
 			NLDBG("Sender address length == %d\n", msg.msg_namelen);
 			return -2;
 		}
+		/* Everyone can send empty messages which will led to
+		 * status == 0. Before checking if status == 0, check
+		 * the origin. Here, we only allow messages from kernel.
+		 * --arno */
+		if (nladdr.nl_pid != 0) {
+			NLDBG("Dropping non-kernel Netlink message.\n");
+			continue;
+		}
+
+		if (status == 0) {
+			NLDBG("EOF on netlink\n");
+			return -1;
+		}
 		for (h = (struct nlmsghdr*)buf; status >= sizeof(*h); ) {
 			int err;
 			int len = h->nlmsg_len;
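Review bot: The origin check and its four-line comment are copied verbatim from rtnl_dump_filter (first hunk of this file); a small static helper would keep the policy in one place, e.g. `static int nl_sender_is_kernel(const struct sockaddr_nl *a) { return a->nl_pid == 0; }` used as `if (!nl_sender_is_kernel(&nladdr)) { NLDBG("Dropping non-kernel Netlink message.\n"); continue; }` in both functions. The order established here — address length, then origin, then the EOF test — is the one the helper's callers should keep. rtnl_listen begins before this hunk and continues after it.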


Index: mipv6-daemon.spec
===================================================================
RCS file: /cvs/pkgs/rpms/mipv6-daemon/F-11/mipv6-daemon.spec,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -p -r1.2 -r1.3
--- mipv6-daemon.spec	20 Aug 2009 10:04:58 -0000	1.2
+++ mipv6-daemon.spec	14 Jul 2010 14:34:18 -0000	1.3
@@ -1,6 +1,6 @@
 Name:		mipv6-daemon
 Version:	0.4
-Release:	2%{?dist}
+Release:	3%{?dist}
 Summary:	Mobile IPv6 (MIPv6) Daemon
 
 Group:		System Environment/Daemons
@@ -11,6 +11,8 @@ Source1:	mip6d.init
 Source2:	mip6d.sysconfig
 Source3:	mip6d.conf
 Patch0:		mipv6-daemon-header-fix.patch
+Patch1:		mipv6-daemon-netlink-msg-origin-check.patch
+Patch2:		mipv6-daemon-nd-opts-sanity-check.patch
 BuildRoot:	%(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 
 BuildRequires:	flex bison indent
@@ -23,6 +25,8 @@ reachable while moving around in the IPv
 %prep
 %setup -q -n mipv6-daemon-umip-%{version}
 %patch0 -p1
+%patch1 -p1
+%patch2 -p1
 
 %build
 %configure
@@ -68,5 +72,11 @@ fi
 %{_mandir}/man7/*
 
 %changelog
+* Wed Jul 14 2010 Thomas Graf <tgraf at, redhat.com> 0.4-3
+- Fix CVE-2010-2522 and CVE-2010-2523 by including the patches:
+  - Additional sanity checks for ND options length
+  - Security fix: Check origin of netlink messages in netlink helpers.
+* Wed Mar 24 2010 Thomas Graf <tgraf at, redhat.com> 0.4-2
+- Inclusion of NEPL patch (NEMO support)
 * Tue Aug 17 2009 Thomas Graf <tgraf at, redhat.com> 0.4-1
 - initial package release


