CVE-2013-3230 l2tp: info leak in l2tp_ip6_recvmsg (rhbz 956088 956089)

Josh Boyer 2013-04-24 08:52:41 -04:00
parent c416a99578
commit aba5c507e3
2 changed files with 39 additions and 0 deletions

@ -829,6 +829,9 @@ Patch25022: netrom-fix-invalid-use-of-sizeof-in-nr_recvmsg.patch
#CVE-2013-3231 956094 956104
Patch25023: llc-Fix-missing-msg_namelen-update-in-llc_ui_recvmsg.patch
#CVE-2013-3230 956088 956089
Patch25024: l2tp-fix-info-leak-in-l2tp_ip6_recvmsg.patch
# END OF PATCH DEFINITIONS
%endif
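
Review bot: The comment line above Patch25024 records only the CVE id and the two bug numbers, so a reader of the spec cannot tell which upstream commit this backport tracks. Adding the upstream commit id (it is in the From line of the patch file) to that comment would make it easy to see when a rebase already contains the fix and the Patch25024 / ApplyPatch pair can be dropped.
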
@ -1608,6 +1611,9 @@ ApplyPatch netrom-fix-invalid-use-of-sizeof-in-nr_recvmsg.patch
#CVE-2013-3231 956094 956104
ApplyPatch llc-Fix-missing-msg_namelen-update-in-llc_ui_recvmsg.patch
#CVE-2013-3230 956088 956089
ApplyPatch l2tp-fix-info-leak-in-l2tp_ip6_recvmsg.patch
# END OF PATCH APPLICATIONS
%endif
@ -2466,6 +2472,7 @@ fi
# || ||
%changelog
* Wed Apr 24 2013 Josh Boyer <jwboyer@redhat.com>
- CVE-2013-3230 l2tp: info leak in l2tp_ip6_recvmsg (rhbz 956088 956089)
- CVE-2013-3231 llc: Fix missing msg_namelen update in llc_ui_recvmsg (rhbz 956094 956104)
- CVE-2013-3232 netrom: information leak via msg_name in nr_recvmsg (rhbz 956110 956113)
- CVE-2013-3233 NFC: llcp: info leaks via msg_name in llcp_sock_recvmsg (rhbz 956125 956129)

@ -0,0 +1,32 @@
From b860d3cc62877fad02863e2a08efff69a19382d2 Mon Sep 17 00:00:00 2001
From: Mathias Krause <minipli@googlemail.com>
Date: Sun, 7 Apr 2013 01:51:55 +0000
Subject: [PATCH] l2tp: fix info leak in l2tp_ip6_recvmsg()
The L2TP code for IPv6 fails to initialize the l2tp_conn_id member of
struct sockaddr_l2tpip6 and therefore leaks four bytes kernel stack
in l2tp_ip6_recvmsg() in case msg_name is set.
Initialize l2tp_conn_id with 0 to avoid the info leak.
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
net/l2tp/l2tp_ip6.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
index c74f5a9..b8a6039 100644
--- a/net/l2tp/l2tp_ip6.c
+++ b/net/l2tp/l2tp_ip6.c
@@ -690,6 +690,7 @@ static int l2tp_ip6_recvmsg(struct kiocb *iocb, struct sock *sk,
lsa->l2tp_addr = ipv6_hdr(skb)->saddr;
lsa->l2tp_flowinfo = 0;
lsa->l2tp_scope_id = 0;
+ lsa->l2tp_conn_id = 0;
if (ipv6_addr_type(&lsa->l2tp_addr) & IPV6_ADDR_LINKLOCAL)
lsa->l2tp_scope_id = IP6CB(skb)->iif;
}
--
1.8.1.4
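
Review bot: In l2tp_ip6_recvmsg() the structure behind lsa is still filled one member at a time (l2tp_addr, l2tp_flowinfo, l2tp_scope_id, and now l2tp_conn_id), which is the pattern that let l2tp_conn_id be missed and leak four bytes of kernel stack when msg_name is set. Zeroing the whole structure before the assignments, for example memset(lsa, 0, sizeof(*lsa)), would cover this member, any padding, and any member added later, and would make the explicit "= 0" lines redundant. The hunk context does not show how the members above l2tp_addr are set, so it is worth confirming that nothing else in the structure is copied out uninitialized.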