
Sebastian Jaenicke <tsa@jaenicke.org>:

Additional patches to the zebra package to close a locally exploitable
and a remotely exploitable denial of service vulnerability.


git-svn-id: http://www.rocklinux.org/svn/rock-linux/trunk@1756 c5f82cb5-29bc-0310-9cd0-bff59a50e3bc
rocklinux
Sebastian Jaenicke 21 years ago
parent
commit
5693589242
3 changed files with 98 additions and 0 deletions
  1. +4
    -0
      Documentation/Developers/CHANGELOG-RENE
  2. +71
    -0
      package/tsa/zebra/50zebra-0.91a-netlink.patch
  3. +23
    -0
      package/tsa/zebra/60zebra-0.91a-remote_dos.patch

+ 4
- 0
Documentation/Developers/CHANGELOG-RENE

@ -1,4 +1,8 @@
*) 2003-11-13 (2.0.0-rc2 - 2.0.0-rc3)
- Sebastian Jaenicke: added zebra security patches
*) 2003-11-12 (2.0.0-rc2 - 2.0.0-rc3)
- Juergen Sawinski: fixed rene/nxcomp to only install the major library

+ 71
- 0
package/tsa/zebra/50zebra-0.91a-netlink.patch

@ -0,0 +1,71 @@
--- zebra-0.91a/zebra/rt_netlink.c.netlink Tue Jan 23 03:10:04 2001
+++ zebra-0.91a/zebra/rt_netlink.c Wed Oct 29 22:46:44 2003
@@ -46,9 +46,8 @@
int seq;
struct sockaddr_nl snl;
char *name;
-} netlink = { -1, 0, {0}, "netlink-listen" }, /* kernel messages */
- netlink_cmd = { -1, 0, {0}, "netlink-cmd" }, /* command channel */
- netlink_addr = {-1, 0, {0}, "netlink-addr" }; /* address channel */
+} netlink_sock ={ -1, 0, {0}, "netlink-listen" }, /* kernel messages */
+ netlink_cmd = { -1, 0, {0}, "netlink-cmd" }; /* command channel */
struct message nlmsg_str[] =
{
@@ -206,6 +205,13 @@
return -1;
}
+ /* JF: Ignore messages that aren't from the kernel */
+ if ( snl.nl_pid != 0 )
+ {
+ zlog ( NULL, LOG_ERR, "Ignoring message from pid %u", snl.nl_pid );
+ continue;
+ }
+
for (h = (struct nlmsghdr *) buf; NLMSG_OK (h, status);
h = NLMSG_NEXT (h, status))
{
@@ -1052,7 +1058,7 @@
snl.nl_family = AF_NETLINK;
/* Talk to netlink socket. */
- ret = netlink_talk (&req.n, &netlink);
+ ret = netlink_talk (&req.n, &netlink_sock);
if (ret < 0)
return -1;
@@ -1270,7 +1276,7 @@
if (family == AF_INET)
nl = &netlink_cmd;
else
- nl = &netlink;
+ nl = &netlink_sock;
/* Talk to netlink socket. */
return netlink_talk (&req.n, nl);
@@ -1384,8 +1390,8 @@
int sock;
sock = THREAD_FD (thread);
- ret = netlink_parse_info (netlink_information_fetch, &netlink);
- thread_add_read (master, kernel_read, NULL, netlink.sock);
+ ret = netlink_parse_info (netlink_information_fetch, &netlink_sock);
+ thread_add_read (master, kernel_read, NULL, netlink_sock.sock);
return 0;
}
@@ -1401,10 +1407,10 @@
#ifdef HAVE_IPV6
groups |= RTMGRP_IPV6_ROUTE|RTMGRP_IPV6_IFADDR;
#endif /* HAVE_IPV6 */
- netlink_socket (&netlink, groups);
+ netlink_socket (&netlink_sock, groups);
netlink_socket (&netlink_cmd, 0);
/* Register kernel socket. */
- if (netlink.sock > 0)
- thread_add_read (master, kernel_read, NULL, netlink.sock);
+ if (netlink_sock.sock > 0)
+ thread_add_read (master, kernel_read, NULL, netlink_sock.sock);
}
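Review bot: The added `snl.nl_pid != 0` check in the `@@ -206,6 +205,13 @@` hunk logs every rejected message at `LOG_ERR` with no rate limit, so a local process that keeps sending to zebra's netlink socket can still flood the log even though its messages are no longer parsed. Logging the first rejection and then only a periodic count would keep the event visible for detection without letting the sender control log volume. The comment should also say why the test works, for example `/* nl_pid is 0 only for messages sent by the kernel; anything else comes from a userspace process and must not be parsed as routing data */`. The check relies on `snl` having been filled in by the receive call above it, which is outside the hunk, so confirm that the sender-address length is validated there before `nl_pid` is read.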

+ 23
- 0
package/tsa/zebra/60zebra-0.91a-remote_dos.patch

@ -0,0 +1,23 @@
--- zebra-0.91a/lib/vty.c.orig Thu Feb 1 02:18:05 2001
+++ zebra-0.91a/lib/vty.c Wed Oct 15 19:50:34 2003
@@ -1103,13 +1103,16 @@
break;
case SE:
{
- char *buffer = (char *)vty->sb_buffer->head->data;
- int length = vty->sb_buffer->length;
+ char *buffer;
+ int length;
- if (buffer == NULL)
+ if (!vty->iac_sb_in_progress)
return 0;
- if (!vty->iac_sb_in_progress)
+ buffer = (char *)vty->sb_buffer->head->data;
+ length = vty->sb_buffer->length;
+
+ if (buffer == NULL)
return 0;
if (buffer[0] == '\0')
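Review bot: In the `case SE:` block the new assignment `buffer = (char *)vty->sb_buffer->head->data;` still dereferences `head` without checking it; the `buffer == NULL` test that follows only covers `head->data`. If a subnegotiation can be closed before any byte has been stored (this depends on buffer code that is not shown here), `head` may be NULL and the daemon would crash in the same way this patch is meant to prevent. A guard such as `if (vty->sb_buffer == NULL || vty->sb_buffer->head == NULL) return 0;` placed before the assignment would cover that case. The `case SE:` block continues past the end of the hunk.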
