From d2fe984f0704db8ab188f127a8195218e3d78596 Mon Sep 17 00:00:00 2001 From: Arturo Borrero Gonzalez Date: Wed, 19 Aug 2015 19:10:28 +0200 Subject: d/patches: add CVE-2015-6496.patch Add patch to address CVE-2015-6496. Closes: #796103 Signed-off-by: Arturo Borrero Gonzalez --- debian/patches/CVE-2015-6496.patch | 70 ++++++++++++++++++++++++++++++++++++++ debian/patches/series | 1 + 2 files changed, 71 insertions(+) create mode 100644 debian/patches/CVE-2015-6496.patch create mode 100644 debian/patches/series (limited to 'debian') diff --git a/debian/patches/CVE-2015-6496.patch b/debian/patches/CVE-2015-6496.patch new file mode 100644 index 0000000..9773a40 --- /dev/null +++ b/debian/patches/CVE-2015-6496.patch @@ -0,0 +1,70 @@ +Description: CVE-2015-6496 fix + This upstream patch fixes CVE-2015-6496. +Author: Pablo Neira Ayuso +Origin: upstream, http://git.netfilter.org/conntrack-tools/commit/?id=c392c159605956c7bd4a264ab4490e2b2704c0cd +Bug: http://bugzilla.netfilter.org/show_bug.cgi?id=910 +Bug-Debian: https://bugs.debian.org/796103 +Last-Update: 2015-08-19 + +--- conntrack-1.4.2.orig/src/build.c ++++ conntrack-1.4.2/src/build.c +@@ -105,14 +105,14 @@ static enum nf_conntrack_attr nat_type[] + ATTR_ORIG_NAT_SEQ_OFFSET_AFTER, ATTR_REPL_NAT_SEQ_CORRECTION_POS, + ATTR_REPL_NAT_SEQ_OFFSET_BEFORE, ATTR_REPL_NAT_SEQ_OFFSET_AFTER }; + ++/* ICMP, UDP and TCP are always loaded with nf_conntrack_ipv4 */ + static void build_l4proto_tcp(const struct nf_conntrack *ct, struct nethdr *n) + { +- ct_build_group(ct, ATTR_GRP_ORIG_PORT, n, NTA_PORT, +- sizeof(struct nfct_attr_grp_port)); +- + if (!nfct_attr_is_set(ct, ATTR_TCP_STATE)) + return; + ++ ct_build_group(ct, ATTR_GRP_ORIG_PORT, n, NTA_PORT, ++ sizeof(struct nfct_attr_grp_port)); + ct_build_u8(ct, ATTR_TCP_STATE, n, NTA_TCP_STATE); + if (CONFIG(sync).tcp_window_tracking) { + ct_build_u8(ct, ATTR_TCP_WSCALE_ORIG, n, NTA_TCP_WSCALE_ORIG); +@@ -122,12 +122,12 @@ static void build_l4proto_tcp(const stru + + static void build_l4proto_sctp(const struct nf_conntrack *ct, struct nethdr *n) + { +- ct_build_group(ct, ATTR_GRP_ORIG_PORT, n, NTA_PORT, +- sizeof(struct nfct_attr_grp_port)); +- ++ /* SCTP is optional, make sure nf_conntrack_sctp is loaded */ + if (!nfct_attr_is_set(ct, ATTR_SCTP_STATE)) + return; + ++ ct_build_group(ct, ATTR_GRP_ORIG_PORT, n, NTA_PORT, ++ sizeof(struct nfct_attr_grp_port)); + ct_build_u8(ct, ATTR_SCTP_STATE, n, NTA_SCTP_STATE); + ct_build_u32(ct, ATTR_SCTP_VTAG_ORIG, n, NTA_SCTP_VTAG_ORIG); + ct_build_u32(ct, ATTR_SCTP_VTAG_REPL, n, NTA_SCTP_VTAG_REPL); +@@ -135,18 +135,22 @@ static void build_l4proto_sctp(const str + + static void build_l4proto_dccp(const struct nf_conntrack *ct, struct nethdr *n) + { +- ct_build_group(ct, ATTR_GRP_ORIG_PORT, n, NTA_PORT, +- sizeof(struct nfct_attr_grp_port)); +- ++ /* DCCP is optional, make sure nf_conntrack_dccp is loaded */ + if (!nfct_attr_is_set(ct, ATTR_DCCP_STATE)) + return; + ++ ct_build_group(ct, ATTR_GRP_ORIG_PORT, n, NTA_PORT, ++ sizeof(struct nfct_attr_grp_port)); + ct_build_u8(ct, ATTR_DCCP_STATE, n, NTA_DCCP_STATE); + ct_build_u8(ct, ATTR_DCCP_ROLE, n, NTA_DCCP_ROLE); + } + + static void build_l4proto_icmp(const struct nf_conntrack *ct, struct nethdr *n) + { ++ /* This is also used by ICMPv6 and nf_conntrack_ipv6 is optional */ ++ if (!nfct_attr_is_set(ct, ATTR_ICMP_TYPE)) ++ return; ++ + ct_build_u8(ct, ATTR_ICMP_TYPE, n, NTA_ICMP_TYPE); + ct_build_u8(ct, ATTR_ICMP_CODE, n, NTA_ICMP_CODE); + ct_build_u16(ct, ATTR_ICMP_ID, n, NTA_ICMP_ID); diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..7527499 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +CVE-2015-6496.patch -- cgit v1.2.3