From ef6fcfd7b8cb18a00eed9e02a2949c6ef34bbbb7 Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Mon, 16 Sep 2013 07:50:18 -0500 Subject: [PATCH] Linux v3.10.12 --- ...sses-check-from-ipv6_create_tempaddr.patch | 63 ------------------- kernel.spec | 11 ++-- sources | 2 +- 3 files changed, 5 insertions(+), 71 deletions(-) delete mode 100644 ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch diff --git a/ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch b/ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch deleted file mode 100644 index 0c4fc2484..000000000 --- a/ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch +++ /dev/null @@ -1,63 +0,0 @@ -From 2712c283acc085b5438fa1b22053423a0158468d Mon Sep 17 00:00:00 2001 -From: Hannes Frederic Sowa -Date: Fri, 16 Aug 2013 11:02:27 +0000 -Subject: [PATCH] ipv6: remove max_addresses check from ipv6_create_tempaddr - -Because of the max_addresses check attackers were able to disable privacy -extensions on an interface by creating enough autoconfigured addresses: - - - -But the check is not actually needed: max_addresses protects the -kernel to install too many ipv6 addresses on an interface and guards -addrconf_prefix_rcv to install further addresses as soon as this limit -is reached. We only generate temporary addresses in direct response of -a new address showing up. As soon as we filled up the maximum number of -addresses of an interface, we stop installing more addresses and thus -also stop generating more temp addresses. - -Even if the attacker tries to generate a lot of temporary addresses -by announcing a prefix and removing it again (lifetime == 0) we won't -install more temp addresses, because the temporary addresses do count -to the maximum number of addresses, thus we would stop installing new -autoconfigured addresses when the limit is reached. - -This patch fixes CVE-2013-0343 (but other layer-2 attacks are still -possible). - -Thanks to Ding Tianhong to bring this topic up again. - -Cc: Ding Tianhong -Cc: George Kargiotakis -Cc: P J P -Cc: YOSHIFUJI Hideaki -Signed-off-by: Hannes Frederic Sowa -Acked-by: Ding Tianhong -Signed-off-by: David S. Miller ---- - net/ipv6/addrconf.c | 8 +++----- - 1 file changed, 3 insertions(+), 5 deletions(-) - -diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c -index fb8c94c..21b7a87 100644 ---- a/net/ipv6/addrconf.c -+++ b/net/ipv6/addrconf.c -@@ -1124,12 +1124,10 @@ retry: - if (ifp->flags & IFA_F_OPTIMISTIC) - addr_flags |= IFA_F_OPTIMISTIC; - -- ift = !max_addresses || -- ipv6_count_addresses(idev) < max_addresses ? -- ipv6_add_addr(idev, &addr, tmp_plen, -+ ift = ipv6_add_addr(idev, &addr, tmp_plen, - ipv6_addr_type(&addr)&IPV6_ADDR_SCOPE_MASK, -- addr_flags) : NULL; -- if (IS_ERR_OR_NULL(ift)) { -+ addr_flags); -+ if (IS_ERR(ift)) { - in6_ifa_put(ifp); - in6_dev_put(idev); - pr_info("%s: retry temporary address regeneration\n", __func__); --- -1.8.3.1 - diff --git a/kernel.spec b/kernel.spec index 97781bc8b..ee6e15d30 100644 --- a/kernel.spec +++ b/kernel.spec @@ -74,7 +74,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 11 +%define stable_update 12 # Is it a -stable RC? %define stable_rc 0 # Set rpm version accordingly @@ -766,9 +766,6 @@ Patch25070: Input-elantech-fix-for-newer-hardware-versions-v7.patch #rhbz 963715 Patch25077: media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch -#CVE-2013-0343 rhbz 914664 999380 -Patch25078: ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch - #rhbz 1000679 Patch25079: rt2800-rearrange-bbp-rfcsr-initialization.patch @@ -1489,9 +1486,6 @@ ApplyPatch Input-elantech-fix-for-newer-hardware-versions-v7.patch #rhbz 963715 ApplyPatch media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch -#CVE-2013-0343 rhbz 914664 999380 -ApplyPatch ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch - #CVE-2013-2888 rhbz 1000451 1002543 CVE-2013-2889 rhbz 999890 1002548 #CVE-2013-2891 rhbz 999960 1002555 CVE-2013-2892 rhbz 1000429 1002570 #CVE-2013-2893 rhbz 1000414 1002575 CVE-2013-2894 rhbz 1000137 1002579 @@ -2352,6 +2346,9 @@ fi # ||----w | # || || %changelog +* Mon Sep 16 2013 Justin M. Forbes 3.10.12-100 +- Linux v3.10.12 + * Fri Sep 13 2013 Josh Boyer - CVE-2013-4350 net: sctp: ipv6 ipsec encryption bug in sctp_v6_xmit (rhbz 1007872 1007903) - CVE-2013-4343 net: use-after-free TUNSETIFF (rhbz 1007733 1007741) diff --git a/sources b/sources index fb3a8ac24..ec45c22e9 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ 4f25cd5bec5f8d5a7d935b3f2ccb8481 linux-3.10.tar.xz -9aadf2325fed53e971fe59bc6c7c3b89 patch-3.10.11.xz +9bfba28fef36c6a7fc16fd896eab131b patch-3.10.12.xz