From 4343b5a2fa8a262c91406f2aa2cc1e78ff246d8c Mon Sep 17 00:00:00 2001 From: Michael Tokarev Date: Tue, 23 Apr 2013 08:35:41 +0400 Subject: [PATCH] Import Debian changes 1.0.19-3~bpo60+1 tinc (1.0.19-3~bpo60+1) squeeze-backports; urgency=high * Rebuild for squeeze-backports. * Build-depend on libvdeplug2-dev, not libvdeplug-dev, as it is how it is named in squeeze. tinc (1.0.19-3) unstable; urgency=high * Drop packets forwarded via TCP if they are too big (CVE-2013-1428). --- debian/changelog | 14 ++++++++++++++ debian/control | 3 ++- debian/patches/fix-CVE-2013-1428 | 29 +++++++++++++++++++++++++++++ debian/patches/series | 1 + 4 files changed, 46 insertions(+), 1 deletion(-) create mode 100644 debian/patches/fix-CVE-2013-1428 create mode 100644 debian/patches/series diff --git a/debian/changelog b/debian/changelog index f2fc02b..78c5c0a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,17 @@ +tinc (1.0.19-3~bpo60+1) squeeze-backports; urgency=high + + * Rebuild for squeeze-backports. + * Build-depend on libvdeplug2-dev, not libvdeplug-dev, + as it is how it is named in squeeze. + + -- Michael Tokarev Tue, 23 Apr 2013 08:35:41 +0400 + +tinc (1.0.19-3) unstable; urgency=high + + * Drop packets forwarded via TCP if they are too big (CVE-2013-1428). + + -- Guus Sliepen Fri, 12 Apr 2013 22:52:10 +0200 + tinc (1.0.19-2) unstable; urgency=low * Fix behaviour of tinc-pidfile. Closes: #679130 diff --git a/debian/control b/debian/control index ace6328..e223ccf 100644 --- a/debian/control +++ b/debian/control @@ -2,8 +2,9 @@ Source: tinc Section: net Priority: optional Maintainer: Guus Sliepen +Uploaders: Michael Tokarev Standards-Version: 3.9.3 -Build-Depends: libssl-dev, debhelper (>= 9), gettext, texi2html, texinfo, zlib1g-dev, liblzo2-dev, libvdeplug-dev +Build-Depends: libssl-dev, debhelper (>= 9), gettext, texi2html, texinfo, zlib1g-dev, liblzo2-dev, libvdeplug-dev | libvdeplug2-dev Homepage: http://www.tinc-vpn.org/ Package: tinc diff --git a/debian/patches/fix-CVE-2013-1428 b/debian/patches/fix-CVE-2013-1428 new file mode 100644 index 0000000..f49de8e --- /dev/null +++ b/debian/patches/fix-CVE-2013-1428 @@ -0,0 +1,29 @@ +From 17a33dfd95b1a29e90db76414eb9622df9632320 Mon Sep 17 00:00:00 2001 +From: Guus Sliepen +Date: Fri, 12 Apr 2013 17:15:05 +0200 +Subject: [PATCH] Drop packets forwarded via TCP if they are too big + (CVE-2013-1428). + +Normally all requests sent via the meta connections are checked so that they +cannot be larger than the input buffer. However, when packets are forwarded via +meta connections, they are copied into a packet buffer without checking whether +it fits into it. Since the packet buffer is allocated on the stack, this in +effect allows an authenticated remote node to cause a stack overflow. + +This issue was found by Martin Schobert. +--- + src/net_packet.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/src/net_packet.c ++++ b/src/net_packet.c +@@ -378,6 +378,9 @@ + void receive_tcppacket(connection_t *c, const char *buffer, int len) { + vpn_packet_t outpkt; + ++ if(len > sizeof outpkt.data) ++ return; ++ + outpkt.len = len; + if(c->options & OPTION_TCPONLY) + outpkt.priority = 0; diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..f301124 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +fix-CVE-2013-1428