Import Debian changes 1.0.13-1+squeeze1

tinc (1.0.13-1+squeeze1) squeeze-security; urgency=high

  * Drop packets forwarded via TCP if they are too big (CVE-2013-1428).

debian/changelog

@@ -1,3 +1,9 @@
+tinc (1.0.13-1+squeeze1) squeeze-security; urgency=high
+
+  * Drop packets forwarded via TCP if they are too big (CVE-2013-1428).
+
+ -- Guus Sliepen <guus@debian.org>  Fri, 12 Apr 2013 20:40:15 +0000
+
 tinc (1.0.13-1) unstable; urgency=low
 
   * New upstream release.

debian/patches/fix-CVE-2013-1428

@@ -0,0 +1,31 @@
+From 17a33dfd95b1a29e90db76414eb9622df9632320 Mon Sep 17 00:00:00 2001
+From: Guus Sliepen <guus@tinc-vpn.org>
+Date: Fri, 12 Apr 2013 17:15:05 +0200
+Subject: [PATCH] Drop packets forwarded via TCP if they are too big
+ (CVE-2013-1428).
+
+Normally all requests sent via the meta connections are checked so that they
+cannot be larger than the input buffer. However, when packets are forwarded via
+meta connections, they are copied into a packet buffer without checking whether
+it fits into it. Since the packet buffer is allocated on the stack, this in
+effect allows an authenticated remote node to cause a stack overflow.
+
+This issue was found by Martin Schobert.
+---
+ src/net_packet.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+Index: tinc-1.0.13/src/net_packet.c
+===================================================================
+--- tinc-1.0.13.orig/src/net_packet.c	2010-03-13 17:53:33.000000000 +0000
++++ tinc-1.0.13/src/net_packet.c	2013-04-12 20:34:17.395183282 +0000
+@@ -347,6 +347,9 @@
+ void receive_tcppacket(connection_t *c, char *buffer, int len) {
+ 	vpn_packet_t outpkt;
+ 
++	if(len > sizeof outpkt.data)
++		return;
++
+ 	outpkt.len = len;
+ 	if(c->options & OPTION_TCPONLY)
+ 		outpkt.priority = 0;

debian/patches/series

@@ -0,0 +1 @@
+fix-CVE-2013-1428