Fix DoS against inetutils-ping via a crafted echo response

Patch cherry-picked from upstream.

Fixes: CVE-2010-2529

3 files changed, 36 insertions, 0 deletions

diff --git a/debian/changelog b/debian/changelog
index 468e489..7a74dd4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+inetutils (2:1.9-2) UNRELEASED; urgency=medium
+
+  * Fix DoS against inetutils-ping via a crafted echo response.
+    Patch cherry-picked from upstream. CVE-2010-2529
+
+ -- Guillem Jover <guillem@debian.org>  Mon, 04 Feb 2013 00:33:08 +0100
+
 inetutils (2:1.9-1) unstable; urgency=low
 
   * New upstream release.
diff --git a/debian/patches/0001-ping-CVE-2010-2529.patch b/debian/patches/0001-ping-CVE-2010-2529.patch
new file mode 100644
index 0000000..ad8c048
--- /dev/null
+++ b/debian/patches/0001-ping-CVE-2010-2529.patch
@@ -0,0 +1,28 @@
+From d7ffe9ddf524b0ff13088b2685bd9cfde5e580f5 Mon Sep 17 00:00:00 2001
+From: Mats Erik Andersson <gnu@gisladisker.se>
+Date: Thu, 17 Jan 2013 10:34:55 +0100
+Subject: [PATCH] ping: CVE-2010-2529
+
+	CVE-2010-2529: Infinite loop.
+
+	* ping/ping_echo.c (print_ip_opt) <IPOPT_RR>: Break loop
+	if option is truncated or exhausted.
+
+---
+
+diff --git a/ping/ping_echo.c b/ping/ping_echo.c
+index 634e178..e83ccff 100644
+--- a/ping/ping_echo.c
++++ b/ping/ping_echo.c
+@@ -499,7 +499,7 @@ print_ip_opt (struct ip *ip, int hlen)
+ 	  i = j;
+ 	i -= IPOPT_MINOFF;
+ 	if (i <= 0)
+-	  continue;
++	  break;
+ 	if (i == old_rrlen
+ 	    && cp == (unsigned char *) (ip + 1) + 2
+ 	    && !memcmp ((char *) cp, old_rr, i) && !(options & OPT_FLOOD))
+-- 
+1.8.1.1
+
diff --git a/debian/patches/series b/debian/patches/series
index 43c0d1d..3069639 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -7,3 +7,4 @@
 62_inetd_change_ipv6_protocol_semantics.patch
 70_ftbfs_non-linux.patch
 71_ftbfs_format_security.patch
+0001-ping-CVE-2010-2529.patch