CVE-2006-0036
http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=15db34702cfafd24acc60295cf14861e497502ab

[NETFILTER]: Fix crash in ip_nat_pptp

When an inbound PPTP_IN_CALL_REQUEST packet is received the PPTP NAT helper uses a NULL pointer in pointer arithmetic to calculate the offset in the packet which needs to be mangled and corrupts random memory or crashes.

CVE-2006-0037
http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=03b9feca89366952ae5dfe4ad8107b1ece50b710

[NETFILTER]: Fix another crash in ip_nat_pptp

The PPTP NAT helper calculates the offset at which the packet needs to be mangled as difference between two pointers to the header. With non-linear skbs however the pointers may point to two separate buffers on the stack and the calculation results in a wrong offset being used.
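
The CVE-2006-0037 description above, modelled in user space as an added example (not code from the kernel or from this bug report); `hdr_ptr`, the structs and the sample bytes are constructed stand-ins. It shows that a field offset taken as the difference of two header pointers is only right while both point into the packet, whereas an offset taken from the layout does not depend on where the headers were copied.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for a control header and message; not the kernel's PPTP structs. */
struct ctrl_hdr { uint16_t type, reserved; };
struct ctrl_msg { uint16_t call_id, peer_call_id; uint32_t speed; };
/* Model of a packet whose bytes may be split across two fragments (non-linear). */
struct pkt { const uint8_t *frag[2]; size_t len[2]; };

/* Return a pointer to len bytes at logical offset off: into the packet when they
 * are contiguous in the first fragment, otherwise a copy in the caller's buf. */
static const void *hdr_ptr(const struct pkt *p, size_t off, size_t len, void *buf)
{
    if (off + len > p->len[0] + p->len[1]) return NULL;   /* truncated packet */
    if (off + len <= p->len[0]) return p->frag[0] + off;  /* contiguous: no copy */
    for (size_t i = 0; i < len; i++) {
        size_t o = off + i;
        ((uint8_t *)buf)[i] = o < p->len[0] ? p->frag[0][o] : p->frag[1][o - p->len[0]];
    }
    return buf;
}

/* Flawed pattern: field offset taken as the distance between two returned pointers. */
static ptrdiff_t offset_by_pointer_diff(const struct pkt *p)
{
    struct ctrl_hdr hbuf;
    struct ctrl_msg mbuf;
    const struct ctrl_hdr *h = hdr_ptr(p, 0, sizeof(hbuf), &hbuf);
    const struct ctrl_msg *m = hdr_ptr(p, sizeof(hbuf), sizeof(mbuf), &mbuf);
    if (!h || !m) return -1;
    return (ptrdiff_t)((uintptr_t)&m->peer_call_id - (uintptr_t)h);
}

/* Robust pattern: field offset from the message layout, independent of buffers. */
static size_t offset_by_layout(void)
{
    return sizeof(struct ctrl_hdr) + offsetof(struct ctrl_msg, peer_call_id);
}

/* Constructed sample bytes: 4-byte header followed by an 8-byte message. */
static _Alignas(uint32_t) const uint8_t sample[12] = { 0, 8, 0, 0, 0x12, 0x34, 0x56, 0x78, 0, 0, 0, 1 };
static ptrdiff_t diff_linear(void) { struct pkt p = { { sample, NULL }, { 12, 0 } }; return offset_by_pointer_diff(&p); }
static ptrdiff_t diff_split(void) { struct pkt p = { { sample, sample + 6 }, { 6, 6 } }; return offset_by_pointer_diff(&p); }

int main(void)
{
    printf("layout=%zu linear=%td split=%td\n", offset_by_layout(), diff_linear(), diff_split());
    return 0;
}
```
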
Fixed in:
* genpatches-2.6.14-9 patchset
* genpatches-2.6.15-2 patchset
* hardened-sources-2.6.14-r4
CCing maintainers:
gentoo-sources-2.6: dsd
hppa-sources-2.6: GMSoft
mips-sources-2.6.1[34]: `Kumba
rsbac-sources-2.6: kang
usermode-sources-2.6: kern-sec
xbox-sources-2.6: gimli
usermode and gentoo include 2.6.15.1
All fixed, resolving bug.