[kernel] r7172 - in dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian: patches patches/series

Thu Aug 17 03:04:06 UTC 2006

Author: dannf
Date: Thu Aug 17 03:04:04 2006
New Revision: 7172

Added:
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/224_cdrom-bad-cgc.buflen-assign.diff
Modified:
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge4

Log:
* 224_cdrom-bad-cgc.buflen-assign.diff
  [SECURITY] Fix buffer overflow in dvd_read_bca which could potentially
  be used by a local user to trigger a buffer overflow via a specially
  crafted DVD, USB stick, or similar automatically mounted device.
  See CVE-2006-2935

Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
==============================================================================

--- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog	(original)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog	Thu Aug 17 03:04:04 2006
@@ -3,8 +3,13 @@
   * 223_nfs-handle-long-symlinks.diff
     [SECURITY] Fix buffer overflow in NFS readline handling that allows a
     remote server to cause a denial of service (crash) via a long symlink
+  * 224_cdrom-bad-cgc.buflen-assign.diff
+    [SECURITY] Fix buffer overflow in dvd_read_bca which could potentially
+    be used by a local user to trigger a buffer overflow via a specially
+    crafted DVD, USB stick, or similar automatically mounted device.
+    See CVE-2006-2935
 
- -- dann frazier <dannf at debian.org>  Wed, 16 Aug 2006 19:13:03 -0600
+ -- dann frazier <dannf at debian.org>  Wed, 16 Aug 2006 20:59:54 -0600
 
 kernel-source-2.4.27 (2.4.27-10sarge3) stable-security; urgency=high
 

Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/224_cdrom-bad-cgc.buflen-assign.diff
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/224_cdrom-bad-cgc.buflen-assign.diff	Thu Aug 17 03:04:04 2006
@@ -0,0 +1,28 @@
+From: Jens Axboe <axboe at suse.de>
+Date: Mon, 10 Jul 2006 11:44:08 +0000 (-0700)
+Subject: [PATCH] cdrom: fix bad cgc.buflen assignment
+X-Git-Tag: v2.6.18-rc2
+X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=454d6fbc48374be8f53b9bafaa86530cf8eb3bc1
+
+[PATCH] cdrom: fix bad cgc.buflen assignment
+
+The code really means to mask off the high bits, not assign 0xff.
+
+Signed-off-by: Jens Axboe <axboe at suse.de>
+Cc: Marcus Meissner <meissner at suse.de>
+Cc: <stable at kernel.org>
+Signed-off-by: Andrew Morton <akpm at osdl.org>
+Signed-off-by: Linus Torvalds <torvalds at osdl.org>
+---
+
+--- a/drivers/cdrom/cdrom.c
++++ b/drivers/cdrom/cdrom.c
+@@ -1837,7 +1837,7 @@ static int dvd_read_bca(struct cdrom_dev
+ 	init_cdrom_command(&cgc, buf, sizeof(buf), CGC_DATA_READ);
+ 	cgc.cmd[0] = GPCMD_READ_DVD_STRUCTURE;
+ 	cgc.cmd[7] = s->type;
+-	cgc.cmd[9] = cgc.buflen = 0xff;
++	cgc.cmd[9] = cgc.buflen & 0xff;
+ 
+ 	if ((ret = cdo->generic_packet(cdi, &cgc)))
+ 		return ret;

Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge4
==============================================================================
--- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge4	(original)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge4	Thu Aug 17 03:04:04 2006
@@ -1 +1,2 @@
 + 223_nfs-handle-long-symlinks.diff
++ 224_cdrom-bad-cgc.buflen-assign.diff

