[kernel] r7174 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: patches patches/series

Dann Frazier dannf at costa.debian.org
Thu Aug 17 03:07:15 UTC 2006


Author: dannf
Date: Thu Aug 17 03:07:14 2006
New Revision: 7174

Added:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/nfs-handle-long-symlinks.dpatch
Modified:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge5

Log:
* nfs-handle-long-symlinks.dpatch
  [SECURITY] Fix buffer overflow in NFS readline handling that allows a
  remote server to cause a denial of service (crash) via a long symlink
  See CVE-2005-4798

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	Thu Aug 17 03:07:14 2006
@@ -9,8 +9,12 @@
   * direct-io-write-mem-leak.dpatch
     [SECURITY] Fix memory leak in O_DIRECT write.
     See CVE-2004-2660
+  * nfs-handle-long-symlinks.dpatch
+    [SECURITY] Fix buffer overflow in NFS readline handling that allows a
+    remote server to cause a denial of service (crash) via a long symlink
+    See CVE-2005-4798
 
- -- dann frazier <dannf at debian.org>  Wed, 16 Aug 2006 14:00:11 -0600
+ -- dann frazier <dannf at debian.org>  Wed, 16 Aug 2006 20:24:10 -0600
 
 kernel-source-2.6.8 (2.6.8-16sarge4) stable-security; urgency=high
 
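Review bot: The added changelog entry says "NFS readline handling", but the functions patched in this revision are nfs_xdr_readlinkres and nfs3_xdr_readlinkres, so this should read "readlink". Anyone searching the changelog for the affected code path will otherwise miss it. The sentence is also missing a full stop after "long symlink", before "See CVE-2005-4798".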

Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/nfs-handle-long-symlinks.dpatch
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/nfs-handle-long-symlinks.dpatch	Thu Aug 17 03:07:14 2006
@@ -0,0 +1,24 @@
+diff -urpN kernel-source-2.6.8.orig/fs/nfs/nfs2xdr.c kernel-source-2.6.8/fs/nfs/nfs2xdr.c
+--- kernel-source-2.6.8.orig/fs/nfs/nfs2xdr.c	2004-08-13 23:36:56.000000000 -0600
++++ kernel-source-2.6.8/fs/nfs/nfs2xdr.c	2006-08-16 20:21:08.934617717 -0600
+@@ -547,7 +547,7 @@ nfs_xdr_readlinkres(struct rpc_rqst *req
+ 	strlen = (u32*)kmap_atomic(rcvbuf->pages[0], KM_USER0);
+ 	/* Convert length of symlink */
+ 	len = ntohl(*strlen);
+-	if (len > rcvbuf->page_len) {
++	if (len >= rcvbuf->page_len - sizeof(u32) || len > NFS2_MAXPATHLEN) {
+ 		dprintk(KERN_WARNING "nfs: server returned giant symlink!\n");
+ 		kunmap_atomic(strlen, KM_USER0);
+ 		return -ENAMETOOLONG;
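Review bot: In the new condition in nfs_xdr_readlinkres, `rcvbuf->page_len - sizeof(u32)` is evaluated in unsigned arithmetic because sizeof yields a size_t. If page_len is ever smaller than sizeof(u32), the result wraps to a very large value and the first comparison can never be true, so only the `len > NFS2_MAXPATHLEN` test would bound len. Consider testing `rcvbuf->page_len < sizeof(u32)` first, or confirm and document that page_len cannot be that small at this point. The change from `>` to `>=` also rejects a length that exactly fills the space after the length word. Presumably that reserves a byte for a terminator, but nothing in the hunk says so, and a short comment above the check would make the intent clear.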
+diff -urpN kernel-source-2.6.8.orig/fs/nfs/nfs3xdr.c kernel-source-2.6.8/fs/nfs/nfs3xdr.c
+--- kernel-source-2.6.8.orig/fs/nfs/nfs3xdr.c	2004-08-13 23:38:10.000000000 -0600
++++ kernel-source-2.6.8/fs/nfs/nfs3xdr.c	2006-08-16 20:21:51.351645815 -0600
+@@ -742,7 +742,7 @@ nfs3_xdr_readlinkres(struct rpc_rqst *re
+ 	strlen = (u32*)kmap_atomic(rcvbuf->pages[0], KM_USER0);
+ 	/* Convert length of symlink */
+ 	len = ntohl(*strlen);
+-	if (len > rcvbuf->page_len) {
++	if (len >= rcvbuf->page_len - sizeof(u32)) {
+ 		dprintk(KERN_WARNING "nfs: server returned giant symlink!\n");
+ 		kunmap_atomic(strlen, KM_USER0);
+ 		return -ENAMETOOLONG;
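Review bot: The check in nfs3_xdr_readlinkres has no protocol path-length cap, unlike the nfs2xdr.c hunk, which adds `|| len > NFS2_MAXPATHLEN`. If the omission is deliberate, the patch should say why. Otherwise add the NFSv3 counterpart (NFS3_MAXPATHLEN, if this tree defines it). The missing cap matters more here because `rcvbuf->page_len - sizeof(u32)` is unsigned: should page_len be below sizeof(u32), the subtraction wraps and this single comparison never fires, leaving len unbounded.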

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge5
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge5	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge5	Thu Aug 17 03:07:14 2006
@@ -1,2 +1,3 @@
 + fs-ext3-bad-nfs-handle.dpatch
 + direct-io-write-mem-leak.dpatch
++ nfs-handle-long-symlinks.dpatch


