[kernel] r5473 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series
Dann Frazier
dannf at costa.debian.org
Mon Jan 16 22:59:23 UTC 2006
Author: dannf
Date: Mon Jan 16 22:59:22 2006
New Revision: 5473
Added:
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/sysctl-buffer-overflow.dpatch
Modified:
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge2
Log:
* sysctl-buffer-overflow.dpatch:
[SECURITY] Fix a potential overflow in sysctl buffer termination code.
See CVE-2005-4618
Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog (original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog Mon Jan 16 22:59:22 2006
@@ -170,7 +170,11 @@
[SECURITY] Fix double increment of mqueue_mnt->mnt_count in sys_mq_open.
See CVE-2005-3356
- -- dann frazier <dannf at debian.org> Mon, 16 Jan 2006 15:29:26 -0700
+ * sysctl-buffer-overflow.dpatch:
+ [SECURITY] Fix a potential overflow in sysctl buffer termination code.
+ See CVE-2005-4618
+
+ -- dann frazier <dannf at debian.org> Mon, 16 Jan 2006 15:52:11 -0700
kernel-source-2.6.8 (2.6.8-16sarge1) stable-security; urgency=high
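Review bot: The entry added for sysctl-buffer-overflow.dpatch says only "potential overflow in sysctl buffer termination code", which does not tell a reader what gets overwritten or where. According to the dpatch description it is a '\0' written past the end of the user-supplied buffer in sysctl_string; naming that function and the upstream commit (the X-Git-Url carried in the dpatch) in the entry would make the changelog easier to triage against CVE-2005-4618.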
Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge2
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge2 (original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge2 Mon Jan 16 22:59:22 2006
@@ -31,3 +31,4 @@
+ fs_coda_coverty.dpatch
+ io_edgeport_overflow.dpatch
+ mqueue-double-increment.dpatch
++ sysctl-buffer-overflow.dpatch
Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/sysctl-buffer-overflow.dpatch
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/sysctl-buffer-overflow.dpatch Mon Jan 16 22:59:22 2006
@@ -0,0 +1,35 @@
+From: Linus Torvalds <torvalds at g5.osdl.org>
+Date: Sat, 31 Dec 2005 01:18:53 +0000 (-0800)
+Subject: sysctl: don't overflow the user-supplied buffer with '\0'
+X-Git-Tag: v2.6.15
+X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=8febdd85adaa41fa1fc1cb31286210fc2cd3ed0c
+
+sysctl: don't overflow the user-supplied buffer with '\0'
+
+If the string was too long to fit in the user-supplied buffer,
+the sysctl layer would zero-terminate it by writing past the
+end of the buffer. Don't do that.
+
+Noticed by Yi Yang <yang.y.yi at gmail.com>
+
+Signed-off-by: Linus Torvalds <torvalds at osdl.org>
+---
+
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -2201,14 +2201,12 @@ int sysctl_string(ctl_table *table, int
+ if (get_user(len, oldlenp))
+ return -EFAULT;
+ if (len) {
+- l = strlen(table->data);
++ l = strlen(table->data)+1;
+ if (len > l) len = l;
+ if (len >= table->maxlen)
+ len = table->maxlen;
+ if(copy_to_user(oldval, table->data, len))
+ return -EFAULT;
+- if(put_user(0, ((char __user *) oldval) + len))
+- return -EFAULT;
+ if(put_user(len, oldlenp))
+ return -EFAULT;
+ }
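Review bot: In the sysctl_string hunk, dropping the put_user(0, ...) call means a caller whose buffer is shorter than strlen(table->data)+1 now receives exactly len bytes with no terminating NUL, and the length stored back through oldlenp now counts the terminator when it fits, because l is strlen(table->data)+1 where it used to be the bare string length. Both changes are visible to userspace and the patch description mentions neither; state them there, and add a comment above "if (len > l) len = l;" noting that a truncated copy is left unterminated, so callers must rely on the returned length rather than on a trailing '\0'.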