[kernel] r5473 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series

Dann Frazier dannf at costa.debian.org
Mon Jan 16 22:59:23 UTC 2006


Author: dannf
Date: Mon Jan 16 22:59:22 2006
New Revision: 5473

Added:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/sysctl-buffer-overflow.dpatch
Modified:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge2
Log:
* sysctl-buffer-overflow.dpatch:
  [SECURITY] Fix a potential overflow in sysctl buffer termination code.
  See CVE-2005-4618

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	Mon Jan 16 22:59:22 2006
@@ -170,7 +170,11 @@
     [SECURITY] Fix double increment of mqueue_mnt->mnt_count in sys_mq_open.
     See CVE-2005-3356
 
- -- dann frazier <dannf at debian.org>  Mon, 16 Jan 2006 15:29:26 -0700
+  * sysctl-buffer-overflow.dpatch:
+    [SECURITY] Fix a potential overflow in sysctl buffer termination code.
+    See CVE-2005-4618
+
+ -- dann frazier <dannf at debian.org>  Mon, 16 Jan 2006 15:52:11 -0700
 
 kernel-source-2.6.8 (2.6.8-16sarge1) stable-security; urgency=high
 

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge2
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge2	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge2	Mon Jan 16 22:59:22 2006
@@ -31,3 +31,4 @@
 + fs_coda_coverty.dpatch
 + io_edgeport_overflow.dpatch
 + mqueue-double-increment.dpatch
++ sysctl-buffer-overflow.dpatch

Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/sysctl-buffer-overflow.dpatch
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/sysctl-buffer-overflow.dpatch	Mon Jan 16 22:59:22 2006
@@ -0,0 +1,35 @@
+From: Linus Torvalds <torvalds at g5.osdl.org>
+Date: Sat, 31 Dec 2005 01:18:53 +0000 (-0800)
+Subject: sysctl: don't overflow the user-supplied buffer with '\0'
+X-Git-Tag: v2.6.15
+X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=8febdd85adaa41fa1fc1cb31286210fc2cd3ed0c
+
+sysctl: don't overflow the user-supplied buffer with '\0'
+
+If the string was too long to fit in the user-supplied buffer,
+the sysctl layer would zero-terminate it by writing past the
+end of the buffer. Don't do that.
+
+Noticed by Yi Yang <yang.y.yi at gmail.com>
+
+Signed-off-by: Linus Torvalds <torvalds at osdl.org>
+---
+
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -2201,14 +2201,12 @@ int sysctl_string(ctl_table *table, int 
+ 		if (get_user(len, oldlenp))
+ 			return -EFAULT;
+ 		if (len) {
+-			l = strlen(table->data);
++			l = strlen(table->data)+1;
+ 			if (len > l) len = l;
+ 			if (len >= table->maxlen)
+ 				len = table->maxlen;
+ 			if(copy_to_user(oldval, table->data, len))
+ 				return -EFAULT;
+-			if(put_user(0, ((char __user *) oldval) + len))
+-				return -EFAULT;
+ 			if(put_user(len, oldlenp))
+ 				return -EFAULT;
+ 		}
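
Review bot: In the kernel/sysctl.c hunk, removing the `put_user(0, ((char __user *) oldval) + len)` call means a read where the caller's `len` is smaller than `strlen(table->data)+1` now returns `len` bytes with no terminator anywhere in `oldval`. The NUL reaches userspace only when it is copied as part of the `strlen(table->data)+1` bytes. That stops the write past the end of the buffer, but the truncation behaviour is not stated in the code or in the commit message. Suggest a short comment above the `copy_to_user()` call saying that the result is NUL-terminated only when the buffer holds the whole string, and that callers must rely on the length written back through `oldlenp` rather than on a terminator. The same applies when the `len >= table->maxlen` clamp takes effect, since exactly `table->maxlen` bytes are then copied and nothing guarantees the last one is '\0'.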


