[kernel] r6593 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: patches patches/series

Wed May 17 17:28:17 UTC 2006

Author: dannf
Date: Wed May 17 17:28:16 2006
New Revision: 6593

Added:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/cifs-chroot-escape.dpatch
Modified:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge3

Log:
* smbfs-chroot-escape.dpatch
  [SECURITY] Fix directory traversal vulnerability in smbfs that permits
  local users to escape chroot restrictions
  See CVE-2006-1863

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================

--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	Wed May 17 17:28:16 2006
@@ -24,8 +24,12 @@
     [SECURITY][ia64] Fix a potential local DoS on ia64 systems caused by
     an incorrect 'noreturn' attribute on die_if_kernel()
     See CVE-2006-0742
+  * smbfs-chroot-escape.dpatch
+    [SECURITY] Fix directory traversal vulnerability in smbfs that permits
+    local users to escape chroot restrictions
+    See CVE-2006-1863
 
- -- dann frazier <dannf at debian.org>  Wed, 17 May 2006 01:00:29 -0500
+ -- dann frazier <dannf at debian.org>  Wed, 17 May 2006 12:26:48 -0500
 
 kernel-source-2.6.8 (2.6.8-16sarge2) stable-security; urgency=high
 

Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/cifs-chroot-escape.dpatch
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/cifs-chroot-escape.dpatch	Wed May 17 17:28:16 2006
@@ -0,0 +1,38 @@
+From: Steve French <sfrench at us.ibm.com>
+Date: Fri, 21 Apr 2006 18:18:37 +0000 (+0000)
+Subject: [CIFS] Don't allow a backslash in a path component
+X-Git-Tag: v2.6.17-rc3
+X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=296034f7de8bdf111984ce1630ac598a9c94a253
+
+[CIFS] Don't allow a backslash in a path component
+
+Unless Posix paths have been negotiated, the backslash, "\", is not a valid
+character in a path component.
+
+Signed-off-by: Dave Kleikamp <shaggy at austin.ibm.com>
+Signed-off-by: Steve French  <sfrench at us.ibm.com>
+---
+
+--- a/fs/cifs/dir.c
++++ b/fs/cifs/dir.c
+@@ -436,6 +436,20 @@ cifs_lookup(struct inode *parent_dir_ino
+ 	cifs_sb = CIFS_SB(parent_dir_inode->i_sb);
+ 	pTcon = cifs_sb->tcon;
+ 
++	/*
++	 * Don't allow the separator character in a path component.
++	 * The VFS will not allow "/", but "\" is allowed by posix.
++	 */
++	if (!(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_POSIX_PATHS)) {
++		int i;
++		for (i = 0; i < direntry->d_name.len; i++)
++			if (direntry->d_name.name[i] == '\\') {
++				cFYI(1, ("Invalid file name"));
++				FreeXid(xid);
++				return ERR_PTR(-EINVAL);
++			}
++	}
++
+ 	/* can not grab the rename sem here since it would
+ 	deadlock in the cases (beginning of sys_rename itself)
+ 	in which we already have the sb rename sem */

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge3
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge3	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge3	Wed May 17 17:28:16 2006
@@ -5,3 +5,4 @@
 + smbfs-chroot-escape.dpatch
 + perfmon-exit-race.dpatch
 + ia64-die_if_kernel-returns.dpatch
++ cifs-chroot-escape.dpatch

