[kernel] r6741 -
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches
Dann Frazier
dannf at costa.debian.org
Mon May 29 01:14:20 UTC 2006
Author: dannf
Date: Mon May 29 01:14:19 2006
New Revision: 6741
Modified:
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/207_smbfs-chroot-escape.diff
Log:
extract the patch from marcelo's tree, instead of our backport
Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/207_smbfs-chroot-escape.diff
==============================================================================
--- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/207_smbfs-chroot-escape.diff (original)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/207_smbfs-chroot-escape.diff Mon May 29 01:14:19 2006
@@ -1,13 +1,33 @@
---- kernel-source-2.4.27-2.4.27/fs/smbfs/dir.c.orig 2006-05-16 22:33:21.000000000 +0200
-+++ kernel-source-2.4.27-2.4.27/fs/smbfs/dir.c 2006-05-16 22:34:42.000000000 +0200
-@@ -416,6 +416,11 @@
+From: Olaf Kirch <okir at suse.de>
+Date: Fri, 5 May 2006 01:40:41 +0000 (-0700)
+Subject: [PATCH] smbfs chroot issue (CVE-2006-1864)
+X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/marcelo/linux-2.4.git;a=commitdiff;h=aaf1e07ac554b9674bf22394911ec8dd3a927826
+
+[PATCH] smbfs chroot issue (CVE-2006-1864)
+
+Mark Moseley reported that a chroot environment on a SMB share can be
+left via "cd ..\\". Similar to CVE-2006-1863 issue with cifs, this fix
+is for smbfs.
+
+Steven French <sfrench at us.ibm.com> wrote:
+
+Looks fine to me. This should catch the slash on lookup or equivalent,
+which will be all obvious paths of interest.
+
+Back-ported to 2.4 by Willy Tarreau.
+Signed-off-by: Willy Tarreau <willy at w.ods.org>
+---
+
+--- a/fs/smbfs/dir.c
++++ b/fs/smbfs/dir.c
+@@ -416,6 +416,11 @@ smb_lookup(struct inode *dir, struct den
if (dentry->d_name.len > SMB_MAXNAMELEN)
goto out;
-+ /*Do not allow lookup of names with backslashes in */
-+ error = -EINVAL;
-+ if (memchr(dentry->d_name.name, '\\', dentry->d_name.len))
-+ goto out;
++ /* Do not allow lookup of names with backslashes in */
++ error = -EINVAL;
++ if (memchr(dentry->d_name.name, '\\', dentry->d_name.len))
++ goto out;
+
error = smb_proc_getattr(dentry, &finfo);
#ifdef SMBFS_PARANOIA
More information about the Kernel-svn-changes
mailing list