[kernel] r6741 - dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches

Dann Frazier dannf at costa.debian.org
Mon May 29 01:14:20 UTC 2006 

Author: dannf
Date: Mon May 29 01:14:19 2006
New Revision: 6741

Modified:
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/207_smbfs-chroot-escape.diff

Log:
extract the patch from marcelo's tree, instead of our backport


Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/207_smbfs-chroot-escape.diff
==============================================================================
--- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/207_smbfs-chroot-escape.diff	(original)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/207_smbfs-chroot-escape.diff	Mon May 29 01:14:19 2006
@@ -1,13 +1,33 @@
---- kernel-source-2.4.27-2.4.27/fs/smbfs/dir.c.orig	2006-05-16 22:33:21.000000000 +0200
-+++ kernel-source-2.4.27-2.4.27/fs/smbfs/dir.c	2006-05-16 22:34:42.000000000 +0200
-@@ -416,6 +416,11 @@
+From: Olaf Kirch <okir at suse.de>
+Date: Fri, 5 May 2006 01:40:41 +0000 (-0700)
+Subject: [PATCH] smbfs chroot issue (CVE-2006-1864)
+X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/marcelo/linux-2.4.git;a=commitdiff;h=aaf1e07ac554b9674bf22394911ec8dd3a927826
+
+[PATCH] smbfs chroot issue (CVE-2006-1864)
+
+Mark Moseley reported that a chroot environment on a SMB share can be
+left via "cd ..\\".  Similar to CVE-2006-1863 issue with cifs, this fix
+is for smbfs.
+
+Steven French <sfrench at us.ibm.com> wrote:
+
+Looks fine to me.  This should catch the slash on lookup or equivalent,
+which will be all obvious paths of interest.
+
+Back-ported to 2.4 by Willy Tarreau.
+Signed-off-by: Willy Tarreau <willy at w.ods.org>
+---
+
+--- a/fs/smbfs/dir.c
++++ b/fs/smbfs/dir.c
+@@ -416,6 +416,11 @@ smb_lookup(struct inode *dir, struct den
  	if (dentry->d_name.len > SMB_MAXNAMELEN)
  		goto out;
  
-+        /*Do not allow lookup of names with backslashes in */
-+        error = -EINVAL;
-+        if (memchr(dentry->d_name.name, '\\', dentry->d_name.len))
-+                goto out;
++	/* Do not allow lookup of names with backslashes in */
++	error = -EINVAL;
++	if (memchr(dentry->d_name.name, '\\', dentry->d_name.len))
++		goto out;
 +
  	error = smb_proc_getattr(dentry, &finfo);
  #ifdef SMBFS_PARANOIA

More information about the Kernel-svn-changes mailing list