[kernel] r7786 - in dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian: . patches patches/series

Dann Frazier dannf at alioth.debian.org
Mon Nov 13 04:43:28 UTC 2006


Author: dannf
Date: Mon Nov 13 05:43:27 2006
New Revision: 7786

Added:
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/237_smbfs-no-cap-unix.diff
Modified:
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge5
Log:
* 237_smbfs-no-cap-unix.diff
  [SECURITY] Disable SMB_CAP_UNIX if uid, gid, fmask or dmask are set.
  Now that smbfs supports CAP_UNIX, these options are ignored when
  connecting to a samba server in favor of passing through the Unix
  permissions from the remote server. This is a behavior change from
  woody that users likely will not expect, so disabling.
  Closes: #310982

Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
==============================================================================
--- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog	(original)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog	Mon Nov 13 05:43:27 2006
@@ -17,8 +17,15 @@
     remaining bytes of the kernel buffer after a fault on the userspace
     address in copy_from_user()
     See CVE-2006-5174
+  * 237_smbfs-no-cap-unix.diff
+    [SECURITY] Disable SMB_CAP_UNIX if uid, gid, fmask or dmask are set.
+    Now that smbfs supports CAP_UNIX, these options are ignored when
+    connecting to a samba server in favor of passing through the Unix
+    permissions from the remote server. This is a behavior change from
+    woody that users likely will not expect, so disabling.
+    Closes: #310982
 
- -- dann frazier <dannf at debian.org>  Sun, 12 Nov 2006 20:58:14 -0700
+ -- dann frazier <dannf at debian.org>  Sun, 12 Nov 2006 21:12:42 -0700
 
 kernel-source-2.4.27 (2.4.27-10sarge4) stable-security; urgency=high
 

Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/237_smbfs-no-cap-unix.diff
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/237_smbfs-no-cap-unix.diff	Mon Nov 13 05:43:27 2006
@@ -0,0 +1,45 @@
+diff -pru kernel-source-2.4.27.orig/include/linux/smb_mount.h kernel-source-2.4.27/include/linux/smb_mount.h
+--- kernel-source-2.4.27.orig/include/linux/smb_mount.h	2004-02-18 22:36:32.000000000 +0900
++++ kernel-source-2.4.27/include/linux/smb_mount.h	2005-07-07 11:27:51.000000000 +0900
+@@ -37,7 +37,9 @@ struct smb_mount_data {
+ #define SMB_MOUNT_OLDATTR	0x0002	/* Use core getattr (Win 95 speedup) */
+ #define SMB_MOUNT_DIRATTR	0x0004	/* Use find_first for getattr */
+ #define SMB_MOUNT_CASE		0x0008	/* Be case sensitive */
+-
++#define SMB_MOUNT_NO_CAP_UNIX	0x0010	/* Hack for Debian to disable 
++					   SMB_CAP_UNIX if uid, gid, fmask
++					   or dmask are set. See Bug#310982 */
+ 
+ struct smb_mount_data_kernel {
+ 	int version;
+diff -pru kernel-source-2.4.27.orig/fs/smbfs/inode.c kernel-source-2.4.27/fs/smbfs/inode.c
+--- kernel-source-2.4.27.orig/fs/smbfs/inode.c	2004-02-18 22:36:31.000000000 +0900
++++ kernel-source-2.4.27/fs/smbfs/inode.c	2005-07-07 10:50:56.000000000 +0900
+@@ -286,10 +286,10 @@ static struct option opts[] = {
+ 	{ "oldattr",	SMB_MOUNT_OLDATTR, 1 },
+ 	{ "dirattr",	SMB_MOUNT_DIRATTR, 1 },
+ 	{ "case",	SMB_MOUNT_CASE, 1 },
+-	{ "uid",	0, 'u' },
+-	{ "gid",	0, 'g' },
+-	{ "file_mode",	0, 'f' },
+-	{ "dir_mode",	0, 'd' },
++	{ "uid",	SMB_MOUNT_NO_CAP_UNIX, 'u' },
++	{ "gid",	SMB_MOUNT_NO_CAP_UNIX, 'g' },
++	{ "file_mode",	SMB_MOUNT_NO_CAP_UNIX, 'f' },
++	{ "dir_mode",	SMB_MOUNT_NO_CAP_UNIX, 'd' },
+ 	{ "iocharset",	0, 'i' },
+ 	{ "codepage",	0, 'c' },
+ 	{ "ttl",	0, 't' },
+diff -pru kernel-source-2.4.27.orig/fs/smbfs/proc.c kernel-source-2.4.27/fs/smbfs/proc.c
+--- kernel-source-2.4.27.orig/fs/smbfs/proc.c	2005-05-19 19:29:38.000000000 +0900
++++ kernel-source-2.4.27/fs/smbfs/proc.c	2005-07-07 10:49:35.000000000 +0900
+@@ -916,7 +916,8 @@ smb_newconn(struct smb_sb_info *server, 
+ 		VERBOSE("LFS enabled\n");
+ 	}
+ #ifndef CONFIG_SMB_UNIX
+-	server->opt.capabilities &= ~SMB_CAP_UNIX;
++	if (!server->mnt.flags & SMB_MOUNT_NO_CAP_UNIX)
++		server->opt.capabilities &= ~SMB_CAP_UNIX;
+ #endif
+ 	if (server->opt.capabilities & SMB_CAP_UNIX) {
+ 		struct inode *inode;
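Review bot: The new guard in the fs/smbfs/proc.c part, `if (!server->mnt.flags & SMB_MOUNT_NO_CAP_UNIX)`, can never be true: `!` binds tighter than `&`, so it evaluates `(!server->mnt.flags) & 0x0010`, and `!x` is only ever 0 or 1. As written, builds without CONFIG_SMB_UNIX no longer clear SMB_CAP_UNIX at this point, and because the test sits inside `#ifndef CONFIG_SMB_UNIX`, builds with it never consult the flag here, so the uid/gid/file_mode/dir_mode overrides that the changelog entry wants honoured would apparently still be replaced by server-supplied permissions. I would keep the original unconditional clear under the `#ifndef` and add after the `#endif`: `if (server->mnt.flags & SMB_MOUNT_NO_CAP_UNIX) server->opt.capabilities &= ~SMB_CAP_UNIX;`. This assumes the option parser ORs the table's flag value into `server->mnt.flags`, which is not visible here; smb_newconn() starts and ends outside the hunk.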

Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge5
==============================================================================
--- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge5	(original)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge5	Mon Nov 13 05:43:27 2006
@@ -2,3 +2,4 @@
 + 234_atm-clip-freed-skb-deref.diff
 + 235_ppc-alignment-exception-table-check.diff
 + 236_s390-uaccess-memleak.diff
++ 237_smbfs-no-cap-unix.diff


