[kernel] r12532 - in dists/etch-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Thu Dec 25 21:51:29 UTC 2008 

Author: dannf
Date: Thu Dec 25 21:51:28 2008
New Revision: 12532

Log:
* Fix buffer underflow in the ib700wdt watchdog driver:
   - bugfix/all/watchdog-ib700wdt-buffer_underflow.patch
  See CVE-2008-5702

Added:
   dists/etch-security/linux-2.6/debian/patches/bugfix/all/watchdog-ib700wdt-buffer_underflow.patch
   dists/etch-security/linux-2.6/debian/patches/series/23etch2
Modified:
   dists/etch-security/linux-2.6/debian/changelog

Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog	(original)
+++ dists/etch-security/linux-2.6/debian/changelog	Thu Dec 25 21:51:28 2008
@@ -1,3 +1,11 @@
+linux-2.6 (2.6.18.dfsg.1-23etch2) UNRELEASED; urgency=high
+
+  * Fix buffer underflow in the ib700wdt watchdog driver:
+     - bugfix/all/watchdog-ib700wdt-buffer_underflow.patch
+    See CVE-2008-5702
+
+ -- dann frazier <dannf at debian.org>  Thu, 25 Dec 2008 14:47:31 -0700
+
 linux-2.6 (2.6.18.dfsg.1-23etch1) stable-security; urgency=high
 
   * Fix missing boundary checks in syscall/syscall32_nopage():

Added: dists/etch-security/linux-2.6/debian/patches/bugfix/all/watchdog-ib700wdt-buffer_underflow.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/all/watchdog-ib700wdt-buffer_underflow.patch	Thu Dec 25 21:51:28 2008
@@ -0,0 +1,31 @@
+commit 7c2500f17d65092d93345f3996cf82ebca17e9ff
+Author: Wim Van Sebroeck <wim at iguana.be>
+Date:   Wed Oct 15 08:53:06 2008 +0000
+
+    [WATCHDOG] ib700wdt.c - fix buffer_underflow bug
+    
+    This fixes Bug 11399:
+    if ibwdt_set_heartbeat(int t) is called with value 30 then
+    the check "if ((t < 0) || (t > 30))" in ibwdt_set_heartbeat
+    is not going to fail because t == 30, but in the loop, the
+    check wd_times[i] > t is never going to be true because
+    none of the wd_times are greater than the value of t (i.e. 30).
+    So we are exiting the loop with i == -1 and therefore setting
+    wd_margin to -1 which is wrong.
+    
+    Reported-by: Zvonimir Rakamaric <zrakamar at cs.ubc.ca>
+    Signed-off-by: Wim Van Sebroeck <wim at iguana.be>
+
+Backported to Debian's 2.6.18 by dann frazier <dannf at debian.org>
+
+--- linux-source-2.6.18/drivers/char/watchdog/ib700wdt.c.orig	2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/drivers/char/watchdog/ib700wdt.c	2008-12-25 14:44:26.000000000 -0700
+@@ -188,7 +188,7 @@ ibwdt_ioctl(struct inode *inode, struct 
+ 	  if ((new_margin < 0) || (new_margin > 30))
+ 		  return -EINVAL;
+ 	  for (i = 0x0F; i > -1; i--)
+-		  if (wd_times[i] > new_margin)
++		  if (wd_times[i] >= new_margin)
+ 			  break;
+ 	  wd_margin = i;
+ 	  ibwdt_ping();

Added: dists/etch-security/linux-2.6/debian/patches/series/23etch2
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/series/23etch2	Thu Dec 25 21:51:28 2008
@@ -0,0 +1 @@
++ bugfix/all/watchdog-ib700wdt-buffer_underflow.patch

More information about the Kernel-svn-changes mailing list