[kernel] r12532 - in dists/etch-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Thu Dec 25 21:51:29 UTC 2008
Author: dannf
Date: Thu Dec 25 21:51:28 2008
New Revision: 12532
Log:
* Fix buffer underflow in the ib700wdt watchdog driver:
- bugfix/all/watchdog-ib700wdt-buffer_underflow.patch
See CVE-2008-5702
Added:
dists/etch-security/linux-2.6/debian/patches/bugfix/all/watchdog-ib700wdt-buffer_underflow.patch
dists/etch-security/linux-2.6/debian/patches/series/23etch2
Modified:
dists/etch-security/linux-2.6/debian/changelog
Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog (original)
+++ dists/etch-security/linux-2.6/debian/changelog Thu Dec 25 21:51:28 2008
@@ -1,3 +1,11 @@
+linux-2.6 (2.6.18.dfsg.1-23etch2) UNRELEASED; urgency=high
+
+ * Fix buffer underflow in the ib700wdt watchdog driver:
+ - bugfix/all/watchdog-ib700wdt-buffer_underflow.patch
+ See CVE-2008-5702
+
+ -- dann frazier <dannf at debian.org> Thu, 25 Dec 2008 14:47:31 -0700
+
linux-2.6 (2.6.18.dfsg.1-23etch1) stable-security; urgency=high
* Fix missing boundary checks in syscall/syscall32_nopage():
Added: dists/etch-security/linux-2.6/debian/patches/bugfix/all/watchdog-ib700wdt-buffer_underflow.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/all/watchdog-ib700wdt-buffer_underflow.patch Thu Dec 25 21:51:28 2008
@@ -0,0 +1,31 @@
+commit 7c2500f17d65092d93345f3996cf82ebca17e9ff
+Author: Wim Van Sebroeck <wim at iguana.be>
+Date: Wed Oct 15 08:53:06 2008 +0000
+
+ [WATCHDOG] ib700wdt.c - fix buffer_underflow bug
+
+ This fixes Bug 11399:
+ if ibwdt_set_heartbeat(int t) is called with value 30 then
+ the check "if ((t < 0) || (t > 30))" in ibwdt_set_heartbeat
+ is not going to fail because t == 30, but in the loop, the
+ check wd_times[i] > t is never going to be true because
+ none of the wd_times are greater than the value of t (i.e. 30).
+ So we are exiting the loop with i == -1 and therefore setting
+ wd_margin to -1 which is wrong.
+
+ Reported-by: Zvonimir Rakamaric <zrakamar at cs.ubc.ca>
+ Signed-off-by: Wim Van Sebroeck <wim at iguana.be>
+
+Backported to Debian's 2.6.18 by dann frazier <dannf at debian.org>
+
+--- linux-source-2.6.18/drivers/char/watchdog/ib700wdt.c.orig 2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/drivers/char/watchdog/ib700wdt.c 2008-12-25 14:44:26.000000000 -0700
+@@ -188,7 +188,7 @@ ibwdt_ioctl(struct inode *inode, struct
+ if ((new_margin < 0) || (new_margin > 30))
+ return -EINVAL;
+ for (i = 0x0F; i > -1; i--)
+- if (wd_times[i] > new_margin)
++ if (wd_times[i] >= new_margin)
+ break;
+ wd_margin = i;
+ ibwdt_ping();
Added: dists/etch-security/linux-2.6/debian/patches/series/23etch2
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/series/23etch2 Thu Dec 25 21:51:28 2008
@@ -0,0 +1 @@
++ bugfix/all/watchdog-ib700wdt-buffer_underflow.patch
More information about the Kernel-svn-changes
mailing list