[kernel] r10366 - in dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian: . patches patches/series

Dann Frazier dannf at alioth.debian.org
Fri Feb 1 20:59:19 UTC 2008


Author: dannf
Date: Fri Feb  1 20:59:18 2008
New Revision: 10366

Log:
* 256_i4l-isdn_ioctl-mem-overrun.diff
  [SECURITY] Fix potential isdn ioctl memory overrun
  See CVE-2007-6151

Added:
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/256_i4l-isdn_ioctl-mem-overrun.diff
Modified:
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6

Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
==============================================================================
--- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog	(original)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog	Fri Feb  1 20:59:18 2008
@@ -53,8 +53,11 @@
     [SECURITY] Add some sanity checking for a corrupted i_size in
     ext2_find_entry()
     See CVE-2006-6054
+  * 256_i4l-isdn_ioctl-mem-overrun.diff
+    [SECURITY] Fix potential isdn ioctl memory overrun
+    See CVE-2007-6151
 
- -- dann frazier <dannf at debian.org>  Mon, 21 Jan 2008 01:00:19 -0700
+ -- dann frazier <dannf at debian.org>  Fri, 01 Feb 2008 14:48:58 -0600
 
 kernel-source-2.4.27 (2.4.27-10sarge5) stable-security; urgency=high
 

Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/256_i4l-isdn_ioctl-mem-overrun.diff
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/256_i4l-isdn_ioctl-mem-overrun.diff	Fri Feb  1 20:59:18 2008
@@ -0,0 +1,59 @@
+commit eb0a06330df97dd9bbaf966cf29d755eff90ecd6
+Author: Willy Tarreau <w at 1wt.eu>
+Date:   Mon Dec 17 00:10:45 2007 +0100
+
+    [PATCH] isdn: fix isdn_ioctl memory overrun vulnerability
+    
+    Backport of 2.6 commit eafe1aa37e6ec2d56f14732b5240c4dd09f0613a by Karsten Keil
+    
+        I4L: fix isdn_ioctl memory overrun vulnerability
+    
+        Fix possible memory overrun issue in the isdn ioctl code.
+    
+        Found by ADLAB <adlab at venustech.com.cn>
+    
+        Signed-off-by: Karsten Keil <kkeil at suse.de>
+        Cc: ADLAB <adlab at venustech.com.cn>
+        Cc: <stable at kernel.org>
+        Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+        Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+    
+    Signed-off-by: Willy Tarreau <w at 1wt.eu>
+
+diff --git a/drivers/isdn/isdn_common.c b/drivers/isdn/isdn_common.c
+index 3155dc8..d251886 100644
+--- a/drivers/isdn/isdn_common.c
++++ b/drivers/isdn/isdn_common.c
+@@ -1442,6 +1442,7 @@ isdn_ioctl(struct inode *inode, struct file *file, uint cmd, ulong arg)
+ 					if (copy_from_user((char *) &iocts, (char *) arg,
+ 					     sizeof(isdn_ioctl_struct)))
+ 						return -EFAULT;
++					iocts.drvid[sizeof(iocts.drvid)-1] = 0;
+ 					if (strlen(iocts.drvid)) {
+ 						if ((p = strchr(iocts.drvid, ',')))
+ 							*p = 0;
+@@ -1527,6 +1528,7 @@ isdn_ioctl(struct inode *inode, struct file *file, uint cmd, ulong arg)
+ 							    (char *) arg,
+ 					     sizeof(isdn_ioctl_struct)))
+ 						return -EFAULT;
++					iocts.drvid[sizeof(iocts.drvid)-1] = 0;
+ 					if (strlen(iocts.drvid)) {
+ 						drvidx = -1;
+ 						for (i = 0; i < ISDN_MAX_DRIVERS; i++)
+@@ -1571,7 +1573,7 @@ isdn_ioctl(struct inode *inode, struct file *file, uint cmd, ulong arg)
+ 					} else {
+ 						p = (char *) iocts.arg;
+ 						for (i = 0; i < 10; i++) {
+-							sprintf(bname, "%s%s",
++							snprintf(bname, sizeof(bname), "%s%s",
+ 								strlen(dev->drv[drvidx]->msn2eaz[i]) ?
+ 								dev->drv[drvidx]->msn2eaz[i] : "_",
+ 								(i < 9) ? "," : "\0");
+@@ -1601,6 +1603,7 @@ isdn_ioctl(struct inode *inode, struct file *file, uint cmd, ulong arg)
+ 					char *p;
+ 					if (copy_from_user((char *) &iocts, (char *) arg, sizeof(isdn_ioctl_struct)))
+ 						return -EFAULT;
++					iocts.drvid[sizeof(iocts.drvid)-1] = 0;
+ 					if (strlen(iocts.drvid)) {
+ 						if ((p = strchr(iocts.drvid, ',')))
+ 							*p = 0;
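Review bot: The added `iocts.drvid[sizeof(iocts.drvid)-1] = 0;` appears verbatim at three `copy_from_user` sites in `isdn_ioctl` (the inner hunks at 1442, 1527 and 1601) with no comment explaining it, so a later reader cannot tell that it exists because `drvid` arrives from user space with no guaranteed terminator before `strlen`/`strchr` run on it. I would put `/* drvid is user-supplied; force NUL termination before any string call */` above each occurrence, and confirm that no other case in `isdn_ioctl` copies into `iocts` and then treats `drvid` as a string, since only these three sites are visible here. In the 1571 hunk, `snprintf(bname, sizeof(bname), ...)` bounds the write, but its return value is not checked in the visible lines, so an over-long `msn2eaz[i]` entry would be truncated silently; whether that matters depends on how `bname` is used after the hunk. `isdn_ioctl` begins and ends outside all four inner hunks.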

Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6
==============================================================================
--- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6	(original)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6	Fri Feb  1 20:59:18 2008
@@ -15,3 +15,4 @@
 + 253_coredump-only-to-same-uid.diff
 + 254_cramfs-check-block-length.diff
 + 255_ext2-skip-pages-past-num-blocks.diff
++ 256_i4l-isdn_ioctl-mem-overrun.diff


