[kernel] r10366 - in dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian: . patches patches/series
Dann Frazier
dannf at alioth.debian.org
Fri Feb 1 20:59:19 UTC 2008
Author: dannf
Date: Fri Feb 1 20:59:18 2008
New Revision: 10366
Log:
* 256_i4l-isdn_ioctl-mem-overrun.diff
[SECURITY] Fix potential isdn ioctl memory overrun
See CVE-2007-6151
Added:
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/256_i4l-isdn_ioctl-mem-overrun.diff
Modified:
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6
Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
==============================================================================
--- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog (original)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog Fri Feb 1 20:59:18 2008
@@ -53,8 +53,11 @@
[SECURITY] Add some sanity checking for a corrupted i_size in
ext2_find_entry()
See CVE-2006-6054
+ * 256_i4l-isdn_ioctl-mem-overrun.diff
+ [SECURITY] Fix potential isdn ioctl memory overrun
+ See CVE-2007-6151
- -- dann frazier <dannf at debian.org> Mon, 21 Jan 2008 01:00:19 -0700
+ -- dann frazier <dannf at debian.org> Fri, 01 Feb 2008 14:48:58 -0600
kernel-source-2.4.27 (2.4.27-10sarge5) stable-security; urgency=high
Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/256_i4l-isdn_ioctl-mem-overrun.diff
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/256_i4l-isdn_ioctl-mem-overrun.diff Fri Feb 1 20:59:18 2008
@@ -0,0 +1,59 @@
+commit eb0a06330df97dd9bbaf966cf29d755eff90ecd6
+Author: Willy Tarreau <w at 1wt.eu>
+Date: Mon Dec 17 00:10:45 2007 +0100
+
+ [PATCH] isdn: fix isdn_ioctl memory overrun vulnerability
+
+ Backport of 2.6 commit eafe1aa37e6ec2d56f14732b5240c4dd09f0613a by Karsten Keil
+
+ I4L: fix isdn_ioctl memory overrun vulnerability
+
+ Fix possible memory overrun issue in the isdn ioctl code.
+
+ Found by ADLAB <adlab at venustech.com.cn>
+
+ Signed-off-by: Karsten Keil <kkeil at suse.de>
+ Cc: ADLAB <adlab at venustech.com.cn>
+ Cc: <stable at kernel.org>
+ Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+ Signed-off-by: Willy Tarreau <w at 1wt.eu>
+
+diff --git a/drivers/isdn/isdn_common.c b/drivers/isdn/isdn_common.c
+index 3155dc8..d251886 100644
+--- a/drivers/isdn/isdn_common.c
++++ b/drivers/isdn/isdn_common.c
+@@ -1442,6 +1442,7 @@ isdn_ioctl(struct inode *inode, struct file *file, uint cmd, ulong arg)
+ if (copy_from_user((char *) &iocts, (char *) arg,
+ sizeof(isdn_ioctl_struct)))
+ return -EFAULT;
++ iocts.drvid[sizeof(iocts.drvid)-1] = 0;
+ if (strlen(iocts.drvid)) {
+ if ((p = strchr(iocts.drvid, ',')))
+ *p = 0;
+@@ -1527,6 +1528,7 @@ isdn_ioctl(struct inode *inode, struct file *file, uint cmd, ulong arg)
+ (char *) arg,
+ sizeof(isdn_ioctl_struct)))
+ return -EFAULT;
++ iocts.drvid[sizeof(iocts.drvid)-1] = 0;
+ if (strlen(iocts.drvid)) {
+ drvidx = -1;
+ for (i = 0; i < ISDN_MAX_DRIVERS; i++)
+@@ -1571,7 +1573,7 @@ isdn_ioctl(struct inode *inode, struct file *file, uint cmd, ulong arg)
+ } else {
+ p = (char *) iocts.arg;
+ for (i = 0; i < 10; i++) {
+- sprintf(bname, "%s%s",
++ snprintf(bname, sizeof(bname), "%s%s",
+ strlen(dev->drv[drvidx]->msn2eaz[i]) ?
+ dev->drv[drvidx]->msn2eaz[i] : "_",
+ (i < 9) ? "," : "\0");
+@@ -1601,6 +1603,7 @@ isdn_ioctl(struct inode *inode, struct file *file, uint cmd, ulong arg)
+ char *p;
+ if (copy_from_user((char *) &iocts, (char *) arg, sizeof(isdn_ioctl_struct)))
+ return -EFAULT;
++ iocts.drvid[sizeof(iocts.drvid)-1] = 0;
+ if (strlen(iocts.drvid)) {
+ if ((p = strchr(iocts.drvid, ',')))
+ *p = 0;
Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6
==============================================================================
--- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 (original)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 Fri Feb 1 20:59:18 2008
@@ -15,3 +15,4 @@
+ 253_coredump-only-to-same-uid.diff
+ 254_cramfs-check-block-length.diff
+ 255_ext2-skip-pages-past-num-blocks.diff
++ 256_i4l-isdn_ioctl-mem-overrun.diff
More information about the Kernel-svn-changes
mailing list