[kernel] r10533 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series

Dann Frazier dannf at alioth.debian.org
Wed Feb 13 21:14:08 UTC 2008 

Author: dannf
Date: Wed Feb 13 21:14:07 2008
New Revision: 10533

Log:
* bugfix/cifs-honor-umask.dpatch
  [SECURITY] Make CIFS honor a process' umask
  See CVE-2007-3740

Added:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/cifs-honor-umask.dpatch
Modified:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	Wed Feb 13 21:14:07 2008
@@ -44,8 +44,11 @@
   * [SECURITY] Prevent OOPS during stack expansion when the VMA crosses
     into address space reserved for hugetlb pages.
     See CVE-2007-3739
+  * bugfix/cifs-honor-umask.dpatch
+    [SECURITY] Make CIFS honor a process' umask
+    See CVE-2007-3740
 
- -- dann frazier <dannf at debian.org>  Wed, 13 Feb 2008 14:01:28 -0700
+ -- dann frazier <dannf at debian.org>  Wed, 13 Feb 2008 14:12:35 -0700
 
 kernel-source-2.6.8 (2.6.8-17) oldstable; urgency=high
 

Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/cifs-honor-umask.dpatch
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/cifs-honor-umask.dpatch	Wed Feb 13 21:14:07 2008
@@ -0,0 +1,81 @@
+From: Steve French <sfrench at us.ibm.com>
+Date: Fri, 8 Jun 2007 14:55:14 +0000 (+0000)
+Subject: [CIFS] CIFS should honour umask
+X-Git-Tag: v2.6.22-rc5~50^2
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=3ce53fc4c57603d99c330a6ee2fe96d94f2d350f
+
+[CIFS] CIFS should honour umask
+
+This patch makes CIFS honour a process' umask like other filesystems.
+Of course the server is still free to munge the permissions if it wants
+to; but the client will send the "right" permissions to begin with.
+
+A few caveats:
+
+1) It only applies to filesystems that have CAP_UNIX (aka support unix
+extensions)
+2) It applies the correct mode to the follow up CIFSSMBUnixSetPerms()
+after remote creation
+
+When mode to CIFS/NTFS ACL mapping is complete we can do the
+same thing for that case for servers which do not
+support the Unix Extensions.
+
+Signed-off-by: Matt Keenen <matt at opcode-solutions.com>
+Signed-off-by: Steve French <sfrench at us.ibm.com>
+---
+
+Backported to Debian's 2.6.8 by dann frazier <dannf at hp.com>
+
+diff -urpN kernel-source-2.6.8.orig/fs/cifs/dir.c kernel-source-2.6.8/fs/cifs/dir.c
+--- kernel-source-2.6.8.orig/fs/cifs/dir.c	2007-05-26 02:54:39.000000000 -0600
++++ kernel-source-2.6.8/fs/cifs/dir.c	2008-02-13 14:05:50.000000000 -0700
+@@ -242,7 +242,8 @@ cifs_create(struct inode *inode, struct 
+ 		/* If Open reported that we actually created a file
+ 		then we now have to set the mode if possible */
+ 		if ((cifs_sb->tcon->ses->capabilities & CAP_UNIX) &&
+-			(oplock & CIFS_CREATE_ACTION))
++			(oplock & CIFS_CREATE_ACTION)) {
++			mode &= ~current->fs->umask;
+ 			if(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_SET_UID) {
+ 				CIFSSMBUnixSetPerms(xid, pTcon, full_path, mode,
+ 					(__u64)current->euid,
+@@ -256,7 +257,7 @@ cifs_create(struct inode *inode, struct 
+ 					0 /* dev */,
+ 					cifs_sb->local_nls);
+ 			}
+-		else {
++		} else {
+ 			/* BB implement via Windows security descriptors */
+ 			/* eg CIFSSMBWinSetPerms(xid,pTcon,full_path,mode,-1,-1,local_nls);*/
+ 			/* could set r/o dos attribute if mode & 0222 == 0 */
+@@ -356,6 +357,7 @@ int cifs_mknod(struct inode *inode, stru
+ 		rc = -ENOMEM;
+ 	
+ 	if (full_path && (pTcon->ses->capabilities & CAP_UNIX)) {
++		mode &= ~current->fs->umask;
+ 		if(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_SET_UID) {
+ 			rc = CIFSSMBUnixSetPerms(xid, pTcon, full_path,
+ 				mode,(__u64)current->euid,(__u64)current->egid,
+diff -urpN kernel-source-2.6.8.orig/fs/cifs/inode.c kernel-source-2.6.8/fs/cifs/inode.c
+--- kernel-source-2.6.8.orig/fs/cifs/inode.c	2004-08-13 23:36:11.000000000 -0600
++++ kernel-source-2.6.8/fs/cifs/inode.c	2008-02-13 14:07:24.000000000 -0700
+@@ -480,7 +480,8 @@ cifs_mkdir(struct inode *inode, struct d
+ 		d_instantiate(direntry, newinode);
+ 		if(direntry->d_inode)
+ 			direntry->d_inode->i_nlink = 2;
+-		if (cifs_sb->tcon->ses->capabilities & CAP_UNIX)
++		if (cifs_sb->tcon->ses->capabilities & CAP_UNIX) {
++			mode &= ~current->fs->umask;
+ 			if(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_SET_UID) {
+ 				CIFSSMBUnixSetPerms(xid, pTcon, full_path, mode,
+ 						(__u64)current->euid,  
+@@ -494,7 +495,7 @@ cifs_mkdir(struct inode *inode, struct d
+ 						0 /* dev_t */,
+ 						cifs_sb->local_nls);
+ 			}
+-		else { /* BB to be implemented via Windows secrty descriptors*/
++		} else { /* BB to be implemented via Windows secrty descriptors*/
+ 		/* eg CIFSSMBWinSetPerms(xid,pTcon,full_path,mode,-1,-1,local_nls);*/
+ 		}
+ 	}

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1	Wed Feb 13 21:14:07 2008
@@ -12,3 +12,4 @@
 + minixfs-printk-hang.dpatch
 + isdn-net-overflow.dpatch
 + prevent-stack-growth-into-hugetlb-region.dpatch
++ cifs-honor-umask.dpatch

More information about the Kernel-svn-changes mailing list