[kernel] r12383 - in dists/etch-security/linux-2.6/debian: . patches/bugfix patches/series

Dann Frazier dannf at alioth.debian.org
Thu Nov 13 18:22:39 UTC 2008


Author: dannf
Date: Thu Nov 13 18:22:38 2008
New Revision: 12383

Log:
* Fix stack corruption in hfs
   - bugfix/hfs-fix-namelength-memory-corruption.patch
  See CVE-2008-5025

Added:
   dists/etch-security/linux-2.6/debian/patches/bugfix/hfs-fix-namelength-memory-corruption.patch
Modified:
   dists/etch-security/linux-2.6/debian/changelog
   dists/etch-security/linux-2.6/debian/patches/series/23etch1

Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog	(original)
+++ dists/etch-security/linux-2.6/debian/changelog	Thu Nov 13 18:22:38 2008
@@ -27,8 +27,11 @@
   * Fix BUG() in hfsplus
      - bugfix/hfsplus-check_read_mapping_page-return-value.patch
     See CVE-2008-4934
+  * Fix stack corruption in hfs
+     - bugfix/hfs-fix-namelength-memory-corruption.patch
+    See CVE-2008-5025
 
- -- dann frazier <dannf at debian.org>  Wed, 12 Nov 2008 18:43:35 -0700
+ -- dann frazier <dannf at debian.org>  Thu, 13 Nov 2008 11:20:11 -0700
 
 linux-2.6 (2.6.18.dfsg.1-23) stable; urgency=high
 

Added: dists/etch-security/linux-2.6/debian/patches/bugfix/hfs-fix-namelength-memory-corruption.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/hfs-fix-namelength-memory-corruption.patch	Thu Nov 13 18:22:38 2008
@@ -0,0 +1,31 @@
+commit d38b7aa7fc3371b52d036748028db50b585ade2e
+Author: Eric Sesterhenn <snakebyte at gmx.de>
+Date:   Wed Oct 15 22:04:11 2008 -0700
+
+    hfs: fix namelength memory corruption
+    
+    Fix a stack corruption caused by a corrupted hfs filesystem.  If the
+    catalog name length is corrupted the memcpy overwrites the catalog btree
+    structure.  Since the field is limited to HFS_NAMELEN bytes in the
+    structure and the file format, we throw an error if it is too long.
+    
+    Cc: Roman Zippel <zippel at linux-m68k.org>
+    Signed-off-by: Eric Sesterhenn <snakebyte at gmx.de>
+    Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/fs/hfs/catalog.c b/fs/hfs/catalog.c
+index ba85157..6d98f11 100644
+--- a/fs/hfs/catalog.c
++++ b/fs/hfs/catalog.c
+@@ -190,6 +190,10 @@ int hfs_cat_find_brec(struct super_block *sb, u32 cnid,
+ 
+ 	fd->search_key->cat.ParID = rec.thread.ParID;
+ 	len = fd->search_key->cat.CName.len = rec.thread.CName.len;
++	if (len > HFS_NAMELEN) {
++		printk(KERN_ERR "hfs: bad catalog namelength\n");
++		return -EIO;
++	}
+ 	memcpy(fd->search_key->cat.CName.name, rec.thread.CName.name, len);
+ 	return hfs_brec_find(fd);
+ }
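
Review bot: in hfs_cat_find_brec() the new `len > HFS_NAMELEN` check runs only after the chained assignment `len = fd->search_key->cat.CName.len = rec.thread.CName.len;`, so on the -EIO path the search key still holds the out-of-range length read from disk. The memcpy itself is guarded, but a caller that reuses fd after the error would see the corrupt CName.len; consider validating rec.thread.CName.len first and storing it in the key only once it has passed. The printk would also be more useful for triage if it reported the cnid and the rejected length.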

Modified: dists/etch-security/linux-2.6/debian/patches/series/23etch1
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/23etch1	(original)
+++ dists/etch-security/linux-2.6/debian/patches/series/23etch1	Thu Nov 13 18:22:38 2008
@@ -7,3 +7,4 @@
 + bugfix/sctp-fix-oops-when-INIT-ACK-indicates-that-peer-doesnt-support-AUTH.patch
 + bugfix/hfsplus-fix-Buffer-overflow-with-a-corrupted-image.patch
 + bugfix/hfsplus-check_read_mapping_page-return-value.patch
++ bugfix/hfs-fix-namelength-memory-corruption.patch


