[kernel] r12383 - in dists/etch-security/linux-2.6/debian: . patches/bugfix patches/series
Dann Frazier
dannf at alioth.debian.org
Thu Nov 13 18:22:39 UTC 2008
Author: dannf
Date: Thu Nov 13 18:22:38 2008
New Revision: 12383
Log:
* Fix stack corruption in hfs
- bugfix/hfs-fix-namelength-memory-corruption.patch
See CVE-2008-5025
Added:
dists/etch-security/linux-2.6/debian/patches/bugfix/hfs-fix-namelength-memory-corruption.patch
Modified:
dists/etch-security/linux-2.6/debian/changelog
dists/etch-security/linux-2.6/debian/patches/series/23etch1
Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog (original)
+++ dists/etch-security/linux-2.6/debian/changelog Thu Nov 13 18:22:38 2008
@@ -27,8 +27,11 @@
* Fix BUG() in hfsplus
- bugfix/hfsplus-check_read_mapping_page-return-value.patch
See CVE-2008-4934
+ * Fix stack corruption in hfs
+ - bugfix/hfs-fix-namelength-memory-corruption.patch
+ See CVE-2008-5025
- -- dann frazier <dannf at debian.org> Wed, 12 Nov 2008 18:43:35 -0700
+ -- dann frazier <dannf at debian.org> Thu, 13 Nov 2008 11:20:11 -0700
linux-2.6 (2.6.18.dfsg.1-23) stable; urgency=high
Added: dists/etch-security/linux-2.6/debian/patches/bugfix/hfs-fix-namelength-memory-corruption.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/hfs-fix-namelength-memory-corruption.patch Thu Nov 13 18:22:38 2008
@@ -0,0 +1,31 @@
+commit d38b7aa7fc3371b52d036748028db50b585ade2e
+Author: Eric Sesterhenn <snakebyte at gmx.de>
+Date: Wed Oct 15 22:04:11 2008 -0700
+
+ hfs: fix namelength memory corruption
+
+ Fix a stack corruption caused by a corrupted hfs filesystem. If the
+ catalog name length is corrupted the memcpy overwrites the catalog btree
+ structure. Since the field is limited to HFS_NAMELEN bytes in the
+ structure and the file format, we throw an error if it is too long.
+
+ Cc: Roman Zippel <zippel at linux-m68k.org>
+ Signed-off-by: Eric Sesterhenn <snakebyte at gmx.de>
+ Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/fs/hfs/catalog.c b/fs/hfs/catalog.c
+index ba85157..6d98f11 100644
+--- a/fs/hfs/catalog.c
++++ b/fs/hfs/catalog.c
+@@ -190,6 +190,10 @@ int hfs_cat_find_brec(struct super_block *sb, u32 cnid,
+
+ fd->search_key->cat.ParID = rec.thread.ParID;
+ len = fd->search_key->cat.CName.len = rec.thread.CName.len;
++ if (len > HFS_NAMELEN) {
++ printk(KERN_ERR "hfs: bad catalog namelength\n");
++ return -EIO;
++ }
+ memcpy(fd->search_key->cat.CName.name, rec.thread.CName.name, len);
+ return hfs_brec_find(fd);
+ }
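Review bot: the len > HFS_NAMELEN check in hfs_cat_find_brec() runs only after the preceding line has already stored rec.thread.CName.len into fd->search_key->cat.CName.len, so on the -EIO path the search key is left carrying the out-of-range length. Validate rec.thread.CName.len first and assign it to the search key only once it has passed, so that any code touching fd after the error never sees a length above HFS_NAMELEN. The printk would also be more useful for triage if it included the cnid that the function already takes as a parameter, plus the offending length.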
Modified: dists/etch-security/linux-2.6/debian/patches/series/23etch1
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/23etch1 (original)
+++ dists/etch-security/linux-2.6/debian/patches/series/23etch1 Thu Nov 13 18:22:38 2008
@@ -7,3 +7,4 @@
+ bugfix/sctp-fix-oops-when-INIT-ACK-indicates-that-peer-doesnt-support-AUTH.patch
+ bugfix/hfsplus-fix-Buffer-overflow-with-a-corrupted-image.patch
+ bugfix/hfsplus-check_read_mapping_page-return-value.patch
++ bugfix/hfs-fix-namelength-memory-corruption.patch