[kernel] r12289 - in dists/etch-security/linux-2.6/debian: . patches/bugfix patches/series
Dann Frazier
dannf at alioth.debian.org
Tue Oct 7 06:12:24 UTC 2008
Author: dannf
Date: Tue Oct 7 06:12:22 2008
New Revision: 12289
Log:
bugfix/remove-SUID-when-splicing-into-an-inode.patch
Remove SUID when splicing into an inode
See CVE-2008-3833
Added:
dists/etch-security/linux-2.6/debian/patches/bugfix/remove-SUID-when-splicing-into-an-inode.patch
Modified:
dists/etch-security/linux-2.6/debian/changelog
dists/etch-security/linux-2.6/debian/patches/series/22etch3
Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog (original)
+++ dists/etch-security/linux-2.6/debian/changelog Tue Oct 7 06:12:22 2008
@@ -15,8 +15,11 @@
* bugfix/splice-fix-bad-unlock_page-in-error-case.patch
Don't attempt to unlock a page if add_to_page_cache_lru fails
See CVE-2008-4302
+ * bugfix/remove-SUID-when-splicing-into-an-inode.patch
+ Remove SUID when splicing into an inode
+ See CVE-2008-3833
- -- dann frazier <dannf at debian.org> Fri, 03 Oct 2008 16:51:58 -0600
+ -- dann frazier <dannf at debian.org> Fri, 03 Oct 2008 17:22:53 -0600
linux-2.6 (2.6.18.dfsg.1-22etch2) stable-security; urgency=high
Added: dists/etch-security/linux-2.6/debian/patches/bugfix/remove-SUID-when-splicing-into-an-inode.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/remove-SUID-when-splicing-into-an-inode.patch Tue Oct 7 06:12:22 2008
@@ -0,0 +1,51 @@
+commit 8c34e2d63231d4bf4852bac8521883944d770fe3
+Author: Jens Axboe <jens.axboe at oracle.com>
+Date: Tue Oct 17 19:43:22 2006 +0200
+
+ [PATCH] Remove SUID when splicing into an inode
+
+ Originally from Mark Fasheh <mark.fasheh at oracle.com>
+
+ generic_file_splice_write() does not remove S_ISUID or S_ISGID. This is
+ inconsistent with the way we generally write to files.
+
+ Signed-off-by: Mark Fasheh <mark.fasheh at oracle.com>
+ Signed-off-by: Jens Axboe <jens.axboe at oracle.com>
+
+Backported to Debian's 2.6.18 by dann frazier <dannf at debian.org>
+
+--- linux-source-2.6.18.orig/fs/splice.c 2008-10-03 17:14:24.000000000 -0600
++++ linux-source-2.6.18/fs/splice.c 2008-10-03 17:18:35.000000000 -0600
+@@ -827,12 +827,21 @@
+ loff_t *ppos, size_t len, unsigned int flags)
+ {
+ struct address_space *mapping = out->f_mapping;
++ struct inode *inode = mapping->host;
+ ssize_t ret;
++ int err;
++
++ err = should_remove_suid(out->f_dentry);
++ if (unlikely(err)) {
++ mutex_lock(&inode->i_mutex);
++ err = __remove_suid(out->f_dentry, err);
++ mutex_unlock(&inode->i_mutex);
++ if (err)
++ return err;
++ }
+
+ ret = splice_from_pipe(pipe, out, ppos, len, flags, pipe_to_file);
+ if (ret > 0) {
+- struct inode *inode = mapping->host;
+-
+ *ppos += ret;
+
+ /*
+@@ -840,8 +849,6 @@
+ * sync it.
+ */
+ if (unlikely((out->f_flags & O_SYNC) || IS_SYNC(inode))) {
+- int err;
+-
+ mutex_lock(&inode->i_mutex);
+ err = generic_osync_inode(inode, mapping,
+ OSYNC_METADATA|OSYNC_DATA);
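Review bot: In the first fs/splice.c hunk (`@@ -827,12 +827,21 @@`), `should_remove_suid(out->f_dentry)` is evaluated before `inode->i_mutex` is taken, so the mode it sampled may be stale by the time `__remove_suid()` runs under the lock, and a set-id bit applied in that window could survive the write. The sequence looks like a straight carry-over of the quoted upstream commit, so the logic should probably stay as is for the backport, but the unlocked check deserves a comment such as `/* unlocked fast-path check; i_mode may change before i_mutex is taken */`. The same lines use `err` first as the kill mask and then as an error code; a separate `int killsuid = should_remove_suid(out->f_dentry);` would make the `return err` path easier to audit. Both helpers presumably come from bugfix/lockless-helpers-for-remove_suid.patch, listed earlier in the series, and generic_file_splice_write() starts and ends outside the embedded hunks, so the rest of its body is not reviewed here.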
Modified: dists/etch-security/linux-2.6/debian/patches/series/22etch3
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/22etch3 (original)
+++ dists/etch-security/linux-2.6/debian/patches/series/22etch3 Tue Oct 7 06:12:22 2008
@@ -4,3 +4,4 @@
+ bugfix/lockless-helpers-for-remove_suid.patch
+ bugfix/open-allows-sgid-in-sgid-directory.patch
+ bugfix/splice-fix-bad-unlock_page-in-error-case.patch
++ bugfix/remove-SUID-when-splicing-into-an-inode.patch