[kernel] r12188 - in dists/etch-security/linux-2.6.24/debian: . patches/bugfix patches/series

Dann Frazier dannf at alioth.debian.org
Fri Sep 5 18:06:59 UTC 2008


Author: dannf
Date: Fri Sep  5 18:06:58 2008
New Revision: 12188

Log:
Fix buffer overrun decoding NFSv4 acl (CVE-2008-3915)

Added:
   dists/etch-security/linux-2.6.24/debian/patches/bugfix/nfsd-fix-buffer-overrun-decoding-nfsv4-acl.patch
Modified:
   dists/etch-security/linux-2.6.24/debian/changelog
   dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.5

Modified: dists/etch-security/linux-2.6.24/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/changelog	(original)
+++ dists/etch-security/linux-2.6.24/debian/changelog	Fri Sep  5 18:06:58 2008
@@ -10,8 +10,9 @@
   * Fix overflow condition in sctp_setsockopt_auth_key (CVE-2008-3526)
   * Fix kernel BUG in tmpfs (CVE-2008-3534)
   * Fix off-by-one error in iov_iter_advance() (CVE-2008-3535)
+  * Fix buffer overrun decoding NFSv4 acl (CVE-2008-3915)
 
- -- dann frazier <dannf at debian.org>  Fri, 05 Sep 2008 11:11:02 -0600
+ -- dann frazier <dannf at debian.org>  Fri, 05 Sep 2008 11:38:20 -0600
 
 linux-2.6.24 (2.6.24-6~etchnhalf.4) stable; urgency=low
 

Added: dists/etch-security/linux-2.6.24/debian/patches/bugfix/nfsd-fix-buffer-overrun-decoding-nfsv4-acl.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6.24/debian/patches/bugfix/nfsd-fix-buffer-overrun-decoding-nfsv4-acl.patch	Fri Sep  5 18:06:58 2008
@@ -0,0 +1,27 @@
+commit 91b80969ba466ba4b915a4a1d03add8c297add3f
+Author: J. Bruce Fields <bfields at citi.umich.edu>
+Date:   Fri Aug 29 19:18:45 2008 -0400
+
+    nfsd: fix buffer overrun decoding NFSv4 acl
+    
+    The array we kmalloc() here is not large enough.
+    
+    Thanks to Johann Dahm and David Richter for bug report and testing.
+    
+    Signed-off-by: J. Bruce Fields <bfields at citi.umich.edu>
+    Cc: David Richter <richterd at citi.umich.edu>
+    Tested-by: Johann Dahm <jdahm at umich.edu>
+
+diff --git a/fs/nfsd/nfs4acl.c b/fs/nfsd/nfs4acl.c
+index b6ed383..54b8b41 100644
+--- a/fs/nfsd/nfs4acl.c
++++ b/fs/nfsd/nfs4acl.c
+@@ -443,7 +443,7 @@ init_state(struct posix_acl_state *state, int cnt)
+ 	 * enough space for either:
+ 	 */
+ 	alloc = sizeof(struct posix_ace_state_array)
+-		+ cnt*sizeof(struct posix_ace_state);
++		+ cnt*sizeof(struct posix_user_ace_state);
+ 	state->users = kzalloc(alloc, GFP_KERNEL);
+ 	if (!state->users)
+ 		return -ENOMEM;
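
Review bot: In init_state(), the corrected `+` line still spells out the element type by hand (`cnt*sizeof(struct posix_user_ace_state)`), the same pattern that allowed the allocation size and the array's element type to drift apart. Consider taking sizeof from the array member itself so the two cannot disagree again. `cnt` is a plain `int` and is multiplied with no range check visible in this hunk, so it is worth confirming that callers bound it before the `kzalloc()`. The commit message says only that the array "is not large enough". One sentence stating that, per this fix, the elements are `struct posix_user_ace_state` rather than `struct posix_ace_state` would make the patch header self-explanatory. The patch file could also carry the CVE-2008-3915 reference, which currently appears only in the changelog and the commit log.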

Modified: dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.5
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.5	(original)
+++ dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.5	Fri Sep  5 18:06:58 2008
@@ -7,3 +7,4 @@
 + bugfix/sctp-auth-key-length-check.patch
 + bugfix/tmpfs-fix-kernel-bug-in-shmem_delete_inode.patch
 + bugfix/iov_iter_advance-off-by-one.patch
++ bugfix/nfsd-fix-buffer-overrun-decoding-nfsv4-acl.patch


