[kernel] r12241 - in dists/etch-security/linux-2.6/debian: . patches/bugfix patches/series

Dann Frazier dannf at alioth.debian.org
Fri Sep 19 17:36:14 UTC 2008 

Author: dannf
Date: Fri Sep 19 17:34:01 2008
New Revision: 12241

Log:
bugfix/wan-sbni_ioctl-cap-checks.patch
Add missing capability checks in sbni_ioctl
See CVE-2008-3525

Added:
   dists/etch-security/linux-2.6/debian/patches/bugfix/wan-sbni_ioctl-cap-checks.patch
Modified:
   dists/etch-security/linux-2.6/debian/changelog
   dists/etch-security/linux-2.6/debian/patches/series/22etch3

Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog	(original)
+++ dists/etch-security/linux-2.6/debian/changelog	Fri Sep 19 17:34:01 2008
@@ -6,8 +6,11 @@
   * bugfix/dio-zero-struct-dio-with-kzalloc-instead-of-manually.patch
     Fix oops caused by uninitialized field in struct dio
     See CVE-2007-6716
+  * bugfix/wan-sbni_ioctl-cap-checks.patch
+    Add missing capability checks in sbni_ioctl
+    See CVE-2008-3525
 
- -- dann frazier <dannf at debian.org>  Sun, 07 Sep 2008 23:43:27 -0600
+ -- dann frazier <dannf at debian.org>  Fri, 19 Sep 2008 11:03:22 -0600
 
 linux-2.6 (2.6.18.dfsg.1-22etch2) stable-security; urgency=high
 

Added: dists/etch-security/linux-2.6/debian/patches/bugfix/wan-sbni_ioctl-cap-checks.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/wan-sbni_ioctl-cap-checks.patch	Fri Sep 19 17:34:01 2008
@@ -0,0 +1,75 @@
+commit f2455eb176ac87081bbfc9a44b21c7cd2bc1967e
+Author: Eugene Teo <eugeneteo at kernel.sg>
+Date:   Wed Aug 27 04:50:30 2008 -0700
+
+    wan: Missing capability checks in sbni_ioctl()
+    
+    There are missing capability checks in the following code:
+    
+    1300 static int
+    1301 sbni_ioctl( struct net_device  *dev,  struct ifreq  *ifr,  int  cmd)
+    1302 {
+    [...]
+    1319     case  SIOCDEVRESINSTATS :
+    1320         if( current->euid != 0 )    /* root only */
+    1321             return  -EPERM;
+    [...]
+    1336     case  SIOCDEVSHWSTATE :
+    1337         if( current->euid != 0 )    /* root only */
+    1338             return  -EPERM;
+    [...]
+    1357     case  SIOCDEVENSLAVE :
+    1358         if( current->euid != 0 )    /* root only */
+    1359             return  -EPERM;
+    [...]
+    1372     case  SIOCDEVEMANSIPATE :
+    1373         if( current->euid != 0 )    /* root only */
+    1374             return  -EPERM;
+    
+    Here's my proposed fix:
+    
+    Missing capability checks.
+    
+    Signed-off-by: Eugene Teo <eugeneteo at kernel.sg>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/drivers/net/wan/sbni.c b/drivers/net/wan/sbni.c
+index e59255a..6596cd0 100644
+--- a/drivers/net/wan/sbni.c
++++ b/drivers/net/wan/sbni.c
+@@ -1317,7 +1317,7 @@ sbni_ioctl( struct net_device  *dev,  struct ifreq  *ifr,  int  cmd )
+ 		break;
+ 
+ 	case  SIOCDEVRESINSTATS :
+-		if( current->euid != 0 )	/* root only */
++		if (!capable(CAP_NET_ADMIN))
+ 			return  -EPERM;
+ 		memset( &nl->in_stats, 0, sizeof(struct sbni_in_stats) );
+ 		break;
+@@ -1334,7 +1334,7 @@ sbni_ioctl( struct net_device  *dev,  struct ifreq  *ifr,  int  cmd )
+ 		break;
+ 
+ 	case  SIOCDEVSHWSTATE :
+-		if( current->euid != 0 )	/* root only */
++		if (!capable(CAP_NET_ADMIN))
+ 			return  -EPERM;
+ 
+ 		spin_lock( &nl->lock );
+@@ -1355,7 +1355,7 @@ sbni_ioctl( struct net_device  *dev,  struct ifreq  *ifr,  int  cmd )
+ #ifdef CONFIG_SBNI_MULTILINE
+ 
+ 	case  SIOCDEVENSLAVE :
+-		if( current->euid != 0 )	/* root only */
++		if (!capable(CAP_NET_ADMIN))
+ 			return  -EPERM;
+ 
+ 		if (copy_from_user( slave_name, ifr->ifr_data, sizeof slave_name ))
+@@ -1370,7 +1370,7 @@ sbni_ioctl( struct net_device  *dev,  struct ifreq  *ifr,  int  cmd )
+ 		return  enslave( dev, slave_dev );
+ 
+ 	case  SIOCDEVEMANSIPATE :
+-		if( current->euid != 0 )	/* root only */
++		if (!capable(CAP_NET_ADMIN))
+ 			return  -EPERM;
+ 
+ 		return  emancipate( dev );

Modified: dists/etch-security/linux-2.6/debian/patches/series/22etch3
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/22etch3	(original)
+++ dists/etch-security/linux-2.6/debian/patches/series/22etch3	Fri Sep 19 17:34:01 2008
@@ -1,2 +1,3 @@
 + bugfix/dccp-change-l-r-must-have-at-least-one-byte-in-the-dccpsf_val-field.patch
 + bugfix/dio-zero-struct-dio-with-kzalloc-instead-of-manually.patch
++ bugfix/wan-sbni_ioctl-cap-checks.patch

More information about the Kernel-svn-changes mailing list