[kernel] r12241 - in dists/etch-security/linux-2.6/debian: . patches/bugfix patches/series
Dann Frazier
dannf at alioth.debian.org
Fri Sep 19 17:36:14 UTC 2008
Author: dannf
Date: Fri Sep 19 17:34:01 2008
New Revision: 12241
Log:
bugfix/wan-sbni_ioctl-cap-checks.patch
Add missing capability checks in sbni_ioctl
See CVE-2008-3525
Added:
dists/etch-security/linux-2.6/debian/patches/bugfix/wan-sbni_ioctl-cap-checks.patch
Modified:
dists/etch-security/linux-2.6/debian/changelog
dists/etch-security/linux-2.6/debian/patches/series/22etch3
Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog (original)
+++ dists/etch-security/linux-2.6/debian/changelog Fri Sep 19 17:34:01 2008
@@ -6,8 +6,11 @@
* bugfix/dio-zero-struct-dio-with-kzalloc-instead-of-manually.patch
Fix oops caused by uninitialized field in struct dio
See CVE-2007-6716
+ * bugfix/wan-sbni_ioctl-cap-checks.patch
+ Add missing capability checks in sbni_ioctl
+ See CVE-2008-3525
- -- dann frazier <dannf at debian.org> Sun, 07 Sep 2008 23:43:27 -0600
+ -- dann frazier <dannf at debian.org> Fri, 19 Sep 2008 11:03:22 -0600
linux-2.6 (2.6.18.dfsg.1-22etch2) stable-security; urgency=high
Added: dists/etch-security/linux-2.6/debian/patches/bugfix/wan-sbni_ioctl-cap-checks.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/wan-sbni_ioctl-cap-checks.patch Fri Sep 19 17:34:01 2008
@@ -0,0 +1,75 @@
+commit f2455eb176ac87081bbfc9a44b21c7cd2bc1967e
+Author: Eugene Teo <eugeneteo at kernel.sg>
+Date: Wed Aug 27 04:50:30 2008 -0700
+
+ wan: Missing capability checks in sbni_ioctl()
+
+ There are missing capability checks in the following code:
+
+ 1300 static int
+ 1301 sbni_ioctl( struct net_device *dev, struct ifreq *ifr, int cmd)
+ 1302 {
+ [...]
+ 1319 case SIOCDEVRESINSTATS :
+ 1320 if( current->euid != 0 ) /* root only */
+ 1321 return -EPERM;
+ [...]
+ 1336 case SIOCDEVSHWSTATE :
+ 1337 if( current->euid != 0 ) /* root only */
+ 1338 return -EPERM;
+ [...]
+ 1357 case SIOCDEVENSLAVE :
+ 1358 if( current->euid != 0 ) /* root only */
+ 1359 return -EPERM;
+ [...]
+ 1372 case SIOCDEVEMANSIPATE :
+ 1373 if( current->euid != 0 ) /* root only */
+ 1374 return -EPERM;
+
+ Here's my proposed fix:
+
+ Missing capability checks.
+
+ Signed-off-by: Eugene Teo <eugeneteo at kernel.sg>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/drivers/net/wan/sbni.c b/drivers/net/wan/sbni.c
+index e59255a..6596cd0 100644
+--- a/drivers/net/wan/sbni.c
++++ b/drivers/net/wan/sbni.c
+@@ -1317,7 +1317,7 @@ sbni_ioctl( struct net_device *dev, struct ifreq *ifr, int cmd )
+ break;
+
+ case SIOCDEVRESINSTATS :
+- if( current->euid != 0 ) /* root only */
++ if (!capable(CAP_NET_ADMIN))
+ return -EPERM;
+ memset( &nl->in_stats, 0, sizeof(struct sbni_in_stats) );
+ break;
+@@ -1334,7 +1334,7 @@ sbni_ioctl( struct net_device *dev, struct ifreq *ifr, int cmd )
+ break;
+
+ case SIOCDEVSHWSTATE :
+- if( current->euid != 0 ) /* root only */
++ if (!capable(CAP_NET_ADMIN))
+ return -EPERM;
+
+ spin_lock( &nl->lock );
+@@ -1355,7 +1355,7 @@ sbni_ioctl( struct net_device *dev, struct ifreq *ifr, int cmd )
+ #ifdef CONFIG_SBNI_MULTILINE
+
+ case SIOCDEVENSLAVE :
+- if( current->euid != 0 ) /* root only */
++ if (!capable(CAP_NET_ADMIN))
+ return -EPERM;
+
+ if (copy_from_user( slave_name, ifr->ifr_data, sizeof slave_name ))
+@@ -1370,7 +1370,7 @@ sbni_ioctl( struct net_device *dev, struct ifreq *ifr, int cmd )
+ return enslave( dev, slave_dev );
+
+ case SIOCDEVEMANSIPATE :
+- if( current->euid != 0 ) /* root only */
++ if (!capable(CAP_NET_ADMIN))
+ return -EPERM;
+
+ return emancipate( dev );
Modified: dists/etch-security/linux-2.6/debian/patches/series/22etch3
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/22etch3 (original)
+++ dists/etch-security/linux-2.6/debian/patches/series/22etch3 Fri Sep 19 17:34:01 2008
@@ -1,2 +1,3 @@
+ bugfix/dccp-change-l-r-must-have-at-least-one-byte-in-the-dccpsf_val-field.patch
+ bugfix/dio-zero-struct-dio-with-kzalloc-instead-of-manually.patch
++ bugfix/wan-sbni_ioctl-cap-checks.patch
More information about the Kernel-svn-changes
mailing list