[kernel] r12741 - in dists/sid/linux-2.6/debian: . patches/bugfix/x86 patches/series

Dann Frazier dannf at alioth.debian.org
Tue Feb 10 04:52:36 UTC 2009


Author: dannf
Date: Tue Feb 10 04:52:34 2009
New Revision: 12741

Log:
dell_rbu: use scnprintf instead of less secure sprintf (CVE-2009-0322)

Added:
   dists/sid/linux-2.6/debian/patches/bugfix/x86/dell_rbu-use-scnprintf-instead-of-sprintf.patch
Modified:
   dists/sid/linux-2.6/debian/changelog
   dists/sid/linux-2.6/debian/patches/series/14

Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog	(original)
+++ dists/sid/linux-2.6/debian/changelog	Tue Feb 10 04:52:34 2009
@@ -22,6 +22,7 @@
   * Fix softlockups in sungem driver (Closes: #514624)
   * security: introduce missing kfree (CVE-2009-0031)
   * eCryptfs: check readlink result for error before use (CVE-2009-0269)
+  * dell_rbu: use scnprintf instead of less secure sprintf (CVE-2009-0322)
 
   [ Martin Michlmayr ]
   * rt2x00: Fix VGC lower bound initialization. (Closes: #510607)
@@ -32,7 +33,7 @@
   * [sparc] Revert: Reintroduce dummy PCI host controller to workaround broken
     X.org. Not supportable and breaks to many things.
 
- -- dann frazier <dannf at debian.org>  Mon, 09 Feb 2009 21:39:16 -0700
+ -- dann frazier <dannf at debian.org>  Mon, 09 Feb 2009 21:47:45 -0700
 
 linux-2.6 (2.6.26-13) unstable; urgency=high
 

Added: dists/sid/linux-2.6/debian/patches/bugfix/x86/dell_rbu-use-scnprintf-instead-of-sprintf.patch
==============================================================================
--- (empty file)
+++ dists/sid/linux-2.6/debian/patches/bugfix/x86/dell_rbu-use-scnprintf-instead-of-sprintf.patch	Tue Feb 10 04:52:34 2009
@@ -0,0 +1,36 @@
+commit 81156928f8fe31621e467490b9d441c0285998c3
+Author: Pavel Roskin <proski at gnu.org>
+Date:   Sat Jan 17 13:33:03 2009 -0500
+
+    dell_rbu: use scnprintf() instead of less secure sprintf()
+    
+    Reading 0 bytes from /sys/devices/platform/dell_rbu/image_type or
+    /sys/devices/platform/dell_rbu/packet_size by an ordinary user causes an
+    oops.
+    
+    Signed-off-by: Pavel Roskin <proski at gnu.org>
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/drivers/firmware/dell_rbu.c linux-source-2.6.26/drivers/firmware/dell_rbu.c
+--- linux-source-2.6.26.orig/drivers/firmware/dell_rbu.c	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/drivers/firmware/dell_rbu.c	2009-02-09 21:44:12.000000000 -0700
+@@ -598,7 +598,7 @@ static ssize_t read_rbu_image_type(struc
+ {
+ 	int size = 0;
+ 	if (!pos)
+-		size = sprintf(buffer, "%s\n", image_type);
++		size = scnprintf(buffer, count, "%s\n", image_type);
+ 	return size;
+ }
+ 
+@@ -670,7 +670,7 @@ static ssize_t read_rbu_packet_size(stru
+ 	int size = 0;
+ 	if (!pos) {
+ 		spin_lock(&rbu_data.lock);
+-		size = sprintf(buffer, "%lu\n", rbu_data.packetsize);
++		size = scnprintf(buffer, count, "%lu\n", rbu_data.packetsize);
+ 		spin_unlock(&rbu_data.lock);
+ 	}
+ 	return size;
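Review bot: scnprintf() rather than snprintf() is the right replacement at the two `+		size = scnprintf(buffer, count, ...)` lines, since both bound the write to `count` bytes but only scnprintf() returns the number of characters actually stored, so `size` (and hence what the sysfs read returns to user space) can never exceed the caller's buffer; for the zero-byte read described in the commit message `count` is 0, nothing is written (not even the terminating NUL that sprintf() used to place past the end of the buffer) and 0 is returned. One thing to confirm when applying: the hunk headers are truncated at `struc`/`stru`, so the `count` argument is assumed to be the size parameter of the bin_attribute read callback whose signature is not visible in this hunk. The second hunk formats under `rbu_data.lock`; scnprintf() does not sleep, so holding the spinlock across it is fine.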

Modified: dists/sid/linux-2.6/debian/patches/series/14
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/14	(original)
+++ dists/sid/linux-2.6/debian/patches/series/14	Tue Feb 10 04:52:34 2009
@@ -63,3 +63,4 @@
 + bugfix/sparc/sungem-soft-lockup-fix.patch
 + bugfix/all/security-keyctl-missing-kfree.patch
 + bugfix/all/ecryptfs-check-readlink-result-before-use.patch
++ bugfix/x86/dell_rbu-use-scnprintf-instead-of-sprintf.patch
