[kernel] r14039 - in dists/etch-security/linux-2.6.24/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Tue Jul 28 23:55:06 UTC 2009
Author: dannf
Date: Tue Jul 28 23:54:09 2009
New Revision: 14039
Log:
* ecryptfs: Check Tag 11 literal data buffer size (CVE-2009-2406)
* ecryptfs: check tag 3 package encrypted size (CVE-2009-2407)
Added:
dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/ecryptfs-check-tag-11-literal-data-buffer-size.patch
dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/ecryptfs-parse_tag_3_packet-check-tag-3-package-encrypted-key-size.patch
Modified:
dists/etch-security/linux-2.6.24/debian/changelog
dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch2
Modified: dists/etch-security/linux-2.6.24/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/changelog Tue Jul 28 10:58:39 2009 (r14038)
+++ dists/etch-security/linux-2.6.24/debian/changelog Tue Jul 28 23:54:09 2009 (r14039)
@@ -1,4 +1,4 @@
-linux-2.6.24 (2.6.24-6~etchnhalf.8etch2) UNRELEASED; urgency=high
+linux-2.6.24 (2.6.24-6~etchnhalf.8etch2) oldstable-security; urgency=high
* e1000: add missing length check to e1000 receive routine (CVE-2009-1385)
* r8169: fix crash when large packets are received (CVE-2009-1389)
@@ -8,8 +8,10 @@
(CVE-2009-1914)
* splice: fix deadlock in ocfs2 (CVE-2009-1961)
* personality: fix PER_CLEAR_ON_SETID (CVE-2009-1895)
+ * ecryptfs: Check Tag 11 literal data buffer size (CVE-2009-2406)
+ * ecryptfs: check tag 3 package encrypted size (CVE-2009-2407)
- -- dann frazier <dannf at debian.org> Sat, 06 Jun 2009 09:49:28 -0600
+ -- dann frazier <dannf at debian.org> Sat, 25 Jul 2009 15:38:54 -0600
linux-2.6.24 (2.6.24-6~etchnhalf.8etch1) oldstable-security; urgency=high
Added: dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/ecryptfs-check-tag-11-literal-data-buffer-size.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/ecryptfs-check-tag-11-literal-data-buffer-size.patch Tue Jul 28 23:54:09 2009 (r14039)
@@ -0,0 +1,30 @@
+Tag 11 packets are stored in the metadata section of an eCryptfs file to
+store the key signature(s) used to encrypt the file encryption key.
+After extracting the packet length field to determine the key signature
+length, a check is not performed to see if the length would exceed the
+key signature buffer size that was passed into parse_tag_11_packet().
+
+Thanks to Ramon de Carvalho Valle for finding this bug using fsfuzzer.
+
+Signed-off-by: Tyler Hicks <tyhicks at linux.vnet.ibm.com>
+---
+ fs/ecryptfs/keystore.c | 6 ++++++
+ 1 files changed, 6 insertions(+), 0 deletions(-)
+
+Adjusted to apply to Debian's 2.6.24 by dann frazier <dannf at debian.org
+diff -urpN linux-source-2.6.24.orig/fs/ecryptfs/keystore.c linux-source-2.6.24/fs/ecryptfs/keystore.c
+--- linux-source-2.6.24.orig/fs/ecryptfs/keystore.c 2008-01-24 15:58:37.000000000 -0700
++++ linux-source-2.6.24/fs/ecryptfs/keystore.c 2009-07-25 15:31:56.000000000 -0600
+@@ -870,6 +870,12 @@ parse_tag_11_packet(unsigned char *data,
+ rc = -EINVAL;
+ goto out;
+ }
++ if (unlikely((*tag_11_contents_size) > max_contents_bytes)) {
++ printk(KERN_ERR "Literal data section in tag 11 packet exceeds "
++ "expected size\n");
++ rc = -EINVAL;
++ goto out;
++ }
+ if (data[(*packet_size)++] != 0x62) {
+ printk(KERN_WARNING "Unrecognizable packet\n");
+ rc = -EINVAL;
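Review bot: The new test `(*tag_11_contents_size) > max_contents_bytes` accepts a contents size exactly equal to `max_contents_bytes`, which is correct only if that parameter is the full capacity of the caller's buffer and nothing later writes a terminator one past the copied bytes. The callers and the copy itself are outside this hunk (parse_tag_11_packet starts and ends beyond it), so the contract should be stated at the check, for example `/* length comes from on-disk metadata; max_contents_bytes is the caller's buffer capacity, no terminator is appended */`. The message would also be more useful for triaging a malformed file if it printed both sizes, using a format specifier that matches their declared types.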
Added: dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/ecryptfs-parse_tag_3_packet-check-tag-3-package-encrypted-key-size.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/ecryptfs-parse_tag_3_packet-check-tag-3-package-encrypted-key-size.patch Tue Jul 28 23:54:09 2009 (r14039)
@@ -0,0 +1,28 @@
+The parse_tag_3_packet function does not check if the tag 3 packet contains a
+encrypted key size larger than ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES.
+
+Signed-off-by: Ramon de Carvalho Valle <ramon at risesecurity.org>
+Signed-off-by: Tyler Hicks <tyhicks at linux.vnet.ibm.com>
+---
+ fs/ecryptfs/keystore.c | 7 +++++++
+ 1 files changed, 7 insertions(+), 0 deletions(-)
+
+Adjusted to apply to Debian's 2.6.24 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.24.orig/fs/ecryptfs/keystore.c linux-source-2.6.24/fs/ecryptfs/keystore.c
+--- linux-source-2.6.24.orig/fs/ecryptfs/keystore.c 2009-07-25 15:31:56.000000000 -0600
++++ linux-source-2.6.24/fs/ecryptfs/keystore.c 2009-07-25 15:37:12.000000000 -0600
+@@ -724,6 +724,13 @@ parse_tag_3_packet(struct ecryptfs_crypt
+ }
+ (*new_auth_tok)->session_key.encrypted_key_size =
+ (body_size - (ECRYPTFS_SALT_SIZE + 5));
++ if ((*new_auth_tok)->session_key.encrypted_key_size
++ > ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES) {
++ printk(KERN_WARNING "Tag 3 packet contains key larger "
++ "than ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES\n");
++ rc = -EINVAL;
++ goto out_free;
++ }
+ if (unlikely(data[(*packet_size)++] != 0x04)) {
+ printk(KERN_WARNING "Unknown version number [%d]\n",
+ data[(*packet_size) - 1]);
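Review bot: The added check bounds `encrypted_key_size` only from above, while the value comes from `body_size - (ECRYPTFS_SALT_SIZE + 5)` on the preceding line and no lower bound on `body_size` is visible in this hunk. If both operands are unsigned, a too-small body wraps to a large value that this check happens to reject, but that should be stated rather than left implicit, e.g. `/* also rejects a wrapped size when body_size < ECRYPTFS_SALT_SIZE + 5 */`, or an explicit minimum-size test should be confirmed earlier in the function. parse_tag_3_packet starts and ends outside the hunk, so the earlier checks and the field types cannot be confirmed from here. The sibling tag 11 check in this commit uses `unlikely()` and `KERN_ERR`; using the same here would keep the two rejection paths consistent.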
Modified: dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch2
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch2 Tue Jul 28 10:58:39 2009 (r14038)
+++ dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch2 Tue Jul 28 23:54:09 2009 (r14039)
@@ -5,3 +5,5 @@
+ bugfix/all/cifs-increase-size-of-tmp_buf-in-cifs_readdir-to-avoid-potential-overflows.patch
+ bugfix/sparc/sparc64-Fix-crash-with-proc-iomem.patch
+ bugfix/all/personality-fix-PER_CLEAR_ON_SETID.patch
++ bugfix/all/ecryptfs-check-tag-11-literal-data-buffer-size.patch
++ bugfix/all/ecryptfs-parse_tag_3_packet-check-tag-3-package-encrypted-key-size.patch