[kernel] r14050 - in dists/sid/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Thu Jul 30 17:25:57 UTC 2009
Author: dannf
Date: Thu Jul 30 17:25:55 2009
New Revision: 14050
Log:
* ecryptfs: check tag 11 literal data buffer size (CVE-2009-2406)
* ecryptfs: check tag 3 package encrypted size (CVE-2009-2407)
Added:
dists/sid/linux-2.6/debian/patches/bugfix/all/ecryptfs-check-tag-11-literal-data-buffer-size.patch
dists/sid/linux-2.6/debian/patches/bugfix/all/ecryptfs-parse_tag_3_packet-check-tag-3-package-encrypted-key-size.patch
dists/sid/linux-2.6/debian/patches/series/5
Modified:
dists/sid/linux-2.6/debian/changelog
Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog Thu Jul 30 12:46:25 2009 (r14049)
+++ dists/sid/linux-2.6/debian/changelog Thu Jul 30 17:25:55 2009 (r14050)
@@ -1,3 +1,10 @@
+linux-2.6 (2.6.30-5) UNRELEASED; urgency=low
+
+ * ecryptfs: check tag 11 literal data buffer size (CVE-2009-2406)
+ * ecryptfs: check tag 3 package encrypted size (CVE-2009-2407)
+
+ -- dann frazier <dannf at debian.org> Thu, 30 Jul 2009 11:10:47 -0600
+
linux-2.6 (2.6.30-4) unstable; urgency=low
[ Bastian Blank ]
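Review bot: The second changelog bullet says "check tag 3 package encrypted size", but the upstream commit imported below is titled "parse_tag_3_packet check tag 3 packet encrypted key size". Suggest "packet encrypted key size" so the entry matches the fix people will search for. The entry header also says urgency=low although both bullets carry CVE identifiers; consider raising the urgency before this UNRELEASED entry is uploaded.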
Added: dists/sid/linux-2.6/debian/patches/bugfix/all/ecryptfs-check-tag-11-literal-data-buffer-size.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/ecryptfs-check-tag-11-literal-data-buffer-size.patch Thu Jul 30 17:25:55 2009 (r14050)
@@ -0,0 +1,35 @@
+commit 6352a29305373ae6196491e6d4669f301e26492e
+Author: Tyler Hicks <tyhicks at linux.vnet.ibm.com>
+Date: Tue Jul 28 13:57:01 2009 -0500
+
+ eCryptfs: Check Tag 11 literal data buffer size
+
+ Tag 11 packets are stored in the metadata section of an eCryptfs file to
+ store the key signature(s) used to encrypt the file encryption key.
+ After extracting the packet length field to determine the key signature
+ length, a check is not performed to see if the length would exceed the
+ key signature buffer size that was passed into parse_tag_11_packet().
+
+ Thanks to Ramon de Carvalho Valle for finding this bug using fsfuzzer.
+
+ Signed-off-by: Tyler Hicks <tyhicks at linux.vnet.ibm.com>
+ Cc: stable at kernel.org (2.6.27 and 30)
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/fs/ecryptfs/keystore.c b/fs/ecryptfs/keystore.c
+index af737bb..5414253 100644
+--- a/fs/ecryptfs/keystore.c
++++ b/fs/ecryptfs/keystore.c
+@@ -1449,6 +1449,12 @@ parse_tag_11_packet(unsigned char *data, unsigned char *contents,
+ rc = -EINVAL;
+ goto out;
+ }
++ if (unlikely((*tag_11_contents_size) > max_contents_bytes)) {
++ printk(KERN_ERR "Literal data section in tag 11 packet exceeds "
++ "expected size\n");
++ rc = -EINVAL;
++ goto out;
++ }
+ if (data[(*packet_size)++] != 0x62) {
+ printk(KERN_WARNING "Unrecognizable packet\n");
+ rc = -EINVAL;
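Review bot: The new printk in parse_tag_11_packet() logs at KERN_ERR with no rate limit, while the neighbouring malformed-packet check in the same hunk ("Unrecognizable packet") logs at KERN_WARNING. The length being tested comes from the file's metadata section, so a crafted file can trigger this message whenever the packet is parsed. Suggest KERN_WARNING for consistency. The message would also be more useful for triage if it reported both the parsed *tag_11_contents_size and max_contents_bytes rather than only saying the size was exceeded.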
Added: dists/sid/linux-2.6/debian/patches/bugfix/all/ecryptfs-parse_tag_3_packet-check-tag-3-package-encrypted-key-size.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/ecryptfs-parse_tag_3_packet-check-tag-3-package-encrypted-key-size.patch Thu Jul 30 17:25:55 2009 (r14050)
@@ -0,0 +1,33 @@
+commit f151cd2c54ddc7714e2f740681350476cda03a28
+Author: Ramon de Carvalho Valle <ramon at risesecurity.org>
+Date: Tue Jul 28 13:58:22 2009 -0500
+
+ eCryptfs: parse_tag_3_packet check tag 3 packet encrypted key size
+
+ The parse_tag_3_packet function does not check if the tag 3 packet contains a
+ encrypted key size larger than ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES.
+
+ Signed-off-by: Ramon de Carvalho Valle <ramon at risesecurity.org>
+ [tyhicks at linux.vnet.ibm.com: Added printk newline and changed goto to out_free]
+ Signed-off-by: Tyler Hicks <tyhicks at linux.vnet.ibm.com>
+ Cc: stable at kernel.org (2.6.27 and 30)
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/fs/ecryptfs/keystore.c b/fs/ecryptfs/keystore.c
+index 5414253..259525c 100644
+--- a/fs/ecryptfs/keystore.c
++++ b/fs/ecryptfs/keystore.c
+@@ -1303,6 +1303,13 @@ parse_tag_3_packet(struct ecryptfs_crypt_stat *crypt_stat,
+ }
+ (*new_auth_tok)->session_key.encrypted_key_size =
+ (body_size - (ECRYPTFS_SALT_SIZE + 5));
++ if ((*new_auth_tok)->session_key.encrypted_key_size
++ > ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES) {
++ printk(KERN_WARNING "Tag 3 packet contains key larger "
++ "than ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES\n");
++ rc = -EINVAL;
++ goto out_free;
++ }
+ if (unlikely(data[(*packet_size)++] != 0x04)) {
+ printk(KERN_WARNING "Unknown version number [%d]\n",
+ data[(*packet_size) - 1]);
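Review bot: The added check in parse_tag_3_packet() bounds encrypted_key_size only from above. The value is computed just before it as body_size - (ECRYPTFS_SALT_SIZE + 5), and the visible context does not show a lower bound on body_size. Please confirm that the block closed just above this hunk rejects body_size <= ECRYPTFS_SALT_SIZE + 5. Without that, a short body either wraps (unsigned field) and is caught here only incidentally, or goes negative (signed field) and passes this comparison. Minor: the following version check uses unlikely() and prints the offending value; doing the same here would keep the error paths consistent and make the warning actionable.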
Added: dists/sid/linux-2.6/debian/patches/series/5
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/series/5 Thu Jul 30 17:25:55 2009 (r14050)
@@ -0,0 +1,2 @@
++ bugfix/all/ecryptfs-parse_tag_3_packet-check-tag-3-package-encrypted-key-size.patch
++ bugfix/all/ecryptfs-check-tag-11-literal-data-buffer-size.patch
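Review bot: The series applies the tag 3 patch before the tag 11 patch, which is the reverse of the upstream order. The tag 3 patch's index line is 5414253..259525c, and 5414253 is the post-image of the tag 11 patch (af737bb..5414253), so upstream applied tag 11 first. Both hunks touch fs/ecryptfs/keystore.c at different locations (1303 and 1449), so this order should still apply, but the tag 11 hunk will then only match with a line offset. Suggest listing ecryptfs-check-tag-11-literal-data-buffer-size.patch first so both patches apply at their recorded line numbers.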