[kernel] r13820 - in dists/etch-security/linux-2.6.24/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Mon Jun 15 04:05:28 UTC 2009


Author: dannf
Date: Mon Jun 15 04:05:26 2009
New Revision: 13820

Log:
nfs4: fix MAY_EXEC handling (CVE-2009-1630)

Added:
   dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/nfs-v4-client-fix-MAY_EXEC-handling.patch
      - copied unchanged from r13805, dists/lenny-security/linux-2.6/debian/patches/bugfix/all/nfs-v4-client-fix-MAY_EXEC-handling.patch
Modified:
   dists/etch-security/linux-2.6.24/debian/changelog
   dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch2

Modified: dists/etch-security/linux-2.6.24/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/changelog	Mon Jun 15 04:05:14 2009	(r13819)
+++ dists/etch-security/linux-2.6.24/debian/changelog	Mon Jun 15 04:05:26 2009	(r13820)
@@ -2,6 +2,7 @@
 
   * e1000: add missing length check to e1000 receive routine (CVE-2009-1385)
   * r8169: fix crash when large packets are received (CVE-2009-1389)
+  * nfs4: fix MAY_EXEC handling (CVE-2009-1630)
 
  -- dann frazier <dannf at debian.org>  Sat, 06 Jun 2009 09:49:28 -0600
 

Copied: dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/nfs-v4-client-fix-MAY_EXEC-handling.patch (from r13805, dists/lenny-security/linux-2.6/debian/patches/bugfix/all/nfs-v4-client-fix-MAY_EXEC-handling.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/nfs-v4-client-fix-MAY_EXEC-handling.patch	Mon Jun 15 04:05:26 2009	(r13820, copy of r13805, dists/lenny-security/linux-2.6/debian/patches/bugfix/all/nfs-v4-client-fix-MAY_EXEC-handling.patch)
@@ -0,0 +1,38 @@
+commit 7ee2cb7f32b299c2b06a31fde155457203e4b7dd
+Author: Frank Filz <ffilzlnx at us.ibm.com>
+Date:   Mon May 18 17:41:40 2009 -0400
+
+    nfs: Fix NFS v4 client handling of MAY_EXEC in nfs_permission.
+    
+    The problem is that permission checking is skipped if atomic open is
+    possible, but when exec opens a file, it just opens it O_READONLY which
+    means EXEC permission will not be checked at that time.
+    
+    This problem is observed by the following sequence (executed as root):
+    
+      mount -t nfs4 server:/ /mnt4
+      echo "ls" >/mnt4/foo
+      chmod 744 /mnt4/foo
+      su guest -c "mnt4/foo"
+    
+    Signed-off-by: Frank Filz <ffilzlnx at us.ibm.com>
+    Signed-off-by: Trond Myklebust <Trond.Myklebust at netapp.com>
+    Cc: stable at kernel.org
+    Tested-by: Eugene Teo <eugeneteo at kernel.sg>
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/fs/nfs/dir.c linux-source-2.6.26/fs/nfs/dir.c
+--- linux-source-2.6.26.orig/fs/nfs/dir.c	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/fs/nfs/dir.c	2009-05-24 14:36:52.000000000 -0600
+@@ -1949,7 +1949,8 @@ int nfs_permission(struct inode *inode, 
+ 			/* NFSv4 has atomic_open... */
+ 			if (nfs_server_capable(inode, NFS_CAP_ATOMIC_OPEN)
+ 					&& nd != NULL
+-					&& (nd->flags & LOOKUP_OPEN))
++					&& (nd->flags & LOOKUP_OPEN)
++					&& !(mask & MAY_EXEC))
+ 				goto out;
+ 			break;
+ 		case S_IFDIR:
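Review bot: The header of the added patch file still says "Backported to Debian's 2.6.26" and its diff paths name linux-source-2.6.26/fs/nfs/dir.c, yet this revision copies it unchanged into the linux-2.6.24 tree. The hunk position (-1949,7 +1949,8) was computed against the 2.6.26 source, so please confirm that it applies to 2.6.24 with the same context around the NFS_CAP_ATOMIC_OPEN / LOOKUP_OPEN test in nfs_permission, and add a line to the header recording that it was checked against 2.6.24. The condition itself reads correctly: with "&& !(mask & MAY_EXEC)" added, a request carrying MAY_EXEC no longer takes the "goto out" shortcut and reaches "break" instead, which matches the commit message's description of the skipped check.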

Modified: dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch2
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch2	Mon Jun 15 04:05:14 2009	(r13819)
+++ dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch2	Mon Jun 15 04:05:26 2009	(r13820)
@@ -1,2 +1,3 @@
 + bugfix/all/e1000-add-missing-length-check-to-e1000-receive-routine.patch
 + bugfix/all/r8169-fix-crash-when-large-packets-are-received.patch
++ bugfix/all/nfs-v4-client-fix-MAY_EXEC-handling.patch


