[kernel] r13668 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Mon May 25 16:57:59 UTC 2009
Author: dannf
Date: Mon May 25 16:57:57 2009
New Revision: 13668
Log:
nfs4: fix MAY_EXEC handling (CVE-2009-1630)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/nfs-v4-client-fix-MAY_EXEC-handling.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/15lenny3
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Sun May 24 21:10:11 2009 (r13667)
+++ dists/lenny-security/linux-2.6/debian/changelog Mon May 25 16:57:57 2009 (r13668)
@@ -4,6 +4,7 @@
(Closes: #528860)
* xen: Fix missing check of interrupted code's code selector
(CVE-2009-1758)
+ * nfs4: fix MAY_EXEC handling (CVE-2009-1630)
-- dann frazier <dannf at debian.org> Thu, 21 May 2009 09:20:47 -0600
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/nfs-v4-client-fix-MAY_EXEC-handling.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/nfs-v4-client-fix-MAY_EXEC-handling.patch Mon May 25 16:57:57 2009 (r13668)
@@ -0,0 +1,38 @@
+commit 7ee2cb7f32b299c2b06a31fde155457203e4b7dd
+Author: Frank Filz <ffilzlnx at us.ibm.com>
+Date: Mon May 18 17:41:40 2009 -0400
+
+ nfs: Fix NFS v4 client handling of MAY_EXEC in nfs_permission.
+
+ The problem is that permission checking is skipped if atomic open is
+ possible, but when exec opens a file, it just opens it O_READONLY which
+ means EXEC permission will not be checked at that time.
+
+ This problem is observed by the following sequence (executed as root):
+
+ mount -t nfs4 server:/ /mnt4
+ echo "ls" >/mnt4/foo
+ chmod 744 /mnt4/foo
+ su guest -c "mnt4/foo"
+
+ Signed-off-by: Frank Filz <ffilzlnx at us.ibm.com>
+ Signed-off-by: Trond Myklebust <Trond.Myklebust at netapp.com>
+ Cc: stable at kernel.org
+ Tested-by: Eugene Teo <eugeneteo at kernel.sg>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/fs/nfs/dir.c linux-source-2.6.26/fs/nfs/dir.c
+--- linux-source-2.6.26.orig/fs/nfs/dir.c 2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/fs/nfs/dir.c 2009-05-24 14:36:52.000000000 -0600
+@@ -1949,7 +1949,8 @@ int nfs_permission(struct inode *inode,
+ /* NFSv4 has atomic_open... */
+ if (nfs_server_capable(inode, NFS_CAP_ATOMIC_OPEN)
+ && nd != NULL
+- && (nd->flags & LOOKUP_OPEN))
++ && (nd->flags & LOOKUP_OPEN)
++ && !(mask & MAY_EXEC))
+ goto out;
+ break;
+ case S_IFDIR:
Modified: dists/lenny-security/linux-2.6/debian/patches/series/15lenny3
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/15lenny3 Sun May 24 21:10:11 2009 (r13667)
+++ dists/lenny-security/linux-2.6/debian/patches/series/15lenny3 Mon May 25 16:57:57 2009 (r13668)
@@ -1 +1,2 @@
+ bugfix/all/unreached-code-in-selinux_ip_postroute_iptables_compat-2.patch
++ bugfix/all/nfs-v4-client-fix-MAY_EXEC-handling.patch
More information about the Kernel-svn-changes
mailing list