[kernel] r14479 - in dists/etch-security/linux-2.6.24/debian: . patches/bugfix/hppa patches/series
Dann Frazier
dannf at alioth.debian.org
Wed Oct 28 04:44:07 UTC 2009
Author: dannf
Date: Wed Oct 28 04:44:05 2009
New Revision: 14479
Log:
[parisc] isa-eeprom - Fix loff_t usage (CVE-2009-2846)
Added:
dists/etch-security/linux-2.6.24/debian/patches/bugfix/hppa/isa-eeprom-fix-loff_t-usage.patch
- copied unchanged from r14470, dists/lenny-security/linux-2.6/debian/patches/bugfix/parisc/isa-eeprom-fix-loff_t-usage.patch
dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch4
Modified:
dists/etch-security/linux-2.6.24/debian/changelog
Modified: dists/etch-security/linux-2.6.24/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/changelog Wed Oct 28 04:41:47 2009 (r14478)
+++ dists/etch-security/linux-2.6.24/debian/changelog Wed Oct 28 04:44:05 2009 (r14479)
@@ -1,3 +1,9 @@
+linux-2.6.24 (2.6.24-6~etchnhalf.8etch4) UNRELEASED; urgency=high
+
+ * [parisc] isa-eeprom - Fix loff_t usage (CVE-2009-2846)
+
+ -- dann frazier <dannf at debian.org> Tue, 27 Oct 2009 22:41:25 -0600
+
linux-2.6.24 (2.6.24-6~etchnhalf.8etch3) oldstable-security; urgency=high
* Make sock_sendpage() use kernel_sendpage() (CVE-2009-2692)
Copied: dists/etch-security/linux-2.6.24/debian/patches/bugfix/hppa/isa-eeprom-fix-loff_t-usage.patch (from r14470, dists/lenny-security/linux-2.6/debian/patches/bugfix/parisc/isa-eeprom-fix-loff_t-usage.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch-security/linux-2.6.24/debian/patches/bugfix/hppa/isa-eeprom-fix-loff_t-usage.patch Wed Oct 28 04:44:05 2009 (r14479, copy of r14470, dists/lenny-security/linux-2.6/debian/patches/bugfix/parisc/isa-eeprom-fix-loff_t-usage.patch)
@@ -0,0 +1,28 @@
+commit 6b4dbcd86a9d464057fcc7abe4d0574093071fcc
+Author: Michael Buesch <mb at bu3sch.de>
+Date: Mon Jul 20 22:58:44 2009 +0000
+
+ parisc: isa-eeprom - Fix loff_t usage
+
+ loff_t is a signed type. If userspace passes a negative ppos, the "count"
+ range check is weakened. "count"s bigger than HPEE_MAX_LENGTH will pass the check.
+ Also, if ppos is negative, the readb(eisa_eeprom_addr + *ppos) will poke in random
+ memory.
+
+ Signed-off-by: Michael Buesch <mb at bu3sch.de>
+ Cc: stable at kernel.org
+ Signed-off-by: Helge Deller <deller at gmx.de>
+
+diff --git a/drivers/parisc/eisa_eeprom.c b/drivers/parisc/eisa_eeprom.c
+index 685d94e..8c0b26e 100644
+--- a/drivers/parisc/eisa_eeprom.c
++++ b/drivers/parisc/eisa_eeprom.c
+@@ -55,7 +55,7 @@ static ssize_t eisa_eeprom_read(struct file * file,
+ ssize_t ret;
+ int i;
+
+- if (*ppos >= HPEE_MAX_LENGTH)
++ if (*ppos < 0 || *ppos >= HPEE_MAX_LENGTH)
+ return 0;
+
+ count = *ppos + count < HPEE_MAX_LENGTH ? count : HPEE_MAX_LENGTH - *ppos;
Added: dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch4
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch4 Wed Oct 28 04:44:05 2009 (r14479)
@@ -0,0 +1 @@
++ bugfix/hppa/isa-eeprom-fix-loff_t-usage.patch
More information about the Kernel-svn-changes
mailing list