[kernel] r17938 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series

Tue Aug 16 04:40:29 UTC 2011

Author: dannf
Date: Tue Aug 16 04:40:26 2011
New Revision: 17938

Log:
comedi: fix infoleak to userspace (CVE-2011-2909)

Added:
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/comedi-fix-infoleak-to-userspace.patch
Modified:
   dists/squeeze-security/linux-2.6/debian/changelog
   dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1

Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================

--- dists/squeeze-security/linux-2.6/debian/changelog	Tue Aug 16 04:35:33 2011	(r17937)
+++ dists/squeeze-security/linux-2.6/debian/changelog	Tue Aug 16 04:40:26 2011	(r17938)
@@ -12,6 +12,7 @@
   * nl80211: fix check for valid SSID size in scan operations
   * net_sched: Fix qdisc_notify() (CVE-2011-2525)
   * gro: Only reset frag0 when skb can be pulled (CVE-2011-2723)
+  * comedi: fix infoleak to userspace (CVE-2011-2909)
 
   [ Moritz Muehlenhoff ]
   * si4713-i2c: avoid potential buffer overflow on si4713 (CVE-2011-2700)

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/comedi-fix-infoleak-to-userspace.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/comedi-fix-infoleak-to-userspace.patch	Tue Aug 16 04:40:26 2011	(r17938)
@@ -0,0 +1,29 @@
+commit 819cbb120eaec7e014e5abd029260db1ca8c5735
+Author: Vasiliy Kulikov <segoon at openwall.com>
+Date:   Sun Jun 26 12:56:22 2011 +0400
+
+    staging: comedi: fix infoleak to userspace
+    
+    driver_name and board_name are pointers to strings, not buffers of size
+    COMEDI_NAMELEN.  Copying COMEDI_NAMELEN bytes of a string containing
+    less than COMEDI_NAMELEN-1 bytes would leak some unrelated bytes.
+    
+    Signed-off-by: Vasiliy Kulikov <segoon at openwall.com>
+    Cc: stable <stable at kernel.org>
+    Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+diff --git a/drivers/staging/comedi/comedi_fops.c b/drivers/staging/comedi/comedi_fops.c
+index 15a209f..419976b 100644
+--- a/drivers/staging/comedi/comedi_fops.c
++++ b/drivers/staging/comedi/comedi_fops.c
+@@ -383,8 +383,8 @@ static int do_devinfo_ioctl(struct comedi_device *dev,
+ 	/* fill devinfo structure */
+ 	devinfo.version_code = COMEDI_VERSION_CODE;
+ 	devinfo.n_subdevs = dev->n_subdevices;
+-	memcpy(devinfo.driver_name, dev->driver->driver_name, COMEDI_NAMELEN);
+-	memcpy(devinfo.board_name, dev->board_name, COMEDI_NAMELEN);
++	strlcpy(devinfo.driver_name, dev->driver->driver_name, COMEDI_NAMELEN);
++	strlcpy(devinfo.board_name, dev->board_name, COMEDI_NAMELEN);
+ 
+ 	if (read_subdev)
+ 		devinfo.read_subdevice = read_subdev - dev->subdevices;

Modified: dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1	Tue Aug 16 04:35:33 2011	(r17937)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze1	Tue Aug 16 04:40:26 2011	(r17938)
@@ -14,3 +14,4 @@
 + bugfix/all/nl80211-fix-overflow-in-ssid_len.patch
 + bugfix/all/net_sched-Fix-qdisc_notify.patch
 + bugfix/all/gro-only-reset-frag0-when-skb-can-be-pulled.patch
++ bugfix/all/comedi-fix-infoleak-to-userspace.patch

