[kernel] r16853 - in dists/sid/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Wed Jan 26 02:07:33 UTC 2011
Author: dannf
Date: Wed Jan 26 02:07:20 2011
New Revision: 16853
Log:
av7110: check for negative array offset (CVE-2011-0521)
Added:
dists/sid/linux-2.6/debian/patches/bugfix/all/av7110-check-for-negative-array-offset.patch
- copied unchanged from r16852, dists/lenny-security/linux-2.6/debian/patches/bugfix/all/av7110-check-for-negative-array-offset.patch
Modified:
dists/sid/linux-2.6/debian/changelog
dists/sid/linux-2.6/debian/patches/series/31
Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog Tue Jan 25 05:46:20 2011 (r16852)
+++ dists/sid/linux-2.6/debian/changelog Wed Jan 26 02:07:20 2011 (r16853)
@@ -15,6 +15,7 @@
[ dann frazier ]
* xfs: fix information leak using stale NFS handle (CVE-2010-2943)
+ * av7110: check for negative array offset (CVE-2011-0521)
-- Ian Campbell <ijc at hellion.org.uk> Thu, 13 Jan 2011 07:07:54 +0000
Copied: dists/sid/linux-2.6/debian/patches/bugfix/all/av7110-check-for-negative-array-offset.patch (from r16852, dists/lenny-security/linux-2.6/debian/patches/bugfix/all/av7110-check-for-negative-array-offset.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/av7110-check-for-negative-array-offset.patch Wed Jan 26 02:07:20 2011 (r16853, copy of r16852, dists/lenny-security/linux-2.6/debian/patches/bugfix/all/av7110-check-for-negative-array-offset.patch)
@@ -0,0 +1,25 @@
+commit cb26a24ee9706473f31d34cc259f4dcf45cd0644
+Author: Dan Carpenter <error27 at gmail.com>
+Date: Fri Jan 7 16:41:54 2011 -0300
+
+ [media] [v3,media] av7110: check for negative array offset
+
+ info->num comes from the user. It's type int. If the user passes
+ in a negative value that would cause memory corruption.
+
+ Signed-off-by: Dan Carpenter <error27 at gmail.com>
+ Signed-off-by: Mauro Carvalho Chehab <mchehab at redhat.com>
+
+diff --git a/drivers/media/dvb/ttpci/av7110_ca.c b/drivers/media/dvb/ttpci/av7110_ca.c
+index 122c728..9fc1dd0 100644
+--- a/drivers/media/dvb/ttpci/av7110_ca.c
++++ b/drivers/media/dvb/ttpci/av7110_ca.c
+@@ -277,7 +277,7 @@ static int dvb_ca_ioctl(struct file *file, unsigned int cmd, void *parg)
+ {
+ ca_slot_info_t *info=(ca_slot_info_t *)parg;
+
+- if (info->num > 1)
++ if (info->num < 0 || info->num > 1)
+ return -EINVAL;
+ av7110->ci_slot[info->num].num = info->num;
+ av7110->ci_slot[info->num].type = FW_CI_LL_SUPPORT(av7110->arm_app) ?
Modified: dists/sid/linux-2.6/debian/patches/series/31
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/31 Tue Jan 25 05:46:20 2011 (r16852)
+++ dists/sid/linux-2.6/debian/patches/series/31 Wed Jan 26 02:07:20 2011 (r16853)
@@ -10,3 +10,4 @@
+ bugfix/all/xfs-remove-block-number-from-inode-lookup-code.patch
+ bugfix/all/xfs-fix-untrusted-inode-number-lookup.patch
+ bugfix/all/r8169-keep-firmware-in-memory.patch
++ bugfix/all/av7110-check-for-negative-array-offset.patch
More information about the Kernel-svn-changes
mailing list