[kernel] r17555 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Wed Jun 1 05:34:23 UTC 2011
Author: dannf
Date: Wed Jun 1 05:34:22 2011
New Revision: 17555
Log:
serial: Fix information leak in TIOCGICOUNT ioctl (CVE-2010-4075)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/serial_core-clean-data-before-filling-it.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/26lenny3
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Tue May 31 00:47:12 2011 (r17554)
+++ dists/lenny-security/linux-2.6/debian/changelog Wed Jun 1 05:34:22 2011 (r17555)
@@ -27,10 +27,12 @@
* Relax si_code check in rt_sigqueueinfo and rt_tgsigqueueinfo (CVE-2011-1182)
* proc: protect mm start_code/end_code in /proc/pid/stat (CVE-2011-0726)
* cifs: Fix cache stuffing issue in the dns_resolver keyring (CVE-2010-2524)
+ * serial: Fix information leak in TIOCGICOUNT ioctl (CVE-2010-4075)
[ Ben Hutchings ]
* [vserver] Complete fix for CVE-2010-4243 (Closes: #618485)
+
-- dann frazier <dannf at debian.org> Wed, 30 Mar 2011 22:46:26 -0600
linux-2.6 (2.6.26-26lenny2) stable-security; urgency=high
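Review bot: the second added line, the empty `+` line between the `[vserver] Complete fix for CVE-2010-4243` entry and the `-- dann frazier` trailer, is a whitespace change unrelated to the CVE-2010-4075 entry. Drop it, or confirm that the changelog still has exactly one blank line before the trailer. The trailer visible in this hunk still reads Wed, 30 Mar 2011 although the revision is dated 1 Jun 2011, so refresh it when the entry being edited is finalized.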
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/serial_core-clean-data-before-filling-it.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/serial_core-clean-data-before-filling-it.patch Wed Jun 1 05:34:22 2011 (r17555)
@@ -0,0 +1,42 @@
+From: Mauro Carvalho Chehab <mchehab at redhat.com>
+Date: Mon, 29 Nov 2010 20:42:27 -0500
+Subject: [serial] serial_core: clean data before filling it
+Message-id: <4CF41033.7040103 at redhat.com>
+Patchwork-id: 29669
+O-Subject: [PATCH RHEL5.6] CVE-2010-4075 (BZ#648701): clean data before filling
+ it
+Bugzilla: 648701
+CVE: CVE-2010-4075
+RH-Acked-by: Jarod Wilson <jarod at redhat.com>
+RH-Acked-by: Prarit Bhargava <prarit at redhat.com>
+
+Backport proposed patch for 2.6.35:
+
+http://www.openwall.com/lists/oss-security/2010/10/06/6
+http://lkml.indiana.edu/hypermail//linux/kernel/1009.1/03388.html
+
+Upstream patch is more complex and breaks kABI.
+
+>From the proposed patch, from Dan Rosenberg:
+
+The TIOCGICOUNT device ioctl allows unprivileged users to read
+uninitialized stack memory, because the "reserved" member of the
+serial_icounter_struct struct declared on the stack is not altered or
+zeroed before being copied back to the user. This patch takes care of
+it.
+
+Signed-off-by: Mauro Carvalho Chehab <mchehab at redhat.com>
+Signed-off-by: Jarod Wilson <jarod at redhat.com>
+
+diff --git a/drivers/serial/serial_core.c b/drivers/serial/serial_core.c
+index b80c760..69c6544 100644
+--- a/drivers/serial/serial_core.c
++++ b/drivers/serial/serial_core.c
+@@ -1046,6 +1046,7 @@ static int uart_get_count(struct uart_state *state,
+ struct uart_icount cnow;
+ struct uart_port *port = state->port;
+
++ memset(&icount, 0, sizeof(struct serial_icounter_struct));
+ spin_lock_irq(&port->lock);
+ memcpy(&cnow, &port->icount, sizeof(struct uart_icount));
+ spin_unlock_irq(&port->lock);
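Review bot: in the added `memset(&icount, 0, sizeof(struct serial_icounter_struct));` the length is spelled as the type, and the declaration of `icount` lies outside the context lines, so this hunk alone does not show that the two match. Writing `sizeof(icount)` would tie the length to the object being cleared and keep the fix correct if the declaration changes. Clearing the whole struct rather than only the `reserved` member named in the description also zeroes any padding bytes, which deserves a one-line comment above the memset so that it is not later narrowed to a single field. The patch header says the upstream patch is more complex and breaks kABI but does not identify it; adding the upstream commit reference would make this backport easier to audit.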
Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny3
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny3 Tue May 31 00:47:12 2011 (r17554)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny3 Wed Jun 1 05:34:22 2011 (r17555)
@@ -25,3 +25,4 @@
+ bugfix/all/proc-protect-mm-start_code-end_code-in-proc-pid-stat.patch
+ bugfix/all/security-keys-new-key-flag-for-add_key-from-userspace.patch
+ bugfix/all/fs-cifs-reject-dns-upcall-add_key-req-from-userspace.patch
++ bugfix/all/serial_core-clean-data-before-filling-it.patch