[kernel] r18040 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Thu Sep 1 05:52:44 UTC 2011
Author: dannf
Date: Thu Sep 1 05:52:42 2011
New Revision: 18040
Log:
befs: Validate length of long symbolic links (CVE-2011-2928)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/befs-ensure-fast-symlinks-are-NUL-terminated.patch
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/befs-validate-length-of-long-symbolic-links.patch
- copied unchanged from r18037, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/befs-validate-length-of-long-symbolic-links.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/26lenny4
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Thu Sep 1 05:28:08 2011 (r18039)
+++ dists/lenny-security/linux-2.6/debian/changelog Thu Sep 1 05:52:42 2011 (r18040)
@@ -10,6 +10,7 @@
* net_sched: Fix qdisc_notify() (CVE-2011-2525)
* Fix overflow in auerswald driver (CVE-2009-4067)
* restrict access to /proc/pid/* after setuid exec (CVE-2011-1020)
+ * befs: Validate length of long symbolic links (CVE-2011-2928)
[ Moritz Muehlenhoff ]
* ALSA: caiaq - Fix possible string-buffer overflow (CVE-2011-0712)
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/befs-ensure-fast-symlinks-are-NUL-terminated.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/befs-ensure-fast-symlinks-are-NUL-terminated.patch Thu Sep 1 05:52:42 2011 (r18040)
@@ -0,0 +1,36 @@
+commit 7df5fa06de89a4ac311957e0cb9c1d87552b4325
+Author: Duane Griffin <duaneg at dghda.com>
+Date: Fri Dec 19 20:47:18 2008 +0000
+
+ befs: ensure fast symlinks are NUL-terminated
+
+ Ensure fast symlink targets are NUL-terminated, even if corrupted
+ on-disk.
+
+ Cc: Sergey S. Kostyliov <rathamahata at php4.ru>
+ Signed-off-by: Duane Griffin <duaneg at dghda.com>
+ Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
+
+diff --git a/fs/befs/linuxvfs.c b/fs/befs/linuxvfs.c
+index b6dfee3..d06cb02 100644
+--- a/fs/befs/linuxvfs.c
++++ b/fs/befs/linuxvfs.c
+@@ -378,7 +378,8 @@ static struct inode *befs_iget(struct super_block *sb, unsigned long ino)
+ inode->i_size = 0;
+ inode->i_blocks = befs_sb->block_size / VFS_BLOCK_SIZE;
+ strncpy(befs_ino->i_data.symlink, raw_inode->data.symlink,
+- BEFS_SYMLINK_LEN);
++ BEFS_SYMLINK_LEN - 1);
++ befs_ino->i_data.symlink[BEFS_SYMLINK_LEN - 1] = '\0';
+ } else {
+ int num_blks;
+
+@@ -477,6 +478,8 @@ befs_follow_link(struct dentry *dentry, struct nameidata *nd)
+ kfree(link);
+ befs_error(sb, "Failed to read entire long symlink");
+ link = ERR_PTR(-EIO);
++ } else {
++ link[len - 1] = '\0';
+ }
+ } else {
+ link = befs_ino->i_data.symlink;
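Review bot: The `link[len - 1] = '\0';` added in the befs_follow_link hunk of this backported patch writes one byte before the buffer when the on-disk `data->size` is 0. The patch is therefore only safe together with befs-validate-length-of-long-symbolic-links.patch, which this revision adds immediately after it in the series file. A line in the patch header or series file recording that dependency would keep a later cherry-pick from taking one without the other. In the befs_iget hunk, a short comment above the strncpy() such as `/* on-disk target may lack a NUL; always terminate */` would explain the `BEFS_SYMLINK_LEN - 1` bound. Both functions start and end outside the hunks shown.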
Copied: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/befs-validate-length-of-long-symbolic-links.patch (from r18037, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/befs-validate-length-of-long-symbolic-links.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/befs-validate-length-of-long-symbolic-links.patch Thu Sep 1 05:52:42 2011 (r18040, copy of r18037, dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/befs-validate-length-of-long-symbolic-links.patch)
@@ -0,0 +1,45 @@
+commit 338d0f0a6fbc82407864606f5b64b75aeb3c70f2
+Author: Timo Warns <Warns at pre-sense.de>
+Date: Wed Aug 17 17:59:56 2011 +0200
+
+ befs: Validate length of long symbolic links.
+
+ Signed-off-by: Timo Warns <warns at pre-sense.de>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/fs/befs/linuxvfs.c b/fs/befs/linuxvfs.c
+index 54b8c28..720d885 100644
+--- a/fs/befs/linuxvfs.c
++++ b/fs/befs/linuxvfs.c
+@@ -474,17 +474,22 @@ befs_follow_link(struct dentry *dentry, struct nameidata *nd)
+ befs_data_stream *data = &befs_ino->i_data.ds;
+ befs_off_t len = data->size;
+
+- befs_debug(sb, "Follow long symlink");
+-
+- link = kmalloc(len, GFP_NOFS);
+- if (!link) {
+- link = ERR_PTR(-ENOMEM);
+- } else if (befs_read_lsymlink(sb, data, link, len) != len) {
+- kfree(link);
+- befs_error(sb, "Failed to read entire long symlink");
++ if (len == 0) {
++ befs_error(sb, "Long symlink with illegal length");
+ link = ERR_PTR(-EIO);
+ } else {
+- link[len - 1] = '\0';
++ befs_debug(sb, "Follow long symlink");
++
++ link = kmalloc(len, GFP_NOFS);
++ if (!link) {
++ link = ERR_PTR(-ENOMEM);
++ } else if (befs_read_lsymlink(sb, data, link, len) != len) {
++ kfree(link);
++ befs_error(sb, "Failed to read entire long symlink");
++ link = ERR_PTR(-EIO);
++ } else {
++ link[len - 1] = '\0';
++ }
+ }
+ } else {
+ link = befs_ino->i_data.symlink;
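Review bot: The new guard in befs_follow_link rejects only `len == 0`, so `len`, which is taken directly from the on-disk `data->size`, still has no upper bound before it reaches `kmalloc(len, GFP_NOFS)`. If befs_off_t is wider than size_t on some builds (its definition is not visible here), the allocation size could be truncated while befs_read_lsymlink() is still asked for the full `len`. Bounding it in the same test, e.g. `if (len == 0 || len > PATH_MAX) {`, would reject corrupted sizes before any allocation. The function starts and ends outside the hunk.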
Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny4
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny4 Thu Sep 1 05:28:08 2011 (r18039)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny4 Thu Sep 1 05:52:42 2011 (r18040)
@@ -17,3 +17,5 @@
+ bugfix/all/proc-map-report-errors-sanely.patch
+ bugfix/all/close-race-in-proc-pid-environ.patch
+ bugfix/all/auxv-require-the-target-or-self-to-be-traceable.patch
++ bugfix/all/befs-ensure-fast-symlinks-are-NUL-terminated.patch
++ bugfix/all/befs-validate-length-of-long-symbolic-links.patch