[kernel] r19252 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Sat Jul 14 15:04:40 UTC 2012 

Author: dannf
Date: Sat Jul 14 15:04:35 2012
New Revision: 19252

Log:
hfsplus: Fix potential buffer overflows (CVE-2012-2319)

Added:
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/hfsplus-Fix-potential-buffer-overflows.patch
Modified:
   dists/squeeze-security/linux-2.6/debian/changelog
   dists/squeeze-security/linux-2.6/debian/patches/series/45squeeze1

Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog	Sat Jul 14 15:04:27 2012	(r19251)
+++ dists/squeeze-security/linux-2.6/debian/changelog	Sat Jul 14 15:04:35 2012	(r19252)
@@ -3,6 +3,7 @@
   * net: sock: validate data_len before allocating skb in
     sock_alloc_send_pskb() (CVE-2012-2136)
   * dl2k: Clean up rio_ioctl, add missing CAP_NET_ADMIN checks (CVE-2012-2313)
+  * hfsplus: Fix potential buffer overflows (CVE-2012-2319)
 
  -- dann frazier <dannf at debian.org>  Tue, 12 Jun 2012 16:56:29 -0600
 

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/hfsplus-Fix-potential-buffer-overflows.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/hfsplus-Fix-potential-buffer-overflows.patch	Sat Jul 14 15:04:35 2012	(r19252)
@@ -0,0 +1,72 @@
+commit 6f24f892871acc47b40dd594c63606a17c714f77
+Author: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+Date:   Fri May 4 12:09:39 2012 -0700
+
+    hfsplus: Fix potential buffer overflows
+    
+    Commit ec81aecb2966 ("hfs: fix a potential buffer overflow") fixed a few
+    potential buffer overflows in the hfs filesystem.  But as Timo Warns
+    pointed out, these changes also need to be made on the hfsplus
+    filesystem as well.
+    
+    Reported-by: Timo Warns <warns at pre-sense.de>
+    Acked-by: WANG Cong <amwang at redhat.com>
+    Cc: Alexey Khoroshilov <khoroshilov at ispras.ru>
+    Cc: Miklos Szeredi <mszeredi at suse.cz>
+    Cc: Sage Weil <sage at newdream.net>
+    Cc: Eugene Teo <eteo at redhat.com>
+    Cc: Roman Zippel <zippel at linux-m68k.org>
+    Cc: Al Viro <viro at zeniv.linux.org.uk>
+    Cc: Christoph Hellwig <hch at lst.de>
+    Cc: Alexey Dobriyan <adobriyan at gmail.com>
+    Cc: Dave Anderson <anderson at redhat.com>
+    Cc: stable <stable at vger.kernel.org>
+    Cc: Andrew Morton <akpm at linux-foundation.org>
+    Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+    [dannf: backported to Debian's 2.6.32]
+
+diff --git a/fs/hfsplus/catalog.c b/fs/hfsplus/catalog.c
+index f6874ac..a0786c6 100644
+--- a/fs/hfsplus/catalog.c
++++ b/fs/hfsplus/catalog.c
+@@ -329,6 +329,10 @@ int hfsplus_rename_cat(u32 cnid,
+ 	err = hfs_brec_find(&src_fd);
+ 	if (err)
+ 		goto out;
++	if (src_fd.entrylength > sizeof(entry) || src_fd.entrylength < 0) {
++		err = -EIO;
++		goto out;
++	}
+ 
+ 	hfs_bnode_read(src_fd.bnode, &entry, src_fd.entryoffset,
+ 				src_fd.entrylength);
+diff --git a/fs/hfsplus/dir.c b/fs/hfsplus/dir.c
+index 5f40236..f4300ff 100644
+--- a/fs/hfsplus/dir.c
++++ b/fs/hfsplus/dir.c
+@@ -138,6 +138,11 @@ static int hfsplus_readdir(struct file *filp, void *dirent, filldir_t filldir)
+ 		filp->f_pos++;
+ 		/* fall through */
+ 	case 1:
++		if (fd.entrylength > sizeof(entry) || fd.entrylength < 0) {
++			err = -EIO;
++			goto out;
++		}
++
+ 		hfs_bnode_read(fd.bnode, &entry, fd.entryoffset, fd.entrylength);
+ 		if (be16_to_cpu(entry.type) != HFSPLUS_FOLDER_THREAD) {
+ 			printk(KERN_ERR "hfs: bad catalog folder thread\n");
+@@ -168,6 +173,12 @@ static int hfsplus_readdir(struct file *filp, void *dirent, filldir_t filldir)
+ 			err = -EIO;
+ 			goto out;
+ 		}
++
++		if (fd.entrylength > sizeof(entry) || fd.entrylength < 0) {
++			err = -EIO;
++			goto out;
++		}
++
+ 		hfs_bnode_read(fd.bnode, &entry, fd.entryoffset, fd.entrylength);
+ 		type = be16_to_cpu(entry.type);
+ 		len = HFSPLUS_MAX_STRLEN;

Modified: dists/squeeze-security/linux-2.6/debian/patches/series/45squeeze1
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/45squeeze1	Sat Jul 14 15:04:27 2012	(r19251)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/45squeeze1	Sat Jul 14 15:04:35 2012	(r19252)
@@ -1,3 +1,4 @@
 + bugfix/all/net-sock-validate-data_len-before-allocating-skb-in-sock_alloc_send_pskb.patch
 + bugfix/all/dl2k-use-standard-defines-from-mii.h.patch
 + bugfix/all/dl2k-Clean-up-rio_ioctl.patch
++ bugfix/all/hfsplus-Fix-potential-buffer-overflows.patch

More information about the Kernel-svn-changes mailing list