Author: dannf Date: Fri Feb 1 20:59:18 2008 New Revision: 10366 Log: * 256_i4l-isdn_ioctl-mem-overrun.diff [SECURITY] Fix potential isdn ioctl memory overrun See CVE-2007-6151
Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/256_i4l-isdn_ioctl-mem-overrun.diff Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog ============================================================================== --- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog (original) +++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog Fri Feb 1 20:59:18 2008 @@ -53,8 +53,11 @@ [SECURITY] Add some sanity checking for a corrupted i_size in ext2_find_entry() See CVE-2006-6054 + * 256_i4l-isdn_ioctl-mem-overrun.diff + [SECURITY] Fix potential isdn ioctl memory overrun + See CVE-2007-6151 - -- dann frazier <[EMAIL PROTECTED]> Mon, 21 Jan 2008 01:00:19 -0700 + -- dann frazier <[EMAIL PROTECTED]> Fri, 01 Feb 2008 14:48:58 -0600 kernel-source-2.4.27 (2.4.27-10sarge5) stable-security; urgency=high Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/256_i4l-isdn_ioctl-mem-overrun.diff ============================================================================== --- (empty file) +++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/256_i4l-isdn_ioctl-mem-overrun.diff Fri Feb 1 20:59:18 2008 @@ -0,0 +1,59 @@ +commit eb0a06330df97dd9bbaf966cf29d755eff90ecd6 +Author: Willy Tarreau <[EMAIL PROTECTED]> +Date: Mon Dec 17 00:10:45 2007 +0100 + + [PATCH] isdn: fix isdn_ioctl memory overrun vulnerability + + Backport of 2.6 commit eafe1aa37e6ec2d56f14732b5240c4dd09f0613a by Karsten Keil + + I4L: fix isdn_ioctl memory overrun vulnerability + + Fix possible memory overrun issue in the isdn ioctl code. + + Found by ADLAB <[EMAIL PROTECTED]> + + Signed-off-by: Karsten Keil <[EMAIL PROTECTED]> + Cc: ADLAB <[EMAIL PROTECTED]> + Cc: <[EMAIL PROTECTED]> + Signed-off-by: Andrew Morton <[EMAIL PROTECTED]> + Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]> + + Signed-off-by: Willy Tarreau <[EMAIL PROTECTED]> + +diff --git a/drivers/isdn/isdn_common.c b/drivers/isdn/isdn_common.c +index 3155dc8..d251886 100644 +--- a/drivers/isdn/isdn_common.c ++++ b/drivers/isdn/isdn_common.c +@@ -1442,6 +1442,7 @@ isdn_ioctl(struct inode *inode, struct file *file, uint cmd, ulong arg) + if (copy_from_user((char *) &iocts, (char *) arg, + sizeof(isdn_ioctl_struct))) + return -EFAULT; ++ iocts.drvid[sizeof(iocts.drvid)-1] = 0; + if (strlen(iocts.drvid)) { + if ((p = strchr(iocts.drvid, ','))) + *p = 0; +@@ -1527,6 +1528,7 @@ isdn_ioctl(struct inode *inode, struct file *file, uint cmd, ulong arg) + (char *) arg, + sizeof(isdn_ioctl_struct))) + return -EFAULT; ++ iocts.drvid[sizeof(iocts.drvid)-1] = 0; + if (strlen(iocts.drvid)) { + drvidx = -1; + for (i = 0; i < ISDN_MAX_DRIVERS; i++) +@@ -1571,7 +1573,7 @@ isdn_ioctl(struct inode *inode, struct file *file, uint cmd, ulong arg) + } else { + p = (char *) iocts.arg; + for (i = 0; i < 10; i++) { +- sprintf(bname, "%s%s", ++ snprintf(bname, sizeof(bname), "%s%s", + strlen(dev->drv[drvidx]->msn2eaz[i]) ? + dev->drv[drvidx]->msn2eaz[i] : "_", + (i < 9) ? "," : "\0"); +@@ -1601,6 +1603,7 @@ isdn_ioctl(struct inode *inode, struct file *file, uint cmd, ulong arg) + char *p; + if (copy_from_user((char *) &iocts, (char *) arg, sizeof(isdn_ioctl_struct))) + return -EFAULT; ++ iocts.drvid[sizeof(iocts.drvid)-1] = 0; + if (strlen(iocts.drvid)) { + if ((p = strchr(iocts.drvid, ','))) + *p = 0; Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 ============================================================================== --- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 (original) +++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 Fri Feb 1 20:59:18 2008 @@ -15,3 +15,4 @@ + 253_coredump-only-to-same-uid.diff + 254_cramfs-check-block-length.diff + 255_ext2-skip-pages-past-num-blocks.diff ++ 256_i4l-isdn_ioctl-mem-overrun.diff _______________________________________________ Kernel-svn-changes mailing list Kernel-svn-changes@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes