Author: dannf
Date: Fri Feb  1 20:59:18 2008
New Revision: 10366

Log:
* 256_i4l-isdn_ioctl-mem-overrun.diff
  [SECURITY] Fix potential isdn ioctl memory overrun
  See CVE-2007-6151

Added:
   
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/256_i4l-isdn_ioctl-mem-overrun.diff
Modified:
   
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
   
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6

Modified: 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
==============================================================================
--- 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
 (original)
+++ 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
 Fri Feb  1 20:59:18 2008
@@ -53,8 +53,11 @@
     [SECURITY] Add some sanity checking for a corrupted i_size in
     ext2_find_entry()
     See CVE-2006-6054
+  * 256_i4l-isdn_ioctl-mem-overrun.diff
+    [SECURITY] Fix potential isdn ioctl memory overrun
+    See CVE-2007-6151
 
- -- dann frazier <[EMAIL PROTECTED]>  Mon, 21 Jan 2008 01:00:19 -0700
+ -- dann frazier <[EMAIL PROTECTED]>  Fri, 01 Feb 2008 14:48:58 -0600
 
 kernel-source-2.4.27 (2.4.27-10sarge5) stable-security; urgency=high
 

Added: 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/256_i4l-isdn_ioctl-mem-overrun.diff
==============================================================================
--- (empty file)
+++ 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/256_i4l-isdn_ioctl-mem-overrun.diff
       Fri Feb  1 20:59:18 2008
@@ -0,0 +1,59 @@
+commit eb0a06330df97dd9bbaf966cf29d755eff90ecd6
+Author: Willy Tarreau <[EMAIL PROTECTED]>
+Date:   Mon Dec 17 00:10:45 2007 +0100
+
+    [PATCH] isdn: fix isdn_ioctl memory overrun vulnerability
+    
+    Backport of 2.6 commit eafe1aa37e6ec2d56f14732b5240c4dd09f0613a by Karsten 
Keil
+    
+        I4L: fix isdn_ioctl memory overrun vulnerability
+    
+        Fix possible memory overrun issue in the isdn ioctl code.
+    
+        Found by ADLAB <[EMAIL PROTECTED]>
+    
+        Signed-off-by: Karsten Keil <[EMAIL PROTECTED]>
+        Cc: ADLAB <[EMAIL PROTECTED]>
+        Cc: <[EMAIL PROTECTED]>
+        Signed-off-by: Andrew Morton <[EMAIL PROTECTED]>
+        Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]>
+    
+    Signed-off-by: Willy Tarreau <[EMAIL PROTECTED]>
+
+diff --git a/drivers/isdn/isdn_common.c b/drivers/isdn/isdn_common.c
+index 3155dc8..d251886 100644
+--- a/drivers/isdn/isdn_common.c
++++ b/drivers/isdn/isdn_common.c
+@@ -1442,6 +1442,7 @@ isdn_ioctl(struct inode *inode, struct file *file, uint 
cmd, ulong arg)
+                                       if (copy_from_user((char *) &iocts, 
(char *) arg,
+                                            sizeof(isdn_ioctl_struct)))
+                                               return -EFAULT;
++                                      iocts.drvid[sizeof(iocts.drvid)-1] = 0;
+                                       if (strlen(iocts.drvid)) {
+                                               if ((p = strchr(iocts.drvid, 
',')))
+                                                       *p = 0;
+@@ -1527,6 +1528,7 @@ isdn_ioctl(struct inode *inode, struct file *file, uint 
cmd, ulong arg)
+                                                           (char *) arg,
+                                            sizeof(isdn_ioctl_struct)))
+                                               return -EFAULT;
++                                      iocts.drvid[sizeof(iocts.drvid)-1] = 0;
+                                       if (strlen(iocts.drvid)) {
+                                               drvidx = -1;
+                                               for (i = 0; i < 
ISDN_MAX_DRIVERS; i++)
+@@ -1571,7 +1573,7 @@ isdn_ioctl(struct inode *inode, struct file *file, uint 
cmd, ulong arg)
+                                       } else {
+                                               p = (char *) iocts.arg;
+                                               for (i = 0; i < 10; i++) {
+-                                                      sprintf(bname, "%s%s",
++                                                      snprintf(bname, 
sizeof(bname), "%s%s",
+                                                               
strlen(dev->drv[drvidx]->msn2eaz[i]) ?
+                                                               
dev->drv[drvidx]->msn2eaz[i] : "_",
+                                                               (i < 9) ? "," : 
"\0");
+@@ -1601,6 +1603,7 @@ isdn_ioctl(struct inode *inode, struct file *file, uint 
cmd, ulong arg)
+                                       char *p;
+                                       if (copy_from_user((char *) &iocts, 
(char *) arg, sizeof(isdn_ioctl_struct)))
+                                               return -EFAULT;
++                                      iocts.drvid[sizeof(iocts.drvid)-1] = 0;
+                                       if (strlen(iocts.drvid)) {
+                                               if ((p = strchr(iocts.drvid, 
',')))
+                                                       *p = 0;
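Review bot: The three added `iocts.drvid[sizeof(iocts.drvid)-1] = 0;` lines (embedded hunks at 1442, 1527 and 1601) carry no comment saying why the last byte is overwritten, and the same copy-then-terminate pair is now repeated by hand at each site. I would put `/* drvid is copied from user space and may arrive without a NUL terminator */` above each of them, or fold the `copy_from_user` and the termination into one static helper so that a later ioctl case cannot forget the second half. In the 1571 hunk the `snprintf` return value is ignored, so an entry longer than `bname` would be truncated silently; whether that can happen depends on the sizes of `bname` and `msn2eaz[]`, which are declared outside the hunk. `isdn_ioctl` starts and ends outside all four embedded hunks, so any other reader of `iocts.drvid` in the function is not visible here and should be checked for the same termination.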

Modified: 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6
==============================================================================
--- 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6
    (original)
+++ 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6
    Fri Feb  1 20:59:18 2008
@@ -15,3 +15,4 @@
 + 253_coredump-only-to-same-uid.diff
 + 254_cramfs-check-block-length.diff
 + 255_ext2-skip-pages-past-num-blocks.diff
++ 256_i4l-isdn_ioctl-mem-overrun.diff
