Git-Url: 
http://git.frugalware.org/gitweb/gitweb.cgi?p=frugalware-current.git;a=commitdiff;h=010960856720283a1a3872d79a9f4750d5f1b390

commit 010960856720283a1a3872d79a9f4750d5f1b390
Author: Miklos Vajna <vmik...@frugalware.org>
Date:   Mon Apr 12 01:23:31 2010 +0200

kernel-2.6.33-2-i686

- update to patchlevel ".2"
- add CVE-2010-1146.patch
- closes #4175

diff --git a/source/base/kernel/CVE-2010-1146.patch 
b/source/base/kernel/CVE-2010-1146.patch
new file mode 100644
index 0000000..e97fcd0
--- /dev/null
+++ b/source/base/kernel/CVE-2010-1146.patch
@@ -0,0 +1,81 @@
+From http://marc.info/?l=linux-kernel&m=127076012022155&q=raw.
+
+ Commit 677c9b2e393a0cd203bd54e9c18b012b2c73305a removed the magic
+ from the lookup code to hide the .reiserfs_priv directory since it
+ was getting loaded at mount-time instead. The intent was that the
+ entry would be hidden from the user via a poisoned d_compare, but
+ this was faulty.
+
+ This introduced a security issue where unpriviledged users could
+ access and modify extended attributes or ACLs belonging to other
+ users, including root.
+
+ This patch resolves the issue by properly hiding .reiserfs_priv. This
+ was the intent of the xattr poisoning code, but it appears to have
+ never worked as expected. This is fixed by using d_revalidate instead
+ of d_compare.
+
+ This patch makes -oexpose_privroot a no-op. I'm fine leaving it this
+ way. The effort involved in working out the corner cases wrt permissions
+ and caching outweigh the benefit of the feature.
+
+Signed-off-by: Jeff Mahoney <je...@suse.com>
+---
+
+ fs/reiserfs/dir.c   |    2 --
+ fs/reiserfs/xattr.c |   17 ++++-------------
+ 2 files changed, 4 insertions(+), 15 deletions(-)
+
+--- a/fs/reiserfs/dir.c
++++ b/fs/reiserfs/dir.c
+@@ -45,8 +45,6 @@ static inline bool is_privroot_deh(struc
+                                  struct reiserfs_de_head *deh)
+ {
+       struct dentry *privroot = REISERFS_SB(dir->d_sb)->priv_root;
+-      if (reiserfs_expose_privroot(dir->d_sb))
+-              return 0;
+       return (dir == dir->d_parent && privroot->d_inode &&
+               deh->deh_objectid == INODE_PKEY(privroot->d_inode)->k_objectid);
+ }
+--- a/fs/reiserfs/xattr.c
++++ b/fs/reiserfs/xattr.c
+@@ -972,21 +972,13 @@ int reiserfs_permission(struct inode *in
+       return generic_permission(inode, mask, NULL);
+ }
+
+-/* This will catch lookups from the fs root to .reiserfs_priv */
+-static int
+-xattr_lookup_poison(struct dentry *dentry, struct qstr *q1, struct qstr *name)
++static int xattr_hide_revalidate(struct dentry *dentry, struct nameidata *nd)
+ {
+-      struct dentry *priv_root = REISERFS_SB(dentry->d_sb)->priv_root;
+-      if (container_of(q1, struct dentry, d_name) == priv_root)
+-              return -ENOENT;
+-      if (q1->len == name->len &&
+-                 !memcmp(q1->name, name->name, name->len))
+-              return 0;
+-      return 1;
++      return -EPERM;
+ }
+
+ static const struct dentry_operations xattr_lookup_poison_ops = {
+-      .d_compare = xattr_lookup_poison,
++      .d_revalidate = xattr_hide_revalidate,
+ };
+
+ int reiserfs_lookup_privroot(struct super_block *s)
+@@ -1000,8 +992,7 @@ int reiserfs_lookup_privroot(struct supe
+                               strlen(PRIVROOT_NAME));
+       if (!IS_ERR(dentry)) {
+               REISERFS_SB(s)->priv_root = dentry;
+-              if (!reiserfs_expose_privroot(s))
+-                      s->s_root->d_op = &xattr_lookup_poison_ops;
++              dentry->d_op = &xattr_lookup_poison_ops;
+               if (dentry->d_inode)
+                       dentry->d_inode->i_flags |= S_PRIVATE;
+       } else
+--
+To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
+the body of a message to majord...@vger.kernel.org
+More majordomo info at  http://vger.kernel.org/majordomo-info.html
+Please read the FAQ at  http://www.tux.org/lkml/
diff --git a/source/base/kernel/FrugalBuild b/source/base/kernel/FrugalBuild
index e801450..eea69a5 100644
--- a/source/base/kernel/FrugalBuild
+++ b/source/base/kernel/FrugalBuild
@@ -4,7 +4,7 @@
USE_DEVEL=${USE_DEVEL:-"n"}

# See http://bugs.freedesktop.org/show_bug.cgi?id=25417
-_F_kernel_patches=(fdo-25417.patch)
+_F_kernel_patches=(fdo-25417.patch CVE-2010-1146.patch)

if Fuse $USE_DEVEL; then
# example for a tagged rc release: 2.6.32.rc5
diff --git a/source/include/kernel-version.sh b/source/include/kernel-version.sh
index f96dc77..5c85304 100644
--- a/source/include/kernel-version.sh
+++ b/source/include/kernel-version.sh
@@ -16,8 +16,8 @@
# * _F_kernelver_stable: the number of the -stable patch to use (if any)
###
_F_kernelver_ver=2.6.33
-_F_kernelver_rel=1
-_F_kernelver_stable=
+_F_kernelver_rel=2
+_F_kernelver_stable=2

###
# == APPENDED VALUES
_______________________________________________
Frugalware-git mailing list
Frugalware-git@frugalware.org
http://frugalware.org/mailman/listinfo/frugalware-git

Reply via email to