Git-Url: http://git.frugalware.org/gitweb/gitweb.cgi?p=frugalware-current.git;a=commitdiff;h=010960856720283a1a3872d79a9f4750d5f1b390
commit 010960856720283a1a3872d79a9f4750d5f1b390 Author: Miklos Vajna <vmik...@frugalware.org> Date: Mon Apr 12 01:23:31 2010 +0200 kernel-2.6.33-2-i686 - update to patchlevel ".2" - add CVE-2010-1146.patch - closes #4175 diff --git a/source/base/kernel/CVE-2010-1146.patch b/source/base/kernel/CVE-2010-1146.patch new file mode 100644 index 0000000..e97fcd0 --- /dev/null +++ b/source/base/kernel/CVE-2010-1146.patch @@ -0,0 +1,81 @@ +From http://marc.info/?l=linux-kernel&m=127076012022155&q=raw. + + Commit 677c9b2e393a0cd203bd54e9c18b012b2c73305a removed the magic + from the lookup code to hide the .reiserfs_priv directory since it + was getting loaded at mount-time instead. The intent was that the + entry would be hidden from the user via a poisoned d_compare, but + this was faulty. + + This introduced a security issue where unpriviledged users could + access and modify extended attributes or ACLs belonging to other + users, including root. + + This patch resolves the issue by properly hiding .reiserfs_priv. This + was the intent of the xattr poisoning code, but it appears to have + never worked as expected. This is fixed by using d_revalidate instead + of d_compare. + + This patch makes -oexpose_privroot a no-op. I'm fine leaving it this + way. The effort involved in working out the corner cases wrt permissions + and caching outweigh the benefit of the feature. + +Signed-off-by: Jeff Mahoney <je...@suse.com> +--- + + fs/reiserfs/dir.c | 2 -- + fs/reiserfs/xattr.c | 17 ++++------------- + 2 files changed, 4 insertions(+), 15 deletions(-) + +--- a/fs/reiserfs/dir.c ++++ b/fs/reiserfs/dir.c +@@ -45,8 +45,6 @@ static inline bool is_privroot_deh(struc + struct reiserfs_de_head *deh) + { + struct dentry *privroot = REISERFS_SB(dir->d_sb)->priv_root; +- if (reiserfs_expose_privroot(dir->d_sb)) +- return 0; + return (dir == dir->d_parent && privroot->d_inode && + deh->deh_objectid == INODE_PKEY(privroot->d_inode)->k_objectid); + } +--- a/fs/reiserfs/xattr.c ++++ b/fs/reiserfs/xattr.c +@@ -972,21 +972,13 @@ int reiserfs_permission(struct inode *in + return generic_permission(inode, mask, NULL); + } + +-/* This will catch lookups from the fs root to .reiserfs_priv */ +-static int +-xattr_lookup_poison(struct dentry *dentry, struct qstr *q1, struct qstr *name) ++static int xattr_hide_revalidate(struct dentry *dentry, struct nameidata *nd) + { +- struct dentry *priv_root = REISERFS_SB(dentry->d_sb)->priv_root; +- if (container_of(q1, struct dentry, d_name) == priv_root) +- return -ENOENT; +- if (q1->len == name->len && +- !memcmp(q1->name, name->name, name->len)) +- return 0; +- return 1; ++ return -EPERM; + } + + static const struct dentry_operations xattr_lookup_poison_ops = { +- .d_compare = xattr_lookup_poison, ++ .d_revalidate = xattr_hide_revalidate, + }; + + int reiserfs_lookup_privroot(struct super_block *s) +@@ -1000,8 +992,7 @@ int reiserfs_lookup_privroot(struct supe + strlen(PRIVROOT_NAME)); + if (!IS_ERR(dentry)) { + REISERFS_SB(s)->priv_root = dentry; +- if (!reiserfs_expose_privroot(s)) +- s->s_root->d_op = &xattr_lookup_poison_ops; ++ dentry->d_op = &xattr_lookup_poison_ops; + if (dentry->d_inode) + dentry->d_inode->i_flags |= S_PRIVATE; + } else +-- +To unsubscribe from this list: send the line "unsubscribe linux-kernel" in +the body of a message to majord...@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html +Please read the FAQ at http://www.tux.org/lkml/ diff --git a/source/base/kernel/FrugalBuild b/source/base/kernel/FrugalBuild index e801450..eea69a5 100644 --- a/source/base/kernel/FrugalBuild +++ b/source/base/kernel/FrugalBuild @@ -4,7 +4,7 @@ USE_DEVEL=${USE_DEVEL:-"n"} # See http://bugs.freedesktop.org/show_bug.cgi?id=25417 -_F_kernel_patches=(fdo-25417.patch) +_F_kernel_patches=(fdo-25417.patch CVE-2010-1146.patch) if Fuse $USE_DEVEL; then # example for a tagged rc release: 2.6.32.rc5 diff --git a/source/include/kernel-version.sh b/source/include/kernel-version.sh index f96dc77..5c85304 100644 --- a/source/include/kernel-version.sh +++ b/source/include/kernel-version.sh @@ -16,8 +16,8 @@ # * _F_kernelver_stable: the number of the -stable patch to use (if any) ### _F_kernelver_ver=2.6.33 -_F_kernelver_rel=1 -_F_kernelver_stable= +_F_kernelver_rel=2 +_F_kernelver_stable=2 ### # == APPENDED VALUES _______________________________________________ Frugalware-git mailing list Frugalware-git@frugalware.org http://frugalware.org/mailman/listinfo/frugalware-git