Author: dannf
Date: Mon Nov 13 05:43:27 2006
New Revision: 7786

Added:
   
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/237_smbfs-no-cap-unix.diff
Modified:
   
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
   
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge5
Log:
* 237_smbfs-no-cap-unix.diff
  [SECURITY] Disable SMB_CAP_UNIX if uid, gid, fmask or dmask are set.
  Now that smbfs supports CAP_UNIX, these options are ignored when
  connecting to a samba server in favor of passing through the Unix
  permissions from the remote server. This is a behavior change from
  woody that users likely will not expect, so disabling.
  Closes: #310982

Modified: 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
==============================================================================
--- 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
 (original)
+++ 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
 Mon Nov 13 05:43:27 2006
@@ -17,8 +17,15 @@
     remaining bytes of the kernel buffer after a fault on the userspace
     address in copy_from_user()
     See CVE-2006-5174
+  * 237_smbfs-no-cap-unix.diff
+    [SECURITY] Disable SMB_CAP_UNIX if uid, gid, fmask or dmask are set.
+    Now that smbfs supports CAP_UNIX, these options are ignored when
+    connecting to a samba server in favor of passing through the Unix
+    permissions from the remote server. This is a behavior change from
+    woody that users likely will not expect, so disabling.
+    Closes: #310982
 
- -- dann frazier <[EMAIL PROTECTED]>  Sun, 12 Nov 2006 20:58:14 -0700
+ -- dann frazier <[EMAIL PROTECTED]>  Sun, 12 Nov 2006 21:12:42 -0700
 
 kernel-source-2.4.27 (2.4.27-10sarge4) stable-security; urgency=high
 

Added: 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/237_smbfs-no-cap-unix.diff
==============================================================================
--- (empty file)
+++ 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/237_smbfs-no-cap-unix.diff
        Mon Nov 13 05:43:27 2006
@@ -0,0 +1,45 @@
+diff -pru kernel-source-2.4.27.orig/include/linux/smb_mount.h 
kernel-source-2.4.27/include/linux/smb_mount.h
+--- kernel-source-2.4.27.orig/include/linux/smb_mount.h        2004-02-18 
22:36:32.000000000 +0900
++++ kernel-source-2.4.27/include/linux/smb_mount.h     2005-07-07 
11:27:51.000000000 +0900
+@@ -37,7 +37,9 @@ struct smb_mount_data {
+ #define SMB_MOUNT_OLDATTR     0x0002  /* Use core getattr (Win 95 speedup) */
+ #define SMB_MOUNT_DIRATTR     0x0004  /* Use find_first for getattr */
+ #define SMB_MOUNT_CASE                0x0008  /* Be case sensitive */
+-
++#define SMB_MOUNT_NO_CAP_UNIX 0x0010  /* Hack for Debian to disable 
++                                         SMB_CAP_UNIX if uid, gid, fmask
++                                         or dmask are set. See Bug#310982 */
+ 
+ struct smb_mount_data_kernel {
+       int version;
+diff -pru kernel-source-2.4.27.orig/fs/smbfs/inode.c 
kernel-source-2.4.27/fs/smbfs/inode.c
+--- kernel-source-2.4.27.orig/fs/smbfs/inode.c 2004-02-18 22:36:31.000000000 
+0900
++++ kernel-source-2.4.27/fs/smbfs/inode.c      2005-07-07 10:50:56.000000000 
+0900
+@@ -286,10 +286,10 @@ static struct option opts[] = {
+       { "oldattr",    SMB_MOUNT_OLDATTR, 1 },
+       { "dirattr",    SMB_MOUNT_DIRATTR, 1 },
+       { "case",       SMB_MOUNT_CASE, 1 },
+-      { "uid",        0, 'u' },
+-      { "gid",        0, 'g' },
+-      { "file_mode",  0, 'f' },
+-      { "dir_mode",   0, 'd' },
++      { "uid",        SMB_MOUNT_NO_CAP_UNIX, 'u' },
++      { "gid",        SMB_MOUNT_NO_CAP_UNIX, 'g' },
++      { "file_mode",  SMB_MOUNT_NO_CAP_UNIX, 'f' },
++      { "dir_mode",   SMB_MOUNT_NO_CAP_UNIX, 'd' },
+       { "iocharset",  0, 'i' },
+       { "codepage",   0, 'c' },
+       { "ttl",        0, 't' },
+diff -pru kernel-source-2.4.27.orig/fs/smbfs/proc.c 
kernel-source-2.4.27/fs/smbfs/proc.c
+--- kernel-source-2.4.27.orig/fs/smbfs/proc.c  2005-05-19 19:29:38.000000000 
+0900
++++ kernel-source-2.4.27/fs/smbfs/proc.c       2005-07-07 10:49:35.000000000 
+0900
+@@ -916,7 +916,8 @@ smb_newconn(struct smb_sb_info *server, 
+               VERBOSE("LFS enabled\n");
+       }
+ #ifndef CONFIG_SMB_UNIX
+-      server->opt.capabilities &= ~SMB_CAP_UNIX;
++      if (!server->mnt.flags & SMB_MOUNT_NO_CAP_UNIX)
++              server->opt.capabilities &= ~SMB_CAP_UNIX;
+ #endif
+       if (server->opt.capabilities & SMB_CAP_UNIX) {
+               struct inode *inode;
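Review bot: In the fs/smbfs/proc.c part of the added patch, `if (!server->mnt.flags & SMB_MOUNT_NO_CAP_UNIX)` parses as `(!server->mnt.flags) & SMB_MOUNT_NO_CAP_UNIX`; since `!x` is 0 or 1 and the flag is 0x0010, the test is always false and the `&= ~SMB_CAP_UNIX` under it becomes dead code. The guard also sits inside `#ifndef CONFIG_SMB_UNIX`, so on a kernel built with CONFIG_SMB_UNIX nothing visible here clears the capability when uid, gid, file_mode or dir_mode are given, and server-supplied ownership and modes would still override the mount options the log entry says should win. To match the stated intent, keep the unconditional clear inside the `#ifndef` and add after the `#endif`: `if (server->mnt.flags & SMB_MOUNT_NO_CAP_UNIX)` followed by `server->opt.capabilities &= ~SMB_CAP_UNIX;`. smb_newconn and the option parser that consumes opts[] lie outside the hunk, so it is worth confirming that the parser actually ORs the table's flag into `server->mnt.flags` for value-taking options such as uid.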

Modified: 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge5
==============================================================================
--- 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge5
    (original)
+++ 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge5
    Mon Nov 13 05:43:27 2006
@@ -2,3 +2,4 @@
 + 234_atm-clip-freed-skb-deref.diff
 + 235_ppc-alignment-exception-table-check.diff
 + 236_s390-uaccess-memleak.diff
++ 237_smbfs-no-cap-unix.diff
