Author: dannf
Date: Tue Jan 8 05:28:26 2008
New Revision: 10084
Log:
* bugfix/i4l-isdn_ioctl-mem-overrun.patch
[SECURITY] Fix potential isdn ioctl memory overrun
See CVE-2007-6151
Added:
dists/etch-security/linux-2.6/debian/patches/bugfix/i4l-isdn_ioctl-mem-overrun.patch
dists/etch-security/linux-2.6/debian/patches/series/17etch1
Modified:
dists/etch-security/linux-2.6/debian/changelog
Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog (original)
+++ dists/etch-security/linux-2.6/debian/changelog Tue Jan 8 05:28:26 2008
@@ -1,3 +1,11 @@
+linux-2.6 (2.6.18.dfsg.1-17etch1) UNRELEASED; urgency=high
+
+ * bugfix/i4l-isdn_ioctl-mem-overrun.patch
+ [SECURITY] Fix potential isdn ioctl memory overrun
+ See CVE-2007-6151
+
+ -- dann frazier <[EMAIL PROTECTED]> Sat, 05 Jan 2008 17:27:50 -0700
+
linux-2.6 (2.6.18.dfsg.1-17) stable; urgency=high
* [futex] Fix address computation in compat code, fixing hangs
Added:
dists/etch-security/linux-2.6/debian/patches/bugfix/i4l-isdn_ioctl-mem-overrun.patch
==============================================================================
--- (empty file)
+++
dists/etch-security/linux-2.6/debian/patches/bugfix/i4l-isdn_ioctl-mem-overrun.patch
Tue Jan 8 05:28:26 2008
@@ -0,0 +1,56 @@
+From: Karsten Keil <[EMAIL PROTECTED]>
+Date: Sat, 1 Dec 2007 20:16:15 +0000 (-0800)
+Subject: I4L: fix isdn_ioctl memory overrun vulnerability
+X-Git-Tag: v2.6.24-rc4~16
+X-Git-Url:
http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=eafe1aa37e6ec2d56f14732b5240c4dd09f0613a
+
+I4L: fix isdn_ioctl memory overrun vulnerability
+
+Fix possible memory overrun issue in the isdn ioctl code.
+
+Found by ADLAB <[EMAIL PROTECTED]>
+
+Signed-off-by: Karsten Keil <[EMAIL PROTECTED]>
+Cc: ADLAB <[EMAIL PROTECTED]>
+Cc: <[EMAIL PROTECTED]>
+Signed-off-by: Andrew Morton <[EMAIL PROTECTED]>
+Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]>
+---
+
+diff --git a/drivers/isdn/i4l/isdn_common.c b/drivers/isdn/i4l/isdn_common.c
+index c6df292..d695295 100644
+--- a/drivers/isdn/i4l/isdn_common.c
++++ b/drivers/isdn/i4l/isdn_common.c
+@@ -1515,6 +1515,7 @@ isdn_ioctl(struct inode *inode, struct file *file, uint
cmd, ulong arg)
+ if (copy_from_user(&iocts, argp,
+ sizeof(isdn_ioctl_struct)))
+ return -EFAULT;
++ iocts.drvid[sizeof(iocts.drvid)-1] = 0;
+ if (strlen(iocts.drvid)) {
+ if ((p = strchr(iocts.drvid,
',')))
+ *p = 0;
+@@ -1599,6 +1600,7 @@ isdn_ioctl(struct inode *inode, struct file *file, uint
cmd, ulong arg)
+ if (copy_from_user(&iocts, argp,
+ sizeof(isdn_ioctl_struct)))
+ return -EFAULT;
++ iocts.drvid[sizeof(iocts.drvid)-1] = 0;
+ if (strlen(iocts.drvid)) {
+ drvidx = -1;
+ for (i = 0; i <
ISDN_MAX_DRIVERS; i++)
+@@ -1643,7 +1645,7 @@ isdn_ioctl(struct inode *inode, struct file *file, uint
cmd, ulong arg)
+ } else {
+ p = (char __user *) iocts.arg;
+ for (i = 0; i < 10; i++) {
+- sprintf(bname, "%s%s",
++ snprintf(bname,
sizeof(bname), "%s%s",
+
strlen(dev->drv[drvidx]->msn2eaz[i]) ?
+
dev->drv[drvidx]->msn2eaz[i] : "_",
+ (i < 9) ? "," :
"\0");
+@@ -1673,6 +1675,7 @@ isdn_ioctl(struct inode *inode, struct file *file, uint
cmd, ulong arg)
+ char *p;
+ if (copy_from_user(&iocts, argp,
sizeof(isdn_ioctl_struct)))
+ return -EFAULT;
++ iocts.drvid[sizeof(iocts.drvid)-1] = 0;
+ if (strlen(iocts.drvid)) {
+ if ((p = strchr(iocts.drvid,
',')))
+ *p = 0;
Added: dists/etch-security/linux-2.6/debian/patches/series/17etch1
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/series/17etch1 Tue Jan 8
05:28:26 2008
@@ -0,0 +1 @@
++ bugfix/i4l-isdn_ioctl-mem-overrun.patch
_______________________________________________
Kernel-svn-changes mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes
