Author: dannf Date: Wed Feb 13 21:14:07 2008 New Revision: 10533 Log: * bugfix/cifs-honor-umask.dpatch [SECURITY] Make CIFS honor a process' umask See CVE-2007-3740
Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/cifs-honor-umask.dpatch Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog ============================================================================== --- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog (original) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog Wed Feb 13 21:14:07 2008 @@ -44,8 +44,11 @@ * [SECURITY] Prevent OOPS during stack expansion when the VMA crosses into address space reserved for hugetlb pages. See CVE-2007-3739 + * bugfix/cifs-honor-umask.dpatch + [SECURITY] Make CIFS honor a process' umask + See CVE-2007-3740 - -- dann frazier <[EMAIL PROTECTED]> Wed, 13 Feb 2008 14:01:28 -0700 + -- dann frazier <[EMAIL PROTECTED]> Wed, 13 Feb 2008 14:12:35 -0700 kernel-source-2.6.8 (2.6.8-17) oldstable; urgency=high Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/cifs-honor-umask.dpatch ============================================================================== --- (empty file) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/cifs-honor-umask.dpatch Wed Feb 13 21:14:07 2008 @@ -0,0 +1,81 @@ +From: Steve French <[EMAIL PROTECTED]> +Date: Fri, 8 Jun 2007 14:55:14 +0000 (+0000) +Subject: [CIFS] CIFS should honour umask +X-Git-Tag: v2.6.22-rc5~50^2 +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=3ce53fc4c57603d99c330a6ee2fe96d94f2d350f + +[CIFS] CIFS should honour umask + +This patch makes CIFS honour a process' umask like other filesystems. +Of course the server is still free to munge the permissions if it wants +to; but the client will send the "right" permissions to begin with. + +A few caveats: + +1) It only applies to filesystems that have CAP_UNIX (aka support unix +extensions) +2) It applies the correct mode to the follow up CIFSSMBUnixSetPerms() +after remote creation + +When mode to CIFS/NTFS ACL mapping is complete we can do the +same thing for that case for servers which do not +support the Unix Extensions. + +Signed-off-by: Matt Keenen <[EMAIL PROTECTED]> +Signed-off-by: Steve French <[EMAIL PROTECTED]> +--- + +Backported to Debian's 2.6.8 by dann frazier <[EMAIL PROTECTED]> + +diff -urpN kernel-source-2.6.8.orig/fs/cifs/dir.c kernel-source-2.6.8/fs/cifs/dir.c +--- kernel-source-2.6.8.orig/fs/cifs/dir.c 2007-05-26 02:54:39.000000000 -0600 ++++ kernel-source-2.6.8/fs/cifs/dir.c 2008-02-13 14:05:50.000000000 -0700 +@@ -242,7 +242,8 @@ cifs_create(struct inode *inode, struct + /* If Open reported that we actually created a file + then we now have to set the mode if possible */ + if ((cifs_sb->tcon->ses->capabilities & CAP_UNIX) && +- (oplock & CIFS_CREATE_ACTION)) ++ (oplock & CIFS_CREATE_ACTION)) { ++ mode &= ~current->fs->umask; + if(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_SET_UID) { + CIFSSMBUnixSetPerms(xid, pTcon, full_path, mode, + (__u64)current->euid, +@@ -256,7 +257,7 @@ cifs_create(struct inode *inode, struct + 0 /* dev */, + cifs_sb->local_nls); + } +- else { ++ } else { + /* BB implement via Windows security descriptors */ + /* eg CIFSSMBWinSetPerms(xid,pTcon,full_path,mode,-1,-1,local_nls);*/ + /* could set r/o dos attribute if mode & 0222 == 0 */ +@@ -356,6 +357,7 @@ int cifs_mknod(struct inode *inode, stru + rc = -ENOMEM; + + if (full_path && (pTcon->ses->capabilities & CAP_UNIX)) { ++ mode &= ~current->fs->umask; + if(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_SET_UID) { + rc = CIFSSMBUnixSetPerms(xid, pTcon, full_path, + mode,(__u64)current->euid,(__u64)current->egid, +diff -urpN kernel-source-2.6.8.orig/fs/cifs/inode.c kernel-source-2.6.8/fs/cifs/inode.c +--- kernel-source-2.6.8.orig/fs/cifs/inode.c 2004-08-13 23:36:11.000000000 -0600 ++++ kernel-source-2.6.8/fs/cifs/inode.c 2008-02-13 14:07:24.000000000 -0700 +@@ -480,7 +480,8 @@ cifs_mkdir(struct inode *inode, struct d + d_instantiate(direntry, newinode); + if(direntry->d_inode) + direntry->d_inode->i_nlink = 2; +- if (cifs_sb->tcon->ses->capabilities & CAP_UNIX) ++ if (cifs_sb->tcon->ses->capabilities & CAP_UNIX) { ++ mode &= ~current->fs->umask; + if(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_SET_UID) { + CIFSSMBUnixSetPerms(xid, pTcon, full_path, mode, + (__u64)current->euid, +@@ -494,7 +495,7 @@ cifs_mkdir(struct inode *inode, struct d + 0 /* dev_t */, + cifs_sb->local_nls); + } +- else { /* BB to be implemented via Windows secrty descriptors*/ ++ } else { /* BB to be implemented via Windows secrty descriptors*/ + /* eg CIFSSMBWinSetPerms(xid,pTcon,full_path,mode,-1,-1,local_nls);*/ + } + } Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 ============================================================================== --- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 (original) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 Wed Feb 13 21:14:07 2008 @@ -12,3 +12,4 @@ + minixfs-printk-hang.dpatch + isdn-net-overflow.dpatch + prevent-stack-growth-into-hugetlb-region.dpatch ++ cifs-honor-umask.dpatch _______________________________________________ Kernel-svn-changes mailing list Kernel-svn-changes@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes