| 1 |
Author: dsd |
| 2 |
Date: 2008-11-19 11:31:08 +0000 (Wed, 19 Nov 2008) |
| 3 |
New Revision: 1381 |
| 4 |
|
| 5 |
Added: |
| 6 |
genpatches-2.6/trunk/2.6.26/1905_hfs-namelength-corruption.patch |
| 7 |
Modified: |
| 8 |
genpatches-2.6/trunk/2.6.26/0000_README |
| 9 |
Log: |
| 10 |
Fix hfs security issue with long catalog names |
| 11 |
|
| 12 |
Modified: genpatches-2.6/trunk/2.6.26/0000_README |
| 13 |
=================================================================== |
| 14 |
--- genpatches-2.6/trunk/2.6.26/0000_README 2008-11-19 11:14:34 UTC (rev 1380) |
| 15 |
+++ genpatches-2.6/trunk/2.6.26/0000_README 2008-11-19 11:31:08 UTC (rev 1381) |
| 16 |
@@ -75,6 +75,10 @@ |
| 17 |
From: http://bugs.gentoo.org/233307 |
| 18 |
Desc: Fix to add UTC timestamp option |
| 19 |
|
| 20 |
+Patch: 1905_hfs-namelength-corruption.patch |
| 21 |
+From: http://bugs.gentoo.org/246710 |
| 22 |
+Desc: Fix hfs security issue with long catalog names |
| 23 |
+ |
| 24 |
Patch: 2400_libertas-scan-buffer-overflow.patch |
| 25 |
From: http://bugs.gentoo.org/247541 |
| 26 |
Desc: Fix libertas buffer overflow |
| 27 |
|
| 28 |
Added: genpatches-2.6/trunk/2.6.26/1905_hfs-namelength-corruption.patch |
| 29 |
=================================================================== |
| 30 |
--- genpatches-2.6/trunk/2.6.26/1905_hfs-namelength-corruption.patch (rev 0) |
| 31 |
+++ genpatches-2.6/trunk/2.6.26/1905_hfs-namelength-corruption.patch 2008-11-19 11:31:08 UTC (rev 1381) |
| 32 |
@@ -0,0 +1,37 @@ |
| 33 |
+From: Eric Sesterhenn <snakebyte@×××.de> |
| 34 |
+Date: Thu, 16 Oct 2008 05:04:11 +0000 (-0700) |
| 35 |
+Subject: hfs: fix namelength memory corruption (CVE-2008-5025) |
| 36 |
+X-Git-Tag: v2.6.27.6~2 |
| 37 |
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6-stable.git;a=commitdiff_plain;h=3c050502c4166dc12009f35eb41fabe9c900cd43 |
| 38 |
+ |
| 39 |
+hfs: fix namelength memory corruption (CVE-2008-5025) |
| 40 |
+ |
| 41 |
+commit d38b7aa7fc3371b52d036748028db50b585ade2e upstream |
| 42 |
+ |
| 43 |
+Fix a stack corruption caused by a corrupted hfs filesystem. If the |
| 44 |
+catalog name length is corrupted the memcpy overwrites the catalog btree |
| 45 |
+structure. Since the field is limited to HFS_NAMELEN bytes in the |
| 46 |
+structure and the file format, we throw an error if it is too long. |
| 47 |
+ |
| 48 |
+Cc: Roman Zippel <zippel@××××××××××.org> |
| 49 |
+Signed-off-by: Eric Sesterhenn <snakebyte@×××.de> |
| 50 |
+Signed-off-by: Andrew Morton <akpm@××××××××××××××××.org> |
| 51 |
+Signed-off-by: Linus Torvalds <torvalds@××××××××××××××××.org> |
| 52 |
+Signed-off-by: Greg Kroah-Hartman <gregkh@××××.de> |
| 53 |
+--- |
| 54 |
+ |
| 55 |
+diff --git a/fs/hfs/catalog.c b/fs/hfs/catalog.c |
| 56 |
+index ba85157..6d98f11 100644 |
| 57 |
+--- a/fs/hfs/catalog.c |
| 58 |
++++ b/fs/hfs/catalog.c |
| 59 |
+@@ -190,6 +190,10 @@ int hfs_cat_find_brec(struct super_block *sb, u32 cnid, |
| 60 |
+ |
| 61 |
+ fd->search_key->cat.ParID = rec.thread.ParID; |
| 62 |
+ len = fd->search_key->cat.CName.len = rec.thread.CName.len; |
| 63 |
++ if (len > HFS_NAMELEN) { |
| 64 |
++ printk(KERN_ERR "hfs: bad catalog namelength\n"); |
| 65 |
++ return -EIO; |
| 66 |
++ } |
| 67 |
+ memcpy(fd->search_key->cat.CName.name, rec.thread.CName.name, len); |
| 68 |
+ return hfs_brec_find(fd); |
| 69 |
+ } |
Archives