From 7aaa1a06b0087a2702f04be576c876778b777bfa Mon Sep 17 00:00:00 2001 From: dann frazier Date: Sun, 8 Apr 2007 22:20:53 +0000 Subject: * bugfix/cm4040-buffer-overflow.patch [SECURITY] Fix a buffer overflow in the Omnikey CardMan 4040 driver See CVE-2007-0005 svn path=/dists/etch-security/linux-2.6/; revision=8431 --- debian/changelog | 5 ++- debian/patches/bugfix/cm4040-buffer-overflow.patch | 44 ++++++++++++++++++++++ debian/patches/series/12etch1 | 1 + 3 files changed, 49 insertions(+), 1 deletion(-) create mode 100644 debian/patches/bugfix/cm4040-buffer-overflow.patch diff --git a/debian/changelog b/debian/changelog index eaf3feddabef..e5a9340d5ecc 100644 --- a/debian/changelog +++ b/debian/changelog @@ -8,8 +8,11 @@ linux-2.6 (2.6.18.dfsg.1-12etch1) UNRELEASED; urgency=low [SECURITY] Fix a remote DoS (crash) in appletalk Depends upon bugfix/appletalk-endianness-annotations.patch See CVE-2007-1357 + * bugfix/cm4040-buffer-overflow.patch + [SECURITY] Fix a buffer overflow in the Omnikey CardMan 4040 driver + See CVE-2007-0005 - -- dann frazier Fri, 06 Apr 2007 14:33:49 -0600 + -- dann frazier Sun, 08 Apr 2007 16:16:03 -0600 linux-2.6 (2.6.18.dfsg.1-12) unstable; urgency=low diff --git a/debian/patches/bugfix/cm4040-buffer-overflow.patch b/debian/patches/bugfix/cm4040-buffer-overflow.patch new file mode 100644 index 000000000000..3047ff6bf4bf --- /dev/null +++ b/debian/patches/bugfix/cm4040-buffer-overflow.patch @@ -0,0 +1,44 @@ +From: Marcel Holtmann +Date: Tue, 6 Mar 2007 21:12:00 +0000 (+0100) +Subject: [PATCH] Fix buffer overflow in Omnikey CardMan 4040 driver (CVE-2007-0005) +X-Git-Tag: v2.6.21-rc3~17 +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=059819a41d4331316dd8ddcf977a24ab338f4300 + +[PATCH] Fix buffer overflow in Omnikey CardMan 4040 driver (CVE-2007-0005) + +Based on a patch from Don Howard + +When calling write() with a buffer larger than 512 bytes, the +driver's write buffer overflows, allowing to overwrite the EIP and +execute arbitrary code with kernel privileges. + +In read(), there exists a similar problem, but coming from the device. +A malicous or buggy device sending more than 512 bytes can overflow +of the driver's read buffer, with the same effects as above. + +Signed-off-by: Marcel Holtmann +Signed-off-by: Harald Welte +Signed-off-by: Linus Torvalds +--- + +diff --git a/drivers/char/pcmcia/cm4040_cs.c b/drivers/char/pcmcia/cm4040_cs.c +index 0e82968..f2e4ec4 100644 +--- a/drivers/char/pcmcia/cm4040_cs.c ++++ b/drivers/char/pcmcia/cm4040_cs.c +@@ -273,6 +273,7 @@ static ssize_t cm4040_read(struct file *filp, char __user *buf, + DEBUGP(6, dev, "BytesToRead=%lu\n", bytes_to_read); + + min_bytes_to_read = min(count, bytes_to_read + 5); ++ min_bytes_to_read = min_t(size_t, min_bytes_to_read, READ_WRITE_BUFFER_SIZE); + + DEBUGP(6, dev, "Min=%lu\n", min_bytes_to_read); + +@@ -340,7 +341,7 @@ static ssize_t cm4040_write(struct file *filp, const char __user *buf, + return 0; + } + +- if (count < 5) { ++ if ((count < 5) || (count > READ_WRITE_BUFFER_SIZE)) { + DEBUGP(2, dev, "<- cm4040_write buffersize=%Zd < 5\n", count); + return -EIO; + } diff --git a/debian/patches/series/12etch1 b/debian/patches/series/12etch1 index ff70dcc02311..eedae5123b49 100644 --- a/debian/patches/series/12etch1 +++ b/debian/patches/series/12etch1 @@ -1,3 +1,4 @@ + bugfix/core-dump-unreadable-PT_INTERP.patch + bugfix/appletalk-endianness-annotations.patch + bugfix/appletalk-length-mismatch.patch ++ bugfix/cm4040-buffer-overflow.patch -- cgit v1.2.3