2.6.16.14 release for smbfs chroot issue fixed (CVE-2006-1864)

diff --git a/releases/2.6.16.14/series b/releases/2.6.16.14/series
new file mode 100644 (file)
index 0000000..751848f
--- /dev/null
+++ b/releases/2.6.16.14/series
@@ -0,0 +1 @@
+smbfs-chroot-issue.patch

diff --git a/releases/2.6.16.14/smbfs-chroot-issue.patch b/releases/2.6.16.14/smbfs-chroot-issue.patch
new file mode 100644 (file)
index 0000000..897f101
--- /dev/null
+++ b/releases/2.6.16.14/smbfs-chroot-issue.patch
@@ -0,0 +1,39 @@
+From vendor-sec-admin@lst.de  Wed May  3 21:36:43 2006
+Date: Wed, 3 May 2006 21:30:11 -0700
+From: Greg KH <greg@kroah.com>
+To: Steven French <sfrench@us.ibm.com>
+Cc: Marcel Holtmann <holtmann@redhat.com>, Olaf Kirch <okir@suse.de>, Mark Moseley <moseleymark@gmail.com>, shaggy@austin.ibm.com
+Subject: [PATCH] smbfs chroot issue (CVE-2006-1864)
+
+From: Olaf Kirch <okir@suse.de>
+
+Mark Moseley reported that a chroot environment on a SMB share can be
+left via "cd ..\\".  Similar to CVE-2006-1863 issue with cifs, this fix
+is for smbfs.
+
+Steven French <sfrench@us.ibm.com> wrote:
+
+Looks fine to me.  This should catch the slash on lookup or equivalent,
+which will be all obvious paths of interest.
+
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ fs/smbfs/dir.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+Index: linux-2.6.16.13/fs/smbfs/dir.c
+===================================================================
+--- linux-2.6.16.13.orig/fs/smbfs/dir.c
++++ linux-2.6.16.13/fs/smbfs/dir.c
+@@ -434,6 +434,11 @@ smb_lookup(struct inode *dir, struct den
+       if (dentry->d_name.len > SMB_MAXNAMELEN)
+               goto out;
+ 
++      /* Do not allow lookup of names with backslashes in */
++      error = -EINVAL;
++      if (memchr(dentry->d_name.name, '\\', dentry->d_name.len))
++              goto out;
++
+       lock_kernel();
+       error = smb_proc_getattr(dentry, &finfo);
+ #ifdef SMBFS_PARANOIA