From: Chris Wright Date: Thu, 4 May 2006 23:59:17 +0000 (-0700) Subject: 2.6.16.14 release for smbfs chroot issue fixed (CVE-2006-1864) X-Git-Tag: v2.6.16.14 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ad2ced66e6be5e9e23af31253ac1e59245086eba;p=thirdparty%2Fkernel%2Fstable-queue.git 2.6.16.14 release for smbfs chroot issue fixed (CVE-2006-1864) --- diff --git a/releases/2.6.16.14/series b/releases/2.6.16.14/series new file mode 100644 index 00000000000..751848fac6e --- /dev/null +++ b/releases/2.6.16.14/series @@ -0,0 +1 @@ +smbfs-chroot-issue.patch diff --git a/releases/2.6.16.14/smbfs-chroot-issue.patch b/releases/2.6.16.14/smbfs-chroot-issue.patch new file mode 100644 index 00000000000..897f10153db --- /dev/null +++ b/releases/2.6.16.14/smbfs-chroot-issue.patch 
@@ -0,0 +1,39 @@ +From vendor-sec-admin@lst.de Wed May 3 21:36:43 2006 +Date: Wed, 3 May 2006 21:30:11 -0700 +From: Greg KH +To: Steven French +Cc: Marcel Holtmann , Olaf Kirch , Mark Moseley , shaggy@austin.ibm.com +Subject: [PATCH] smbfs chroot issue (CVE-2006-1864) + +From: Olaf Kirch + +Mark Moseley reported that a chroot environment on a SMB share can be +left via "cd ..\\". Similar to CVE-2006-1863 issue with cifs, this fix +is for smbfs. + +Steven French wrote: + +Looks fine to me. This should catch the slash on lookup or equivalent, +which will be all obvious paths of interest. + +Signed-off-by: Chris Wright +--- + fs/smbfs/dir.c | 5 +++++ + 1 file changed, 5 insertions(+) + +Index: linux-2.6.16.13/fs/smbfs/dir.c +=================================================================== +--- linux-2.6.16.13.orig/fs/smbfs/dir.c ++++ linux-2.6.16.13/fs/smbfs/dir.c +@@ -434,6 +434,11 @@ smb_lookup(struct inode *dir, struct den + if (dentry->d_name.len > SMB_MAXNAMELEN) + goto out; + ++ /* Do not allow lookup of names with backslashes in */ ++ error = -EINVAL; ++ if (memchr(dentry->d_name.name, '\\', dentry->d_name.len)) ++ goto out; ++ + lock_kernel(); + error = smb_proc_getattr(dentry, &finfo); + #ifdef SMBFS_PARANOIA
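Review bot: In the smb_lookup() hunk for fs/smbfs/dir.c, the new comment "Do not allow lookup of names with backslashes in" says what is rejected but not why, and the reason is the security-relevant part: per the changelog, a name such as "..\\" lets a process leave a chroot on the share, because the backslash reaches the server as a path separator. Putting that reason and the CVE id in the comment would keep the check from later being relaxed as an arbitrary restriction. The check is also added only in smb_lookup(); the quoted "lookup or equivalent, which will be all obvious paths of interest" is the only argument that this is sufficient, so the changelog should name the other name-taking operations in dir.c that were reviewed, or state that they are always preceded by a lookup. The memchr() is bounded by dentry->d_name.len and the early "goto out" sits before lock_kernel(), both of which look right. Finally, the embedded patch is attributed "From: Olaf Kirch" but the visible text carries only Chris Wright's Signed-off-by; the author's sign-off should be included if one exists.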