Re: ACL patches in Debian 2.4 series kernel.
On Tue, Aug 09, 2005 at 10:03:59AM +0200, Fabio Muzzi wrote:
> Hello Horms,
> Tuesday, August 9, 2005, 6:33:04 AM, you wrote:
>
>
> >> > I have read the cahngelog for Debian version of kernel 2.4.27 (and .26
> >> > too) and I have found that the latest version of Posix ACL patches seems
> >> > to be 0.8.71, merged by Herbert Xu in April 2004.
>
> H> are you talking about CAN-2005-0757
>
> No, I don't think it's the same. This issue, AFAIK, causes default acls to
> disappear from a directory, but does not crash the system. It's not really
> a security issue, since it does not allow more rights on the files, but
> less rights (removing default ACLS). Well, if a user can trigger it, it's
> a DOS anyway.
>
> I have not investigated the issue very deeply, but I can tell that it can
> be fixed by applying the newer (>= 0.8.72) ACL patches from
> http://acl.bestbits.at.
>
> To quote Andreas Gruenbacher, "This was fixed in version 0.8.72. The bug
> was in function ext2_xattr_cmp and ext3_xattr_cmp: They did not compare
> the e_name_index field."
Thanks, I have been able to narrow the problem down to the following
change http://acl.bestbits.at/pipermail/acl-devel/2005-February/001848.html
(patch attached), which SuSE seem to regard as a security bug
http://www.novell.com/linux/security/advisories/2005_18_kernel.html
however it does not appear to have a CAN number.
I am putting the attached fix into SVN for both 2.4.27 and 2.6.8.
> H> Otherwise, 2.4 is really in maintenence mode for Sarge, so you might be
> H> best to try one of the newer kernels (e.g. 2.6.12) in unstable.
>
> I'll try 2.6.12, because with 2.6.8 (Sarge default 2.6 kernel) I have had
> issues with USB2 controllers not being released by the BIOS to the
> kernel's driver (which never happened with 2.4.x series) so I could not
> use USB2 devices at all.
--
Horms
--- fs/ext2/xattr.c.orig 2005-08-09 17:59:44.000000000 +0900
+++ fs/ext2/xattr.c 2005-08-09 17:59:46.000000000 +0900
@@ -977,6 +977,7 @@
if (IS_LAST_ENTRY(entry2))
return 1;
if (entry1->e_hash != entry2->e_hash ||
+ entry1->e_name_index != entry2->e_name_index ||
entry1->e_name_len != entry2->e_name_len ||
entry1->e_value_size != entry2->e_value_size ||
memcmp(entry1->e_name, entry2->e_name, entry1->e_name_len))
--- fs/ext3/xattr.c.orig 2005-08-09 17:58:31.000000000 +0900
+++ fs/ext3/xattr.c 2005-08-09 17:58:50.000000000 +0900
@@ -1025,6 +1025,7 @@
if (IS_LAST_ENTRY(entry2))
return 1;
if (entry1->e_hash != entry2->e_hash ||
+ entry1->e_name_index != entry2->e_name_index ||
entry1->e_name_len != entry2->e_name_len ||
entry1->e_value_size != entry2->e_value_size ||
memcmp(entry1->e_name, entry2->e_name, entry1->e_name_len))
Reply to: