Bug#310982: plan to include in sarge 2.4 update

To: Steve Langasek <vorlon@debian.org>, 310982@bugs.debian.org
Cc: Bill Allombert <allomber@math.u-bordeaux.fr>, Horms <horms@debian.org>, Moritz Muehlenhoff <jmm@inutil.org>, ballombe@debian.org, team@security.debian.org
Subject: Bug#310982: plan to include in sarge 2.4 update
From: dann frazier <dannf@debian.org>
Date: Wed, 15 Nov 2006 17:54:52 -0700
Message-id: <[🔎] 20061116005451.GQ31374@colo>
Reply-to: dann frazier <dannf@debian.org>, 310982@bugs.debian.org
In-reply-to: <[🔎] 20061113202259.GF27636@borges.dodds.net>
References: <[🔎] 20061113042813.GK19049@colo> <[🔎] 20061113090951.GA13244@seventeen> <[🔎] 20061113162609.GD10411@colo> <[🔎] 20061113164956.GF13244@seventeen> <[🔎] 20061113202259.GF27636@borges.dodds.net>

On Mon, Nov 13, 2006 at 12:22:59PM -0800, Steve Langasek wrote:
> Yes, because this is a kernel security bug.  The smbmount patch was
> entertained pre-sarge only as a stopgap due to the proximity to release; the
> right place to fix this is still in the kernel (upstream as appropriate).

I've done some testing and verified that 2.6.18 honors uid= and 2.6.8
does not. It looks like this was fixed upstream:
  http://linux.bkbits.net:8080/linux-2.6/cset@41752f820crlhkG3FzR1EMmg1OxskA?nav=index.html|src/|src/fs|src/fs/smbfs|related/fs/smbfs/inode.c

So, I plan to use this patch for 2.6.8, and attempt to backport it to
2.4.27. If backporting becomes overly complicated/risky, I'll revert
to using something like Horms' patch. I'll also see about getting a
CVE assigned.

Everyone cool with this plan?

-- 
dann frazier

Reply to:

Follow-Ups:
- Bug#310982: plan to include in sarge 2.4 update
  - From: Horms <horms@verge.net.au>
- Bug#310982: plan to include in sarge 2.4 update
  - From: Martin Schulze <joey@infodrom.org>
- Bug#310982: plan to include in sarge 2.4 update
  - From: Bill Allombert <allomber@math.u-bordeaux.fr>

References:
- Bug#310982: plan to include in sarge 2.4 update
  - From: dann frazier <dannf@debian.org>
- Bug#310982: plan to include in sarge 2.4 update
  - From: Bill Allombert <allomber@math.u-bordeaux.fr>
- Bug#310982: plan to include in sarge 2.4 update
  - From: dann frazier <dannf@dannf.org>
- Bug#310982: plan to include in sarge 2.4 update
  - From: Bill Allombert <allomber@math.u-bordeaux.fr>
- Bug#310982: plan to include in sarge 2.4 update
  - From: Steve Langasek <vorlon@debian.org>

Prev by Date: Processed: Re: Bug#398470: Acknowledgement (mysterious, possibly race-y oops in key/keyring code)
Next by Date: Bug#310982: plan to include in sarge 2.4 update
Previous by thread: Bug#310982: plan to include in sarge 2.4 update
Next by thread: Bug#310982: plan to include in sarge 2.4 update
Index(es):
- Date
- Thread