On Fri, Mar 02, 2012 at 05:44:01PM +0000, Colin King wrote:
> From: Colin Ian King <colin.king@canonical.com>
>
> BugLink: http://bugs.launchpad.net/bugs/944990
>
> SRU justification:
>
> Impact:
>
> From mhalcrow's original commit message:
>
> Characters with ASCII values greater than the size of
> filename_rev_map[] are valid filename characters.
> ecryptfs_decode_from_filename() will access kernel memory beyond
> that array, and ecryptfs_parse_tag_70_packet() will then decrypt
> those characters. The attacker, using the FNEK of the crafted file,
> can then re-encrypt the characters to reveal the kernel memory past
> the end of the filename_rev_map[] array. I expect low security
> impact since this array is statically allocated in the text area,
> and the amount of memory past the array that is accessible is
> limited by the largest possible ASCII filename character.
>
> Fix:
>
> Upstream commit 0f751e641a71157aa584c2a2e22fda52b52b8a56
>
> Note: This patch has already been picked up in Lucid as part of
> the stable updates process, but got overlooked for Natty.
>
> Tyler Hicks (1):
> eCryptfs: Extend array bounds for all filename chars
>
> fs/ecryptfs/crypto.c | 4 ++--
> 1 files changed, 2 insertions(+), 2 deletions(-)
>
> --
> 1.7.9
>
>
> --
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team