Horms
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: ACL patches in Debian 2.4 series kernel.
On Tue, Aug 09, 2005 at 10:03:59AM +0200, Fabio Muzzi wrote:
> Hello Horms,
> Tuesday, August 9, 2005, 6:33:04 AM, you wrote:
>
> >> > I have read the changelog for Debian version of kernel 2.4.27 (and .26
> >> > too) and I have found that the latest version of Posix ACL patches seems
> >> > to be 0.8.71, merged by Herbert Xu in April 2004.
>
> H> are you talking about CAN-2005-0757
>
> No, I don't think it's the same. This issue, AFAIK, causes default acls to
> disappear from a directory, but does not crash the system. It's not really
> a security issue, since it does not allow more rights on the files, but
> less rights (removing default ACLS). Well, if a user can trigger it, it's
> a DOS anyway.
>
> I have not investigated the issue very deeply, but I can tell that it can
> be fixed by applying the newer (>= 0.8.72) ACL patches from
> http://acl.bestbits.at.
>
> To quote Andreas Gruenbacher, "This was fixed in version 0.8.72. The bug
> was in function ext2_xattr_cmp and ext3_xattr_cmp: They did not compare
> the e_name_index field."

Thanks, I have been able to narrow the problem down to the following change
http://acl.bestbits.at/pipermail/acl-devel/2005-February/001848.html
(patch attached), which SuSE seem to regard as a security bug
http://www.novell.com/linux/security/advisories/2005_18_kernel.html
however it does not appear to have a CAN number.

I am putting the attached fix into SVN for both 2.4.27 and 2.6.8.

> H> Otherwise, 2.4 is really in maintenance mode for Sarge, so you might be
> H> best to try one of the newer kernels (e.g. 2.6.12) in unstable.
>
> I'll try 2.6.12, because with 2.6.8 (Sarge default 2.6 kernel) I have had
> issues with USB2 controllers not being released by the BIOS to the
> kernel's driver (which never happened with 2.4.x series) so I could not
> use USB2 devices at all.

--
Horms
-------------- next part --------------
--- fs/ext2/xattr.c.orig 2005-08-09 17:59:44.000000000 +0900 +++ fs/ext2/xattr.c 2005-08-09 17:59:46.000000000 +0900 @@ -977,6 +977,7 @@ if (IS_LAST_ENTRY(entry2)) return 1; if (entry1->e_hash != entry2->e_hash || + entry1->e_name_index != entry2->e_name_index || entry1->e_name_len != entry2->e_name_len || entry1->e_value_size != entry2->e_value_size || memcmp(entry1->e_name, entry2->e_name, entry1->e_name_len)) --- fs/ext3/xattr.c.orig 2005-08-09 17:58:31.000000000 +0900 +++ fs/ext3/xattr.c 2005-08-09 17:58:50.000000000 +0900 @@ -1025,6 +1025,7 @@ if (IS_LAST_ENTRY(entry2)) return 1; if (entry1->e_hash != entry2->e_hash || + entry1->e_name_index != entry2->e_name_index || entry1->e_name_len != entry2->e_name_len || entry1->e_value_size != entry2->e_value_size || memcmp(entry1->e_name, entry2->e_name, entry1->e_name_len))
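
Review bot: The added `entry1->e_name_index != entry2->e_name_index` test in the fs/ext2/xattr.c hunk (@@ -977) has no comment saying why the index must match, and the surrounding tests on e_hash, e_name_len, e_value_size and the name bytes make it look redundant at a glance. Suggest a one-line comment above the condition stating that entries with the same name bytes and length but a different name index are different attributes, so the test is not dropped again in a later cleanup.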
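
Review bot: The fs/ext3/xattr.c hunk (@@ -1025) duplicates the ext2 condition line for line, so the two comparison routines have to be kept in step by hand; worth saying so in the patch description, which is currently missing altogether. The file headers (fs/ext3/xattr.c.orig against fs/ext3/xattr.c) also carry no leading directory component, so the patch only applies with -p0 from the top of the tree. Suggest adding a short description that cites the acl-devel posting the change comes from and regenerating the diff with a leading path component.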
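
Added example, not part of the original message or the kernel source: a simplified C model of how a comparison that skips the name index can make a default ACL disappear, as described in the thread. The struct layout, `find_shareable()`, the block-reuse step, the assumption that the hash does not cover the name index, and the index values 2 and 3 are illustrative assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model (assumption): one entry per xattr block, keeping only
 * the fields the patch compares. Not the kernel's structures. */
struct xentry {
    uint8_t  name_len;
    uint8_t  name_index;   /* selects the attribute namespace */
    uint32_t value_size;
    uint32_t hash;         /* assumed not to cover name_index */
    char     name[16];
};

/* Returns 0 when the entries are treated as identical. check_index = 0
 * models the comparison before the patch, 1 the patched comparison. */
int xattr_cmp(const struct xentry *a, const struct xentry *b, int check_index)
{
    if (a->hash != b->hash ||
        (check_index && a->name_index != b->name_index) ||
        a->name_len != b->name_len ||
        a->value_size != b->value_size ||
        memcmp(a->name, b->name, a->name_len))
        return 1;
    return 0;
}

/* Hypothetical block-sharing lookup: index of a cached block that compares
 * identical to the wanted one, or -1 meaning "allocate a new block". */
int find_shareable(const struct xentry *cache, int n,
                   const struct xentry *want, int check_index)
{
    for (int i = 0; i < n; i++)
        if (xattr_cmp(want, &cache[i], check_index) == 0)
            return i;
    return -1;
}

/* Constructed sample: an access-ACL block is cached, then a directory
 * stores a default ACL with the same value bytes (same size and hash). */
static const struct xentry cached[1]   = { { 0, 2, 28, 0x1234u, "" } };
static const struct xentry default_acl =   { 0, 3, 28, 0x1234u, "" };

int main(void)
{
    int before = find_shareable(cached, 1, &default_acl, 0);
    int after  = find_shareable(cached, 1, &default_acl, 1);
    /* Unpatched: block 0 is reused, but its entry has index 2, so a later
     * lookup for the default ACL (index 3) finds nothing. */
    printf("unpatched -> block %d, patched -> block %d\n", before, after);
    return 0;
}
```
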