[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20060820192750.GR7813@stusta.de>
Date: Sun, 20 Aug 2006 21:27:50 +0200
From: Adrian Bunk <bunk@...sta.de>
To: ext2-devel@...ts.sourceforge.net, Neil Brown <neilb@...e.de>,
Eric Sandeen <sandeen@...deen.net>
Cc: linux-kernel@...r.kernel.org
Subject: CVE-2006-3468: which patch to use?
While going through patches for 2.6.16.x, I stumbled over the following
regarding the "NFS export of ext2/ext3" security vulnerabilities (the
ext3 one is CVE-2006-3468, I don't whether there's a number for the
ext2 one):
There are three patches available:
have-ext2-reject-file-handles-with-bad-inode-numbers-early.patch
have-ext3-reject-file-handles-with-bad-inode-numbers-early.patch
ext3-avoid-triggering-ext3_error-on-bad-nfs-file-handle.patch
The first two patches are except for a s/ext2/ext3/ identical.
The two ext3 patches fix the same issue in slightly different ways.
It seems there was already some agreement that the first of the two ext3
patches should be preferred due to being more the same as the ext2 patch
(see [1] and followups).
But the only patch that is applied in 2.6.18-rc4 (and in 2.6.17.9) is
the ext3 patch that is _not_ identical to the ext2 one.
Is it the correct solution to revert this ext3 patch in both 2.6.18-rc
and 2.6.17 and to apply the other two patches?
cu
Adrian
BTW: I've attached all three patches.
[1] http://lkml.org/lkml/2006/8/4/192
--
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed
View attachment "have-ext2-reject-file-handles-with-bad-inode-numbers-early.patch" of type "text/plain" (2320 bytes)
View attachment "have-ext3-reject-file-handles-with-bad-inode-numbers-early.patch" of type "text/plain" (2570 bytes)
View attachment "ext3-avoid-triggering-ext3_error-on-bad-nfs-file-handle.patch" of type "text/plain" (3837 bytes)
Powered by blists - more mailing lists