diff options
| author | Ben Hutchings <ben@decadent.org.uk> | 2015-11-08 14:48:04 +0000 |
|---|---|---|
| committer | Ben Hutchings <ben@decadent.org.uk> | 2015-11-08 14:48:04 +0000 |
| commit | 222755c823c1e7d86e3c77e06c080594828e7435 (patch) | |
| tree | 83f2fe27a87b50c4259a3b42fa8ae06d74366504 | |
| parent | 95b8f8213bfd01cc878b9f9c9f8fca69f273d885 (diff) | |
usbvision: fix overflow of interfaces array (CVE-2015-7833)
| -rw-r--r-- | debian/changelog | 6 | ||||
| -rw-r--r-- | debian/patches/bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch | 31 | ||||
| -rw-r--r-- | debian/patches/series | 1 |
3 files changed, 38 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog index b2aaf988f..28ef9f137 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +linux (4.2.5-2) UNRELEASED; urgency=medium + + * usbvision: fix overflow of interfaces array (CVE-2015-7833) + + -- Ben Hutchings <ben@decadent.org.uk> Sun, 08 Nov 2015 14:47:40 +0000 + linux (4.2.5-1) unstable; urgency=medium * New upstream stable update: diff --git a/debian/patches/bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch b/debian/patches/bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch new file mode 100644 index 000000000..839aa6855 --- /dev/null +++ b/debian/patches/bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch @@ -0,0 +1,31 @@ +From: Oliver Neukum <oneukum@suse.com> +Date: Tue, 27 Oct 2015 12:42:38 +0100 +Subject: usbvision fix overflow of interfaces array +Origin: https://bugzilla.novell.com/attachment.cgi?id=653350 + +This fixes the crash reported in: +http://seclists.org/bugtraq/2015/Oct/35 +The interface number needs a sanity check. + +Signed-off-by: Oliver Neukum <oneukum@suse.com> +[bwh: Backported to 4.2: adjust context] +--- + drivers/media/usb/usbvision/usbvision-video.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/media/usb/usbvision/usbvision-video.c ++++ b/drivers/media/usb/usbvision/usbvision-video.c +@@ -1533,6 +1533,13 @@ static int usbvision_probe(struct usb_in + printk(KERN_INFO "%s: %s found\n", __func__, + usbvision_device_data[model].model_string); + ++ /* ++ * this is a security check. ++ * an exploit using an incorrect bInterfaceNumber is known ++ */ ++ if (ifnum >= USB_MAXINTERFACES || !dev->actconfig->interface[ifnum]) ++ return -ENODEV; ++ + if (usbvision_device_data[model].interface >= 0) + interface = &dev->actconfig->interface[usbvision_device_data[model].interface]->altsetting[0]; + else diff --git a/debian/patches/series b/debian/patches/series index 5792e691f..0f2520ec6 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -104,3 +104,4 @@ bugfix/all/KEYS-Don-t-permit-request_key-to-construct-a-new-key.patch debian/target-fix-abi-change-in-4.2.4.patch debian/signal-fix-abi-change-in-4.2.4.patch +bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch |