diff --git a/debian/changelog b/debian/changelog index 32e5f5c02..411c69a1c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -443,6 +443,8 @@ linux (4.18.14-1) UNRELEASED; urgency=medium * [x86] swiotlb: Enable swiotlb for > 4GiG RAM on 32-bit kernels (Closes: #908924) * mremap: properly flush TLB before releasing the page (CVE-2018-18281) + * cdrom: fix improper type cast, which can leat to information leak + (CVE-2018-18710) -- Ben Hutchings Mon, 08 Oct 2018 19:02:53 +0100 diff --git a/debian/patches/bugfix/all/cdrom-fix-improper-type-cast-which-can-leat-to-infor.patch b/debian/patches/bugfix/all/cdrom-fix-improper-type-cast-which-can-leat-to-infor.patch new file mode 100644 index 000000000..c85d51cc4 --- /dev/null +++ b/debian/patches/bugfix/all/cdrom-fix-improper-type-cast-which-can-leat-to-infor.patch @@ -0,0 +1,34 @@ +From: Young_X +Date: Wed, 3 Oct 2018 12:54:29 +0000 +Subject: cdrom: fix improper type cast, which can leat to information leak. +Origin: https://git.kernel.org/linus/e4f3aa2e1e67bb48dfbaaf1cad59013d5a5bc276 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-18710 + +There is another cast from unsigned long to int which causes +a bounds check to fail with specially crafted input. The value is +then used as an index in the slot array in cdrom_slot_status(). + +This issue is similar to CVE-2018-16658 and CVE-2018-10940. + +Signed-off-by: Young_X +Signed-off-by: Jens Axboe +--- + drivers/cdrom/cdrom.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c +index a5d5a96479bf..10802d1fc554 100644 +--- a/drivers/cdrom/cdrom.c ++++ b/drivers/cdrom/cdrom.c +@@ -2445,7 +2445,7 @@ static int cdrom_ioctl_select_disc(struct cdrom_device_info *cdi, + return -ENOSYS; + + if (arg != CDSL_CURRENT && arg != CDSL_NONE) { +- if ((int)arg >= cdi->capacity) ++ if (arg >= cdi->capacity) + return -EINVAL; + } + +-- +2.11.0 + diff --git a/debian/patches/series b/debian/patches/series index 13e83e91c..f29ef21d5 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -146,6 +146,7 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch debian/i386-686-pae-pci-set-pci-nobios-by-default.patch bugfix/all/Revert-net-increase-fragment-memory-usage-limits.patch bugfix/all/mremap-properly-flush-TLB-before-releasing-the-page.patch +bugfix/all/cdrom-fix-improper-type-cast-which-can-leat-to-infor.patch # Fix exported symbol versions bugfix/all/module-disable-matching-missing-version-crc.patch