Re: CVE-2006-3468: which patch to use?

From: Neil Brown
Date: Sun Aug 20 2006 - 18:55:36 EST

On Sunday August 20, bunk@xxxxxxxxx wrote:
> While going through patches for 2.6.16.x, I stumbled over the following
> regarding the "NFS export of ext2/ext3" security vulnerabilities (the
> ext3 one is CVE-2006-3468, I don't whether there's a number for the
> ext2 one):
> There are three patches available:
> have-ext2-reject-file-handles-with-bad-inode-numbers-early.patch
> have-ext3-reject-file-handles-with-bad-inode-numbers-early.patch
> ext3-avoid-triggering-ext3_error-on-bad-nfs-file-handle.patch
> The first two patches are except for a s/ext2/ext3/ identical.
> The two ext3 patches fix the same issue in slightly different ways.
> It seems there was already some agreement that the first of the two ext3
> patches should be preferred due to being more the same as the ext2 patch
> (see [1] and followups).
> But the only patch that is applied in 2.6.18-rc4 (and in is
> the ext3 patch that is _not_ identical to the ext2 one.
> Is it the correct solution to revert this ext3 patch in both 2.6.18-rc
> and 2.6.17 and to apply the other two patches?

There is no point in reverting the ext3 patch. It is a good and
proper patch to have.
Apply the ext2 patch is definitely a good idea.
Applying the other ext3 patch is also a good idea.

To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at
Please read the FAQ at