Re: CVE-2006-3468: which patch to use?

[Neil Brown]

On Sunday August 20, bunk@xxxxxxxxx wrote:
> While going through patches for 2.6.16.x, I stumbled over the following 
> regarding the "NFS export of ext2/ext3" security vulnerabilities (the 
> ext3 one is  CVE-2006-3468, I don't whether there's a number for the 
> ext2 one):
> 
> There are three patches available:
> have-ext2-reject-file-handles-with-bad-inode-numbers-early.patch
> have-ext3-reject-file-handles-with-bad-inode-numbers-early.patch
> ext3-avoid-triggering-ext3_error-on-bad-nfs-file-handle.patch
> 
> The first two patches are except for a s/ext2/ext3/ identical.
> 
> The two ext3 patches fix the same issue in slightly different ways.
> 
> It seems there was already some agreement that the first of the two ext3 
> patches should be preferred due to being more the same as the ext2 patch
> (see [1] and followups).
> 
> But the only patch that is applied in 2.6.18-rc4 (and in 2.6.17.9) is 
> the ext3 patch that is _not_ identical to the ext2 one.
> 
> Is it the correct solution to revert this ext3 patch in both 2.6.18-rc 
> and 2.6.17 and to apply the other two patches?

There is no point in reverting the ext3 patch.  It is a good and
proper patch to have.
Apply the ext2 patch is definitely a good idea.
Applying the other ext3 patch is also a good idea.

NeilBrown
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/