Spotted in the 2.6.30.4 ChangeLog: commit 59a1c9b5b74e95eea73a6f85c574bd63031a0bcf Author: Ramon de Carvalho Valle <ramon@risesecurity.org> Date: Tue Jul 28 13:58:22 2009 -0500 eCryptfs: parse_tag_3_packet check tag 3 packet encrypted key size (CVE-2009-2407) commit f151cd2c54ddc7714e2f740681350476cda03a28 upstream. The parse_tag_3_packet function does not check if the tag 3 packet contains a encrypted key size larger than ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES. Signed-off-by: Ramon de Carvalho Valle <ramon@risesecurity.org> [tyhicks@linux.vnet.ibm.com: Added printk newline and changed goto to out_free] Signed-off-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
CVE-2009-2407 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2407): Heap-based buffer overflow in the parse_tag_3_packet function in fs/ecryptfs/keystore.c in the eCryptfs subsystem in the Linux kernel before 2.6.30.4 allows local users to cause a denial of service (system crash) or possibly gain privileges via vectors involving a crafted eCryptfs file, related to a large encrypted key size in a Tag 3 packet.