When the package maintainers backported the fix for CVE-2007-2878 [1], they made a typo while adapting the code to kernel 2.6.15.
With [2] applied to the 2.6.15 source code, fat_ioctl_readdir() is as follows:
    ...
    down(&inode->i_sem);
    ret = -ENOENT;
    if (!IS_DEADDIR(inode)) {
        ret = __fat_readdir(inode, filp, &buf, filldir, short_only, both);
    }
    down(&inode->i_sem);
    ...
The second down() should be an up().
This only affects the dapper kernels 2.6.15-28-51, not the later kernels used in Ubuntu 6.10 and up, which kept the mutex_lock() / mutex_unlock() pair from the original commit in kernel 2.6.21.2.
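The consequence of the typo is easy to miss when reading the hunk: a kernel semaphore is not owner-aware, so the second down() on an i_sem this task already holds simply sleeps, and since nothing will ever up() it, the task hangs and every later access to that directory hangs behind it. The following userspace model is an added example, not code from the bug report or from the Ubuntu kernel; it replaces the real struct semaphore with a counter, stands in a hypothetical __fat_readdir() for the real directory walk, and has down() return -EDEADLK where the kernel would sleep forever, so the difference between the backported version and the intended up() can be observed without hanging the process.

```c
/* Added example: models the down();down() typo in the dapper backport of the
 * CVE-2007-2878 fix.  Not code from the bug report or the Ubuntu kernel. */
#include <errno.h>
#include <stdio.h>

/* Minimal model of the 2.6.15 struct semaphore: count 1 = free, 0 = held. */
struct semaphore {
    int count;
};

/* Model of down(): in the kernel a zero count puts the task to sleep until
 * someone calls up().  In the buggy path nobody ever will, so instead of
 * hanging this demo we return -EDEADLK to mean "this task would sleep forever". */
static int down(struct semaphore *sem)
{
    if (sem->count == 0)
        return -EDEADLK;
    sem->count--;
    return 0;
}

static void up(struct semaphore *sem)
{
    sem->count++;
}

/* Only the fields the example needs from the inode. */
struct inode {
    struct semaphore i_sem;
    int deaddir;            /* stands in for IS_DEADDIR(inode) */
};

/* Hypothetical stand-in for __fat_readdir(); the real one walks the FAT directory. */
static int __fat_readdir(struct inode *inode)
{
    (void)inode;
    return 0;
}

/* The dapper backport as quoted in the report: down() twice, never up(). */
static int fat_ioctl_readdir_buggy(struct inode *inode)
{
    int ret;

    if (down(&inode->i_sem))
        return -EDEADLK;        /* i_sem already held by a stuck earlier caller */
    ret = -ENOENT;
    if (!inode->deaddir)
        ret = __fat_readdir(inode);
    if (down(&inode->i_sem))    /* typo: should be up(); count is already 0 */
        return -EDEADLK;        /* kernel: sleeps forever, i_sem never released */
    return ret;
}

/* What the backport should have been. */
static int fat_ioctl_readdir_fixed(struct inode *inode)
{
    int ret;

    if (down(&inode->i_sem))
        return -EDEADLK;
    ret = -ENOENT;
    if (!inode->deaddir)
        ret = __fat_readdir(inode);
    up(&inode->i_sem);
    return ret;
}

/* Issues the ioctl twice on one directory, as two processes would.  The first
 * result is stored in *first; the return value is the second call's result,
 * which shows whether the directory is still usable afterwards. */
static int run_two_ioctls(int (*ioctl_fn)(struct inode *), int *first)
{
    struct inode dir = { .i_sem = { .count = 1 }, .deaddir = 0 };

    *first = ioctl_fn(&dir);
    return ioctl_fn(&dir);
}

int main(void)
{
    int first, second;

    second = run_two_ioctls(fat_ioctl_readdir_buggy, &first);
    printf("buggy backport: first=%d second=%d\n", first, second);
    second = run_two_ioctls(fat_ioctl_readdir_fixed, &first);
    printf("intended code:  first=%d second=%d\n", first, second);
    return 0;
}
```

With the buggy version both calls come back -EDEADLK: the first caller is the one that would hang in the kernel, and the second one is any later process touching the same directory. With up() in place both calls complete and i_sem is back at count 1 between them.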
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2878
[2] http://archive.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.15/linux-source-2.6.15_2.6.15-51.66.diff.gz