Version in base suite: 1.0.8-7
Version in overlay suite: 1.0.8-7sarge1

Base version: alsa-driver_1.0.8-7
Target version: alsa-driver_1.0.8-7sarge1
Base file: /org/ftp.debian.org/ftp/pool/main/a/alsa-driver/alsa-driver_1.0.8-7.dsc
Target file: /org/ftp.debian.org/ftp/pool/main/a/alsa-driver/alsa-driver_1.0.8-7sarge1.dsc

diff -u alsa-driver-1.0.8/debian/patches/00list alsa-driver-1.0.8/debian/patches/00list
--- alsa-driver-1.0.8/debian/patches/00list
+++ alsa-driver-1.0.8/debian/patches/00list
@@ -8,2 +8,3 @@
 18_core_init_index
+20_snd-page-alloc-leak
 99_debian_makefile_depmod
diff -u alsa-driver-1.0.8/debian/changelog alsa-driver-1.0.8/debian/changelog
--- alsa-driver-1.0.8/debian/changelog
+++ alsa-driver-1.0.8/debian/changelog
@@ -1,3 +1,13 @@
+alsa-driver (1.0.8-7sarge1) oldstable-security; urgency=high
+
+  * NMU by the Security Team
+  * 20_snd-page-alloc-leak.dpatch:
+    Fix an issue in the alsa subsystem that allows a local user to read
+    potentially sensitive kernel memory from the proc filesystem.
+    See CVE-2007-4571
+
+ -- dann frazier <dannf@debian.org>  Wed, 20 Feb 2008 00:58:09 -0700
+
 alsa-driver (1.0.8-7) unstable; urgency=medium
 
   * Thomas Hood
only in patch2:
unchanged:
--- alsa-driver-1.0.8.orig/debian/patches/20_snd-page-alloc-leak.dpatch
+++ alsa-driver-1.0.8/debian/patches/20_snd-page-alloc-leak.dpatch
@@ -0,0 +1,116 @@
+#! /bin/sh -e
+
+# 20_snd-page-alloc-leak.dpatch
+#
+# DP: Fix sensitive memory leak in proc
+
+. debian/patches/patch-opts
+
+if [ $# -ne 1 ]; then
+    echo >&2 "`basename $0`: script expects -patch|-unpatch as argument"
+    exit 1
+fi
+case "$1" in
+    -patch) patch $patch_opts < $0;;
+    -unpatch) patch $patch_opts -R < $0;;
+    *)
+        echo >&2 "`basename $0`: script expects -patch|-unpatch as argument"
+        exit 1;;
+esac
+
+exit 0
+
+@DPATCH@
+--- alsa-driver-1.0.8/sound/core/memalloc.c.orig	2004-10-23 10:10:24.000000000 -0600
++++ alsa-driver-1.0.8/sound/core/memalloc.c	2008-02-20 00:52:38.000000000 -0700
+@@ -28,6 +28,7 @@
+ #include <linux/pci.h>
+ #include <linux/slab.h>
+ #include <linux/mm.h>
++#include <linux/seq_file.h>
+ #include <linux/dma-mapping.h>
+ #include <linux/moduleparam.h>
+ #include <asm/semaphore.h>
+@@ -593,10 +594,11 @@ static void __init preallocate_cards(voi
+ /*
+  * proc file interface
+  */
+-static int snd_mem_proc_read(char *page, char **start, off_t off,
+-			     int count, int *eof, void *data)
++#define SND_MEM_PROC_FILE	"driver/snd-page-alloc"
++struct proc_dir_entry *snd_mem_proc;
++
++static int snd_mem_proc_read(struct seq_file *seq, void *offset)
+ {
+-	int len = 0;
+ 	long pages = snd_allocated_pages >> (PAGE_SHIFT-12);
+ 	struct list_head *p;
+ 	struct snd_mem_list *mem;
+@@ -604,25 +606,36 @@ static int snd_mem_proc_read(char *page,
+ 	static char *types[] = { "UNKNOWN", "CONT", "DEV", "DEV-SG", "SBUS" };
+ 
+ 	down(&list_mutex);
+-	len += snprintf(page + len, count - len,
+-			"pages  : %li bytes (%li pages per %likB)\n",
+-			pages * PAGE_SIZE, pages, PAGE_SIZE / 1024);
++	seq_printf(seq, "pages  : %li bytes (%li pages per %likB)\n",
++		   pages * PAGE_SIZE, pages, PAGE_SIZE / 1024);
+ 	devno = 0;
+ 	list_for_each(p, &mem_list_head) {
+ 		mem = list_entry(p, struct snd_mem_list, list);
+ 		devno++;
+-		len += snprintf(page + len, count - len,
+-				"buffer %d : ID %08x : type %s\n",
+-				devno, mem->id, types[mem->buffer.dev.type]);
+-		len += snprintf(page + len, count - len,
+-				"  addr = 0x%lx, size = %d bytes\n",
+-				(unsigned long)mem->buffer.addr, (int)mem->buffer.bytes);
++		seq_printf(seq, "buffer %d : ID %08x : type %s\n",
++			   devno, mem->id, types[mem->buffer.dev.type]);
++		seq_printf(seq, "  addr = 0x%lx, size = %d bytes\n",
++			   (unsigned long)mem->buffer.addr,
++			   (int)mem->buffer.bytes);
+ 	}
+ 	up(&list_mutex);
+-	return len;
++	return 0;
++}
++
++static int snd_mem_proc_open(struct inode *inode, struct file *file)
++{
++	return single_open(file, snd_mem_proc_read, NULL);
+ }
+ #endif /* CONFIG_PROC_FS */
+ 
++static struct file_operations snd_mem_proc_fops = {
++	.owner		= THIS_MODULE,
++	.open		= snd_mem_proc_open,
++	.read		= seq_read,
++	.llseek		= seq_lseek,
++	.release	= single_release,
++};
++
+ /*
+  * module entry
+  */
+@@ -630,7 +643,9 @@ static int snd_mem_proc_read(char *page,
+ static int __init snd_mem_init(void)
+ {
+ #ifdef CONFIG_PROC_FS
+-	create_proc_read_entry("driver/snd-page-alloc", 0, NULL, snd_mem_proc_read, NULL);
++	snd_mem_proc = create_proc_entry(SND_MEM_PROC_FILE, 0644, NULL);
++	if (snd_mem_proc)
++		snd_mem_proc->proc_fops = &snd_mem_proc_fops;
+ #endif
+ 	preallocate_cards();
+ 	return 0;
+@@ -638,7 +653,8 @@ static int __init snd_mem_init(void)
+ 
+ static void __exit snd_mem_exit(void)
+ {
+-	remove_proc_entry("driver/snd-page-alloc", NULL);
++	if (snd_mem_proc)
++		remove_proc_entry(SND_MEM_PROC_FILE, NULL);
+ 	free_all_reserved_pages();
+ 	if (snd_allocated_pages > 0)
+ 		printk(KERN_ERR "snd-malloc: Memory leak?  pages not freed = %li\n", snd_allocated_pages);