Date: Mon, 03 Nov 2008 17:51:43 +0800
From: Eugene Teo <eteo@...hat.com>
To: oss-security@...ts.openwall.com
CC: "Steven M. Christey" <coley@...us.mitre.org>, Greg KH <greg@...ah.com>
Subject: CVE requests: kernel: hfsplus-related bugs

These were committed in the upstream kernel. Reported by Eric Sesterhenn.

1) hfsplus: fix Buffer overflow with a corrupted image
Upstream commit: efc7ffcb4237f8cb9938909041c4ed38f6e1bf40

When an hfsplus image gets corrupted it might happen that the catalog
namelength field gets b0rked.  If we mount such an image the memcpy() in
hfsplus_cat_build_key_uni() writes more than the 255 that fit in the
name field.  Depending on the size of the overwritten data, we either
only get memory corruption or also trigger an oops.

2) hfsplus: check read_mapping_page() return value
Upstream commit: 649f1ee6c705aab644035a7998d7b574193a598a

The return value of read_mapping_page() is passed on to kmap unchecked.
The bug is triggered after the first read_mapping_page() in
hfsplus_block_allocate(), this patch fixes all three usages in this
function but leaves the ones further down in the file unchanged. This
was triggered by mounting an intentionally corrupted image.

These bugs need CVE names.

Thanks, Eugene
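
The bug class in item 1, as an added user-space example that is not part of the original message and is not the kernel's code or the upstream patch: a length field read from an untrusted image drives a memcpy() into a fixed 255-unit name field. All struct and function names here are hypothetical, and the field is assumed to be stored big-endian.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define NAME_MAX_UNITS 255   /* capacity of the name field (from the message) */

/* Hypothetical user-space model: length field plus 16-bit name units. */
struct uni_name { uint16_t length_be; uint16_t unicode[NAME_MAX_UNITS]; };
struct cat_key  { uint32_t parent; struct uni_name name; };

/* Big-endian helpers for the length field read from the untrusted image. */
uint16_t be16_get(uint16_t raw)
{
    const uint8_t *p = (const uint8_t *)&raw;
    return (uint16_t)((p[0] << 8) | p[1]);
}
uint16_t be16_put(uint16_t v)
{
    uint8_t b[2] = { (uint8_t)(v >> 8), (uint8_t)v };
    uint16_t raw;
    memcpy(&raw, b, sizeof raw);
    return raw;
}

/* Unchecked pattern, for contrast only (never called): a corrupted length
 * above 255 makes memcpy() write past key->name.unicode. */
void build_key_unchecked(struct cat_key *key, uint32_t parent,
                         const struct uni_name *src)
{
    key->parent = parent;
    key->name.length_be = src->length_be;
    memcpy(key->name.unicode, src->unicode, 2 * (size_t)be16_get(src->length_be));
}

/* Hardened pattern: validate the on-disk length against the destination
 * capacity before copying; report corruption instead of writing. */
int build_key_checked(struct cat_key *key, uint32_t parent,
                      const struct uni_name *src)
{
    uint16_t len = be16_get(src->length_be);

    if (len > NAME_MAX_UNITS)
        return -EIO;
    key->parent = parent;
    key->name.length_be = src->length_be;
    memcpy(key->name.unicode, src->unicode, 2 * (size_t)len);
    return 0;
}
```

The checked variant leaves the destination key untouched when the length is out of range, so a caller can fail the lookup without having written anything.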
