Date: Mon, 10 Nov 2008 23:34:53 +0800
From: "Eugene Teo" <eugeneteo@...nel.sg>
To: oss-security@...ts.openwall.com
Cc: "Steven M. Christey" <coley@...us.mitre.org>, "Greg KH" <greg@...ah.com>
Subject: Re: CVE requests: kernel: hfsplus-related bugs

Hi Steve,

On Mon, Nov 10, 2008 at 10:47 PM, Steven M. Christey
<coley@...us.mitre.org> wrote:
>
> On Mon, 10 Nov 2008, Eugene Teo wrote:
>
>> > 1) hfsplus: fix Buffer overflow with a corrupted image
>> > Upstream commit: efc7ffcb4237f8cb9938909041c4ed38f6e1bf40
>> ...
>> There's an equivalent bug for hfs. The upstream commit is d38b7aa. We
>> will need a CVE name for this too.
>
> Use CVE-2008-5025
>
> Is the bug exactly equivalent? Could you be more specific about existing
> references? "d38b7aa" doesn't look like a typical commit ID so the CVE is
> currently marked as reserved.

Both patches validate the catalog name length.

The following is the description of the hfs bug:

"Fix a stack corruption caused by a corrupted hfs filesystem. If the
catalog name length is corrupted the memcpy overwrites the catalog
btree structure. Since the field is limited to HFS_NAMELEN bytes in
the structure and the file format, we throw an error if it is too
long."

It is possible to use the 7-hexdigit instead of the usual 40-hexdigit
SHA1 hash to refer to the commit ID.

Thanks, Eugene
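
The length validation described in the quoted commit message, as an added example that is not part of the original message and is not the kernel's code. The struct layout, the function name copy_name_checked and the sample records are simplified assumptions made for illustration; HFS_NAMELEN is taken as 31.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HFS_NAMELEN 31  /* size of the name field (assumed value for this sketch) */

/* Simplified stand-in for a catalog name: one length byte, then a fixed field. */
struct cat_name {
    uint8_t len;
    uint8_t name[HFS_NAMELEN];
};

/*
 * Copy a name out of an untrusted on-disk record (rec[0] is the length byte).
 * The unchecked pattern would be memcpy(dst->name, rec + 1, rec[0]), which
 * lets a corrupted length of up to 255 write past the 31-byte field.
 * Here a record is rejected when the length exceeds the field or the record
 * itself. Returns 0 on success, -1 on a corrupted record; dst is left
 * untouched on failure.
 */
int copy_name_checked(struct cat_name *dst, const uint8_t *rec, size_t rec_len)
{
    if (rec_len < 1)
        return -1;                    /* no length byte at all */
    uint8_t len = rec[0];
    if (len > HFS_NAMELEN)
        return -1;                    /* longer than the format allows */
    if ((size_t)len + 1 > rec_len)
        return -1;                    /* claims more bytes than the record holds */
    dst->len = len;
    memcpy(dst->name, rec + 1, len);
    return 0;
}

/* Constructed sample records, not taken from any real filesystem image. */
static const uint8_t good_rec[]  = { 5, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t bad_rec[]   = { 200, 'A', 'A', 'A', 'A' };  /* corrupted length */
static const uint8_t short_rec[] = { 10, 'a', 'b' };             /* truncated record */

int main(void)
{
    struct cat_name n;
    memset(&n, 0, sizeof n);
    printf("good:  %d\n", copy_name_checked(&n, good_rec, sizeof good_rec));
    printf("bad:   %d\n", copy_name_checked(&n, bad_rec, sizeof bad_rec));
    printf("short: %d\n", copy_name_checked(&n, short_rec, sizeof short_rec));
    return 0;
}
```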