Products Openwall GNU/*/Linux   server OS John the Ripper   password cracker Free & Open Source for any platform Pro for Linux (RPM package) Pro for Mac OS X (dmg package) Wordlists   for password cracking passwdqc   policy enforcement phpass   password hashing in PHP crypt_blowfish   ditto in C/C++ tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login Linux kernel security hardening Services Publications Articles Presentations Community Mailing lists Community wiki Donations Resources Source code repository (CVSweb) File archive & mirrors How to verify digital signatures Password recovery resources Recommended books What's new

Date: Sun, 5 Apr 2009 00:11:31 +0200
From: Marcus Meissner <meissner@...e.de>
To: OSS Security List <oss-security@...ts.openwall.com>
Cc: security@...nel.org, sfrench@...ibm.com
Subject: CVE request? buffer overflow in CIFS in 2.6.*

Hi,

I guess we need a CVE for this fix:

http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.29.y.git;a=commitdiff;h=15bd8021d870d2c4fbf8c16578d72d03cfddd3a7

Fixes a kmalloc area overflow in CIFS, number of overwritten bytes
is depending on the codepage converted to.

The data seems to come from a remote generated reply blob even, correct
me if I am wrong. :/

Checking our enterprise distro kernels it seems to cover most of the
2.6 kernel range...
2.6.27 has the same code, 2.6.16 too, 2.6.5 too.



And I wonder if "len*2" is sufficient, can't a UCS -> UTF8 conversion
generate more than 2 byte utf-8 characters for 1 ucs character?

(spotted by felix leitner, german blog entry: http://blog.fefe.de/?ts=b72905a8 )

Ciao, Marcus

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ