Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 14 May 2009 13:01:11 -0400 (EDT)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: Eugene Teo <eugene@...hat.com>
cc: oss-security@...ts.openwall.com, Steven French <sfrench@...ibm.com>,
        security@...nel.org, jlayton@...hat.com,
        "Steven M. Christey" <coley@...us.mitre.org>,
        dann frazier <dannf@...ian.org>, Greg KH <greg@...ah.com>
Subject: Re: Update - Re: CVE request? buffer overflow in CIFS
 in 2.6.*


On Thu, 14 May 2009, Eugene Teo wrote:

> >> CVE-2009-NOT-YET-ASSIGNED:
> >>  http://git.kernel.org/linus/27b87fe52baba0a55e9723030e76fce94fabcea4
> >>  http://git.kernel.org/?p=linux/kernel/git/sfrench/cifs-2.6.git;a=commit;h=7b0c8fcff47a885743125dd843db64af41af5a61
> >>  http://git.kernel.org/?p=linux/kernel/git/sfrench/cifs-2.6.git;a=commit;h=968460ebd8006d55661dec0fb86712b40d71c413
> >>  + some others in progress
>
> These fixes need to be tagged to a CVE.

Use CVE-2009-1633, to be filled in later.  This CVE should be anchored
*only* on the issue above.

I'm almost afraid to ask what relationship there is between the above
commits and the extensive list of other issues from Jeff Layton, which
lists the above commit and a ton of others.  Mark Cox or Josh Bressers,
this might be a good time for you to step in CNA-wise?

- Steve



> From Jeff Layton:
> The cifs code regularly has to convert strings from ucs2_le (a double
> byte encoding scheme used on windows) to the local NLS charset. The
> routines that do this have a very poor scheme for handling buffer lengths.
>
> The string conversion routines accept only a single length parameter
> specified in units of the number of wide characters that it should try
> to convert. It's assumed therefore that the destination buffer will be
> big enough. Some measures are in place now to try to ensure this, but
> they really aren't sufficient. What's needed is a new set of conversion
> routines that take both the source and destination buffer lengths into
> account.
>
> The patchset adds these routines and converts the appropriate callers to
> use them. In addition, it removes a very large piece of "experimental"
> NTLMSSP code that I found to be completely unreachable. That code was
> using the old routines and it's simpler (and better) to just remove that
> code rather than convert it.
>
> The upstream commits are:
>
> 1) [CIFS] remove cifs_strfromUCS_le
> 341060273232a2df0d1a7fa53abc661fcf22747c
>
> 2) [CIFS] Fix final user of old string conversion code
> afe48c31ea5c74eaac58621ce1c85ae8187c4383
>
> 3) cifs: fix length handling in cifs_get_name_from_search_buf
> 18295796a30cada84e933d805072dc2248d54f98
>
> 4) [CIFS] Remove unneeded QuerySymlink call and fix mapping for unmapped
> status
> 9e39b0ae8af46c83b85dae7ff5251911a80fce5a
>
> 5) [CIFS] rename cifs_strndup to cifs_strndup_from_ucs
> d185cda7712fd1d9e349174639d76eadc66679be
>
> 6) [CIFS] NTLMSSP support moving into new file, old dead code removed
> 2edd6c5b0517b9131ede9e74cb121898ccd73042
>
> 7) [CIFS] Remove older session setup implementation
> 20418acd6874792359b42c12d159f42f17593f34
>
> 8) cifs: change cifs_get_name_from_search_buf to use new unicode helper
> f58841666bc22e827ca0dcef7b71c7bc2758ce82
>
> 9) cifs: change CIFSSMBUnixQuerySymLink to use new helpers
> 460b96960d1946914e50316ffeefe7b41dddce91
>
> 10) cifs: fix session setup unicode string saving to use new unicode helpers
> 59140797c5817363087b0ffb46e6bb81a11fe0dc
>
> 11) cifs: convert CIFSTCon to use new unicode helper functions
> cc20c031bb067eb3280a1c4b5c42295093e24863
>
> 12) cifs: rename cifs_strlcpy_to_host and make it use new functions
> 066ce6899484d9026acd6ba3a8dbbedb33d7ae1b
>
> 13) cifs: add new function to get unicode string length in bytes
> 69f801fcaa03be83d58c564f00913b7c172808e4
>
> 14) cifs: add replacement for cifs_strtoUCS_le called cifs_from_ucs2
> 7fabf0c9479fef9fdb9528a5fbdb1cb744a744a4
>
> 15) cifs: move #defines for mapchars into cifs_unicode.h
> 66345f50f070ae7412a28543ee197cb5eff73598
>
> 16) nls: add a nls_nullsize inline
> d37dc42ab6f040b8f0f2962ab219c5b2accf748d
>
> 17) cifs: Increase size of tmp_buf in cifs_readdir to avoid potential
> overflows
> 7b0c8fcff47a885743125dd843db64af41af5a61
>
> 18) cifs: Rename cifs_strncpy_to_host and fix buffer size
> 968460ebd8006d55661dec0fb86712b40d71c413
>
> 19) cifs: fix unicode string area word alignment in session setup
> 27b87fe52baba0a55e9723030e76fce94fabcea4
>
> References:
> https://bugzilla.redhat.com/show_bug.cgi?id=496572
> http://git.kernel.org/linus/341060273232a2df0d1a7fa53abc661fcf22747c
> http://git.kernel.org/linus/afe48c31ea5c74eaac58621ce1c85ae8187c4383
> http://git.kernel.org/linus/18295796a30cada84e933d805072dc2248d54f98
> http://git.kernel.org/linus/9e39b0ae8af46c83b85dae7ff5251911a80fce5a
> http://git.kernel.org/linus/d185cda7712fd1d9e349174639d76eadc66679be
> http://git.kernel.org/linus/2edd6c5b0517b9131ede9e74cb121898ccd73042
> http://git.kernel.org/linus/20418acd6874792359b42c12d159f42f17593f34
> http://git.kernel.org/linus/f58841666bc22e827ca0dcef7b71c7bc2758ce82
> http://git.kernel.org/linus/460b96960d1946914e50316ffeefe7b41dddce91
> http://git.kernel.org/linus/59140797c5817363087b0ffb46e6bb81a11fe0dc
> http://git.kernel.org/linus/cc20c031bb067eb3280a1c4b5c42295093e24863
> http://git.kernel.org/linus/066ce6899484d9026acd6ba3a8dbbedb33d7ae1b
> http://git.kernel.org/linus/69f801fcaa03be83d58c564f00913b7c172808e4
> http://git.kernel.org/linus/7fabf0c9479fef9fdb9528a5fbdb1cb744a744a4
> http://git.kernel.org/linus/66345f50f070ae7412a28543ee197cb5eff73598
> http://git.kernel.org/linus/d37dc42ab6f040b8f0f2962ab219c5b2accf748d
> http://git.kernel.org/linus/7b0c8fcff47a885743125dd843db64af41af5a61
> http://git.kernel.org/linus/968460ebd8006d55661dec0fb86712b40d71c413
> http://git.kernel.org/linus/27b87fe52baba0a55e9723030e76fce94fabcea4
>
> Thanks, Eugene
>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.