Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 14 May 2009 13:01:11 -0400 (EDT)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: Eugene Teo <eugene@...hat.com>
cc: oss-security@...ts.openwall.com, Steven French <sfrench@...ibm.com>,
        security@...nel.org, jlayton@...hat.com,
        "Steven M. Christey" <coley@...us.mitre.org>,
        dann frazier <dannf@...ian.org>, Greg KH <greg@...ah.com>
Subject: Re: Update - Re: CVE request? buffer overflow in CIFS
 in 2.6.*


On Thu, 14 May 2009, Eugene Teo wrote:

> >> CVE-2009-NOT-YET-ASSIGNED:
> >>  http://git.kernel.org/linus/27b87fe52baba0a55e9723030e76fce94fabcea4
> >>  http://git.kernel.org/?p=linux/kernel/git/sfrench/cifs-2.6.git;a=commit;h=7b0c8fcff47a885743125dd843db64af41af5a61
> >>  http://git.kernel.org/?p=linux/kernel/git/sfrench/cifs-2.6.git;a=commit;h=968460ebd8006d55661dec0fb86712b40d71c413
> >>  + some others in progress
>
> These fixes need to be tagged to a CVE.

Use CVE-2009-1633, to be filled in later.  This CVE should be anchored
*only* on the issue above.

I'm almost afraid to ask what relationship there is between the above
commits and the extensive list of other issues from Jeff Layton, which
lists the above commit and a ton of others.  Mark Cox or Josh Bressers,
this might be a good time for you to step in CNA-wise?

- Steve



> From Jeff Layton:
> The cifs code regularly has to convert strings from ucs2_le (a double
> byte encoding scheme used on windows) to the local NLS charset. The
> routines that do this have a very poor scheme for handling buffer lengths.
>
> The string conversion routines accept only a single length parameter
> specified in units of the number of wide characters that it should try
> to convert. It's assumed therefore that the destination buffer will be
> big enough. Some measures are in place now to try to ensure this, but
> they really aren't sufficient. What's needed is a new set of conversion
> routines that take both the source and destination buffer lengths into
> account.
>
> The patchset adds these routines and converts the appropriate callers to
> use them. In addition, it removes a very large piece of "experimental"
> NTLMSSP code that I found to be completely unreachable. That code was
> using the old routines and it's simpler (and better) to just remove that
> code rather than convert it.
>
> The upstream commits are:
>
> 1) [CIFS] remove cifs_strfromUCS_le
> 341060273232a2df0d1a7fa53abc661fcf22747c
>
> 2) [CIFS] Fix final user of old string conversion code
> afe48c31ea5c74eaac58621ce1c85ae8187c4383
>
> 3) cifs: fix length handling in cifs_get_name_from_search_buf
> 18295796a30cada84e933d805072dc2248d54f98
>
> 4) [CIFS] Remove unneeded QuerySymlink call and fix mapping for unmapped
> status
> 9e39b0ae8af46c83b85dae7ff5251911a80fce5a
>
> 5) [CIFS] rename cifs_strndup to cifs_strndup_from_ucs
> d185cda7712fd1d9e349174639d76eadc66679be
>
> 6) [CIFS] NTLMSSP support moving into new file, old dead code removed
> 2edd6c5b0517b9131ede9e74cb121898ccd73042
>
> 7) [CIFS] Remove older session setup implementation
> 20418acd6874792359b42c12d159f42f17593f34
>
> 8) cifs: change cifs_get_name_from_search_buf to use new unicode helper
> f58841666bc22e827ca0dcef7b71c7bc2758ce82
>
> 9) cifs: change CIFSSMBUnixQuerySymLink to use new helpers
> 460b96960d1946914e50316ffeefe7b41dddce91
>
> 10) cifs: fix session setup unicode string saving to use new unicode helpers
> 59140797c5817363087b0ffb46e6bb81a11fe0dc
>
> 11) cifs: convert CIFSTCon to use new unicode helper functions
> cc20c031bb067eb3280a1c4b5c42295093e24863
>
> 12) cifs: rename cifs_strlcpy_to_host and make it use new functions
> 066ce6899484d9026acd6ba3a8dbbedb33d7ae1b
>
> 13) cifs: add new function to get unicode string length in bytes
> 69f801fcaa03be83d58c564f00913b7c172808e4
>
> 14) cifs: add replacement for cifs_strtoUCS_le called cifs_from_ucs2
> 7fabf0c9479fef9fdb9528a5fbdb1cb744a744a4
>
> 15) cifs: move #defines for mapchars into cifs_unicode.h
> 66345f50f070ae7412a28543ee197cb5eff73598
>
> 16) nls: add a nls_nullsize inline
> d37dc42ab6f040b8f0f2962ab219c5b2accf748d
>
> 17) cifs: Increase size of tmp_buf in cifs_readdir to avoid potential
> overflows
> 7b0c8fcff47a885743125dd843db64af41af5a61
>
> 18) cifs: Rename cifs_strncpy_to_host and fix buffer size
> 968460ebd8006d55661dec0fb86712b40d71c413
>
> 19) cifs: fix unicode string area word alignment in session setup
> 27b87fe52baba0a55e9723030e76fce94fabcea4
>
> References:
> https://bugzilla.redhat.com/show_bug.cgi?id=496572
> http://git.kernel.org/linus/341060273232a2df0d1a7fa53abc661fcf22747c
> http://git.kernel.org/linus/afe48c31ea5c74eaac58621ce1c85ae8187c4383
> http://git.kernel.org/linus/18295796a30cada84e933d805072dc2248d54f98
> http://git.kernel.org/linus/9e39b0ae8af46c83b85dae7ff5251911a80fce5a
> http://git.kernel.org/linus/d185cda7712fd1d9e349174639d76eadc66679be
> http://git.kernel.org/linus/2edd6c5b0517b9131ede9e74cb121898ccd73042
> http://git.kernel.org/linus/20418acd6874792359b42c12d159f42f17593f34
> http://git.kernel.org/linus/f58841666bc22e827ca0dcef7b71c7bc2758ce82
> http://git.kernel.org/linus/460b96960d1946914e50316ffeefe7b41dddce91
> http://git.kernel.org/linus/59140797c5817363087b0ffb46e6bb81a11fe0dc
> http://git.kernel.org/linus/cc20c031bb067eb3280a1c4b5c42295093e24863
> http://git.kernel.org/linus/066ce6899484d9026acd6ba3a8dbbedb33d7ae1b
> http://git.kernel.org/linus/69f801fcaa03be83d58c564f00913b7c172808e4
> http://git.kernel.org/linus/7fabf0c9479fef9fdb9528a5fbdb1cb744a744a4
> http://git.kernel.org/linus/66345f50f070ae7412a28543ee197cb5eff73598
> http://git.kernel.org/linus/d37dc42ab6f040b8f0f2962ab219c5b2accf748d
> http://git.kernel.org/linus/7b0c8fcff47a885743125dd843db64af41af5a61
> http://git.kernel.org/linus/968460ebd8006d55661dec0fb86712b40d71c413
> http://git.kernel.org/linus/27b87fe52baba0a55e9723030e76fce94fabcea4
>
> Thanks, Eugene
>

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ