Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Mon, 3 Aug 2009 16:07:36 +0200
From: Marcus Meissner <meissner@...e.de>
To: oss-security@...ts.openwall.com
Subject: Re: http://www.securityfocus.com/bid/33672/info kernel issue

On Thu, Feb 12, 2009 at 09:22:59PM +0100, Marcus Meissner wrote:
> On Thu, Feb 12, 2009 at 08:05:27PM +0000, Mark J Cox wrote:
> > >http://www.securityfocus.com/bid/33672/ seems to be this commit:
> > >http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.28.y.git;a=commit;h=8255fc826e58c0a59711029e01db9fcdc06ba211
> > >Not sure if its exploitable though.
> > 
> > BTW that BID list of affected kernels isn't correct; the multibyte stuff 
> > wasn't in <=2.6.18 at least.
> > 
> > I didn't check exactly where since it doesn't affect RHEL and didn't look 
> > into the issue any further -- but on first glance it seemed like you'd 
> > have to be a console user and display/select some carefully chosen 
> > characters in order to do the overflow; so it's probably a 'local attacker 
> > at keyboard' flaw?
> 
> We backported Unicode stuff to SLES 10 I just see, but yes, 2.6.18 then.
> 
> Yes, console user only. And you can overflow 2 bytes over the end of kmalloced
> space, not sure how much you can do with this.

New reference for the CVE-2009-1046 entry and a exploit:

http://kernelbof.blogspot.com/2009/07/even-when-one-byte-matters.html

Ciao, Marcus

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ