Date: Wed, 2 Dec 2009 10:41:55 -0500 (EST)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: Eugene Teo <eugene@...hat.com>
cc: oss-security@...ts.openwall.com,
"Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE request: kernel: mac80211: fix two remote exploits

On Wed, 2 Dec 2009, Eugene Teo wrote:
> Actually, you can ignore this request. So what happened was that, there
> were actually two patches for this, but Johannes combined them together
> when he shared the fix with us. So, this is part of the fixes for
> CVE-2009-4026: upstream commits (1) 4253119a and (2) 827d42c9.

The Red Hat bug report lists both CVE-2009-4026 and CVE-2009-4027 but
doesn't actually link these two CVEs to any specific fix/issue:

https://bugzilla.redhat.com/show_bug.cgi?id=541149

We associated CVE-2009-4026 with commit
827d42c9ac91ddd728e4f4a31fefb906ef2ceff7, and we associated CVE-2009-4027
with commit d92684e66091c0f0101819619b315b4bb8b5bcc5.

Here is the logic chain that we had to follow in order to perform this
association.

The History section of 541149 indicates that this "mac80211: fix
spurious delBA handling" bug was assigned both CVE-2009-4026 and
CVE-2009-4027 on 20091125. All activity in this bug is by Eugene Teo.
The fix for the bug is in commit
827d42c9ac91ddd728e4f4a31fefb906ef2ceff7. As mentioned in
oss-security/2009/12/01/2, the portion of this bug that was introduced
by the d75636ef9c1af224f1097941879d5a8db7cd04e5 commit in 2009 is
CVE-2009-4026. Therefore, the portion of the bug that was introduced by
the d92684e66091c0f0101819619b315b4bb8b5bcc5 commit in 2008 is
CVE-2009-4027. The 827d42c9ac91ddd728e4f4a31fefb906ef2ceff7 commit
message says "The first problem is that I moved a BUG_ON before various
checks -- thereby making it possible to hit. As the comment indicates,
the BUG_ON can be removed since the ampdu_action callback must already
exist when the state is != IDLE." However, apparently no part of the
diff affects any BUG_ON line in the code. Later, on 20091201, Eugene Teo
sent a "CVE request: kernel: mac80211: fix two remote exploits"
oss-security message. The fix for this additional vulnerability is in
commit 4253119acf412fd686ef4bd8749b5a4d70ea3a51. The entirety of the fix
is removal of calls to BUG_ON and WARN_ON.

- Steve