Date: Wed, 2 Dec 2009 10:41:55 -0500 (EST) From: "Steven M. Christey" <coley@...us.mitre.org> To: Eugene Teo <eugene@...hat.com> cc: oss-security@...ts.openwall.com, "Steven M. Christey" <coley@...us.mitre.org> Subject: Re: CVE request: kernel: mac80211: fix two remote exploits On Wed, 2 Dec 2009, Eugene Teo wrote: > Actually, you can ignore this request. So what happened was that, there > were actually two patches for this, but Johannes combined them together > when he shared the fix with us. So, this is part of the fixes for > CVE-2009-4026: upstream commits (1) 4253119a and (2) 827d42c9. The Red Hat bug report lists both CVE-2009-4026 and CVE-2009-4027 but doesn't actually link these two CVEs to any specific fix/issue: https://bugzilla.redhat.com/show_bug.cgi?id=541149 We associated CVE-2009-4026 with commit 827d42c9ac91ddd728e4f4a31fefb906ef2ceff7, and we associated CVE-2009-4027 with commit d92684e66091c0f0101819619b315b4bb8b5bcc5. Here is the logic chain that we had to follow in order to perform this association. The History section of 541149 indicates that this "mac80211: fix spurious delBA handling" bug was assigned both CVE-2009-4026 and CVE-2009-4027 on 20091125. All activity in this bug is by Eugene Teo. The fix for the bug is in commit 827d42c9ac91ddd728e4f4a31fefb906ef2ceff7. As mentioned in oss-security/2009/12/01/2, the portion of this bug that was introduced by the d75636ef9c1af224f1097941879d5a8db7cd04e5 commit in 2009 is CVE-2009-4026. Therefore, the portion of the bug that was introduced by the d92684e66091c0f0101819619b315b4bb8b5bcc5 commit in 2008 is CVE-2009-4027. The 827d42c9ac91ddd728e4f4a31fefb906ef2ceff7 commit message says "The first problem is that I moved a BUG_ON before various checks -- thereby making it possible to hit. As the comment indicates, the BUG_ON can be removed since the ampdu_action callback must already exist when the state is != IDLE." However, apparently no part of the diff affects any BUG_ON line in the code. Later, on 20091201, Eugene Teo sent a "CVE request: kernel: mac80211: fix two remote exploits" oss-security message. The fix for this additional vulnerability is in commit 4253119acf412fd686ef4bd8749b5a4d70ea3a51. The entirety of the fix is removal of calls to BUG_ON and WARN_ON. - Steve
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ