Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
Date: Thu, 03 Dec 2009 09:06:02 +0800
From: Eugene Teo <eugene@...hat.com>
To: "Steven M. Christey" <coley@...us.mitre.org>
CC: oss-security@...ts.openwall.com
Subject: Re: CVE request: kernel: mac80211: fix two remote exploits

On 12/02/2009 11:41 PM, Steven M. Christey wrote:
>
> On Wed, 2 Dec 2009, Eugene Teo wrote:
>
>> Actually, you can ignore this request. So what happened was that, there
>> were actually two patches for this, but Johannes combined them together
>> when he shared the fix with us. So, this is part of the fixes for
>> CVE-2009-4026: upstream commits (1) 4253119a and (2) 827d42c9.
>
> The Red Hat bug report lists both CVE-2009-4026 and CVE-2009-4027 but
> doesn't actually link these two CVEs to any specific fix/issue:
>
>    https://bugzilla.redhat.com/show_bug.cgi?id=541149
>
> We associated CVE-2009-4026 with commit
> 827d42c9ac91ddd728e4f4a31fefb906ef2ceff7, and we associated CVE-2009-4027
> with commit d92684e66091c0f0101819619b315b4bb8b5bcc5.
>
> Here is the logic chain that we had to follow in order to perform this
> association.
>
>    The History section of 541149 indicates that this "mac80211: fix
>    spurious delBA handling" bug was assigned both CVE-2009-4026 and
>    CVE-2009-4027 on 20091125. All activity in this bug is by Eugene Teo.
>    The fix for the bug is in commit
>    827d42c9ac91ddd728e4f4a31fefb906ef2ceff7. As mentioned in
>    oss-security/2009/12/01/2, the portion of this bug that was introduced
>    by the d75636ef9c1af224f1097941879d5a8db7cd04e5 commit in 2009 is
>    CVE-2009-4026. Therefore, the portion of the bug that was introduced by
>    the d92684e66091c0f0101819619b315b4bb8b5bcc5 commit in 2008 is
>    CVE-2009-4027. The 827d42c9ac91ddd728e4f4a31fefb906ef2ceff7 commit
>    message says "The first problem is that I moved a BUG_ON before various
>    checks -- thereby making it possible to hit. As the comment indicates,
>    the BUG_ON can be removed since the ampdu_action callback must already
>    exist when the state is != IDLE." However, apparently no part of the
>    diff affects any BUG_ON line in the code. Later, on 20091201, Eugene Teo
>    sent a "CVE request: kernel: mac80211: fix two remote exploits"
>    oss-security message. The fix for this additional vulnerability is in
>    commit 4253119acf412fd686ef4bd8749b5a4d70ea3a51. The entirety of the fix
>    is removal of calls to BUG_ON and WARN_ON.

Hi Steve,

The two CVE names were assigned when this issue was reported in
vendor-sec (I forwarded you the email; I should have cc'ed you but I
missed it, sorry). When it was reported, the reporter combined two
patches into one, but upstream committed them in two separate
patches: upstream commits 4253119a and 827d42c9.

There are two issues in commit 827d42c9. The first issue (problem) was 
assigned CVE-2009-4026, and the second issue (problem) was assigned 
CVE-2009-4027. Commit 4253119a should be associated with CVE-2009-4026 
because the fix is also for an issue that was introduced by d75636ef 
(which is related to the first issue).

Commits 4253119a and 827d42c9 (first problem) = CVE-2009-4026
Commit 827d42c9 (second problem) = CVE-2009-4027

Thanks, Eugene
-- 
Eugene Teo / Red Hat Security Response Team
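The root cause that the quoted commit message describes (a BUG_ON moved in front of the checks that would otherwise reject a spurious delBA, so a frame from a peer that never started a session can hit it) is easy to model outside the kernel. The following is an added example, not mac80211 code and not part of this thread: `struct sta_model`, `AGG_IDLE`/`AGG_OPERATIONAL`, `MODEL_BUG_ON` and the two `handle_delba_*` functions are hypothetical names. It keeps only the invariant the commit message relies on, that `ampdu_action` is set whenever the state is not IDLE, and replaces the kernel panic with a counter so both orderings can be compared on the same constructed input.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical, simplified model of a per-station aggregation session
 * (not mac80211's own structures). Invariant taken from the commit
 * message: while the session is not IDLE, ampdu_action is non-NULL. */
enum agg_state { AGG_IDLE, AGG_OPERATIONAL };

struct sta_model {
    enum agg_state state;
    int (*ampdu_action)(struct sta_model *sta);  /* NULL until a session starts */
};

/* Stand-in for BUG_ON: count the hit and bail out instead of panicking,
 * so a test can observe "this path would have crashed the kernel". */
static int bug_on_hits;
#define MODEL_BUG_ON(cond) \
    do { if (cond) { bug_on_hits++; return -1; } } while (0)

static int tear_down(struct sta_model *sta)
{
    int rc = sta->ampdu_action(sta);   /* only reached when state != IDLE */
    sta->state = AGG_IDLE;
    return rc;
}

/* Ordering the commit message describes as the problem: the assertion
 * runs before the state check, so an unsolicited delBA for a peer that
 * never started a session (IDLE, callback still NULL) hits it. */
static int handle_delba_before_fix(struct sta_model *sta)
{
    MODEL_BUG_ON(sta->ampdu_action == NULL);
    if (sta->state == AGG_IDLE)
        return 0;                       /* spurious delBA: nothing to stop */
    return tear_down(sta);
}

/* Fixed ordering: reject the spurious frame first. The assertion is then
 * redundant (non-IDLE implies the callback was set when the session was
 * started), so it is simply removed, as the commit message says. */
static int handle_delba_after_fix(struct sta_model *sta)
{
    if (sta->state == AGG_IDLE)
        return 0;
    return tear_down(sta);
}

static int noop_ampdu_action(struct sta_model *sta)
{
    (void)sta;
    return 0;
}

/* Constructed input: one delBA for either an idle peer (no session, no
 * callback) or a peer with an operational session. */
static void run_delba(bool use_fixed, bool idle_peer, struct sta_model *sta)
{
    sta->state = idle_peer ? AGG_IDLE : AGG_OPERATIONAL;
    sta->ampdu_action = idle_peer ? NULL : noop_ampdu_action;
    bug_on_hits = 0;
    (void)(use_fixed ? handle_delba_after_fix(sta)
                     : handle_delba_before_fix(sta));
}

/* Number of times the assertion fired for that input. */
int delba_bug_hits(bool use_fixed, bool idle_peer)
{
    struct sta_model sta;
    run_delba(use_fixed, idle_peer, &sta);
    return bug_on_hits;
}

/* 1 if the station ends up IDLE, i.e. a real session was torn down or a
 * spurious frame was ignored without touching anything. */
int delba_ends_idle(bool use_fixed, bool idle_peer)
{
    struct sta_model sta;
    run_delba(use_fixed, idle_peer, &sta);
    return sta.state == AGG_IDLE;
}

int main(void)
{
    printf("before fix, idle peer:   BUG_ON hits = %d\n", delba_bug_hits(false, true));
    printf("after fix,  idle peer:   BUG_ON hits = %d\n", delba_bug_hits(true, true));
    printf("after fix,  active peer: BUG_ON hits = %d, ends idle = %d\n",
           delba_bug_hits(true, false), delba_ends_idle(true, false));
    return 0;
}
```

In the kernel the stand-in counter is a panic, which is why a frame that merely needs to reach the handler turns a mis-ordered assertion into a remote denial of service; the fixed ordering handles the legitimate teardown identically and treats the spurious frame as a no-op.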
