Date: Thu, 03 Dec 2009 09:06:02 +0800
From: Eugene Teo <eugene@...hat.com>
To: "Steven M. Christey" <coley@...us.mitre.org>
CC: oss-security@...ts.openwall.com
Subject: Re: CVE request: kernel: mac80211: fix two remote exploits

On 12/02/2009 11:41 PM, Steven M. Christey wrote:
>
> On Wed, 2 Dec 2009, Eugene Teo wrote:
>
>> Actually, you can ignore this request. So what happened was that, there
>> were actually two patches for this, but Johannes combined them together
>> when he shared the fix with us. So, this is part of the fixes for
>> CVE-2009-4026: upstream commits (1) 4253119a and (2) 827d42c9.
>
> The Red Hat bug report lists both CVE-2009-4026 and CVE-2009-4027 but
> doesn't actually link these two CVEs to any specific fix/issue:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=541149
>
> We associated CVE-2009-4026 with commit
> 827d42c9ac91ddd728e4f4a31fefb906ef2ceff7, and we associated CVE-2009-4027
> with commit d92684e66091c0f0101819619b315b4bb8b5bcc5.
>
> Here is the logic chain that we had to follow in order to perform this
> association.
>
> The History section of 541149 indicates that this "mac80211: fix
> spurious delBA handling" bug was assigned both CVE-2009-4026 and
> CVE-2009-4027 on 20091125. All activity in this bug is by Eugene Teo.
> The fix for the bug is in commit
> 827d42c9ac91ddd728e4f4a31fefb906ef2ceff7. As mentioned in
> oss-security/2009/12/01/2, the portion of this bug that was introduced
> by the d75636ef9c1af224f1097941879d5a8db7cd04e5 commit in 2009 is
> CVE-2009-4026. Therefore, the portion of the bug that was introduced by
> the d92684e66091c0f0101819619b315b4bb8b5bcc5 commit in 2008 is
> CVE-2009-4027. The 827d42c9ac91ddd728e4f4a31fefb906ef2ceff7 commit
> message says "The first problem is that I moved a BUG_ON before various
> checks -- thereby making it possible to hit. As the comment indicates,
> the BUG_ON can be removed since the ampdu_action callback must already
> exist when the state is != IDLE." However, apparently no part of the
> diff affects any BUG_ON line in the code. Later, on 20091201, Eugene Teo
> sent a "CVE request: kernel: mac80211: fix two remote exploits"
> oss-security message. The fix for this additional vulnerability is in
> commit 4253119acf412fd686ef4bd8749b5a4d70ea3a51. The entirety of the fix
> is removal of calls to BUG_ON and WARN_ON.

Hi Steve,

The two CVE names were assigned when this issue was reported in
vendor-sec (forwarded you the email; I should have cc'ed you but I
missed it, sorry). When it was reported, the reporter combined two
patches into one, but the upstream committed them in two separate
patches: upstream commits 4253119a and 827d42c9.

There are two issues in commit 827d42c9. The first issue (problem) was
assigned CVE-2009-4026, and the second issue (problem) was assigned
CVE-2009-4027. Commit 4253119a should be associated with CVE-2009-4026
because the fix is also for an issue that was introduced by d75636ef
(which is related to the first issue).

Commits 4253119a and 827d42c9 (first problem) = CVE-2009-4026
Commit 827d42c9 (second problem) = CVE-2009-4027

Thanks, Eugene

--
Eugene Teo / Red Hat Security Response Team