Date: Fri, 22 Oct 2010 10:38:52 -0400 (EDT)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: coley <coley@...re.org>
Subject: Re: CVE request: kernel: heap overflow in TIPC

Please use CVE-2010-3859

Thanks.

-- 
JB

----- "Dan Rosenberg" <dan.j.rosenberg@...il.com> wrote:

> The tipc_msg_build() function in net/tipc/msg.c contains an
> exploitable kernel heap overflow that would allow a local user to
> escalate privileges to root by issuing maliciously crafted sendmsg()
> calls via TIPC sockets.
>
> Fortunately, none of the distributions I tested actually define a
> module alias for TIPC even though it is compiled as a module on nearly
> all of them (I suspect this is a lucky accident). Since in these
> situations the TIPC module will not be loaded automatically on
> creation of a TIPC socket, an administrator would have had to
> explicitly load the TIPC kernel module in order for a system to be
> vulnerable.
>
> I checked Ubuntu, Debian, and Fedora, none of which define an alias.
> Any distributions that define a module alias for TIPC (i.e. "alias
> net-pf-30 tipc") should treat this as a serious vulnerability. Even
> if your distribution does not, I highly recommend backporting the fix
> for this, since it's a bit of defensive programming in the core
> networking code that handles verifying user-supplied iovecs, which
> likely resolves other undiscovered (or undisclosed) security issues
> elsewhere. I'll post a link to the fix when it's finalized and
> committed.
>
> Reference:
> http://marc.info/?l=linux-netdev&m=128770476511716&w=2
>
> -Dan
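Added illustration, not code from this thread, from the kernel, or from the fix Dan refers to: the C program below models the defect class he describes in the iovec-verification path, namely a total of user-supplied iovec lengths accumulated in a 32-bit counter. The counter wraps, the sender allocates a buffer sized from the wrapped value, and the copy phase then writes every iovec in full. Beside it is the defensive form that rejects any request whose running total would exceed INT_MAX. The iovec layout, the 40-byte header, the two 2 GiB sample entries and the function names are constructed for this example; overflow_bytes() only computes what the copy loop would write, so nothing large is allocated or copied.

```c
/*
 * Added example: unchecked vs. checked summation of user iovec lengths.
 * Not kernel code; the struct, header size and samples are constructed
 * for illustration only.
 */
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Same shape as the userland/kernel struct iovec. */
struct iovec {
    void *iov_base;
    size_t iov_len;
};

/* Pre-fix pattern: lengths are size_t, but the total is kept in a 32-bit
 * counter and handed to the allocator as an int.  Never fails, so a pair
 * of large iovecs can wrap the total to something tiny. */
int iov_total_unchecked(const struct iovec *iov, unsigned long nr)
{
    unsigned int tot = 0;                 /* 32-bit accumulator: wraps silently */
    for (unsigned long i = 0; i < nr; i++)
        tot += (unsigned int)iov[i].iov_len;
    return (int)tot;
}

/* Defensive form: reject before the running total could exceed INT_MAX, so
 * the value passed to the allocator is always the true byte count. */
int iov_total_checked(const struct iovec *iov, unsigned long nr)
{
    int tot = 0;
    for (unsigned long i = 0; i < nr; i++) {
        size_t len = iov[i].iov_len;
        if (len > (size_t)INT_MAX - (size_t)tot)
            return -EINVAL;               /* total would not fit in an int */
        tot += (int)len;
    }
    return tot;
}

/* Dry run of the message-build copy phase: the builder allocates
 * hdr + total bytes and then copies each iovec in full.  Returns how many
 * bytes the copy loop would write past the end of that allocation
 * (0 means safe).  A negative total means the request was rejected, so
 * nothing is allocated or copied. */
uint64_t overflow_bytes(const struct iovec *iov, unsigned long nr,
                        int total, size_t hdr)
{
    if (total < 0)
        return 0;
    uint64_t alloc = (uint64_t)hdr + (uint64_t)total;
    uint64_t written = hdr;
    for (unsigned long i = 0; i < nr; i++)
        written += iov[i].iov_len;        /* true bytes copied, no truncation */
    return written > alloc ? written - alloc : 0;
}

/* Constructed samples.  "big" is two 2 GiB iovecs whose lengths add to
 * exactly 2^32, which a 32-bit accumulator wraps to 0.  "small" is a
 * benign request that both versions must accept identically. */
static const struct iovec big[2] = {
    { NULL, 0x80000000UL },
    { NULL, 0x80000000UL },
};
static const struct iovec small[2] = {
    { NULL, 100 },
    { NULL, 200 },
};

int main(void)
{
    int naive = iov_total_unchecked(big, 2);
    int fixed = iov_total_checked(big, 2);
    printf("unchecked: total=%d, copy would overrun by %llu bytes\n",
           naive, (unsigned long long)overflow_bytes(big, 2, naive, 40));
    printf("checked:   total=%d (%s)\n", fixed,
           fixed < 0 ? "rejected with -EINVAL" : "accepted");
    printf("benign:    unchecked=%d checked=%d\n",
           iov_total_unchecked(small, 2), iov_total_checked(small, 2));
    return 0;
}
```

The check is deliberately written as a comparison against the remaining headroom (INT_MAX minus the running total) rather than as a post-hoc test on the sum, so it never relies on wrapped arithmetic to detect wrapping; that is the same discipline a backport of the verify-iovec hardening needs to preserve.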