[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 21 Mar 2011 12:35:20 +0800
From: Eugene Teo <eugene@...hat.com>
To: oss-security@...ts.openwall.com
CC: Vasiliy Kulikov <segoon@...nwall.com>,
"Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE request: kernel: netfilter & econet infoleaks
> "Structures ipt_replace, compat_ipt_replace, and xt_get_revision are
> copied from userspace. Fields of these structs that are
> zero-terminated strings are not checked. When they are used as argument
> to a format string containing "%s" in request_module(), some sensitive
> information is leaked to userspace via argument of spawned modprobe
> process.
>
> The first bug was introduced before the git epoch; the second is
> introduced by 6b7d31fc (v2.6.15-rc1); the third is introduced by
> 6b7d31fc (v2.6.15-rc1). To trigger the bug one should have
> CAP_NET_ADMIN."
> http://marc.info/?l=netfilter-devel&m=129978081009955&w=2
[PATCH] ipv4: netfilter: arp_tables: fix infoleak to userspace
CVE-2011-1170
> "Structures ipt_replace, compat_ipt_replace, and xt_get_revision are
> copied from userspace. Fields of these structs that are
> zero-terminated strings are not checked. When they are used as argument
> to a format string containing "%s" in request_module(), some sensitive
> information is leaked to userspace via argument of spawned modprobe
> process.
>
> The first and the third bugs were introduced before the git epoch; the
> second was introduced in 2722971c (v2.6.17-rc1). To trigger the bug
> one should have CAP_NET_ADMIN."
> http://marc.info/?l=linux-kernel&m=129978077609894&w=2
[PATCH] ipv4: netfilter: ip_tables: fix infoleak to userspace
CVE-2011-1171
> "'buffer' string is copied from userspace. It is not checked whether it is
> zero terminated. This may lead to overflow inside of simple_strtoul().
> Changli Gao suggested to copy not more than user supplied 'size' bytes.
>
> It was introduced before the git epoch. Files "ipt_CLUSTERIP/*" are
> root writable only by default, however, on some setups permissions might be
> relaxed to e.g. network admin user."
> http://marc.info/?l=netfilter&m=129978077509888&w=2
> http://marc.info/?l=netfilter-devel&m=130036157327564&w=2
I'm reluctant to assign a CVE name for this one. The default perms for
this is S_IWUSR|S_IRUSR. I will let Steve decide for this one.
> "Structures ip6t_replace, compat_ip6t_replace, and xt_get_revision are
> copied from userspace. Fields of these structs that are
> zero-terminated strings are not checked. When they are used as argument
> to a format string containing "%s" in request_module(), some sensitive
> information is leaked to userspace via argument of spawned modprobe
> process.
>
> The first bug was introduced before the git epoch; the second was
> introduced in 3bc3fe5e (v2.6.25-rc1); the third is introduced by
> 6b7d31fc (v2.6.15-rc1). To trigger the bug one should have
> CAP_NET_ADMIN."
> http://marc.info/?l=linux-kernel&m=129978086410061&w=2
[PATCH] ipv6: netfilter: ip6_tables: fix infoleak to userspace
CVE-2011-1172
> "struct aunhdr has 4 padding bytes between 'pad' and 'handle' fields on
> x86_64. These bytes are not initialized in the variable 'ah' before
> sending 'ah' to the network. This leads to 4 bytes kernel stack
> infoleak.
>
> This bug was introduced before the git epoch."
> http://marc.info/?l=linux-netdev&m=130036203528021&w=2
[PATCH] econet: 4 byte infoleak to the network
CVE-2011-1173
Thanks, Eugene
--
main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i); }
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Powered by Openwall GNU/*/Linux -
Powered by OpenVZ
