Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri, 25 Mar 2011 14:07:29 +0800
From: Eugene Teo <eugene@...hat.com>
To: oss-security@...ts.openwall.com
CC: Dan Rosenberg <dan.j.rosenberg@...il.com>
Subject: Re: CVE request: kernel: two OSS fixes

On 03/23/2011 11:56 PM, Dan Rosenberg wrote:
> For both issues, access to /dev/sequencer is required, which is
> typically reserved for group audio.  Additionally, these only affect
> systems that use OSS (not to be confused with the OSS emulation layer
> provided by ALSA).
>
> 1. Specially crafted requests may be written to /dev/sequencer
> resulting in an underflow when calculating a size for a
> copy_from_user() operation in the driver for MIDI interfaces.  On x86,
> this just returns an error, but it may cause memory corruption on
> other architectures.  Other malformed requests may result in the use
> of uninitialized variables.  [1]

CVE-2011-1476

> 2. Due to a failure to validate user-supplied indexes in the driver
> for Yamaha YM3812 and OPL-3 chips, a specially crafted ioctl request
> may be sent to /dev/sequencer, resulting in reading and writing beyond
> the bounds of heap buffers, and potentially allowing privilege
> escalation.  [2]

CVE-2011-1477

> [1] http://marc.info/?l=linux-kernel&m=130089204124354&w=2
> [2] http://marc.info/?l=linux-kernel&m=130089499728386&w=2

Thanks, Eugene
-- 
main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i); }

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ