Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 09 Jul 2012 21:47:44 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Marcus Meissner <meissner@...e.de>, Timo Warns <warns@...-sense.de>
Subject: Re: CVE Request: Stability fixes in UDF Logical Volume
 Descriptor handling

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/06/2012 03:51 PM, Marcus Meissner wrote:
> On Wed, Jul 04, 2012 at 02:51:15PM -0600, Kurt Seifried wrote:
>> On 07/03/2012 02:46 PM, Timo Warns wrote:
>>> Am 03.07.2012 20:58, schrieb Kurt Seifried:
>>>> On 07/03/2012 07:22 AM, Marcus Meissner wrote:
>>>> 
>>>>> People (do not know who) reported to the kernel security
>>>>> team and Jan Kara some UDF filesystem crashes.
>>>> 
>>>>> Jan Kara did some fixes in the UDF fs and they were
>>>>> committed to mainline already, both actual bugfixes and
>>>>> some more sanity checking for hardening.
>>>>> 
>>>>> I think a single CVE is sufficient.
>>>> 
>>>> Were they discovered by the same person or different people?
>>> 
>>> I reported the following issue for sparing tables on 2012-06-17
>>> to security@...nel.org. Eugene Teo informed Jan Kara, who is
>>> the maintainer for the UDF filesystem, on the same day. Jan had
>>> a closer look at the UDF code and identified all other issues 
>>> addressed by the patches.
>>> 
>>> | udf_load_logicalvol() in fs/udf/super.c parses the number of 
>>> sparing | tables and stores the sparing tables on the heap: |
>>> | (1286)  for (j = 0; j < spm->numSparingTables; j++) { | [...]
>>> | (1293)    map->s_type_specific.s_sparing. | (1294) 
>>> s_spar_map[j] = bh2; | | map is of type udf_part_map, whose | 
>>> s_type_specific.s_sparing.s_spar_map | member can only hold 4 
>>> pointers to buffer_head structs. | | spm->numSparingTables is
>>> read from the file system and not further | validated. A
>>> corrupted file system with numSparingTables > 4 causes | a heap
>>> overflow.
>>> 
>>> Regards, Timo
>>> 
>> 
>> Just a placeholder: I'm waiting for a reply from Steve to see if
>> we can violate CVE assignment guidelines and put this under one
>> CVE (it should probably be two but sorting it out seems like it
>> might not be worthwhile).
> 
> Unclear ...
> 
> 1 reporter 1 developer fixing this bug and making stability fixes
> on the side
> 
> Might just be 1 issue.
> 
> CIao, Marcus

Apologies, I misunderstood the original email:

> People (do not know who) reported to the kernel security team and
> Jan Kara some UDF filesystem crashes.

I misunderstood that to mean 2 reporters.

Please use CVE-2012-3400 for these issues.




- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJP+6XgAAoJEBYNRVNeJnmTs8AP+wbie7KU8gNXaVmLvLKRXymE
Kdb9ugVyPlhgOQ6/6aWRNeM5BY5j1kRx7Eq7HL5xCYibiB4x8eBzj33HhKB+vXzl
A6vI0rykKE3G5dr9ccc28cXmx60yTDnmDfJ+51n+/JDQUWKts+FWI+zpHG8LBXvM
U+Z02owe9Srp4pAVsXD+H7uab9riEW4Khd0l7W28fgzE4JtSVcij1v0T3EBohFEQ
Dr7fATymsEh2wLEmWuyROVdJNXg+vbrgqUAqe9XO//SwmfhstU3QGeODue/ykjYo
TQIwk+PVMrEn959msw4/MOmCW2Vy6UI1RoQhyr7I9QQHrkr9jaXKRLFE2Wufuo9U
DGgy0tr+etoetxNq1Mko3sIVDIumf2PnwY2574h9LB/Dt1qCEEfj+DsvvTMZGcvZ
vxiA+BQXOywpETU1G1ArR2xxMLnky/NQQ410Nwpzh+DzRzlaqDBbfEXCoE5iarew
Kp9phzYanZUF223xtvTHukY2sgbuoPyui2qacC64Y1EBrEYfpedPrQu34JXHGpvk
j4SzPq3+Pwic0McG/9mYyaaFoZ/KW+Cyi8JadlqX/kgQGZ0ALrh2wY3hIm21jsdK
H5VR7JdcNH0RKvjye7/Y/8fBRefCTxh9GT8+gq0MFSkgE68LOcD+i6zCd75AR4pV
CdjDbUrVcdBdaNF9Z+U9
=n+1P
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ