Date: Wed, 27 Aug 2014 01:12:35 -0400 (EDT)
From: cve-assign@...re.org
To: meissner@...e.de
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: Linux Kernel unbound recursion in ISOFS

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> https://code.google.com/p/google-security-research/issues/detail?id=88

> - recurse.iso: crashes / reboots a kernel due to kernel stack overflow / corruption.

Use CVE-2014-5471.


> - deadlock.iso: causes a deadlock in the mount process in "inode_wait"

Use CVE-2014-5472.


> https://github.com/torvalds/linux/commit/410dd3cf4c9b36f27ed4542ee18b1af5e68645a4

> We did not check relocated directory in any way when processing Rock
> Ridge 'CL' tag.

There are the two CVE IDs above, instead of one CVE ID for "did not
check ... in any way."

CVE-2014-5471 is about the need for code to prevent unchecked
recursion (CWE-674), whereas CVE-2014-5472 is not about CWE-674. On
some systems, CVE-2014-5472 might have only a minor security impact by
enabling a user to start an unkillable process (i.e., it would be
minor if there were a low limit on the number of processes the user is
allowed to start).

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJT/WhZAAoJEKllVAevmvmskWYH/2YTlXYpcG5AgNusDLxCEdqs
r+1qOetYYD2VhLr3LqcI0gDAU26V2sNcCej1h4wiVx4q83yN95ZleCYOEEzy99OG
vjQQp/bnhcL1++UJEZvnxvSXbUw8sOcLky60GEHQ6F+MICZcCAUKShtOn0meeQgr
Cke9dXw8pcXFmt7N8R+ztdpot4pxPKUVNmiNNhKC6q9yIQQ+rDVnYD+81+l5vMD3
fpFunsqUclRczEBoh5ptyZ89mNFUytlz1R1gFxN/3fkseFfxybVpBKL3XW364USj
ett5kJxt/jI2yam7rP/eAV166EtjenBNgS6q6boFO8GiyM6OsUYVsYBIUEhuB24=
=R3U4
-----END PGP SIGNATURE-----
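To make concrete the two failure shapes the message above separates (unchecked recursion, CWE-674, versus a relocation that points at the very entry being set up), here is an added illustration in C. It is not kernel code and not taken from the commit cited in the thread: a hand-constructed table stands in for the directory records of an ISO image, the field `reloc_to` stands in for a Rock Ridge 'CL' pointer, and the particular rules enforced by `resolve_checked` (one hop only, target must be a directory, target must not be relocated itself, target must not be the same record) are this example's own choices.

```c
/*
 * Toy model of following "relocated directory" links (like Rock Ridge CL
 * entries) in an untrusted filesystem image.  Added illustration only:
 * record indices stand in for inode numbers, and the image below is
 * constructed by hand.
 */
#include <stdbool.h>
#include <stdio.h>

enum { NO_RELOC = -1, MAX_RECORDS = 8 };

struct dirent_rec {
    const char *name;
    bool is_dir;
    int reloc_to;      /* index of the real directory, or NO_RELOC */
};

/* Constructed image.  Records 3 and 4 point at each other, a relocation
 * cycle that an unchecked follower recurses into forever.  Record 5 points
 * at itself; for a real inode that means waiting for an inode that the
 * waiting code path is itself still setting up.  Record 7 relocates to a
 * non-directory. */
static const struct dirent_rec image[MAX_RECORDS] = {
    [0] = { "root",      true,  NO_RELOC },
    [1] = { "docs",      true,  2 },        /* legitimate: one hop to a real dir */
    [2] = { "docs_real", true,  NO_RELOC },
    [3] = { "loop_a",    true,  4 },
    [4] = { "loop_b",    true,  3 },
    [5] = { "self",      true,  5 },
    [6] = { "notdir",    false, NO_RELOC },
    [7] = { "to_file",   true,  6 },
};

/* Vulnerable shape: recurse until the chain ends.  Termination depends
 * entirely on the image being well-formed, so a crafted image chooses the
 * recursion depth (CWE-674).  Kept for comparison; never run it on
 * untrusted data (resolve_unchecked(3) exhausts the stack). */
static int resolve_unchecked(int idx)
{
    if (image[idx].reloc_to == NO_RELOC)
        return idx;
    return resolve_unchecked(image[idx].reloc_to);
}

/* Hardened shape: a relocation is followed at most once, so depth is
 * bounded by construction, and the target is validated before use.
 * Returns the resolved record index, or -1 if the image is rejected. */
static int resolve_checked(int idx)
{
    if (idx < 0 || idx >= MAX_RECORDS)
        return -1;
    int target = image[idx].reloc_to;
    if (target == NO_RELOC)
        return idx;                         /* ordinary entry, nothing to follow */
    if (target < 0 || target >= MAX_RECORDS)
        return -1;                          /* pointer outside the image */
    if (target == idx)
        return -1;                          /* would wait on the entry being set up */
    if (!image[target].is_dir)
        return -1;                          /* a relocated directory must be a directory */
    if (image[target].reloc_to != NO_RELOC)
        return -1;                          /* relocated directory must not itself be relocated */
    return target;
}

int main(void)
{
    for (int i = 0; i < MAX_RECORDS; i++)
        printf("%-9s -> %d\n", image[i].name, resolve_checked(i));
    /* Only the well-formed record is safe to hand to the unchecked version. */
    printf("unchecked docs -> %d\n", resolve_unchecked(1));
    return 0;
}
```

Rejecting a relocation whose target is itself relocated is what turns the recursion into a fixed single step; the separate self-reference test covers the case where the chain has length one but still loops back onto the entry being processed.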
