Date: Thu, 22 Jan 2015 23:05:35 -0500 (EST)
From: Wade Mealing <wmealing@...hat.com>
To: cve-assign@...re.org, OSS Security List <oss-security@...ts.openwall.com>
Subject: CVE Request: Linux kernel - Denial of service in notify_change for xattrs.

I'd like to request a CVE for an issue brought up on this list on Jan 17th 2015.
I did not see one created for this issue titled:

"Re: [RFC PATCH RESEND] vfs: Move security_inode_killpriv() after permission checks"
http://www.openwall.com/lists/oss-security/2015/01/21/3t

This issue can be classified as a denial of service.

Example:

[wmealing]$ ping -c1 www.google.com
PING www.google.com (126.96.36.199) 56(84) bytes of data.
64 bytes from syd10s01-in-f4.1e100.net (188.8.131.52): icmp_seq=1 ttl=51 time=14.1 ms

--- www.google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 14.162/14.162/14.162/0.000 ms

[wmealing]$ chown root:root /usr/bin/ping
chown: changing ownership of ‘/usr/bin/ping’: Operation not permitted

[wmealing]$ ping www.google.com
ping: icmp open socket: Operation not permitted

This can cause a denial of service for applications which use the capabilities subsystem such as piranha (arping), netconsole (arping), some kdump implementations, etc.

Thank you.

Wade Mealing
--
Red Hat Product Security
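An added example, not part of Wade's message or of the kernel patch under discussion: a small Python audit helper that decodes the security.capability xattr (the kernel's struct vfs_cap_data, revision 2 or 3) and reports whether a binary such as ping still carries the capability it needs. The constant names follow uapi/linux/capability.h; the constructed sample blob, the check_caps and audit_file helpers, and the paths probed in the main block are assumptions for illustration. Running this against setcap'd binaries after a suspect chown lets a defender see the stripped state from the transcript directly (the xattr is gone, so the required capability is reported missing) rather than discovering it when ping fails.

```python
import os
import struct

# Layout of the security.capability xattr (struct vfs_cap_data in the
# kernel's uapi/linux/capability.h): a little-endian u32 "magic_etc" holding
# the revision in the top byte and the effective flag in bit 0, followed by
# two {permitted, inheritable} u32 pairs (low words first, then high words).
# Revision 3 appends a u32 rootid for user-namespace-owned capabilities.
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_2 = 0x02000000
VFS_CAP_REVISION_3 = 0x03000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001

# Capability numbers from linux/capability.h, enough to name what ping needs.
CAP_NET_RAW = 13
CAP_NAMES = {
    0: "cap_chown", 1: "cap_dac_override", 2: "cap_dac_read_search",
    3: "cap_fowner", 4: "cap_fsetid", 5: "cap_kill", 6: "cap_setgid",
    7: "cap_setuid", 8: "cap_setpcap", 9: "cap_linux_immutable",
    10: "cap_net_bind_service", 11: "cap_net_broadcast", 12: "cap_net_admin",
    13: "cap_net_raw", 14: "cap_ipc_lock", 15: "cap_ipc_owner",
    16: "cap_sys_module", 17: "cap_sys_rawio", 18: "cap_sys_chroot",
    19: "cap_sys_ptrace", 20: "cap_sys_pacct", 21: "cap_sys_admin",
    22: "cap_sys_boot", 23: "cap_sys_nice", 24: "cap_sys_resource",
    25: "cap_sys_time", 26: "cap_sys_tty_config", 27: "cap_mknod",
    28: "cap_lease", 29: "cap_audit_write", 30: "cap_audit_control",
    31: "cap_setfcap",
}

# Constructed sample: the value `setcap cap_net_raw+ep /usr/bin/ping` stores.
SAMPLE_PING_CAPS = struct.pack(
    "<IIIII", VFS_CAP_REVISION_2 | VFS_CAP_FLAGS_EFFECTIVE,
    1 << CAP_NET_RAW, 0,  # permitted low word, inheritable low word
    0, 0)                 # permitted high word, inheritable high word


def decode_vfs_cap(blob):
    """Parse a security.capability value into its fields; ValueError if malformed."""
    if len(blob) < 4:
        raise ValueError("security.capability value too short: %d bytes" % len(blob))
    magic_etc = struct.unpack_from("<I", blob, 0)[0]
    revision = magic_etc & VFS_CAP_REVISION_MASK
    if revision == VFS_CAP_REVISION_2:
        expected = 4 + 4 * 4          # magic + two (permitted, inheritable) pairs
    elif revision == VFS_CAP_REVISION_3:
        expected = 4 + 4 * 4 + 4      # ... plus rootid
    else:
        raise ValueError("unsupported vfs_cap_data revision 0x%08x" % revision)
    if len(blob) != expected:
        raise ValueError("expected %d bytes for revision %d, got %d"
                         % (expected, revision >> 24, len(blob)))
    p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<IIII", blob, 4)
    rootid = None
    if revision == VFS_CAP_REVISION_3:
        rootid = struct.unpack_from("<I", blob, 20)[0]
    return {
        "revision": revision >> 24,
        "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE),
        "permitted": p_lo | (p_hi << 32),
        "inheritable": i_lo | (i_hi << 32),
        "rootid": rootid,
    }


def cap_names(mask):
    """Human-readable names for the bits set in a 64-bit capability mask."""
    return [CAP_NAMES.get(bit, "cap_%d" % bit) for bit in range(64) if (mask >> bit) & 1]


def check_caps(blob, required):
    """Return the required capability numbers missing from the permitted set.

    blob=None models the stripped state (no xattr left on the file), in which
    every required capability is missing.
    """
    if blob is None:
        return list(required)
    caps = decode_vfs_cap(blob)
    return [bit for bit in required if not (caps["permitted"] >> bit) & 1]


def audit_file(path, required):
    """Read the real xattr from `path` (Linux only) and report missing capabilities."""
    try:
        blob = os.getxattr(path, "security.capability")
    except OSError:
        blob = None  # xattr absent: exactly what a stripped ping binary looks like
    return check_caps(blob, required)


if __name__ == "__main__":
    caps = decode_vfs_cap(SAMPLE_PING_CAPS)
    print("sample permitted:", cap_names(caps["permitted"]), "effective:", caps["effective"])
    # Assumed locations; adjust for the distribution being audited.
    for path in ("/usr/bin/ping", "/bin/ping"):
        if os.path.exists(path):
            missing = audit_file(path, [CAP_NET_RAW])
            print(path, "OK" if not missing else "MISSING " + ", ".join(CAP_NAMES[b] for b in missing))
```

The decoder is deliberately strict about length and revision so that a truncated or unknown-revision value is reported as malformed rather than silently read as "no capabilities"; an audit that treats parse failures as success would miss exactly the cases worth looking at.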