Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sat, 24 Jan 2015 09:59:03 -0500 (EST)
From: cve-assign@...re.org
To: wmealing@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: Linux kernel - Denial of service in notify_change for xattrs.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> [wmealing]$ chown root:root /usr/bin/ping
> chown: changing ownership of '/usr/bin/ping': Operation not permitted
> 
> [wmealing]$ ping www.google.com
> ping: icmp open socket: Operation not permitted
> 
> This can cause a denial of service for applications which use the
> capabilities subsystem such as pirahnah (arping), netconsole (arping),
> some kdump implementations, etc.

>> Currently we call security_inode_killpriv() in notify_change(),
>> but in case of a chown() this is too early - we have not called
>> inode_change_ok() or made any filesystem-specific permission/sanity
>> checks.

>> + * setattr_killpriv - remove extended privilege attributes from a file
>> + * @dentry: Directory entry passed to the setattr operation
>> + * @iattr: New attributes pased to the setattr operation
>> + *
>> + * All filesystems that can carry extended privilege attributes
>> + * should call this from their setattr operation *after* validating
>> + * the attribute changes.

This is a somewhat unusual situation in which there is arguably a
single underlying discovery: if any filesystem supports extended
privilege attributes, its setattr operation has a requirement for
certain code that supports the functionality of removing extended
privilege attributes. Previously, there was no such requirement in the
sense that notify_change was (wrongly) expected to support that
functionality. Thus, it seems best to model this as a single security
problem (with a single CVE ID) in which the set of requirements for
setattr operations was incomplete. It does not seem worthwhile to
model this as a series of related security problems (with multiple CVE
IDs) in which individual filesystems had their own independent
implementation errors.

Use CVE-2015-1350.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJUw7LsAAoJEKllVAevmvmsxFwIAI8+WBXMKoJ7r+rWI7eeXoSn
mGcb3gMBNS4siHYk12q22wcSHL/MbPqeUwWYT6b28xgf79GHkuLFyEksunhVoLzB
TFrg1co3TjhzOtxAMV+VjjPRmfiS0Odc3KVsFyHX3FkNbPRLqy7d/yHMstScOTXM
NzqpxrVRrL0Xs4LiOXWfWsAl1pkHpoDZSEC6FNxB2O87LowQF1qn/UlT88QczYoN
4R66bDM3grd8iqohrpRk9ILiD97ZDShpwL8AIT27yxWttC2QiltSWTqCLvTGOZ4V
ovk5gI1kAcGvGE32ILLYPrqDERLM4O3LqZtsd+793yj2yuqDs9D4cNj9XAdij5M=
=WP6T
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ