Date: Sat, 24 Jan 2015 09:59:03 -0500 (EST) From: cve-assign@...re.org To: wmealing@...hat.com Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: CVE Request: Linux kernel - Denial of service in notify_change for xattrs. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > [wmealing]$ chown root:root /usr/bin/ping > chown: changing ownership of '/usr/bin/ping': Operation not permitted > > [wmealing]$ ping www.google.com > ping: icmp open socket: Operation not permitted > > This can cause a denial of service for applications which use the > capabilities subsystem such as pirahnah (arping), netconsole (arping), > some kdump implementations, etc. >> Currently we call security_inode_killpriv() in notify_change(), >> but in case of a chown() this is too early - we have not called >> inode_change_ok() or made any filesystem-specific permission/sanity >> checks. >> + * setattr_killpriv - remove extended privilege attributes from a file >> + * @dentry: Directory entry passed to the setattr operation >> + * @iattr: New attributes pased to the setattr operation >> + * >> + * All filesystems that can carry extended privilege attributes >> + * should call this from their setattr operation *after* validating >> + * the attribute changes. This is a somewhat unusual situation in which there is arguably a single underlying discovery: if any filesystem supports extended privilege attributes, its setattr operation has a requirement for certain code that supports the functionality of removing extended privilege attributes. Previously, there was no such requirement in the sense that notify_change was (wrongly) expected to support that functionality. Thus, it seems best to model this as a single security problem (with a single CVE ID) in which the set of requirements for setattr operations was incomplete. It does not seem worthwhile to model this as a series of related security problems (with multiple CVE IDs) in which individual filesystems had their own independent implementation errors. Use CVE-2015-1350. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJUw7LsAAoJEKllVAevmvmsxFwIAI8+WBXMKoJ7r+rWI7eeXoSn mGcb3gMBNS4siHYk12q22wcSHL/MbPqeUwWYT6b28xgf79GHkuLFyEksunhVoLzB TFrg1co3TjhzOtxAMV+VjjPRmfiS0Odc3KVsFyHX3FkNbPRLqy7d/yHMstScOTXM NzqpxrVRrL0Xs4LiOXWfWsAl1pkHpoDZSEC6FNxB2O87LowQF1qn/UlT88QczYoN 4R66bDM3grd8iqohrpRk9ILiD97ZDShpwL8AIT27yxWttC2QiltSWTqCLvTGOZ4V ovk5gI1kAcGvGE32ILLYPrqDERLM4O3LqZtsd+793yj2yuqDs9D4cNj9XAdij5M= =WP6T -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ