Date: Wed, 30 Dec 2015 15:37:23 -0500 (EST)
From: cve-assign@...re.org
To: limeburst@...ber.fsf.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: Squashfs 4.2 Race Condition

> A malformed Squashfs filesystem can cause a race condition in unsquashfs.
>
> This is caused by the decompress thread attempting to access a shared
> queue, resulting in a SIGSEGV.
>
> struct cache_entry *entry = queue_get(to_deflate);

Do you have any information about a scenario in which this bug crosses
a privilege boundary? Do you mean that, because of the details of the
SIGSEGV, there's a reasonable likelihood of code execution when a
victim runs unsquashfs on an untrusted SquashFS filesystem image?

Other possibilities in which there could be a CVE ID assigned include:

 - if the affected unsquashfs code were also available as a library
   that was used to build a program that was supposed to remain
   running to handle multiple unsquash operations

 - if the affected unsquashfs code were also used to support a
   SquashFS filesystem that was mounted on a system, and an
   unprivileged user could crash the system by reading from the
   filesystem

 - (again for this use of the affected code) if a system exists that
   automatically mounts SquashFS filesystems found on removable
   media, and inserting removable media could crash the system

 - (again for this use of the affected code) maybe a scenario in
   which the SIGSEGV ultimately leads to disclosure of private data
   that wasn't contained in the SquashFS filesystem

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]