Date: Wed, 30 Dec 2015 15:37:23 -0500 (EST)
From: cve-assign@...re.org
To: limeburst@...ber.fsf.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: Squashfs 4.2 Race Condition

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> A malformed Squashfs filesystem can cause a race condition in unsquashfs.
> 
> This is caused by the decompress thread attempting to access a shared
> queue, resulting in a SIGSEGV.
> 
>     struct cache_entry *entry = queue_get(to_deflate);

Do you have any information about a scenario in which this bug crosses
a privilege boundary?

Do you mean that, because of the details of the SIGSEGV, there's a
reasonable likelihood of code execution when a victim runs unsquashfs
on an untrusted SquashFS filesystem image?

Other possibilities in which there could be a CVE ID assigned include:

  - if the affected unsquashfs code were also available as a library
    that was used to build a program that was supposed to remain
    running to handle multiple unsquash operations

  - if the affected unsquashfs code were also used to support a
    SquashFS filesystem that was mounted on a system, and an
    unprivileged user could crash the system by reading from the
    filesystem

  - (again for this use of the affected code) if a system exists that
    automatically mounts SquashFS filesystems found on removable
    media, and inserting removable media could crash the system

  - (again for this use of the affected code) maybe a scenario in
    which the SIGSEGV ultimately leads to disclosure of private data
    that wasn't contained in the SquashFS filesystem

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
