Date: Wed, 18 May 2016 11:34:35 -0400 (EDT) From: cve-assign@...re.org To: carnil@...ian.org Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: CVE Request: Linux: information leak in Rock Ridge Extensions to iso9660 -- fs/isofs/rock.c -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 > The following commit in Linux v4.6 addresses an information leak > caused by not properly handling NM entries containing NUL. > > https://git.kernel.org/linus/99d825822eade8d827a1817357cbf3f889a552d6 >> stop once we'd encountered 32 CEs, but you can get about 8Kb easily. >> And that's what will be passed to readdir callback as the name length. >> Cc: stable@...r.kernel.org # 0.98pl6+ (yes, really) Use CVE-2016-4913. This might have a threat model that is not often seen in vulnerability reports. Is the issue somewhat similar to CVE-2014-9731, i.e., the attacker only needs the ability to mount an isofs filesystem on an already-running system -- either with physical removable media or equivalent actions that may be relevant with virtualization -- and then the attacker obtains the ability to read from some unintended (but not arbitrary) kernel memory locations? Also, is the severity of CVE-2016-4913 much greater than that of CVE-2014-9731, because the amount of kernel memory is much larger and because CVE-2016-4913 affects essentially every Linux release (as long as CONFIG_ISO9660_FS was used)? Are there also plausible scenarios with a DoS impact, but they are of less concern because the information leak is much more important in almost all realistic cases? (For example: possibly someone has a long-running root process that tries to maintain a searchable index of all files on all user-mounted isofs filesystems, and that process stops because the code sees invalid readdir results.) - -- CVE Assignment Team M/S M300, 202 Burlington Road, Bedford, MA 01730 USA [ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJXPIsOAAoJEHb/MwWLVhi2LPIP/RJ+S+xraiesxdcpC4M4uIB9 IQ7APteqUe2QCD4yoZwo4Lkq3IthV/cGE0Mko64coLzvU5zj0VSWac0rIQoXx1UR mLVgelyUCejpuFs9BZGhcjkBmzTT2pMSPxfwPeMV+0qiBfJbiJDIfYSLb7nzQXZA zb8XuKBWZL5VOftoXN2I33ZyEhaNXezyHESGTPaChEkioYyt48tAEBs/iTDUF/j6 j4dNouBoKPqeunbCtXtuZ5KMSSkmZrkCFg0N38Hs0CFdEUH2BTHJGcml1pforWx5 okoBPONK/oSM7WeiRftjFL3DLKnYPaW9DAkujNoJwh5GoW216qbuymYMYcz8yVHA BogUBRCfpuCe7Ua7MalgeBGklAYsfY3tYHhwDOnUZtO9wPJnocnoBVXKEoSQ+zAH cVTFPizG/ZvaGehC1Mp52+KSOgsdvJiNysQy6/GZmrEVOAk7kI9t/XFK6U7MUBwI p/wAzo27U1+0WL65JfVKP04RmPku0EN0zDCzka+GOyZXeAy96N0EcmsqoNT6NMS8 RBqLw/F61uNlPyK4Ys8NWn7XOv/GHl4t8l4I0ForxyLw7qikMZWwCW404TJ+CiTt Q6jz6Gky02gtifoaivheTzpWKUJE07TxubfkKdQTI+uimpAx/fx7mCIQFMSIei1i B4RwERTwoQgfX9GKwUnl =1bfz -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ