Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 18 May 2016 11:34:35 -0400 (EDT)
From: cve-assign@...re.org
To: carnil@...ian.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: Linux: information leak in Rock Ridge Extensions to iso9660 -- fs/isofs/rock.c

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> The following commit in Linux v4.6 addresses an information leak
> caused by not properly handling NM entries containing NUL.
> 
> https://git.kernel.org/linus/99d825822eade8d827a1817357cbf3f889a552d6

>> stop once we'd encountered 32 CEs, but you can get about 8Kb easily.
>> And that's what will be passed to readdir callback as the name length.

>> Cc: stable@...r.kernel.org # 0.98pl6+ (yes, really)

Use CVE-2016-4913.

This might have a threat model that is not often seen in vulnerability
reports. Is the issue somewhat similar to CVE-2014-9731, i.e., the
attacker only needs the ability to mount an isofs filesystem on an
already-running system -- either with physical removable media or
equivalent actions that may be relevant with virtualization -- and
then the attacker obtains the ability to read from some unintended
(but not arbitrary) kernel memory locations? Also, is the severity of
CVE-2016-4913 much greater than that of CVE-2014-9731, because the
amount of kernel memory is much larger and because CVE-2016-4913
affects essentially every Linux release (as long as CONFIG_ISO9660_FS
was used)?

Are there also plausible scenarios with a DoS impact, but they are of
less concern because the information leak is much more important in
almost all realistic cases? (For example: possibly someone has a
long-running root process that tries to maintain a searchable index of
all files on all user-mounted isofs filesystems, and that process
stops because the code sees invalid readdir results.)

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJXPIsOAAoJEHb/MwWLVhi2LPIP/RJ+S+xraiesxdcpC4M4uIB9
IQ7APteqUe2QCD4yoZwo4Lkq3IthV/cGE0Mko64coLzvU5zj0VSWac0rIQoXx1UR
mLVgelyUCejpuFs9BZGhcjkBmzTT2pMSPxfwPeMV+0qiBfJbiJDIfYSLb7nzQXZA
zb8XuKBWZL5VOftoXN2I33ZyEhaNXezyHESGTPaChEkioYyt48tAEBs/iTDUF/j6
j4dNouBoKPqeunbCtXtuZ5KMSSkmZrkCFg0N38Hs0CFdEUH2BTHJGcml1pforWx5
okoBPONK/oSM7WeiRftjFL3DLKnYPaW9DAkujNoJwh5GoW216qbuymYMYcz8yVHA
BogUBRCfpuCe7Ua7MalgeBGklAYsfY3tYHhwDOnUZtO9wPJnocnoBVXKEoSQ+zAH
cVTFPizG/ZvaGehC1Mp52+KSOgsdvJiNysQy6/GZmrEVOAk7kI9t/XFK6U7MUBwI
p/wAzo27U1+0WL65JfVKP04RmPku0EN0zDCzka+GOyZXeAy96N0EcmsqoNT6NMS8
RBqLw/F61uNlPyK4Ys8NWn7XOv/GHl4t8l4I0ForxyLw7qikMZWwCW404TJ+CiTt
Q6jz6Gky02gtifoaivheTzpWKUJE07TxubfkKdQTI+uimpAx/fx7mCIQFMSIei1i
B4RwERTwoQgfX9GKwUnl
=1bfz
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ