Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 03 Dec 2009 09:06:02 +0800
From: Eugene Teo <eugene@...hat.com>
To: "Steven M. Christey" <coley@...us.mitre.org>
CC: oss-security@...ts.openwall.com
Subject: Re: CVE request: kernel: mac80211: fix two remote
 exploits

On 12/02/2009 11:41 PM, Steven M. Christey wrote:
>
> On Wed, 2 Dec 2009, Eugene Teo wrote:
>
>> Actually, you can ignore this request. So what happened was that, there
>> were actually two patches for this, but Johannes combined them together
>> when he shared the fix with us. So, this is part of the fixes for
>> CVE-2009-4026: upstream commits (1) 4253119a and (2) 827d42c9.
>
> The Red Hat bug report lists both CVE-2009-4026 and CVE-2009-4027 but
> doesn't actually link these two CVEs to any specific fix/issue:
>
>    https://bugzilla.redhat.com/show_bug.cgi?id=541149
>
> We associated CVE-2009-4026 with commit
> 827d42c9ac91ddd728e4f4a31fefb906ef2ceff7, and we associated CVE-2009-4027
> with commit d92684e66091c0f0101819619b315b4bb8b5bcc5.
>
> Here is the logic chain that we had to follow in order to perform this
> association.
>
>    The History section of 541149 indicates that this "mac80211: fix
>    spurious delBA handling" bug was assigned both CVE-2009-4026 and
>    CVE-2009-4027 on 20091125. All activity in this bug is by Eugene Teo.
>    The fix for the bug is in commit
>    827d42c9ac91ddd728e4f4a31fefb906ef2ceff7. As mentioned in
>    oss-security/2009/12/01/2, the portion of this bug that was introduced
>    by the d75636ef9c1af224f1097941879d5a8db7cd04e5 commit in 2009 is
>    CVE-2009-4026. Therefore, the portion of the bug that was introduced by
>    the d92684e66091c0f0101819619b315b4bb8b5bcc5 commit in 2008 is
>    CVE-2009-4027. The 827d42c9ac91ddd728e4f4a31fefb906ef2ceff7 commit
>    message says "The first problem is that I moved a BUG_ON before various
>    checks -- thereby making it possible to hit. As the comment indicates,
>    the BUG_ON can be removed since the ampdu_action callback must already
>    exist when the state is != IDLE." However, apparently no part of the
>    diff affects any BUG_ON line in the code. Later, on 20091201, Eugene Teo
>    sent a "CVE request: kernel: mac80211: fix two remote exploits"
>    oss-security message. The fix for this additional vulnerability is in
>    commit 4253119acf412fd686ef4bd8749b5a4d70ea3a51. The entirety of the fix
>    is removal of calls to BUG_ON and WARN_ON.

Hi Steve,

The two CVE names were assigned when this issue was reported in 
vendor-sec (forwarded you the email; I should have cc'ed you but I 
missed it, sorry). When it was reported, the reporter combined two 
patches into one, but the upstream committed them in two separate 
patches: upstream commits 4253119a and 827d42c9.

There are two issues in commit 827d42c9. The first issue (problem) was 
assigned CVE-2009-4026, and the second issue (problem) was assigned 
CVE-2009-4027. Commit 4253119a should be associated with CVE-2009-4026 
because the fix is also for an issue that was introduced by d75636ef 
(which is related to the first issue).

Commits 4253119a and 827d42c9 (first problem) = CVE-2009-4026
Commit 827d42c9 (second problem) = CVE-2009-4027

Thanks, Eugene
-- 
Eugene Teo / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.