Date: Fri, 16 Jul 2010 11:08:14 -0400 (EDT) From: Josh Bressers <bressers@...hat.com> To: oss-security@...ts.openwall.com Cc: security-alert@...bsd.org, secteam@...ebsd.org, product-security@...le.com, coley <coley@...re.org> Subject: Re: CVE request: NetSMB BSD kernel module (minor) Please use CVE-2010-2530 Sorry for the delay. -- JB ----- "Dan Rosenberg" <dan.j.rosenberg@...il.com> wrote: > I discovered and reported a minor security issue in the netsmb kernel > module for NetBSD and FreeBSD. The issue also affects Mac OS X 10.x, > where netsmb is available as a kernel extension. > > Several of the subroutines in the netsmb module (see reference below > for vulnerable functions), which are reachable by unprivileged local > users via device ioctls sent to a /dev/nsmb* device, had signedness > errors. By providing a negative value for a size field for certain > device ioctls (including SMBIOC_LOOKUP and SMBIOC_OPENSESSION for > *BSD), a size check will be bypassed and a memory overallocation will > occur, causing a kernel panic. NetBSD committed their fix to CVS > today: > > http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netsmb/smb_subr.c.diff?r1=1.34&r2=1.35&only_with_tag=MAIN&f=h > > Regards, > Dan Rosenberg
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.