Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 25 Oct 2010 17:52:36 -0400 (EDT)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: oss-security@...ts.openwall.com
cc: "Steven M. Christey" <coley@...us.mitre.org>,
        Eugene Teo <eugeneteo@...nel.sg>
Subject: Re: CVE request: multiple kernel stack memory
 disclosures



All,

I apologize for taking so long to handle this.  Dan, thanks for being
so diligent about digging up more information!  That couldn't have
been easy, let alone fun.

- Steve


========================================================================

http://www.openwall.com/lists/oss-security/2010/10/07/1

Author: Dan Rosenberg


>  ipc/shm.c (shmctl), reported and fixed by Kees Cook
>  Affects >= 2.6.0, >= 2.4.0
>
>  Reference:
>  http://lkml.org/lkml/2010/10/6/454

CVE-2010-4072


>  ipc/compat.c (compat versions of semctl, shmctl, and msgctl)
>  Affects >= 2.6.8
>
>  ipc/compat_mq (compat versions of mq_open and mq_getsetattr)
>  Affects >= 2.6.8
>
>  Reference:
>  http://lkml.org/lkml/2010/10/6/492

CVE-2010-4073


========================================================================

http://www.openwall.com/lists/oss-security/2010/10/06/6

Author: Dan Rosenberg

Due to the high variation in affected kernel versions, most of these
are SPLIT.



>TIOCGICOUNT stack leaks:

(see http://lkml.org/lkml/2010/9/16/294)

>  usb/serial/mos*.c
>  Fixed in 2.6.36-rc5
>  Affects >= 2.6.19

CVE-2010-4074


>drivers/serial/serial_core.c
>Not fixed yet (Alan Cox's fix will be in 2.6.37)
>Affects >= 2.6.0


CVE-2010-4075


>drivers/char/amiserial.c
>Not fixed yet (Alan Cox's fix will be in 2.6.37)
>Affects >= 2.6.0, >= 2.4.0


CVE-2010-4076

>drivers/char/nozomi.c
>Not fixed yet (Alan Cox's fix will be in 2.6.37)
>Affects >= 2.6.25

CVE-2010-4077


>drivers/net/usb/hso.c (CVE-2010-3298)
>Fixed in 2.6.36-rc5
>Affects >= 2.6.29

Already assigned - CVE-2010-3298


>FBIOGET_VBLANK stack leaks:


>drivers/video/sis/sis_main.c
>Fixed in 2.6.36-rc6
>Affects >= 2.6.11

CVE-2010-4078


>drivers/video/ivtv/ivtvfb.c
>Not fixed yet (patch has been queued)
>Affects >= 2.6.24

CVE-2010-4079


>Miscellaneous device ioctl stack leaks:

>sound/pci/rme9652/hdsp*.c
>Fixed in 2.6.36-rc6
>Affects >= 2.6.0 (hdsp.c), >= 2.6.13 (hdspm.c)

These are SPLIT because the affected files are in different versions.

hdsp.c - CVE-2010-4080

hdspm.c - CVE-2010-4081


>drivers/video/via/ioctl.c
>Fixed in 2.6.36-rc5
>Affects >= 2.6.28

CVE-2010-4082


>drivers/net/cxgb3/cxgb3_main.c (CVE-2010-3296)
>Fixed in 2.6.36-rc5
>Affects >= 2.6.21


Already assigned - CVE-2010-3296


>drivers/net/eql.c (CVE-2010-3297)
>Fixed in 2.6.36-rc5
>Affects >= 2.6.0, >= 2.4.0


Already assigned - CVE-2010-3297


>System call stack leak:

>ipc/sem.c
>Not fixed yet (patch queued)
>Affects >= 2.6.0, >= 2.4.0

Presumably the lack of a current patch means this will affect a
different version than CVE-2010-4072 (ipc/shm.c shmctl), see above.

CVE-2010-4083


- Steve

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.