Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 21 Mar 2011 12:35:20 +0800
From: Eugene Teo <eugene@...hat.com>
To: oss-security@...ts.openwall.com
CC: Vasiliy Kulikov <segoon@...nwall.com>,
        "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE request: kernel: netfilter & econet infoleaks

> "Structures ipt_replace, compat_ipt_replace, and xt_get_revision are
> copied from userspace.  Fields of these structs that are
> zero-terminated strings are not checked.  When they are used as argument
> to a format string containing "%s" in request_module(), some sensitive
> information is leaked to userspace via argument of spawned modprobe
> process.
>
> The first bug was introduced before the git epoch;  the second is
> introduced by 6b7d31fc (v2.6.15-rc1);  the third is introduced by
> 6b7d31fc (v2.6.15-rc1).  To trigger the bug one should have
> CAP_NET_ADMIN."
> http://marc.info/?l=netfilter-devel&m=129978081009955&w=2

[PATCH] ipv4: netfilter: arp_tables: fix infoleak to userspace
CVE-2011-1170

> "Structures ipt_replace, compat_ipt_replace, and xt_get_revision are
> copied from userspace.  Fields of these structs that are
> zero-terminated strings are not checked.  When they are used as argument
> to a format string containing "%s" in request_module(), some sensitive
> information is leaked to userspace via argument of spawned modprobe
> process.
>
> The first and the third bugs were introduced before the git epoch; the
> second was introduced in 2722971c (v2.6.17-rc1).  To trigger the bug
> one should have CAP_NET_ADMIN."
> http://marc.info/?l=linux-kernel&m=129978077609894&w=2

[PATCH] ipv4: netfilter: ip_tables: fix infoleak to userspace
CVE-2011-1171

> "'buffer' string is copied from userspace.  It is not checked whether it is
> zero terminated.  This may lead to overflow inside of simple_strtoul().
> Changli Gao suggested to copy not more than user supplied 'size' bytes.
>
> It was introduced before the git epoch.  Files "ipt_CLUSTERIP/*" are
> root writable only by default, however, on some setups permissions might be
> relaxed to e.g. network admin user."
> http://marc.info/?l=netfilter&m=129978077509888&w=2
> http://marc.info/?l=netfilter-devel&m=130036157327564&w=2

I'm reluctant to assign a CVE name for this one. The default perms for 
this is S_IWUSR|S_IRUSR. I will let Steve decide for this one.

> "Structures ip6t_replace, compat_ip6t_replace, and xt_get_revision are
> copied from userspace.  Fields of these structs that are
> zero-terminated strings are not checked.  When they are used as argument
> to a format string containing "%s" in request_module(), some sensitive
> information is leaked to userspace via argument of spawned modprobe
> process.
>
> The first bug was introduced before the git epoch;  the second was
> introduced in 3bc3fe5e (v2.6.25-rc1);  the third is introduced by
> 6b7d31fc (v2.6.15-rc1).  To trigger the bug one should have
> CAP_NET_ADMIN."
> http://marc.info/?l=linux-kernel&m=129978086410061&w=2

[PATCH] ipv6: netfilter: ip6_tables: fix infoleak to userspace
CVE-2011-1172

> "struct aunhdr has 4 padding bytes between 'pad' and 'handle' fields on
> x86_64.  These bytes are not initialized in the variable 'ah' before
> sending 'ah' to the network.  This leads to 4 bytes kernel stack
> infoleak.
>
> This bug was introduced before the git epoch."
> http://marc.info/?l=linux-netdev&m=130036203528021&w=2

[PATCH] econet: 4 byte infoleak to the network
CVE-2011-1173

Thanks, Eugene
-- 
main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i); }

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.