Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 21 Mar 2011 15:32:58 +0800
From: Eugene Teo <eugene@...hat.com>
To: oss-security@...ts.openwall.com
CC: Vasiliy Kulikov <segoon@...nwall.com>,
        "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE request: kernel: netfilter & econet infoleaks

On 03/21/2011 12:35 PM, Eugene Teo wrote:
>> "Structures ipt_replace, compat_ipt_replace, and xt_get_revision are
>> copied from userspace. Fields of these structs that are
>> zero-terminated strings are not checked. When they are used as argument
>> to a format string containing "%s" in request_module(), some sensitive
>> information is leaked to userspace via argument of spawned modprobe
>> process.
>>
>> The first bug was introduced before the git epoch; the second is
>> introduced by 6b7d31fc (v2.6.15-rc1); the third is introduced by
>> 6b7d31fc (v2.6.15-rc1). To trigger the bug one should have
>> CAP_NET_ADMIN."
>> http://marc.info/?l=netfilter-devel&m=129978081009955&w=2
>
> [PATCH] ipv4: netfilter: arp_tables: fix infoleak to userspace
> CVE-2011-1170

https://bugzilla.redhat.com/CVE-2011-1170
http://git.kernel.org/?p=linux/kernel/git/kaber/nf-next-2.6.git;a=commitdiff;h=42eab94fff18cb1091d3501cd284d6bd6cc9c143

>> "Structures ipt_replace, compat_ipt_replace, and xt_get_revision are
>> copied from userspace. Fields of these structs that are
>> zero-terminated strings are not checked. When they are used as argument
>> to a format string containing "%s" in request_module(), some sensitive
>> information is leaked to userspace via argument of spawned modprobe
>> process.
>>
>> The first and the third bugs were introduced before the git epoch; the
>> second was introduced in 2722971c (v2.6.17-rc1). To trigger the bug
>> one should have CAP_NET_ADMIN."
>> http://marc.info/?l=linux-kernel&m=129978077609894&w=2
>
> [PATCH] ipv4: netfilter: ip_tables: fix infoleak to userspace
> CVE-2011-1171

https://bugzilla.redhat.com/CVE-2011-1171
http://git.kernel.org/?p=linux/kernel/git/kaber/nf-next-2.6.git;a=commitdiff;h=78b79876761b86653df89c48a7010b5cbd41a84a

>> "'buffer' string is copied from userspace. It is not checked whether
>> it is
>> zero terminated. This may lead to overflow inside of simple_strtoul().
>> Changli Gao suggested to copy not more than user supplied 'size' bytes.
>>
>> It was introduced before the git epoch. Files "ipt_CLUSTERIP/*" are
>> root writable only by default, however, on some setups permissions
>> might be
>> relaxed to e.g. network admin user."
>> http://marc.info/?l=netfilter&m=129978077509888&w=2
>> http://marc.info/?l=netfilter-devel&m=130036157327564&w=2
>
> I'm reluctant to assign a CVE name for this one. The default perms for
> this is S_IWUSR|S_IRUSR. I will let Steve decide for this one.

https://bugzilla.redhat.com/689337
http://git.kernel.org/?p=linux/kernel/git/kaber/nf-2.6.git;a=commitdiff;h=961ed183a9fd080cf306c659b8736007e44065a5

>> "Structures ip6t_replace, compat_ip6t_replace, and xt_get_revision are
>> copied from userspace. Fields of these structs that are
>> zero-terminated strings are not checked. When they are used as argument
>> to a format string containing "%s" in request_module(), some sensitive
>> information is leaked to userspace via argument of spawned modprobe
>> process.
>>
>> The first bug was introduced before the git epoch; the second was
>> introduced in 3bc3fe5e (v2.6.25-rc1); the third is introduced by
>> 6b7d31fc (v2.6.15-rc1). To trigger the bug one should have
>> CAP_NET_ADMIN."
>> http://marc.info/?l=linux-kernel&m=129978086410061&w=2
>
> [PATCH] ipv6: netfilter: ip6_tables: fix infoleak to userspace
> CVE-2011-1172

https://bugzilla.redhat.com/CVE-2011-1172
http://git.kernel.org/?p=linux/kernel/git/kaber/nf-next-2.6.git;a=commitdiff;h=6a8ab060779779de8aea92ce3337ca348f973f54

>> "struct aunhdr has 4 padding bytes between 'pad' and 'handle' fields on
>> x86_64. These bytes are not initialized in the variable 'ah' before
>> sending 'ah' to the network. This leads to 4 bytes kernel stack
>> infoleak.
>>
>> This bug was introduced before the git epoch."
>> http://marc.info/?l=linux-netdev&m=130036203528021&w=2
>
> [PATCH] econet: 4 byte infoleak to the network
> CVE-2011-1173

https://bugzilla.redhat.com/show_bug.cgi?id=591815#c14
http://git.kernel.org/?p=linux/kernel/git/davem/net-2.6.git;a=commitdiff;h=67c5c6cb8129c595f21e88254a3fc6b3b841ae8e

Thanks, Eugene
-- 
main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i); }

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.