Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 26 Feb 2013 10:16:54 -0800
From: Greg KH <greg@...ah.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request - Linux kernel: VFAT slab-based
 buffer overflow

On Tue, Feb 26, 2013 at 11:56:02AM -0600, Joshua J. Drake wrote:
> All,
> 
> I'd like to request a CVE for an issue leading to a buffer overflow of
> a slab allocated buffer in the VFAT file system code. The issue
> manifests when converting UTF8 characters to UTF16 inside the
> "utf8s_to_utf16s" function. Reaching this code requires writing to a
> VFAT partition that has been mounted with the "utf8" option. Ubuntu
> 10.04 mounts USB sticks with this option by default. Most Android
> devices mount eMMC/SD cards/etc with this option.
> 
> The issue affects kernels prior to 3.2. Many Android devices remain
> affected today.
> 
> I'm not entirely sure when the issue was introduced at this moment. It
> appears to have been introduced here:
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=commitdiff;h=74675a58507e769beee7d949dbed788af3c4139d
> 
> The issue was fixed here:
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=commitdiff;h=0720a06a7518c9d0c0125bd5d1f3b6264c55c3dd
> 
> The issue was partially disclosed here (this spurred my investigation):
> http://www.exploit-db.com/exploits/23248/
> 
> Props to G13 for finding it. It's pretty disappointing that
> Google/Android security teams (and of course Linux maintainers) didn't
> responsibly disclose the issue so other Linux kernel packagers could
> package a fix.

Ok, how could the Linux maintainers have done anything about this, when
the developers involved in creating this patch didn't even realize it
was a "security" issue in the first place?

I'm tired of people complaining about how the Linux kernel developers
handle security issues, when no one seems to have a suggestion as to how
anything could actually be done better.

And note, I was one of the people involved in this patch, and I didn't
notice anything special about it, so if you want to blame anyone, blame
me for not tagging it for inclusion in the stable kernel releases.

greg k-h

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.