Date: Thu, 22 Jan 2015 23:05:35 -0500 (EST)
From: Wade Mealing <wmealing@...hat.com>
To: cve-assign@...re.org, OSS Security List <oss-security@...ts.openwall.com>
Subject: CVE Request: Linux kernel - Denial of service in notify_change for xattrs.

I'd like to request a CVE for an issue brought up on this list on Jan 17th 2015. I did not see one created for this issue titled:

"Re: [RFC PATCH RESEND] vfs: Move security_inode_killpriv() after permission checks"
http://www.openwall.com/lists/oss-security/2015/01/21/3t

This issue can be classified as a denial of service.

Example:

[wmealing]$ ping -c1 www.google.com
PING www.google.com (126.96.36.199) 56(84) bytes of data.
64 bytes from syd10s01-in-f4.1e100.net (188.8.131.52): icmp_seq=1 ttl=51 time=14.1 ms

--- www.google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 14.162/14.162/14.162/0.000 ms

[wmealing]$ chown root:root /usr/bin/ping
chown: changing ownership of ‘/usr/bin/ping’: Operation not permitted

[wmealing]$ ping www.google.com
ping: icmp open socket: Operation not permitted

This can cause a denial of service for applications which use the capabilities subsystem such as pirahnah (arping), netconsole (arping), some kdump implementations, etc.

Thank you.

Wade Mealing
--
Red Hat Product Security
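The symptom in the report is a binary whose security.capability xattr has been killed, so a defender's check is to compare each privileged binary's file capabilities against a baseline. The audit below is an added example, not code from the message or from the kernel; it decodes struct vfs_cap_data (revision 2 and 3) itself so it does not depend on getcap, and the CAP_NAMES subset and the injectable read_xattr hook are my own choices (the default reader uses os.getxattr, Linux only).

```python
import errno
import os
import struct

# Layout of the security.capability xattr (struct vfs_cap_data, little-endian u32s):
#   magic_etc (revision in the top byte, bit 0 = VFS_CAP_FLAGS_EFFECTIVE), then
#   permitted[0], inheritable[0] (caps 0..31), permitted[1], inheritable[1] (caps 32..63),
#   and for revision 3 only a trailing rootid (user-namespaced file capabilities).
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_2 = 0x02000000
VFS_CAP_REVISION_3 = 0x03000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
CAP_NAMES = {10: "cap_net_bind_service", 12: "cap_net_admin", 13: "cap_net_raw"}  # subset of linux/capability.h


def parse_vfs_cap(raw):
    """Decode security.capability bytes into (permitted, inheritable, effective, rootid)."""
    if len(raw) < 20:
        raise ValueError("xattr too short for struct vfs_cap_data")
    magic, p0, i0, p1, i1 = struct.unpack_from("<5I", raw, 0)
    rev = magic & VFS_CAP_REVISION_MASK
    if rev == VFS_CAP_REVISION_3:
        if len(raw) < 24:
            raise ValueError("revision 3 xattr is missing rootid")
        (rootid,) = struct.unpack_from("<I", raw, 20)
    elif rev == VFS_CAP_REVISION_2:
        rootid = 0
    else:
        raise ValueError("unsupported vfs_cap revision 0x%08x" % rev)
    return p0 | (p1 << 32), i0 | (i1 << 32), bool(magic & VFS_CAP_FLAGS_EFFECTIVE), rootid


def cap_names(mask):
    """Turn a 64-bit capability mask into a set of capability names."""
    return {CAP_NAMES.get(n, "cap_%d" % n) for n in range(64) if mask >> n & 1}


def audit(path, expected, read_xattr=None):
    """Compare a binary's file caps to a baseline set; an empty list means nothing was stripped."""
    read_xattr = read_xattr or (lambda p: os.getxattr(p, "security.capability"))
    try:
        raw = read_xattr(path)
    except OSError as e:
        # ENODATA is exactly the post-chown state in the report: the xattr was killed.
        why = "no security.capability xattr" if e.errno == errno.ENODATA else str(e)
        return ["%s: %s" % (path, why)]
    permitted, _inheritable, effective, _rootid = parse_vfs_cap(raw)
    findings = []
    missing = expected - cap_names(permitted)
    if missing:
        findings.append("%s: missing permitted caps %s" % (path, sorted(missing)))
    if expected and not effective:
        findings.append("%s: capabilities are not effective" % path)
    return findings
```

Run it from cron or a configuration-management check against the binaries a host relies on (ping, arping, the kdump helpers named above), and alert on any non-empty result.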