Date: Sat, 24 Jan 2015 09:59:03 -0500 (EST) From: cve-assign@...re.org To: wmealing@...hat.com Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: CVE Request: Linux kernel - Denial of service in notify_change for xattrs. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > [wmealing]$ chown root:root /usr/bin/ping > chown: changing ownership of '/usr/bin/ping': Operation not permitted > > [wmealing]$ ping www.google.com > ping: icmp open socket: Operation not permitted > > This can cause a denial of service for applications which use the > capabilities subsystem such as pirahnah (arping), netconsole (arping), > some kdump implementations, etc. >> Currently we call security_inode_killpriv() in notify_change(), >> but in case of a chown() this is too early - we have not called >> inode_change_ok() or made any filesystem-specific permission/sanity >> checks. >> + * setattr_killpriv - remove extended privilege attributes from a file >> + * @dentry: Directory entry passed to the setattr operation >> + * @iattr: New attributes pased to the setattr operation >> + * >> + * All filesystems that can carry extended privilege attributes >> + * should call this from their setattr operation *after* validating >> + * the attribute changes. This is a somewhat unusual situation in which there is arguably a single underlying discovery: if any filesystem supports extended privilege attributes, its setattr operation has a requirement for certain code that supports the functionality of removing extended privilege attributes. Previously, there was no such requirement in the sense that notify_change was (wrongly) expected to support that functionality. Thus, it seems best to model this as a single security problem (with a single CVE ID) in which the set of requirements for setattr operations was incomplete. It does not seem worthwhile to model this as a series of related security problems (with multiple CVE IDs) in which individual filesystems had their own independent implementation errors. Use CVE-2015-1350. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJUw7LsAAoJEKllVAevmvmsxFwIAI8+WBXMKoJ7r+rWI7eeXoSn mGcb3gMBNS4siHYk12q22wcSHL/MbPqeUwWYT6b28xgf79GHkuLFyEksunhVoLzB TFrg1co3TjhzOtxAMV+VjjPRmfiS0Odc3KVsFyHX3FkNbPRLqy7d/yHMstScOTXM NzqpxrVRrL0Xs4LiOXWfWsAl1pkHpoDZSEC6FNxB2O87LowQF1qn/UlT88QczYoN 4R66bDM3grd8iqohrpRk9ILiD97ZDShpwL8AIT27yxWttC2QiltSWTqCLvTGOZ4V ovk5gI1kAcGvGE32ILLYPrqDERLM4O3LqZtsd+793yj2yuqDs9D4cNj9XAdij5M= =WP6T -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.