Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 2 Mar 2016 17:55:48 -0600
From: Tyler Hicks <tyhicks@...onical.com>
To: oss-security@...ts.openwall.com
Cc: Miklos Szeredi <miklos@...redi.hu>,
	Colin Ian King <colin.king@...onical.com>, security@...ntu.com
Subject: CVE-2015-1339: Linux Kernel: memory exhaustion via CUSE driver

Colin Ian King discovered a kernel memory leak in the CUSE driver using
stress-ng. A local denial of service, via memory exhaustion, is possible
if the attacker has sufficient privileges to repeatedly open /dev/cuse
for reading.

In Ubuntu, /dev/cuse is only readable by root so this flaw was deemed to
have a very low impact. I'm unsure of the default permissions in other
distributions.

CVE-2015-1339 was assigned to the issue.

Introduced in 4.2: https://git.kernel.org/linus/cc080e9e9be16ccf26135d366d7d2b65209f1d56
Fixed in 4.4: https://git.kernel.org/linus/2c5816b4beccc8ba709144539f6fdd764f8fa49c

Tyler

Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.