Date: Sat, 26 Mar 2016 17:52:11 +0300
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2015-1805 Linux kernel: pipe: iovec overrun leading to memory corruption

On Tue, Mar 22, 2016 at 11:58:39PM +0300, Solar Designer wrote:
> The primary reason I am posting this is so that other distros know the
> vulnerability was apparently shown to be exploitable.

And that's not the end of the story:

https://lwn.net/SubscriberLink/681062/b974fb24a6c4617b/

"Posted Mar 25, 2016 13:23 UTC (Fri) by BenHutchings (subscriber, #37955)

Unfortunately the fix by Seth Jennings for RHEL, later applied to stable
branches, was still incorrect, leading to CVE-2016-0774. I hope AOSP
picks up the second fix as well."

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0774

"Petr Matousek 2016-02-02 09:34:35 EST

It was found that the fix for CVE-2015-1805 incorrectly kept buffer offset
and buffer length in sync on failed atomic read, potentially resulting in
pipe buffer state corruption. A local, unprivileged user could use this
flaw to crash the system or leak kernel memory to user-space.

Upstream Linux kernel is not affected by this flaw as it was introduced by
the Red Hat Enterprise Linux only fix for CVE-2015-1805.

Acknowledgements:

The security impact of this issue was discovered by Red Hat."

Alexander
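The Red Hat description above boils down to a bookkeeping problem: a pipe buffer is described by an offset and a length into one page, and when a copy to user space fails part-way, both fields must be advanced by the number of bytes actually copied, or the buffer's state no longer describes data inside the page. The following is an added userspace model of that bug class, written for this page; it is not code from the thread, from the RHEL patch, or from any kernel tree. The struct, function names, the page size and the particular way the "flawed" variant goes wrong (offset advanced by the requested count, length by the copied count) are assumed for illustration and do not claim to reproduce the exact RHEL defect. The consistency check it ends with is the invariant a reviewer would want to see asserted after any partial-copy path.

```c
/* Added example (not from the oss-security thread or any kernel tree): a
 * userspace model of pipe_buffer-style {offset,len} bookkeeping when a copy
 * to user space fails part-way. All names, the page size and the failure
 * shape are assumptions made for illustration. */
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MODEL_PAGE_SIZE 4096

struct model_buf {
    const unsigned char *page;  /* backing page holding the pipe data */
    size_t offset;              /* start of unread data within the page */
    size_t len;                 /* number of unread bytes */
};

/* Stand-in for copy_to_user(): copies at most 'fault_after' bytes before
 * "faulting". Returns the number of bytes NOT copied, as the kernel helper
 * does, so 0 means complete success. */
static size_t model_copy_to_user(unsigned char *dst, const unsigned char *src,
                                 size_t n, size_t fault_after)
{
    size_t done = n < fault_after ? n : fault_after;
    memcpy(dst, src, done);
    return n - done;
}

/* The invariant every consumer must preserve: the unread region
 * [offset, offset+len) lies entirely within the page. */
static int model_buf_consistent(const struct model_buf *b)
{
    return b->offset <= MODEL_PAGE_SIZE &&
           b->len <= MODEL_PAGE_SIZE - b->offset;
}

/* Correct bookkeeping: advance offset and shrink len by the bytes that were
 * actually copied, whether or not the copy completed. Returns bytes read. */
static size_t model_read_correct(struct model_buf *b, unsigned char *dst,
                                 size_t want, size_t fault_after)
{
    size_t chars = want < b->len ? want : b->len;
    size_t left = model_copy_to_user(dst, b->page + b->offset, chars, fault_after);
    size_t copied = chars - left;
    b->offset += copied;
    b->len -= copied;
    return copied;
}

/* Hypothetical flawed bookkeeping: offset assumes the whole chunk went out,
 * len only accounts for what did. After a partial copy the two fields
 * disagree and the next read can start past the end of the page. */
static size_t model_read_flawed(struct model_buf *b, unsigned char *dst,
                                size_t want, size_t fault_after)
{
    size_t chars = want < b->len ? want : b->len;
    size_t left = model_copy_to_user(dst, b->page + b->offset, chars, fault_after);
    size_t copied = chars - left;
    b->offset += chars;   /* wrong: not the number of bytes actually copied */
    b->len -= copied;
    return copied;
}

/* Runs one variant on constructed state: the last 100 bytes of a page are
 * unread, the reader asks for all 100, and the copy faults after 40.
 * Returns 1 if the variant left the buffer consistent, 0 otherwise. */
static int model_run(int flawed)
{
    static unsigned char page[MODEL_PAGE_SIZE];
    unsigned char user[100];
    memset(page, 0x41, sizeof page);            /* constructed sample data */
    struct model_buf b = { page, MODEL_PAGE_SIZE - 100, 100 };
    size_t got = flawed ? model_read_flawed(&b, user, 100, 40)
                        : model_read_correct(&b, user, 100, 40);
    assert(got == 40);                          /* both copy the same 40 bytes */
    return model_buf_consistent(&b);
}

int main(void)
{
    printf("correct bookkeeping consistent after partial copy: %d\n", model_run(0));
    printf("flawed bookkeeping consistent after partial copy:  %d\n", model_run(1));
    return 0;
}
```

In the flawed run the buffer ends with offset at the page boundary but 60 bytes still marked unread, so a subsequent read would start reading beyond the page, which is the shape of the "leak kernel memory to user-space" outcome the advisory describes; the correct run leaves offset and len describing exactly the 60 bytes that were not delivered.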