Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 18 May 2016 11:34:35 -0400 (EDT)
From: cve-assign@...re.org
To: carnil@...ian.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: Linux: information leak in Rock Ridge Extensions to iso9660 -- fs/isofs/rock.c

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> The following commit in Linux v4.6 addresses an information leak
> caused by not properly handling NM entries containing NUL.
> 
> https://git.kernel.org/linus/99d825822eade8d827a1817357cbf3f889a552d6

>> stop once we'd encountered 32 CEs, but you can get about 8Kb easily.
>> And that's what will be passed to readdir callback as the name length.

>> Cc: stable@...r.kernel.org # 0.98pl6+ (yes, really)

Use CVE-2016-4913.

This might have a threat model that is not often seen in vulnerability
reports. Is the issue somewhat similar to CVE-2014-9731, i.e., the
attacker only needs the ability to mount an isofs filesystem on an
already-running system -- either with physical removable media or
equivalent actions that may be relevant with virtualization -- and
then the attacker obtains the ability to read from some unintended
(but not arbitrary) kernel memory locations? Also, is the severity of
CVE-2016-4913 much greater than that of CVE-2014-9731, because the
amount of kernel memory is much larger and because CVE-2016-4913
affects essentially every Linux release (as long as CONFIG_ISO9660_FS
was used)?

Are there also plausible scenarios with a DoS impact, but they are of
less concern because the information leak is much more important in
almost all realistic cases? (For example: possibly someone has a
long-running root process that tries to maintain a searchable index of
all files on all user-mounted isofs filesystems, and that process
stops because the code sees invalid readdir results.)

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJXPIsOAAoJEHb/MwWLVhi2LPIP/RJ+S+xraiesxdcpC4M4uIB9
IQ7APteqUe2QCD4yoZwo4Lkq3IthV/cGE0Mko64coLzvU5zj0VSWac0rIQoXx1UR
mLVgelyUCejpuFs9BZGhcjkBmzTT2pMSPxfwPeMV+0qiBfJbiJDIfYSLb7nzQXZA
zb8XuKBWZL5VOftoXN2I33ZyEhaNXezyHESGTPaChEkioYyt48tAEBs/iTDUF/j6
j4dNouBoKPqeunbCtXtuZ5KMSSkmZrkCFg0N38Hs0CFdEUH2BTHJGcml1pforWx5
okoBPONK/oSM7WeiRftjFL3DLKnYPaW9DAkujNoJwh5GoW216qbuymYMYcz8yVHA
BogUBRCfpuCe7Ua7MalgeBGklAYsfY3tYHhwDOnUZtO9wPJnocnoBVXKEoSQ+zAH
cVTFPizG/ZvaGehC1Mp52+KSOgsdvJiNysQy6/GZmrEVOAk7kI9t/XFK6U7MUBwI
p/wAzo27U1+0WL65JfVKP04RmPku0EN0zDCzka+GOyZXeAy96N0EcmsqoNT6NMS8
RBqLw/F61uNlPyK4Ys8NWn7XOv/GHl4t8l4I0ForxyLw7qikMZWwCW404TJ+CiTt
Q6jz6Gky02gtifoaivheTzpWKUJE07TxubfkKdQTI+uimpAx/fx7mCIQFMSIei1i
B4RwERTwoQgfX9GKwUnl
=1bfz
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.