Open Source Security

Re: CVE request - kernel: ima: fix null pointer dereference

Tue, 09 Feb 2010 15:57:00 GMT

Posted by Greg KH on Feb 09

Do we need CVE numbers for issues that never showed up in a released
kernel version? I don't see how this could affect anyone, unless they
were foolish enough to ship a product on a non-released kernel :)

thanks,

greg k-h

CVE Request -- cURL/libCURL 7.20.0

Tue, 09 Feb 2010 14:23:27 GMT

Posted by Jan Lieskovsky on Feb 09

Hi Steve, vendors,

cURL upstream has released latest v7.20.0 version of cURL/libCURL
fixing the "libcurl data callback excessive length" issue.

References:
[1] http://curl.haxx.se/docs/security.html#20100209
[2] http://curl.haxx.se/docs/adv_20100209.html
[3] http://curl.haxx.se/libcurl-contentencoding.patch
[4] http://curl.haxx.se/download.html

Mitigation factors (from [1]):

"This error is only present in zlib-enabled builds...

Re: CVE request - fetchmail 6.3.11-.13 heap overflow in verbose X.509 cert display (only printable chars)

Tue, 09 Feb 2010 08:43:49 GMT

Posted by Tomas Hoger on Feb 09

Looks like one got assigned by Mitre:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0562

Fwd: CVE request - fetchmail 6.3.11-.13 heap overflow in verbose X.509 cert display (only printable chars)

Tue, 09 Feb 2010 08:32:39 GMT

Posted by Matthias Andree on Feb 09

PING?

------- Weitergeleitete Nachricht -------
Von: "Matthias Andree" <matthias.andree () gmx de>
An: oss-security () lists openwall com
Kopie:
Betreff: [oss-security] CVE request - fetchmail 6.3.11-.13 heap overflow
in verbose X.509 cert display (only printable chars)
Datum: Thu, 04 Feb 2010 10:59:32 +0100

Please assign a CVE for the issue described below:...

CVE request - kernel: futex: Handle user space corruption gracefully

Tue, 09 Feb 2010 07:59:01 GMT

Posted by Eugene Teo on Feb 08

Description of the issue: "If the owner of a PI futex dies we fix up the
pi_state and set pi_state->owner to NULL. When a malicious or just
sloppy programmed user space application sets the futex value to 0 e.g.
by calling pthread_mutex_init(), then the futex can be acquired again. A
new waiter manages to enqueue itself on the pi_state w/o damage, but on
unlock the kernel dereferences pi_state->owner and oopses.

Prevent this by...

CVE request - kernel: race in ptrace

Tue, 09 Feb 2010 06:35:05 GMT

Posted by Eugene Teo on Feb 08

Discovered by Tavis Ormandy. "The race involves interaction between a
tracer, a tracee and an antagonist. The tracer is tracing the tracee
with PTRACE_SYSCALL and waits on the tracee. In the mean time, an
antagonist blasts the tracee with SIGCONTs.

The observed issue is that sometimes when the tracer attempts to
continue the tracee with PTRACE_SYSCALL, it gets a return value of
-ESRCH, indicating that the tracee is already running (or...

gnome-screensaver vulnerability (CVE-2010-0414)

Mon, 08 Feb 2010 16:48:58 GMT

Posted by Vincent Danen on Feb 08

This is a heads up on a gnome-screensaver issue that was fixed upstream
today.

In version 2.28, it is possible to circumvent the security of screen
locking functionality by changing the physical monitor configuration.

Details are available in our bugzilla, along with the patch being used
by upstream to correct the issue:

https://bugzilla.redhat.com/show_bug.cgi?id=562217

We have assigned CVE-2010-0414 to this issue.

The code that caused this...

Re: CVE request: information leak / potential crash in sys_move_pages

Mon, 08 Feb 2010 14:36:36 GMT

Posted by Marcus Meissner on Feb 08

For the record...

This was reported to Novell Bugzilla by our business partner IBM as a beta test
bug on our Service Pack SLES 11 SP1, from rcvalle () IBM

The report contained the Ooops backtrace, caused by runs of the "flail" tool,
( http://www.risesecurity.org/ramon/flail-0.1.0.tar.gz )

I spotted this 1 bug in the actual code though and mailed security () kernel org
to get it fixed ASAP for 2.6.33 and our product.

Usually IBM...

CVE request - kernel: ima: fix null pointer dereference

Mon, 08 Feb 2010 01:31:23 GMT

Posted by Eugene Teo on Feb 07

Was cc'ed this in a couple of kernel mailing lists.

This was introduced in 6c21a7fb4 (v2.6.33-rc1).

It was first reported here http://lkml.org/lkml/2009/12/29/13, and
subsequently here http://lkml.org/lkml/2010/2/5/76 (backtraces).

This can be reproduced by running ltp test pipe07.

http://groups.google.com/group/linux.kernel/msg/95986c94ea55c81a.
https://bugzilla.redhat.com/show_bug.cgi?id=562597

Mainline fix:...

Re: Samba symlink 0day flaw

Sun, 07 Feb 2010 18:24:27 GMT

Posted by Nico Golde on Feb 07

Hey,
* Yves-Alexis Perez <corsac () debian org> [2010-02-06 15:02]:

[...]

Args, you are right.

Cheers
Nico

Re: CVE request: information leak / potential crash in sys_move_pages

Sun, 07 Feb 2010 14:59:10 GMT

Posted by Eugene Teo on Feb 07

Thanks, please use CVE-2010-0415.

Eugene

CVE request: information leak / potential crash in sys_move_pages

Sun, 07 Feb 2010 01:50:52 GMT

Posted by Marcus Meissner on Feb 06

Hi,

I spotted a problem in sys_move_pages, where "node" value is read from userspace,
but not limited to the node set within the kernel itself.

Due to the bit tests in mm/migrate.c:do_move_pages it is easy to read out
the kernel memory (as node can also be negative).

(The node_isset and node_state functions just map to test_bit, which has
no limiter in the normal implementations.)

There also is (in my eyes) the chance we can...

Re: Samba symlink 0day flaw

Sat, 06 Feb 2010 13:54:34 GMT

Posted by Yves-Alexis Perez on Feb 06

wide links (S)

This parameter controls whether or not links in the UNIX file
system may be followed by the server. Links that point to areas
within the directory tree exported by the server are always
allowed; this parameter controls access only to areas that are
outside the directory tree being exported.

Note that setting this parameter can have a negative effect
on your...

Re: Samba symlink 0day flaw

Sat, 06 Feb 2010 13:33:35 GMT

Posted by Nico Golde on Feb 06

Hey,
* Simo Sorce <ssorce () redhat com> [2010-02-05 22:48]:

The wide_links variable, at least not in my copy.

Cheers
Nico

Re: Samba symlink 0day flaw

Sat, 06 Feb 2010 10:53:59 GMT

Posted by Eren Türkay on Feb 06

FYI, metasploit exploit module was released.

http://blog.metasploit.com/2010/02/exploiting-samba-symlink-traversal.html