Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <20150124145903.177CA3AE060@smtpvbsrv1.mitre.org>
Date: Sat, 24 Jan 2015 09:59:03 -0500 (EST)
From: cve-assign@...re.org
To: wmealing@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: Linux kernel - Denial of service in notify_change for xattrs.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> [wmealing]$ chown root:root /usr/bin/ping
> chown: changing ownership of '/usr/bin/ping': Operation not permitted
> 
> [wmealing]$ ping www.google.com
> ping: icmp open socket: Operation not permitted
> 
> This can cause a denial of service for applications which use the
> capabilities subsystem such as pirahnah (arping), netconsole (arping),
> some kdump implementations, etc.

>> Currently we call security_inode_killpriv() in notify_change(),
>> but in case of a chown() this is too early - we have not called
>> inode_change_ok() or made any filesystem-specific permission/sanity
>> checks.

>> + * setattr_killpriv - remove extended privilege attributes from a file
>> + * @dentry: Directory entry passed to the setattr operation
>> + * @iattr: New attributes pased to the setattr operation
>> + *
>> + * All filesystems that can carry extended privilege attributes
>> + * should call this from their setattr operation *after* validating
>> + * the attribute changes.

This is a somewhat unusual situation in which there is arguably a
single underlying discovery: if any filesystem supports extended
privilege attributes, its setattr operation has a requirement for
certain code that supports the functionality of removing extended
privilege attributes. Previously, there was no such requirement in the
sense that notify_change was (wrongly) expected to support that
functionality. Thus, it seems best to model this as a single security
problem (with a single CVE ID) in which the set of requirements for
setattr operations was incomplete. It does not seem worthwhile to
model this as a series of related security problems (with multiple CVE
IDs) in which individual filesystems had their own independent
implementation errors.

Use CVE-2015-1350.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJUw7LsAAoJEKllVAevmvmsxFwIAI8+WBXMKoJ7r+rWI7eeXoSn
mGcb3gMBNS4siHYk12q22wcSHL/MbPqeUwWYT6b28xgf79GHkuLFyEksunhVoLzB
TFrg1co3TjhzOtxAMV+VjjPRmfiS0Odc3KVsFyHX3FkNbPRLqy7d/yHMstScOTXM
NzqpxrVRrL0Xs4LiOXWfWsAl1pkHpoDZSEC6FNxB2O87LowQF1qn/UlT88QczYoN
4R66bDM3grd8iqohrpRk9ILiD97ZDShpwL8AIT27yxWttC2QiltSWTqCLvTGOZ4V
ovk5gI1kAcGvGE32ILLYPrqDERLM4O3LqZtsd+793yj2yuqDs9D4cNj9XAdij5M=
=WP6T
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.