|
Message-Id: <20160518153435.8189F6C00A8@smtpvmsrv1.mitre.org> Date: Wed, 18 May 2016 11:34:35 -0400 (EDT) From: cve-assign@...re.org To: carnil@...ian.org Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: CVE Request: Linux: information leak in Rock Ridge Extensions to iso9660 -- fs/isofs/rock.c -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 > The following commit in Linux v4.6 addresses an information leak > caused by not properly handling NM entries containing NUL. > > https://git.kernel.org/linus/99d825822eade8d827a1817357cbf3f889a552d6 >> stop once we'd encountered 32 CEs, but you can get about 8Kb easily. >> And that's what will be passed to readdir callback as the name length. >> Cc: stable@...r.kernel.org # 0.98pl6+ (yes, really) Use CVE-2016-4913. This might have a threat model that is not often seen in vulnerability reports. Is the issue somewhat similar to CVE-2014-9731, i.e., the attacker only needs the ability to mount an isofs filesystem on an already-running system -- either with physical removable media or equivalent actions that may be relevant with virtualization -- and then the attacker obtains the ability to read from some unintended (but not arbitrary) kernel memory locations? Also, is the severity of CVE-2016-4913 much greater than that of CVE-2014-9731, because the amount of kernel memory is much larger and because CVE-2016-4913 affects essentially every Linux release (as long as CONFIG_ISO9660_FS was used)? Are there also plausible scenarios with a DoS impact, but they are of less concern because the information leak is much more important in almost all realistic cases? (For example: possibly someone has a long-running root process that tries to maintain a searchable index of all files on all user-mounted isofs filesystems, and that process stops because the code sees invalid readdir results.) - -- CVE Assignment Team M/S M300, 202 Burlington Road, Bedford, MA 01730 USA [ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJXPIsOAAoJEHb/MwWLVhi2LPIP/RJ+S+xraiesxdcpC4M4uIB9 IQ7APteqUe2QCD4yoZwo4Lkq3IthV/cGE0Mko64coLzvU5zj0VSWac0rIQoXx1UR mLVgelyUCejpuFs9BZGhcjkBmzTT2pMSPxfwPeMV+0qiBfJbiJDIfYSLb7nzQXZA zb8XuKBWZL5VOftoXN2I33ZyEhaNXezyHESGTPaChEkioYyt48tAEBs/iTDUF/j6 j4dNouBoKPqeunbCtXtuZ5KMSSkmZrkCFg0N38Hs0CFdEUH2BTHJGcml1pforWx5 okoBPONK/oSM7WeiRftjFL3DLKnYPaW9DAkujNoJwh5GoW216qbuymYMYcz8yVHA BogUBRCfpuCe7Ua7MalgeBGklAYsfY3tYHhwDOnUZtO9wPJnocnoBVXKEoSQ+zAH cVTFPizG/ZvaGehC1Mp52+KSOgsdvJiNysQy6/GZmrEVOAk7kI9t/XFK6U7MUBwI p/wAzo27U1+0WL65JfVKP04RmPku0EN0zDCzka+GOyZXeAy96N0EcmsqoNT6NMS8 RBqLw/F61uNlPyK4Ys8NWn7XOv/GHl4t8l4I0ForxyLw7qikMZWwCW404TJ+CiTt Q6jz6Gky02gtifoaivheTzpWKUJE07TxubfkKdQTI+uimpAx/fx7mCIQFMSIei1i B4RwERTwoQgfX9GKwUnl =1bfz -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.