Message-ID: <4D86FF2A.1090200@redhat.com>
Date: Mon, 21 Mar 2011 15:32:58 +0800
From: Eugene Teo <eugene@...hat.com>
To: oss-security@...ts.openwall.com
CC: Vasiliy Kulikov <segoon@...nwall.com>,
        "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE request: kernel: netfilter & econet infoleaks

On 03/21/2011 12:35 PM, Eugene Teo wrote:
>> "Structures ipt_replace, compat_ipt_replace, and xt_get_revision are
>> copied from userspace. Fields of these structs that are
>> zero-terminated strings are not checked. When they are used as argument
>> to a format string containing "%s" in request_module(), some sensitive
>> information is leaked to userspace via argument of spawned modprobe
>> process.
>>
>> The first bug was introduced before the git epoch; the second is
>> introduced by 6b7d31fc (v2.6.15-rc1); the third is introduced by
>> 6b7d31fc (v2.6.15-rc1). To trigger the bug one should have
>> CAP_NET_ADMIN."
>> http://marc.info/?l=netfilter-devel&m=129978081009955&w=2
>
> [PATCH] ipv4: netfilter: arp_tables: fix infoleak to userspace
> CVE-2011-1170

https://bugzilla.redhat.com/CVE-2011-1170
http://git.kernel.org/?p=linux/kernel/git/kaber/nf-next-2.6.git;a=commitdiff;h=42eab94fff18cb1091d3501cd284d6bd6cc9c143

>> "Structures ipt_replace, compat_ipt_replace, and xt_get_revision are
>> copied from userspace. Fields of these structs that are
>> zero-terminated strings are not checked. When they are used as argument
>> to a format string containing "%s" in request_module(), some sensitive
>> information is leaked to userspace via argument of spawned modprobe
>> process.
>>
>> The first and the third bugs were introduced before the git epoch; the
>> second was introduced in 2722971c (v2.6.17-rc1). To trigger the bug
>> one should have CAP_NET_ADMIN."
>> http://marc.info/?l=linux-kernel&m=129978077609894&w=2
>
> [PATCH] ipv4: netfilter: ip_tables: fix infoleak to userspace
> CVE-2011-1171

https://bugzilla.redhat.com/CVE-2011-1171
http://git.kernel.org/?p=linux/kernel/git/kaber/nf-next-2.6.git;a=commitdiff;h=78b79876761b86653df89c48a7010b5cbd41a84a

>> "'buffer' string is copied from userspace. It is not checked whether
>> it is zero terminated. This may lead to overflow inside of simple_strtoul().
>> Changli Gao suggested to copy not more than user supplied 'size' bytes.
>>
>> It was introduced before the git epoch. Files "ipt_CLUSTERIP/*" are
>> root writable only by default, however, on some setups permissions
>> might be relaxed to e.g. network admin user."
>> http://marc.info/?l=netfilter&m=129978077509888&w=2
>> http://marc.info/?l=netfilter-devel&m=130036157327564&w=2
>
> I'm reluctant to assign a CVE name for this one. The default perms for
> this is S_IWUSR|S_IRUSR. I will let Steve decide for this one.

https://bugzilla.redhat.com/689337
http://git.kernel.org/?p=linux/kernel/git/kaber/nf-2.6.git;a=commitdiff;h=961ed183a9fd080cf306c659b8736007e44065a5

>> "Structures ip6t_replace, compat_ip6t_replace, and xt_get_revision are
>> copied from userspace. Fields of these structs that are
>> zero-terminated strings are not checked. When they are used as argument
>> to a format string containing "%s" in request_module(), some sensitive
>> information is leaked to userspace via argument of spawned modprobe
>> process.
>>
>> The first bug was introduced before the git epoch; the second was
>> introduced in 3bc3fe5e (v2.6.25-rc1); the third is introduced by
>> 6b7d31fc (v2.6.15-rc1). To trigger the bug one should have
>> CAP_NET_ADMIN."
>> http://marc.info/?l=linux-kernel&m=129978086410061&w=2
>
> [PATCH] ipv6: netfilter: ip6_tables: fix infoleak to userspace
> CVE-2011-1172

https://bugzilla.redhat.com/CVE-2011-1172
http://git.kernel.org/?p=linux/kernel/git/kaber/nf-next-2.6.git;a=commitdiff;h=6a8ab060779779de8aea92ce3337ca348f973f54

>> "struct aunhdr has 4 padding bytes between 'pad' and 'handle' fields on
>> x86_64. These bytes are not initialized in the variable 'ah' before
>> sending 'ah' to the network. This leads to 4 bytes kernel stack
>> infoleak.
>>
>> This bug was introduced before the git epoch."
>> http://marc.info/?l=linux-netdev&m=130036203528021&w=2
>
> [PATCH] econet: 4 byte infoleak to the network
> CVE-2011-1173

https://bugzilla.redhat.com/show_bug.cgi?id=591815#c14
http://git.kernel.org/?p=linux/kernel/git/davem/net-2.6.git;a=commitdiff;h=67c5c6cb8129c595f21e88254a3fc6b3b841ae8e

Thanks, Eugene
-- 
main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i); }
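The two leak patterns discussed in this thread, a name field copied from userspace with no guaranteed NUL before it reaches "%s", and struct padding that goes to the wire uninitialized, shown as an added userspace C illustration; this is not the kernel patches and not code from the message above. The field size NAME_MAX_LEN, the `fake_replace` and `aun_like` layouts and the all-'A' input are assumptions constructed for the example.

```c
#include <stddef.h>
#include <string.h>

/* Stand-in for the name field of the netfilter *_replace structs; the
 * size is an assumption, not taken from the thread. */
#define NAME_MAX_LEN 32
struct fake_replace {
    char name[NAME_MAX_LEN];   /* userspace may omit the terminating NUL */
    unsigned int num_entries;
};
/* Check: is the name NUL-terminated inside its own buffer? If not, "%s"
 * reads past the field, which is the leak class the thread describes. */
int name_is_terminated(const struct fake_replace *r) {
    return memchr(r->name, '\0', sizeof(r->name)) != NULL;
}

/* Mitigation: force a terminator before the name is used as a string. */
size_t sanitize_name(struct fake_replace *r) {
    r->name[sizeof(r->name) - 1] = '\0';
    return strlen(r->name);
}

/* Constructed copy_from_user()-style input: 'A' in every byte, no NUL.
 * Returns 1 if the check rejects it and sanitizing bounds it to 31. */
int unterminated_name_handled(void) {
    struct fake_replace r;
    memset(&r, 'A', sizeof(r));
    int rejected = !name_is_terminated(&r);
    return rejected && sanitize_name(&r) == NAME_MAX_LEN - 1;
}

/* econet AUN header as the thread describes it: on LP64 the 8-byte
 * 'handle' leaves 4 padding bytes after 'pad'. Field types are assumed. */
struct aun_like { unsigned char code, port, cb, pad; unsigned long handle; };
int aun_padding_bytes(void) {
    return (int)(offsetof(struct aun_like, handle) - offsetof(struct aun_like, pad) - 1);
}

/* Mitigation: zero the whole object before filling it so padding never
 * carries stale stack bytes to the wire. Returns the nonzero-padding count. */
int stale_padding_after_build(unsigned long handle) {
    struct aun_like ah;
    memset(&ah, 0, sizeof(ah));
    ah.code = 2; ah.port = 1; ah.cb = 0; ah.pad = 0; ah.handle = handle;
    const unsigned char *p = (const unsigned char *)&ah;
    int n = 0;
    for (size_t i = offsetof(struct aun_like, pad) + 1; i < offsetof(struct aun_like, handle); i++)
        n += (p[i] != 0);
    return n;
}
```

On x86_64 `aun_padding_bytes()` returns 4, matching the 4-byte leak in the econet report; on a 32-bit build it returns 0 because `unsigned long` needs no extra alignment there.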
