Message-ID: <20130314161924.GC31744@dhcp-25-225.brq.redhat.com>
Date: Thu, 14 Mar 2013 17:19:24 +0100
From: Petr Matousek <pmatouse@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request/Guidance: Linux kernel cdc-wdm buffer
 overflow triggered by device

Hi Marcus,

On Thu, Mar 14, 2013 at 02:43:41PM +0100, Marcus Meissner wrote:
> I am wondering ... do we consider attacks with special attack tailored USB
> devices as CVE worthy?
> 
> There is only some precedence in the CVE DB, but not much.
> 
> I stumbled over this fix from one of my colleagues where a specifically
> made USB device reporting the "cdc-wdm" USB class could cause a kernel
> heap overflow.
> 
> "Malicious attached devices" might fall into several categories:
> 
> 1. Attaching the device causes the issue directly within the kernel / autoloaded
>    module, without user interaction. (here the case)
> 
> 
> 2. Attaching the device causes the issue when userspace, dependent on
>    e.g. desktop system, does initiate a separate action (like an automount
>    and then exploitation of something) (so not directly a kernel, but a
>    kernel + GNOME/KDE interaction).
> 
> 
> 3. User needs to do something with the attached device (like click on 
>    a file on a USB disk)
> 
> I would consider (1) and (2) CVE worthy at least, not so sure with (3).

FWIW, I think all of the three options are CVE worthy. As Eugene said,
some filesystem bugs fall into (3) and they have been issued CVE
identifiers.

-- 
Petr Matousek / Red Hat Security Response Team
