[kernel-sec-discuss] r697 - active

Martin Pitt mpitt at alioth.debian.org
Tue Jan 16 12:40:24 CET 2007


Author: mpitt
Date: 2007-01-16 12:40:24 +0100 (Tue, 16 Jan 2007)
New Revision: 697

Added:
   active/CVE-2006-5753
Log:
add CVE-2006-5753

Added: active/CVE-2006-5753
===================================================================
--- active/CVE-2006-5753	2007-01-16 11:29:37 UTC (rev 696)
+++ active/CVE-2006-5753	2007-01-16 11:40:24 UTC (rev 697)
@@ -0,0 +1,25 @@
+Candidate: CVE-2006-5753
+References: 
+ http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=be6aab0e9fa6d3c6d75aa1e38ac972d8b4ee82b8
+Description: 
+ The listxattr syscall can corrupt user space under certain
+ circumstances. The problem seems to be related to signed/unsigned
+ conversion during size promotion. The function return_EIO returns an
+ int but its used as a ssize_t with a comparison to 0. This causes the
+ range check to fail and copy_to_user copies way too much.
+ The command line "fsfuzz iso9660" can easily reproduce this behavior.
+Ubuntu-Description: 
+ Various syscalls (like listxattr()) misinterpreted the return value
+ of return_EIO() when encountering bad inodes. By issuing particular
+ system calls on a malformed file system, a local attacker could
+ exploit this to crash the kernel. 
+Notes: 
+Bugs: 
+upstream: released (2.6.20-rc5)
+linux-2.6:
+2.6.18-etch: needed
+2.6.8-sarge-security: needed
+2.4.27-sarge-security: 
+2.6.12-breezy-security: needed
+2.6.15-dapper-security: needed
+2.6.17-edgy-security: needed
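Review bot: the two impact statements in this entry do not agree: the Description says the listxattr syscall "can corrupt user space" because the failed range check lets "copy_to_user copies way too much", while the Ubuntu-Description only says a local attacker "could exploit this to crash the kernel"; either add the over-long copy_to_user effect to the Ubuntu-Description or note why a crash is the only confirmed impact, so downstream advisories do not understate the issue. Two status lines are also left blank, "linux-2.6:" and "2.4.27-sarge-security:", whereas every other kernel line carries a value ("needed" or "released (2.6.20-rc5)"); fill these in (for example "needed" or "not-affected") or mark them as still to be checked, since an empty field reads as triaged. Minor: "its used as a ssize_t" in the Description should be "it's used as a ssize_t".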