[kernel-sec-discuss] r1544 - active
Moritz Muehlenhoff
jmm at alioth.debian.org
Thu Oct 22 21:58:42 UTC 2009
Author: jmm
Date: 2009-10-22 21:58:42 +0000 (Thu, 22 Oct 2009)
New Revision: 1544
Added:
active/CVE-2009-3623
Log:
new kernel issue
Added: active/CVE-2009-3623
===================================================================
--- active/CVE-2009-3623 (rev 0)
+++ active/CVE-2009-3623 2009-10-22 21:58:42 UTC (rev 1544)
@@ -0,0 +1,28 @@
+Candidate: CVE-2009-3623
+Description:
+ "On setting up the callback to the client, we attempt to use the same
+ authentication flavor the client did. We find an rpc cred to use by
+ calling rpcauth_lookup_credcache(), which assumes that the given
+ authentication flavor has a credentials cache. However, this is not
+ required to be true--in particular, auth_null does not use one.
+ Instead, we should call the auth's lookup_cred() method.
+ .
+ Without this, a client attempting to mount using nfsv4 and auth_null
+ triggers a null dereference."
+ .
+ The code was introduced in upstream commit 3cef9ab2 (v2.6.31-rc1),
+ fixed in 886e3b7f (v2.6.32-rc1), and was later replaced by 80fc015b in
+ the same version.
+References:
+ http://article.gmane.org/gmane.linux.nfs/26513
+ https://bugzilla.redhat.com/show_bug.cgi?id=530269
+ http://git.kernel.org/linus/3cef9ab266a932899e756f7e1ea7a988a97bf3b2
+ http://git.kernel.org/linus/886e3b7fe6054230c89ae078a09565ed183ecc73
+ http://git.kernel.org/linus/80fc015bdfe1f5b870c1e1ee02d78e709523fee7
+Notes:
+Bugs:
+upstream: released (2.6.31-rc1)
+linux-2.6: needed
+2.6.18-etch-security: N/A
+2.6.24-etch-security: N/A
+2.6.26-lenny-security: N/A
More information about the kernel-sec-discuss
mailing list