[kernel-sec-discuss] r1482 - active

Michael Gilbert gilbert-guest at alioth.debian.org
Wed Sep 2 02:05:10 UTC 2009


Author: gilbert-guest
Date: 2009-09-02 02:05:09 +0000 (Wed, 02 Sep 2009)
New Revision: 1482

Added:
   active/CVE-2009-3001
   active/CVE-2009-3002
   active/CVE-2009-need-to-flush-ldisc_halt
Removed:
   active/CVE-2009-getsockname-info-disclosure
Log:
cve assigned for an issue and two new issues

Copied: active/CVE-2009-3001 (from rev 1481, active/CVE-2009-getsockname-info-disclosure)
===================================================================
--- active/CVE-2009-3001	                        (rev 0)
+++ active/CVE-2009-3001	2009-09-02 02:05:09 UTC (rev 1482)
@@ -0,0 +1,23 @@
+Candidate: CVE-2009-3001
+Description:
+ The llc_ui_getname function in net/llc/af_llc.c in the Linux kernel
+ 2.6.31-rc7 and earlier does not initialize a certain data structure,
+ which allows local users to read the contents of some kernel memory
+ locations by calling getsockname on an AF_LLC socket. 
+References:
+ https://bugzilla.redhat.com/show_bug.cgi?id=519305
+ http://git.kernel.org/linus/28e9fc592cb8c7a43e4d3147b38be6032a0e81bc
+ http://jon.oberheide.org/files/llc-getsockname-leak.c
+Ubuntu-Description:
+Notes:
+ gilbert> minor info leak, so not very urgent
+Bugs:
+upstream: pending (2.6.31) [28e9fc592cb8c7a43e4d3147b38be6032a0e81bc]
+linux-2.6: needed
+2.6.18-etch-security: needed
+2.6.24-etch-security: needed
+2.6.26-lenny-security: needed
+2.6.15-dapper-security:
+2.6.22-gutsy-security:
+2.6.24-hardy-security:
+2.6.27-intrepid-security:
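Review bot: the copied file drops the mitigation note that the old Description carried ("LLC sockets are restricted to root since v2.6.25-rc9 (see commit 3480c63b)", see the deleted file below), which is the concrete basis for the "not very urgent" assessment; carry it into Notes here, since it also implies the exposure differs between 2.6.18-etch/2.6.24-etch (before that restriction) and 2.6.26-lenny. The four Ubuntu suite lines are left blank while the three Debian suites are marked needed; either mark them or note that they are not tracked in this file.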

Added: active/CVE-2009-3002
===================================================================
--- active/CVE-2009-3002	                        (rev 0)
+++ active/CVE-2009-3002	2009-09-02 02:05:09 UTC (rev 1482)
@@ -0,0 +1,29 @@
+Candidate: CVE-2009-3002
+Description:
+ The Linux kernel before 2.6.31-rc7 does not initialize certain data
+ structures within getname functions, which allows local users to read
+ the contents of some kernel memory locations by calling getsockname on
+ (1) an AF_APPLETALK socket, related to the atalk_getname function in
+ net/appletalk/ddp.c; (2) an AF_IRDA socket, related to the
+ irda_getname function in net/irda/af_irda.c; (3) an AF_ECONET socket,
+ related to the econet_getname function in net/econet/af_econet.c; (4)
+ an AF_NETROM socket, related to the nr_getname function in
+ net/netrom/af_netrom.c; (5) an AF_ROSE socket, related to the
+ rose_getname function in net/rose/af_rose.c; or (6) a raw CAN socket,
+ related to the raw_getname function in net/can/raw.c. 
+References:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3002
+ https://bugzilla.redhat.com/show_bug.cgi?id=519305
+Ubuntu-Description:
+Notes:
+ gilbert> these are just minor info leaks, so not really very urgent
+Bugs:
+upstream: pending (2.6.31) [09384dfc76e526c3993c09c42e016372dc9dd22c,17ac2e9c58b69a1e25460a568eae1b0dc0188c25,80922bbb12a105f858a8f0abb879cb4302d0ecaa,e84b90ae5eb3c112d1f208964df1d8156a538289,f6b97b29513950bfbf621a83d85b6f86b39ec8db]
+linux-2.6: needed
+2.6.18-etch-security:
+2.6.24-etch-security:
+2.6.26-lenny-security:
+2.6.15-dapper-security:
+2.6.22-gutsy-security:
+2.6.24-hardy-security:
+2.6.27-intrepid-security:
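Review bot: the three Debian suite lines are left blank although the Description says "before 2.6.31-rc7" and the sibling CVE-2009-3001 file marks the same suites as needed; mark 2.6.18-etch, 2.6.24-etch and 2.6.26-lenny as needed, or record per protocol which of the six getname functions each suite's kernel actually contains, since the five upstream fix commits listed under "upstream:" are per-protocol and may not all apply to every suite. The Description line ending "net/can/raw.c. " also carries trailing whitespace.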

Deleted: active/CVE-2009-getsockname-info-disclosure
===================================================================
--- active/CVE-2009-getsockname-info-disclosure	2009-08-27 04:02:23 UTC (rev 1481)
+++ active/CVE-2009-getsockname-info-disclosure	2009-09-02 02:05:09 UTC (rev 1482)
@@ -1,23 +0,0 @@
-Candidate:
-Description:
- sllc_arphrd member of sockaddr_llc might not be changed. Zero sllc 
- before copying to the above layer's structure.
- .
- Note that LLC sockets are restricted to root since v2.6.25-rc9 (see 
- commit 3480c63b).
-References:
- https://bugzilla.redhat.com/show_bug.cgi?id=519305
- http://git.kernel.org/linus/28e9fc592cb8c7a43e4d3147b38be6032a0e81bc
- http://jon.oberheide.org/files/llc-getsockname-leak.c
-Ubuntu-Description:
-Notes:
-Bugs:
-upstream: pending (2.6.31) [28e9fc592cb8c7a43e4d3147b38be6032a0e81bc]
-linux-2.6: needed
-2.6.18-etch-security: needed
-2.6.24-etch-security: needed
-2.6.26-lenny-security: needed
-2.6.15-dapper-security:
-2.6.22-gutsy-security:
-2.6.24-hardy-security:
-2.6.27-intrepid-security:

Added: active/CVE-2009-need-to-flush-ldisc_halt
===================================================================
--- active/CVE-2009-need-to-flush-ldisc_halt	                        (rev 0)
+++ active/CVE-2009-need-to-flush-ldisc_halt	2009-09-02 02:05:09 UTC (rev 1482)
@@ -0,0 +1,29 @@
+Candidate: requested on oss-sec
+Description:
+ The tty ldisc code was rewritten to use proper reference counts (commits 
+ 65b770468e98 and cbe9352fa08f) in order to avoid a race with hangup, but 
+ it also introduced another bug that can result in various problems such 
+ as a NULL pointer dereference in run_timer_softirq() or a BUG() in 
+ worker_thread. More info in the patch.
+References:
+ http://git.kernel.org/linus/5c58ceff103d8a654f24769bb1baaf84a841b0cc
+ http://lkml.org/lkml/2009/8/20/27
+ http://lkml.org/lkml/2009/8/20/68
+ http://lkml.org/lkml/2009/8/20/21
+Ubuntu-Description:
+Notes:
+ gilbert> supposedly only affects >2.6.26.  oss-sec note says:
+   I believe this affects kernel versions greater than v2.6.26. The code in 
+   drivers/char/tty_ldisc.c was from drivers/char/tty_io.c before it was 
+   splitted into its own file in v2.6.27-rc1 (commit 01e1abb2). I did not 
+   investigate further.
+Bugs:
+upstream: pending (2.6.31) [5c58ceff103d8a654f24769bb1baaf84a841b0cc]
+linux-2.6: needed
+2.6.18-etch-security:
+2.6.24-etch-security:
+2.6.26-lenny-security:
+2.6.15-dapper-security:
+2.6.22-gutsy-security:
+2.6.24-hardy-security:
+2.6.27-intrepid-security:
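Review bot: the Notes line "supposedly only affects >2.6.26" rests on the quoted oss-sec remark about tty_ldisc.c being split out in v2.6.27-rc1, but the Description attributes the bug to the refcount rewrite commits 65b770468e98 and cbe9352fa08f, so the affected range should be settled by checking which suite kernels carry those two commits rather than by the file split; record that check and then mark 2.6.18-etch, 2.6.24-etch and 2.6.26-lenny accordingly instead of leaving every suite line blank. The Candidate line is still "requested on oss-sec", so both the file name and the Candidate field will need updating once a CVE id is assigned.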
