[kernel-sec-discuss] r1499 - active

Michael Gilbert gilbert-guest at alioth.debian.org
Wed Sep 23 18:25:09 UTC 2009 

Author: gilbert-guest
Date: 2009-09-23 18:25:08 +0000 (Wed, 23 Sep 2009)
New Revision: 1499

Added:
   active/CVE-2009-3286
   active/CVE-2009-3288
   active/CVE-2009-3290
Removed:
   active/CVE-2009-NULL-deref-sg_build_indirect
   active/CVE-2009-O_EXCL-creates-on-NFSv4
   active/CVE-2009-kvm-hypercalls-vulnerability
Log:
cve's assigned

Copied: active/CVE-2009-3286 (from rev 1498, active/CVE-2009-O_EXCL-creates-on-NFSv4)
===================================================================
--- active/CVE-2009-3286	                        (rev 0)
+++ active/CVE-2009-3286	2009-09-23 18:25:08 UTC (rev 1499)
@@ -0,0 +1,23 @@
+Candidate: CVE-2009-3286
+Description:
+ There is an issue with O_EXCL creates on NFSv4 that with enough 
+ attempts, it is possible for a lingering file from a failed create that 
+ is world-writable but only setuid execute as the user who is attempting 
+ these creates. Fortunately, root is not susceptible to this bug, so a 
+ setuid root file should not be possible. It might be possible to exploit 
+ this to gain access as another user though.
+References:
+ http://www.openwall.com/lists/oss-security/2009/09/21/2
+ https://bugzilla.redhat.com/show_bug.cgi?id=524520#c0
+Ubuntu-Description:
+Notes:
+Bugs:
+upstream: released (2.6.30-rc1) [79fb54ab]
+linux-2.6: released (2.6.30-1)
+2.6.18-etch-security: needed
+2.6.24-etch-security: needed
+2.6.26-lenny-security: needed
+2.6.15-dapper-security:
+2.6.22-gutsy-security:
+2.6.24-hardy-security:
+2.6.27-intrepid-security:

Added: active/CVE-2009-3288
===================================================================
--- active/CVE-2009-3288	                        (rev 0)
+++ active/CVE-2009-3288	2009-09-23 18:25:08 UTC (rev 1499)
@@ -0,0 +1,22 @@
+Candidate: CVE-2009-3288
+Description:
+ The sg_build_indirect function in drivers/scsi/sg.c in Linux kernel
+ 2.6.28-rc1 through 2.6.31-rc8 uses an incorrect variable when
+ accessing an array, which allows local users to cause a denial of
+ service (kernel OOPS and NULL pointer dereference), as demonstrated by
+ using xcdroast to duplicate a CD.  NOTE: this is only exploitable by
+ users who can open the cdrom device.
+References:
+ http://www.openwall.com/lists/oss-security/2009/09/03/4
+Ubuntu-Description:
+Notes:
+Bugs:
+upstream: needed "patch available, but doesn't appear to be commited"
+linux-2.6: needed
+2.6.18-etch-security: N/A "Introduced by upstream commit 10db10d1 in v2.6.28-rc1.
+2.6.24-etch-security: N/A "Introduced by upstream commit 10db10d1 in v2.6.28-rc1.
+2.6.26-lenny-security: N/A "Introduced by upstream commit 10db10d1 in v2.6.28-rc1.
+2.6.15-dapper-security:
+2.6.22-gutsy-security:
+2.6.24-hardy-security:
+2.6.27-intrepid-security:

Copied: active/CVE-2009-3290 (from rev 1498, active/CVE-2009-kvm-hypercalls-vulnerability)
===================================================================
--- active/CVE-2009-3290	                        (rev 0)
+++ active/CVE-2009-3290	2009-09-23 18:25:08 UTC (rev 1499)
@@ -0,0 +1,30 @@
+Candidate: CVE-2009-3290 
+Description:
+ "So far unprivileged guest callers running in ring 3 can issue, e.g., 
+ MMU hypercalls. Normally, such callers cannot provide any hand-crafted 
+ MMU command structure as it has to be passed by its physical address, 
+ but they can still crash the guest kernel by passing random addresses.
+ .
+ To close the hole, this patch considers hypercalls valid only if issued 
+ from guest ring 0. This may still be relaxed on a per-hypercall base in 
+ the future once required."
+ .
+ This was introduced in v2.6.25-rc1, and fixed in 2.6.31.
+References:
+ http://www.openwall.com/lists/oss-security/2009/09/18/1
+ http://patchwork.kernel.org/patch/38926/
+ https://bugzilla.redhat.com/show_bug.cgi?id=524124
+Ubuntu-Description:
+Notes:
+ brad spengler has already developed working exploit code for this, so this is 
+ high-urgency
+Bugs:
+upstream: released (2.6.31) [07708c4af1346ab1521b26a202f438366b7bcffd]
+linux-2.6: needed
+2.6.18-etch-security: N/A "introduced in 2.6.25"
+2.6.24-etch-security: N/A "introduced in 2.6.25"
+2.6.26-lenny-security: needed
+2.6.15-dapper-security:
+2.6.22-gutsy-security:
+2.6.24-hardy-security:
+2.6.27-intrepid-security:

Deleted: active/CVE-2009-NULL-deref-sg_build_indirect
===================================================================
--- active/CVE-2009-NULL-deref-sg_build_indirect	2009-09-21 15:52:10 UTC (rev 1498)
+++ active/CVE-2009-NULL-deref-sg_build_indirect	2009-09-23 18:25:08 UTC (rev 1499)
@@ -1,16 +0,0 @@
-Candidate:
-Description:
-References:
- http://www.openwall.com/lists/oss-security/2009/09/03/4
-Ubuntu-Description:
-Notes:
-Bugs:
-upstream:
-linux-2.6:
-2.6.18-etch-security: N/A "Introduced by upstream commit 10db10d1 in v2.6.28-rc1.
-2.6.24-etch-security: N/A "Introduced by upstream commit 10db10d1 in v2.6.28-rc1.
-2.6.26-lenny-security: N/A "Introduced by upstream commit 10db10d1 in v2.6.28-rc1.
-2.6.15-dapper-security:
-2.6.22-gutsy-security:
-2.6.24-hardy-security:
-2.6.27-intrepid-security:

Deleted: active/CVE-2009-O_EXCL-creates-on-NFSv4
===================================================================
--- active/CVE-2009-O_EXCL-creates-on-NFSv4	2009-09-21 15:52:10 UTC (rev 1498)
+++ active/CVE-2009-O_EXCL-creates-on-NFSv4	2009-09-23 18:25:08 UTC (rev 1499)
@@ -1,23 +0,0 @@
-Candidate: requested on oss-sec
-Description:
- There is an issue with O_EXCL creates on NFSv4 that with enough 
- attempts, it is possible for a lingering file from a failed create that 
- is world-writable but only setuid execute as the user who is attempting 
- these creates. Fortunately, root is not susceptible to this bug, so a 
- setuid root file should not be possible. It might be possible to exploit 
- this to gain access as another user though.
-References:
- http://www.openwall.com/lists/oss-security/2009/09/21/2
- https://bugzilla.redhat.com/show_bug.cgi?id=524520#c0
-Ubuntu-Description:
-Notes:
-Bugs:
-upstream: released (2.6.30-rc1) [79fb54ab]
-linux-2.6: released (2.6.30-1)
-2.6.18-etch-security:
-2.6.24-etch-security:
-2.6.26-lenny-security:
-2.6.15-dapper-security:
-2.6.22-gutsy-security:
-2.6.24-hardy-security:
-2.6.27-intrepid-security:

Deleted: active/CVE-2009-kvm-hypercalls-vulnerability
===================================================================
--- active/CVE-2009-kvm-hypercalls-vulnerability	2009-09-21 15:52:10 UTC (rev 1498)
+++ active/CVE-2009-kvm-hypercalls-vulnerability	2009-09-23 18:25:08 UTC (rev 1499)
@@ -1,30 +0,0 @@
-Candidate: requested on oss-sec
-Description:
- "So far unprivileged guest callers running in ring 3 can issue, e.g., 
- MMU hypercalls. Normally, such callers cannot provide any hand-crafted 
- MMU command structure as it has to be passed by its physical address, 
- but they can still crash the guest kernel by passing random addresses.
- .
- To close the hole, this patch considers hypercalls valid only if issued 
- from guest ring 0. This may still be relaxed on a per-hypercall base in 
- the future once required."
- .
- This was introduced in v2.6.25-rc1, and fixed in 2.6.31.
-References:
- http://www.openwall.com/lists/oss-security/2009/09/18/1
- http://patchwork.kernel.org/patch/38926/
- https://bugzilla.redhat.com/show_bug.cgi?id=524124
-Ubuntu-Description:
-Notes:
- brad spengler has already developed working exploit code for this, so this is 
- high-urgency
-Bugs:
-upstream: released (2.6.31) [07708c4af1346ab1521b26a202f438366b7bcffd]
-linux-2.6: needed
-2.6.18-etch-security: N/A "introduced in 2.6.25"
-2.6.24-etch-security: N/A "introduced in 2.6.25"
-2.6.26-lenny-security: needed
-2.6.15-dapper-security:
-2.6.22-gutsy-security:
-2.6.24-hardy-security:
-2.6.27-intrepid-security:

More information about the kernel-sec-discuss mailing list