[kernel-sec-discuss] r1499 - active
Michael Gilbert
gilbert-guest at alioth.debian.org
Wed Sep 23 18:25:09 UTC 2009
Author: gilbert-guest
Date: 2009-09-23 18:25:08 +0000 (Wed, 23 Sep 2009)
New Revision: 1499
Added:
active/CVE-2009-3286
active/CVE-2009-3288
active/CVE-2009-3290
Removed:
active/CVE-2009-NULL-deref-sg_build_indirect
active/CVE-2009-O_EXCL-creates-on-NFSv4
active/CVE-2009-kvm-hypercalls-vulnerability
Log:
CVEs assigned
Copied: active/CVE-2009-3286 (from rev 1498, active/CVE-2009-O_EXCL-creates-on-NFSv4)
===================================================================
--- active/CVE-2009-3286 (rev 0)
+++ active/CVE-2009-3286 2009-09-23 18:25:08 UTC (rev 1499)
@@ -0,0 +1,23 @@
+Candidate: CVE-2009-3286
+Description:
+ There is an issue with O_EXCL creates on NFSv4 that with enough
+ attempts, it is possible for a lingering file from a failed create that
+ is world-writable but only setuid execute as the user who is attempting
+ these creates. Fortunately, root is not susceptible to this bug, so a
+ setuid root file should not be possible. It might be possible to exploit
+ this to gain access as another user though.
+References:
+ http://www.openwall.com/lists/oss-security/2009/09/21/2
+ https://bugzilla.redhat.com/show_bug.cgi?id=524520#c0
+Ubuntu-Description:
+Notes:
+Bugs:
+upstream: released (2.6.30-rc1) [79fb54ab]
+linux-2.6: released (2.6.30-1)
+2.6.18-etch-security: needed
+2.6.24-etch-security: needed
+2.6.26-lenny-security: needed
+2.6.15-dapper-security:
+2.6.22-gutsy-security:
+2.6.24-hardy-security:
+2.6.27-intrepid-security:
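Review bot: besides assigning the CVE id, this copy also flips the three Debian status fields (2.6.18-etch-security, 2.6.24-etch-security, 2.6.26-lenny-security) from blank to `needed`, a triage decision the log message "cve's assigned" does not mention; it deserves a word in the log or its own commit. The four Ubuntu status lines (dapper through intrepid) remain blank, so the tracker cannot tell whether those kernels need the 79fb54ab backport; each should carry either `needed` or an `N/A` with the introducing commit, as the CVE-2009-3288 entry in this revision does. Minor: the upstream commit is written as the 8-character prefix `79fb54ab` while CVE-2009-3290 uses the full 40-character hash; one convention makes the files easier to script against.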
Added: active/CVE-2009-3288
===================================================================
--- active/CVE-2009-3288 (rev 0)
+++ active/CVE-2009-3288 2009-09-23 18:25:08 UTC (rev 1499)
@@ -0,0 +1,22 @@
+Candidate: CVE-2009-3288
+Description:
+ The sg_build_indirect function in drivers/scsi/sg.c in Linux kernel
+ 2.6.28-rc1 through 2.6.31-rc8 uses an incorrect variable when
+ accessing an array, which allows local users to cause a denial of
+ service (kernel OOPS and NULL pointer dereference), as demonstrated by
+ using xcdroast to duplicate a CD. NOTE: this is only exploitable by
+ users who can open the cdrom device.
+References:
+ http://www.openwall.com/lists/oss-security/2009/09/03/4
+Ubuntu-Description:
+Notes:
+Bugs:
+upstream: needed "patch available, but doesn't appear to be commited"
+linux-2.6: needed
+2.6.18-etch-security: N/A "Introduced by upstream commit 10db10d1 in v2.6.28-rc1.
+2.6.24-etch-security: N/A "Introduced by upstream commit 10db10d1 in v2.6.28-rc1.
+2.6.26-lenny-security: N/A "Introduced by upstream commit 10db10d1 in v2.6.28-rc1.
+2.6.15-dapper-security:
+2.6.22-gutsy-security:
+2.6.24-hardy-security:
+2.6.27-intrepid-security:
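Review bot: the three `N/A` annotations (etch, etch, lenny) open a double quote that is never closed, unlike the other entries in this revision (`N/A "introduced in 2.6.25"`), so anything that splits these fields on quotes will mishandle them; suggest `N/A "Introduced by upstream commit 10db10d1 in v2.6.28-rc1"`. By the same reasoning, 2.6.15-dapper, 2.6.22-gutsy, 2.6.24-hardy and 2.6.27-intrepid all predate 2.6.28-rc1 and should be `N/A` rather than blank. The upstream status `needed "patch available, but doesn't appear to be commited"` would be more useful with a pointer to where that patch lives, since it is not among the References (and note the typo `commited`).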
Copied: active/CVE-2009-3290 (from rev 1498, active/CVE-2009-kvm-hypercalls-vulnerability)
===================================================================
--- active/CVE-2009-3290 (rev 0)
+++ active/CVE-2009-3290 2009-09-23 18:25:08 UTC (rev 1499)
@@ -0,0 +1,30 @@
+Candidate: CVE-2009-3290
+Description:
+ "So far unprivileged guest callers running in ring 3 can issue, e.g.,
+ MMU hypercalls. Normally, such callers cannot provide any hand-crafted
+ MMU command structure as it has to be passed by its physical address,
+ but they can still crash the guest kernel by passing random addresses.
+ .
+ To close the hole, this patch considers hypercalls valid only if issued
+ from guest ring 0. This may still be relaxed on a per-hypercall base in
+ the future once required."
+ .
+ This was introduced in v2.6.25-rc1, and fixed in 2.6.31.
+References:
+ http://www.openwall.com/lists/oss-security/2009/09/18/1
+ http://patchwork.kernel.org/patch/38926/
+ https://bugzilla.redhat.com/show_bug.cgi?id=524124
+Ubuntu-Description:
+Notes:
+ brad spengler has already developed working exploit code for this, so this is
+ high-urgency
+Bugs:
+upstream: released (2.6.31) [07708c4af1346ab1521b26a202f438366b7bcffd]
+linux-2.6: needed
+2.6.18-etch-security: N/A "introduced in 2.6.25"
+2.6.24-etch-security: N/A "introduced in 2.6.25"
+2.6.26-lenny-security: needed
+2.6.15-dapper-security:
+2.6.22-gutsy-security:
+2.6.24-hardy-security:
+2.6.27-intrepid-security:
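Review bot: the `N/A "introduced in 2.6.25"` reasoning applied to the two etch kernels applies equally to 2.6.24-hardy-security, which is left blank, while 2.6.27-intrepid-security sits between the introduction (v2.6.25-rc1) and the fix (2.6.31) and so should be `needed` like lenny. Given that Notes flags this as high-urgency because exploit code already exists, linux-2.6 being plain `needed` with an empty Bugs: field leaves no way to see who is driving the fix; a bug number or owner there would help. Style: "brad spengler" should be capitalised, and the Description says v2.6.25-rc1 while the status annotations say 2.6.25; using the same version string in both avoids ambiguity about rc kernels.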
Deleted: active/CVE-2009-NULL-deref-sg_build_indirect
===================================================================
--- active/CVE-2009-NULL-deref-sg_build_indirect 2009-09-21 15:52:10 UTC (rev 1498)
+++ active/CVE-2009-NULL-deref-sg_build_indirect 2009-09-23 18:25:08 UTC (rev 1499)
@@ -1,16 +0,0 @@
-Candidate:
-Description:
-References:
- http://www.openwall.com/lists/oss-security/2009/09/03/4
-Ubuntu-Description:
-Notes:
-Bugs:
-upstream:
-linux-2.6:
-2.6.18-etch-security: N/A "Introduced by upstream commit 10db10d1 in v2.6.28-rc1.
-2.6.24-etch-security: N/A "Introduced by upstream commit 10db10d1 in v2.6.28-rc1.
-2.6.26-lenny-security: N/A "Introduced by upstream commit 10db10d1 in v2.6.28-rc1.
-2.6.15-dapper-security:
-2.6.22-gutsy-security:
-2.6.24-hardy-security:
-2.6.27-intrepid-security:
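Review bot: the removed placeholder's only content (the oss-security reference and the three N/A annotations) reappears verbatim in active/CVE-2009-3288, so nothing is lost; however the new file also sets upstream and linux-2.6 to `needed`, which goes beyond "cve's assigned" and should be called out in the log. The unterminated quote in the three N/A lines is carried over unchanged and is worth fixing in the new file.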
Deleted: active/CVE-2009-O_EXCL-creates-on-NFSv4
===================================================================
--- active/CVE-2009-O_EXCL-creates-on-NFSv4 2009-09-21 15:52:10 UTC (rev 1498)
+++ active/CVE-2009-O_EXCL-creates-on-NFSv4 2009-09-23 18:25:08 UTC (rev 1499)
@@ -1,23 +0,0 @@
-Candidate: requested on oss-sec
-Description:
- There is an issue with O_EXCL creates on NFSv4 that with enough
- attempts, it is possible for a lingering file from a failed create that
- is world-writable but only setuid execute as the user who is attempting
- these creates. Fortunately, root is not susceptible to this bug, so a
- setuid root file should not be possible. It might be possible to exploit
- this to gain access as another user though.
-References:
- http://www.openwall.com/lists/oss-security/2009/09/21/2
- https://bugzilla.redhat.com/show_bug.cgi?id=524520#c0
-Ubuntu-Description:
-Notes:
-Bugs:
-upstream: released (2.6.30-rc1) [79fb54ab]
-linux-2.6: released (2.6.30-1)
-2.6.18-etch-security:
-2.6.24-etch-security:
-2.6.26-lenny-security:
-2.6.15-dapper-security:
-2.6.22-gutsy-security:
-2.6.24-hardy-security:
-2.6.27-intrepid-security:
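Review bot: this is the copy source of active/CVE-2009-3286; apart from the Candidate line, the only difference in the copy is that the three Debian status fields here are blank and become `needed` there. Since svn records the move as this Copied/Deleted pair, the status change is easy to miss unless the log message says so.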
Deleted: active/CVE-2009-kvm-hypercalls-vulnerability
===================================================================
--- active/CVE-2009-kvm-hypercalls-vulnerability 2009-09-21 15:52:10 UTC (rev 1498)
+++ active/CVE-2009-kvm-hypercalls-vulnerability 2009-09-23 18:25:08 UTC (rev 1499)
@@ -1,30 +0,0 @@
-Candidate: requested on oss-sec
-Description:
- "So far unprivileged guest callers running in ring 3 can issue, e.g.,
- MMU hypercalls. Normally, such callers cannot provide any hand-crafted
- MMU command structure as it has to be passed by its physical address,
- but they can still crash the guest kernel by passing random addresses.
- .
- To close the hole, this patch considers hypercalls valid only if issued
- from guest ring 0. This may still be relaxed on a per-hypercall base in
- the future once required."
- .
- This was introduced in v2.6.25-rc1, and fixed in 2.6.31.
-References:
- http://www.openwall.com/lists/oss-security/2009/09/18/1
- http://patchwork.kernel.org/patch/38926/
- https://bugzilla.redhat.com/show_bug.cgi?id=524124
-Ubuntu-Description:
-Notes:
- brad spengler has already developed working exploit code for this, so this is
- high-urgency
-Bugs:
-upstream: released (2.6.31) [07708c4af1346ab1521b26a202f438366b7bcffd]
-linux-2.6: needed
-2.6.18-etch-security: N/A "introduced in 2.6.25"
-2.6.24-etch-security: N/A "introduced in 2.6.25"
-2.6.26-lenny-security: needed
-2.6.15-dapper-security:
-2.6.22-gutsy-security:
-2.6.24-hardy-security:
-2.6.27-intrepid-security:
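Review bot: apart from the Candidate line, the removed text matches the new active/CVE-2009-3290 line for line, so this is a pure rename; the blank hardy and intrepid status fields and the lowercase "brad spengler" in Notes are carried over as-is and still need attention in the new file.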