[kernel-sec-discuss] r1981 - active
Moritz Muehlenhoff
jmm at alioth.debian.org
Thu Sep 30 09:04:00 UTC 2010
Author: jmm
Date: 2010-09-30 09:03:57 +0000 (Thu, 30 Sep 2010)
New Revision: 1981
Added:
active/CVE-2010-3437
Log:
new issue
Added: active/CVE-2010-3437
===================================================================
--- active/CVE-2010-3437 (rev 0)
+++ active/CVE-2010-3437 2010-09-30 09:03:57 UTC (rev 1981)
@@ -0,0 +1,25 @@
+Candidate: CVE-2010-3437
+Description:
+ > ----- "Eugene Teo" <eugeneteo at kernel.sg> wrote:
+ > As Dan Rosenberg explained in the patch commit: The PKT_CTRL_CMD_STATUS
+ > device ioctl retrieves a pointer to a pktcdvd_device from the global
+ > pkt_devs array. The index into this array is provided directly by the
+ >
+ > user and is a signed integer, so the comparison to ensure that it falls
+ > within the bounds of this array will fail when provided with a
+ > negative index.
+ >
+ > This can be used to read arbitrary kernel memory or cause a crash due to
+ > an invalid pointer dereference. This can be exploited by users with
+ > permission to open /dev/pktcdvd/control (on many distributions, this is
+ > readable by group "cdrom").
+References:
+ https://bugzilla.redhat.com/show_bug.cgi?id=638085
+ http://git.kernel.org/linus/252a52aa4fa22a668f019e55b3aac3ff71ec1c29
+Notes:
+Bugs:
+upstream: released (2.6.36-rc6)
+2.6.32-upstream-stable: needed
+linux-2.6: needed
+2.6.26-lenny-security: needed
+2.6.32-squeeze-security: needed
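Review bot: The Description field contains a stray empty quote line ("+ >") between "provided directly by the" and "user and is a signed integer", which splits one sentence across two quoted paragraphs; drop that line so the explanation reads continuously. The field also keeps the mail attribution ("> ----- "Eugene Teo" ... wrote:") and the "> " prefixes verbatim, so a short plain summary of the issue (user-supplied signed index in the PKT_CTRL_CMD_STATUS ioctl passes the bounds check when negative, allowing a kernel memory read or a crash) would be easier to scan in the tracker. Notes: and Bugs: are empty while four branches are marked "needed"; a one-line note that the fix is the commit listed under References would help whoever backports it.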