Re: [VulnWatch] Linux kernel pktcdvd and rawdevice ioctl break user space limit vulnerability

From: Steven M. Christey (coley@private)
Date: Tue May 17 2005 - 11:38:15 PDT

Previous message: alert7: "[VulnWatch] Linux kernel pktcdvd and rawdevice ioctl break user space limit vulnerability"
In reply to: alert7: "[VulnWatch] Linux kernel pktcdvd and rawdevice ioctl break user space limit vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Note that CAN-2005-1264 had already been assigned to the raw device issue,
as documented in the "[PATCH] Fix root hole in raw device" post to the
linux-kernel list by Greg KH:

  http://marc.theaimsgroup.com/?l=linux-kernel&m=111630512512222

So, the CAN-2005-1589 will only be used for the pktcdvd issue.  Working
descriptions are below and will be on the CVE web site later today.

It appears that this slightly erroneous candidate assignment occurred
because of insufficient coordination between researcher and vendor.


Regards,
Steve Christey
CVE Editor


======================================================
Candidate: CAN-2005-1264
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1264
Reference: MLIST:[linux-kernel] 20050517 [PATCH] Fix root hole in raw device
Reference: URL:http://marc.theaimsgroup.com/?l=linux-kernel&m=111630512512222
Reference: VULNWATCH:20050516 Linux kernel pktcdvd and rawdevice ioctl break user space limit vulnerability
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2005-q2/0045.html

Raw character devices (raw.c) in the Linux kernel 2.6.x call the wrong
function before passing an ioctl to the block device, which crosses
security boundaries by making kernel address space accessible from
user space, a similar vulnerability to CAN-2005-1589.


======================================================
Candidate: CAN-2005-1589
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1589
Reference: MLIST:[linux-kernel] 20050517 [PATCH] Fix root hole in pktcdvd
Reference: URL:http://marc.theaimsgroup.com/?l=linux-kernel&m=111630531515901&w=2
Reference: VULNWATCH:20050516 Linux kernel pktcdvd and rawdevice ioctl break user space limit vulnerability
Reference: URL:http://archives.neohapsis.com/archives/vulnwatch/2005-q2/0045.html

The pkt_ioctl function in the pktcdvd block device ioctl handler
(pktcdvd.c) in Linux kernel 2.6.12-rc4 and earlier calls the wrong
function before passing an ioctl to the block device, which crosses
security boundaries by making kernel address space accessible from
user space and allows local users to execute arbitrary code, a similar
vulnerability to CAN-2005-1264.

Previous message: alert7: "[VulnWatch] Linux kernel pktcdvd and rawdevice ioctl break user space limit vulnerability"
In reply to: alert7: "[VulnWatch] Linux kernel pktcdvd and rawdevice ioctl break user space limit vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.3 : Tue May 17 2005 - 14:03:03 PDT