Tomas Hoger | 2 Jun 2009 11:02

Re: Two OpenSSL DTLS remote DoS

Hi!

There are 2 more issues that cause DTLS server to crash (NULL pointer
dereference DoS), detailed in upstream bug reports linked below.

CVE-2009-1386
DTLS: SegFault if ChangeCipherSpec is received before ClientHello

http://rt.openssl.org/Ticket/Display.html?id=1679&user=guest&pass=guest
http://cvs.openssl.org/chngview?cn=17369

This was first fixed upstream in 0.9.8i.

CVE-2009-1387
DTLS fragment bug - out-of-sequence message handling

http://rt.openssl.org/Ticket/Display.html?id=1838&user=guest&pass=guest
http://cvs.openssl.org/chngview?cn=17958

Here NULL pointer dereference resulting in DTLS server crash can happen in
dtls1_retrieve_buffered_fragment() during memcpy from frag->fragment.

This is fixed in 1.0.0-beta2, not yet in the latest 0.9.8 available at
the moment - 0.9.8k.

Both issues should be reproducible by connecting using 1.0.0-beta2
s_client to 0.9.8 s_server.

-- 
Tomas Hoger / Red Hat Security Response Team

Miklos Szeredi | 2 Jun 2009 11:54

Re: CVE request: kernel: splice local denial of service

On Sat, 2009-05-30 at 03:36 -0400, Jon Oberheide wrote:
> The deadlock can be reproduced easily (you might need to fork() a few
> times to get a pipe inode allocation ptr less than the file inode ptr):
> 
>     pipe(pfds);
>     snprintf(buf, sizeof(buf), "/tmp/%d", getpid());
>     fd = open(buf, O_RDWR | O_CREAT, S_IRWXU);
> 
>     if (fork()) {
>         splice(pfds[0], NULL, fd, NULL, 1024, NULL);
>     } else{
>         sleep(1);
>         splice(pfds[0], NULL, fd, NULL, 1024, NULL);
>     }
> 
> However, the deadlock only affects the task attempting to acquire the
> inode's i_mutex, so an attacker would require write access to a file
> that is also written (or other fs op that acquires i_mutex) by some
> victim process.  That is, unless I've missed something. :-)

Some operations also take i_mutex on the parent (open(O_CREAT), mkdir,
unlink, rmdir, rename, etc.), and the order is always parent first.  This
means that if some task is holding i_mutex on /tmp/foo, then doing
unlink("/tmp/foo") will block while holding i_mutex on /tmp.  Together
with the above deadlock it will prevent creation or removal of files
under /tmp, making the system pretty much unusable.

Thanks,
Miklos


Thomas Biege | 2 Jun 2009 13:54

CVE request: two denial of service bugs in strongswan

Maybe these two bugs need a CVE-ID...

Date: Wed, 27 May 2009 14:00:37 +0200
From: Andreas Steffen <andreas.steffen@...>
Organization: Linux strongSwan
To: strongSwan Announce <announce@...>,
    strongSwan Users <users@...>
Subject: [Announce] ANNOUNCE:  strongSwan 4.3.1 and 4.2.15 released
Reply-To: andreas.steffen@...
X-Spam-Level: 

Hi,

Orange Labs IKEv2 fuzzer discovers two DoS vulnerabilities
----------------------------------------------------------

Two DoS vulnerabilities in the charon daemon were discovered by
fuzzing techniques:

1) Receiving a malformed IKE_SA_INIT request leaves an incomplete state
   which causes a crash of the IKEv2 charon daemon while dereferencing
   a null pointer if a subsequent CREATE_CHILD_SA request for the
   same connection is received.

2) Receiving an IKE_AUTH request with either a missing TSi or TSr
   traffic selector payload causes a crash of the IKEv2 charon daemon
   because the null pointer checks for TSi and TSr prior to deletion
   were swapped by mistake.

The IKEv2 fuzzer used was developed by the Orange Labs vulnerability

Jan Lieskovsky | 2 Jun 2009 20:07

CVE Request - Ghostscript -- Multiple NULL ptr dereference flaws in JBIG2 decoder proved by PoC for CVE-2009-0658

Hello Steve,

  multiple NULL pointer dereference flaws were identified in
Ghostscript's JBIG2 compression format decoder (jbig2dec),
based on the PoC for the recent Adobe Reader 9.0 / Adobe Acrobat 9.0
(CVE-2009-0658) issue.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=501710
https://bugzilla.redhat.com/show_bug.cgi?id=503785
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0658

PoC:
http://milw0rm.com/sploits/2009-41414141.pdf

Affected versions: All GPL-Ghostscript versions from ghostscript-8.10
                   (contains initial implementation of jbig2dec) up
                   to latest upstream 8.64 one.

Could you allocate a CVE id?

Thanks, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Eugene Teo | 3 Jun 2009 03:28

Re: CVE request: kernel: splice local denial of service

Miklos Szeredi wrote:
> On Sat, 2009-05-30 at 03:36 -0400, Jon Oberheide wrote:
>> The deadlock can be reproduced easily (you might need to fork() a few
>> times to get a pipe inode allocation ptr less than the file inode ptr):
>>
>>     pipe(pfds);
>>     snprintf(buf, sizeof(buf), "/tmp/%d", getpid());
>>     fd = open(buf, O_RDWR | O_CREAT, S_IRWXU);
>>
>>     if (fork()) {
>>         splice(pfds[0], NULL, fd, NULL, 1024, NULL);
>>     } else{
>>         sleep(1);
>>         splice(pfds[0], NULL, fd, NULL, 1024, NULL);
>>     }
>>
>> However, the deadlock only affects the task attempting to acquire the
>> inode's i_mutex, so an attacker would require write access to a file
>> that is also written (or other fs op that acquires i_mutex) by some
>> victim process.  That is, unless I've missed something. :-)
> 
> Some operations also take i_mutex on the parent (open(O_CREAT), mkdir,
> unlink, rmdir, rename, etc.), and the order is always parent first.  This
> means that if some task is holding i_mutex on /tmp/foo, then doing
> unlink("/tmp/foo") will block while holding i_mutex on /tmp.  Together
> with the above deadlock it will prevent creation or removal of files
> under /tmp, making the system pretty much unusable.

But it does not make the box unresponsive. In this example, you can
still ssh into the system as long as it does not create files in /tmp. I

Eugene Teo | 3 Jun 2009 04:06

CVE-2009-1385 kernel: e1000_clean_rx_irq() denial of service

e1000 has an issue in which a partial frame can leak through the validation
check on reception. This can lead to an underflow in the length
computation of the frame, which will panic the system in question.

This bug was discovered and fixed in e1000-7.5.5 since April 2007, but
was somehow not merged in the upstream kernel...

http://sourceforge.net/project/shownotes.php?release_id=504022&group_id=42302
Notes:
 * fix panic on changing MTU under stress
[...]

References:
http://sourceforge.net/projects/e1000
http://git.kernel.org/linus/ea30e11970a96cfe5e32c03a29332554573b4a10
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-1385

Thanks, Eugene

Eugene Teo | 3 Jun 2009 11:29

CVE request: kernel: sparc64: Fix crash with /proc/iomem

This was introduced in commit 9fd8b647 (v2.6.22-rc1), and fixed in
commit 192d7a46. The description is as follows:

From: Mikulas Patocka <mpatocka@...>

[ Upstream commit 67c6d11d1a174ec4cad9a3c5d5f9043c ]

When you compile the kernel on Sparc64 with heap memory checking and type
"cat /proc/iomem", you get a crash, because pointers in struct
resource are uninitialized.

Most code fills struct resource with zeros, so I assume that it is the
responsibility of the caller of request_resource to initialize it,
not the responsibility of the request_resource function.

After 2.6.29 is out, there could be a check for uninitialized fields
added to request_resource to avoid crashes like this.

Joe Orton | 3 Jun 2009 17:07

CVE request: "billion laughs" attack against Apache APR

Hi, could a CVE name be allocated for this issue:

The expat XML parser is vulnerable to the "billion laughs" entity 
expansion attack.  This results in a denial of service vulnerability in 
any network-facing service which uses the Apache "APR-util" library's 
wrapper interface for expat to parse untrusted XML documents.  The 
Apache httpd WebDAV module "mod_dav" is such a service.

References: 
http://milw0rm.com/exploits/8842 
http://marc.info/?l=apr-dev&m=124396021826125&w=2
http://svn.apache.org/viewvc?rev=781403&view=rev

Affected versions: 
APR-util <= 1.3.4
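The mitigation a service owner would want for the issue above is to refuse entity declarations (and cap expanded text) before expat ever expands them. The following is an added example, not code from the APR-util or httpd projects: it wraps Python's own expat binding (`xml.parsers.expat`) and rejects any `<!ENTITY ...>` declaration or external entity reference; the sample documents are constructed for the demonstration.

```python
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised when a document uses features that enable entity-expansion DoS."""


def parse_untrusted_xml(data, max_text_bytes=64 * 1024):
    """Parse XML with expat, refusing entity declarations outright and capping
    the character data expat hands back (entity expansion surfaces there).
    Returns (element_names, text_length) for documents that pass."""
    parser = xml.parsers.expat.ParserCreate()
    names = []
    text_len = 0

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Untrusted input (e.g. a WebDAV PROPFIND body) has no legitimate need
        # to define entities, so any declaration is treated as hostile.
        raise UnsafeXMLError("entity declaration %r refused" % name)

    def on_external_entity(context, base, system_id, public_id):
        # Never fetch external entities on behalf of an untrusted document.
        raise UnsafeXMLError("external entity reference refused")

    def on_start(name, attrs):
        names.append(name)

    def on_chars(text):
        nonlocal text_len
        text_len += len(text)
        if text_len > max_text_bytes:
            raise UnsafeXMLError("character data exceeds %d bytes" % max_text_bytes)

    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_chars
    parser.Parse(data, True)  # exceptions raised in handlers propagate here
    return names, text_len


def rejects(data, **kwargs):
    """True when parse_untrusted_xml refuses the document."""
    try:
        parse_untrusted_xml(data, **kwargs)
    except UnsafeXMLError:
        return True
    return False


# Constructed samples: a benign PROPFIND body and a body declaring one entity.
SAFE_DOC = b'<?xml version="1.0"?><propfind xmlns="DAV:"><prop><displayname/></prop></propfind>'
ENTITY_DOC = b'<!DOCTYPE d [<!ENTITY a "x">]><d>&a;</d>'
```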

Marcus Meissner | 3 Jun 2009 17:57

CVE Request: ModSecurity / apache2 mod_security 2.5.9

Hi,

This is out for some time already, but I found no CVE:

ModSecurity 2.5 module for versions < 2.5.9 
http://www.securityfocus.com/archive/1/501968
http://www.securityfocus.com/bid/34096

https://sourceforge.net/project/shownotes.php?release_id=667542&group_id=68846

SVN rev we think:
http://mod-security.svn.sourceforge.net/viewvc/mod-security?view=rev&revision=1265

Ciao, Marcus

Marcus Meissner | 3 Jun 2009 17:59

CVE Request: PDF XSS in ModSecurity / apache2 mod_security 2.5.8

Hi,

There also is a PDF XSS in ModSecurity <2.5.8

https://sourceforge.net/project/shownotes.php?release_id=667538&group_id=68846
http://mod-security.svn.sourceforge.net/viewvc/mod-security?view=rev&revision=1255

"Discovered by Steve Grubb at Redhat", so perhaps there 
already is a CVE.

Ciao, Marcus
