Eugene Teo | 2 Nov 10:40 2009

CVE request: kernel: connector security bypass

1/ uvesafb/connector: Disallow unprivileged users to send netlink packets
upstream commit: cc44578b5a508889beb8ae3ccd4d2bbdf17bc86c
introduced in v2.6.24-rc1; fixed in v2.6.32-rc3

2/ pohmelfs/connector: Disallow unprivileged users to configure pohmelfs
upstream commit: 98a5783af02f4c9b87b676d7bbda6258045cfc76
(staging/experimental)

3/ dst/connector: Disallow unprivileged users to configure dst
upstream commit: 5788c56891cfb310e419c4f9ae20427851797431
(staging/experimental)

4/ dm/connector: Only process connector packages from privileged processes
upstream commit: 24836479a126e02be691e073c2b6cad7e7ab836a
introduced in v2.6.31-rc1; fixed in v2.6.32-rc3

2/ and 3/ are experimental; I doubt distros are supporting these.
1/ and 4/ fixed similar issues, so perhaps we should just have one CVE 
name for this.

References:
http://secunia.com/advisories/37113/
http://xorl.wordpress.com/2009/10/31/linux-kernel-multiple-capabilities-missing-checks/

Thanks, Eugene

Mark J Cox | 2 Nov 12:37 2009

Re: CVE request: kernel: connector security bypass

On Mon, 2 Nov 2009, Eugene Teo wrote:

> 1/ uvesafb/connector: Disallow unprivileged users to send netlink packets
> upstream commit: cc44578b5a508889beb8ae3ccd4d2bbdf17bc86c
> introduced in v2.6.24-rc1; fixed in v2.6.32-rc3
>
> 2/ pohmelfs/connector: Disallow unprivileged users to configure pohmelfs
> upstream commit: 98a5783af02f4c9b87b676d7bbda6258045cfc76
> (staging/experimental)
>
> 3/ dst/connector: Disallow unprivileged users to configure dst
> upstream commit: 5788c56891cfb310e419c4f9ae20427851797431
> (staging/experimental)
>
> 4/ dm/connector: Only process connector packages from privileged processes
> upstream commit: 24836479a126e02be691e073c2b6cad7e7ab836a
> introduced in v2.6.31-rc1; fixed in v2.6.32-rc3

> References:
> http://secunia.com/advisories/37113/
> http://xorl.wordpress.com/2009/10/31/linux-kernel-multiple-capabilities-missing-checks/

I'm going to give one name to all four issues.  (Allowed as they are all 
of flaw type 'missing capability checks', found by the same reporter, and 
fixed at the same time).

CVE-2009-3725

Mark

(Continue reading)

Eugene Teo | 3 Nov 11:54 2009

CVE-2009-3547 kernel: fs: pipe.c null pointer dereference

* a NULL pointer dereference flaw was found in each of the following
functions in the Linux kernel: pipe_read_open(), pipe_write_open(), and
pipe_rdwr_open(). When the mutex lock is not held, the i_pipe pointer 
could be released by other processes before it is used to update the 
pipe's reader and writer counters. This could lead to a local denial of 
service or privilege escalation.

http://lkml.org/lkml/2009/10/14/184
http://lkml.org/lkml/2009/10/21/42
http://git.kernel.org/linus/ad3960243e55320d74195fb85c975e0a8cc4466c
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3547

Thanks, Eugene
-- 
Eugene Teo / Red Hat Security Response Team
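The defect described above is a classic check-under-lock omission: pipe_read_open() and friends took the inode mutex but then trusted i_pipe without verifying it, so a concurrent last close that released the pipe and cleared the pointer left the opener dereferencing NULL. The following user-space model is an added illustration, not code from this message, from the upstream commit or from the kernel; the inode, pipe, lock and the pipe_release_model() / scenario_* names are constructed stand-ins. It contrasts the vulnerable shape with the fixed shape, which validates the pointer under the same lock that protects it and fails with -ENOENT instead of crashing.

```c
/* Constructed user-space model of the pipe_read_open() race (CVE-2009-3547).
 * This is NOT kernel code: struct inode, the pipe and the lock are
 * simplified stand-ins so the pattern can be compiled and run anywhere. */
#include <errno.h>
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>

struct pipe_inode_info {
    int readers;
    int writers;
};

struct inode {
    atomic_flag lock;               /* stand-in for inode->i_mutex */
    struct pipe_inode_info *i_pipe; /* NULL once the pipe has been released */
};

static void inode_lock(struct inode *in)
{
    while (atomic_flag_test_and_set(&in->lock))
        ;                           /* spin; good enough for a model */
}

static void inode_unlock(struct inode *in)
{
    atomic_flag_clear(&in->lock);
}

/* Vulnerable shape: holds the lock but assumes i_pipe is still valid. */
static int pipe_read_open_vulnerable(struct inode *inode)
{
    inode_lock(inode);
    inode->i_pipe->readers++;       /* NULL dereference if i_pipe was released */
    inode_unlock(inode);
    return 0;
}

/* Fixed shape: check the pointer under the lock that protects it, and
 * report an error instead of dereferencing NULL. */
static int pipe_read_open_fixed(struct inode *inode)
{
    int ret = -ENOENT;

    inode_lock(inode);
    if (inode->i_pipe) {
        inode->i_pipe->readers++;
        ret = 0;
    }
    inode_unlock(inode);
    return ret;
}

/* Constructed last-closer path: frees the pipe and clears the pointer
 * under the lock, which is what a concurrent opener races against. */
static void pipe_release_model(struct inode *inode)
{
    inode_lock(inode);
    free(inode->i_pipe);
    inode->i_pipe = NULL;
    inode_unlock(inode);
}

/* Open after release: the fixed path returns -ENOENT. The vulnerable path
 * is only exercised while the pipe is live, because calling it afterwards
 * would crash the process, which is exactly the bug. */
int scenario_open_after_release(void)
{
    struct inode in;
    atomic_flag_clear(&in.lock);
    in.i_pipe = calloc(1, sizeof(*in.i_pipe));
    if (!in.i_pipe)
        return -ENOMEM;
    pipe_read_open_vulnerable(&in); /* readers = 1 while i_pipe is valid */
    pipe_release_model(&in);        /* another process closes the last fd */
    return pipe_read_open_fixed(&in);
}

/* Normal case: two readers open a live pipe; returns the reader count. */
int scenario_open_live(void)
{
    struct inode in;
    int readers;
    atomic_flag_clear(&in.lock);
    in.i_pipe = calloc(1, sizeof(*in.i_pipe));
    if (!in.i_pipe)
        return -ENOMEM;
    pipe_read_open_fixed(&in);
    pipe_read_open_fixed(&in);
    readers = in.i_pipe->readers;
    pipe_release_model(&in);
    return readers;
}

int main(void)
{
    printf("open after release -> %d (expect %d)\n",
           scenario_open_after_release(), -ENOENT);
    printf("readers on live pipe -> %d\n", scenario_open_live());
    return 0;
}
```

The important design point is that the NULL check and the use of i_pipe happen in the same critical section; checking before taking the lock would reopen the same window the release path exploits.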

Tim Brown | 4 Nov 16:39 2009

Re: CVE request - asterisk, python-markdown, jetty, kde

On Thursday 29 October 2009 22:11:32 Tim Brown wrote:
> On Thursday 29 October 2009 20:10:27 Tomas Hoger wrote:
> > On Thu, 29 Oct 2009 09:42:36 -0600 Raphael Geissert
> >
> > <geissert@...> wrote:
> > > = kde =
> > > Multiple missing input sanity checks in KDE
> > > Reference:
> > > http://www.ocert.org/advisories/ocert-2009-015.html
> >
> > Btw, do you have any suggestion on how many CVEs should be allocated
> > here and what the individual flaws are?  I failed to build a satisfying
> > list from the info in the advisory.  Have you managed to tell which
> > patch is supposed to address which vulnerability?
>
> I've responded to Tomas off list regarding these issues since our
> advisories have not yet been made available.  We have 4 advisories to cover
> the individual flaws.  If anyone else wants further details in the
> meantime, feel free to get in touch off list but I'll likely only respond
> to people I can validate (i.e. package maintainers for the distros etc).

Our advisories are now up at http://www.portcullis-security.com/advisories:

* Portcullis Security Advisory 09-008 Insufficient Input Validation By IO 
Slaves
* Portcullis Security Advisory 09-004 KMail Attachment Mime Type Spoofing 
Enables Javascript Injection
* Portcullis Security Advisory 09-003 Form Spoofing In Konqueror Enables 
KWallet Stored Credential Theft
* Portcullis Security Advisory 09-002 Ark Default View Allows JavaScript 
(Continue reading)

Eugene Teo | 5 Nov 06:29 2009

CVE request: kernel: NULL pointer dereference in nfs4_proc_lock()

Quote from upstream commit:
"We just had a case in which a buggy server occasionally returns the 
wrong attributes during an OPEN call. While the client does catch this 
sort of condition in nfs4_open_done(), and causes the nfs4_atomic_open() 
to return -EISDIR, the logic in nfs_atomic_lookup() is broken, since it 
causes a fallback to an ordinary lookup instead of just returning the error.

When the buggy server then returns a regular file for the fallback 
lookup, the VFS allows the open, and bad things start to happen, since 
the open file doesn't have any associated NFSv4 state.

The fix is firstly to return the EISDIR/ENOTDIR errors immediately, and 
secondly to ensure that we are always careful when dereferencing the 
nfs_open_context state pointer."

Upstream commit:
http://git.kernel.org/linus/d953126a28f97e (v2.6.31-rc4)

Steps to reproduce the issue/backtraces:
https://bugzilla.redhat.com/show_bug.cgi?id=529227#c0

References:
http://www.spinics.net/linux/lists/linux-nfs/msg03357.html
https://bugzilla.redhat.com/show_bug.cgi?id=529227

Thanks, Eugene

Jan Lieskovsky | 5 Nov 10:56 2009

CVE Request - Asterisk (AST-2009-008.html)

Hello Steve, vendors,

   Asterisk upstream has recently published two security advisories:

a, SIP responses expose valid usernames
    http://downloads.asterisk.org/pub/security/AST-2009-008.html

    This is a similar issue to AST-2009-003.html (CVE-2008-3903)
    http://downloads.asterisk.org/pub/security/AST-2009-003.html

    But according to the patches:

    http://downloads.digium.com/pub/asa/AST-2009-003-1.6.1.diff.txt (AST-2009-003) vs
    http://downloads.asterisk.org/pub/security/AST-2009-008-1.6.1.diff.txt (AST-2009-003)

    it deserves a new CVE id. Could you allocate one?

The second issue (b,) already got a CVE id of CVE-2008-7220.

b, Cross-site AJAX request vulnerability (CVE-2008-7220)
    http://downloads.asterisk.org/pub/security/AST-2009-009.html

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Mark J Cox | 5 Nov 16:24 2009

CVE-2009-3555 for TLS renegotiation MITM attacks

http://extendedsubset.com/?p=8 
http://www.ietf.org/mail-archive/web/tls/current/msg03948.html and so on
https://bugzilla.redhat.com/show_bug.cgi?id=533125

Marsh Ray of PhoneFactor has discovered a flaw in the TLS/SSL protocol 
related to the handling of the session renegotiations.  In certain 
circumstances this flaw could be used in MITM attacks, allowing an 
attacker to inject attacker-chosen plain text prefix into a secure session 
of the victim.

Thanks, Mark

Josh Bressers | 5 Nov 18:23 2009

Re: CVE request: kernel: NULL pointer dereference in nfs4_proc_lock()

Please use CVE-2009-3726

Thanks.

-- 
    JB

----- "Eugene Teo" <eugeneteo@...> wrote:

> Quote from upstream commit:
> "We just had a case in which a buggy server occasionally returns the 
> wrong attributes during an OPEN call. While the client does catch this
> 
> sort of condition in nfs4_open_done(), and causes the
> nfs4_atomic_open() 
> to return -EISDIR, the logic in nfs_atomic_lookup() is broken, since
> it 
> causes a fallback to an ordinary lookup instead of just returning the
> error.
> 
> When the buggy server then returns a regular file for the fallback 
> lookup, the VFS allows the open, and bad things start to happen, since
> 
> the open file doesn't have any associated NFSv4 state.
> 
> The fix is firstly to return the EISDIR/ENOTDIR errors immediately,
> and 
> secondly to ensure that we are always careful when dereferencing the 
> nfs_open_context state pointer."
> 
(Continue reading)

Florian Weimer | 5 Nov 18:24 2009

Re: CVE-2009-3555 for TLS renegotiation MITM attacks

* Mark J. Cox:

> http://extendedsubset.com/?p=8
> http://www.ietf.org/mail-archive/web/tls/current/msg03948.html and so
> on
> https://bugzilla.redhat.com/show_bug.cgi?id=533125
>
> Marsh Ray of PhoneFactor has discovered a flaw in the TLS/SSL protocol
> related to the handling of the session renegotiations.

Shouldn't this be credited to Martin Rex from SAP?  He's the first one
who publicly committed to this vulnerability.  (And I'm slightly
surprised by the rapid me-too-ing that's going on here.)

Anyway, is the CVE just for HTTP over TLS, or more?

Josh Bressers | 5 Nov 18:35 2009

Re: CVE Request - Asterisk (AST-2009-008.html)

CVE-2009-3727 Asterisk AST-2009-008

    Asterisk Open Source 1.2.x before 1.2.35, 1.4.x before 1.4.26.3, and
    1.6.0.x before 1.6.0.17; Asterisk Business Edition A.x.x, B.x.x before
    B.2.5.12, C.1.x.x before C.2.x.x before C.2.4.5 and C.3.2.2; s800i 1.3.x
    before 1.3.0.5; Generates different responses when a specially crafted
    REGISTER message is sent twice depending on whether a SIP username is
    valid. This allows remote attackers to enumerate valid usernames.

    http://downloads.asterisk.org/pub/security/AST-2009-008.html

Thanks.

-- 
    JB

----- "Jan Lieskovsky" <jlieskov@...> wrote:

> Hello Steve, vendors,
> 
>    Asterisk upstream has recently published two security advisories:
> 
> a, SIP responses expose valid usernames
>     http://downloads.asterisk.org/pub/security/AST-2009-008.html
> 
>     This is a similar issue to AST-2009-003.html (CVE-2008-3903)
>     http://downloads.asterisk.org/pub/security/AST-2009-003.html
> 
>     But according to the patches:
> 
(Continue reading)
