Eugene Teo | 1 Mar 2010 16:35

CVE request: kernel: dvb-core: ULE decapsulation DoS

Reported by Ang Way Chuang.

"dvb-core: Fix DoS bug in ULE decapsulation code that can be triggered
by an invalid Payload Pointer.

ULE (Unidirectional Lightweight Encapsulation, RFC 4326) decapsulation
has a bug that causes an endless loop when the Payload Pointer of an
MPEG2-TS frame is 182 or 183.  Anyone who sends a malicious MPEG2-TS
frame will cause the receiver of the ULE SNDU to go into an endless
loop.

This patch was generated and tested against linux-2.6.32.9 and should 
apply cleanly to linux-2.6.33 as well because there was only one typo 
fix to dvb_net.c since v2.6.32.

This bug was brought to you by modern day Santa Claus who decided to 
shower the satellite dish at Keio University with heavy snow causing a
huge burst of errors.  We, at the receiver end, received Santa Claus's
gift in the form of a kernel bug."

http://git.kernel.org/linus/29e1fa3565a7951cc415c634eb2b78dbdbee151d
http://bugzilla.redhat.com/569237

Thanks, Eugene
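The pointer check the quoted commit message describes, as an added example that is neither the dvb_net.c code nor the upstream patch: a hypothetical ULE receiver that validates the Payload Pointer of one 188-byte TS cell before walking the SNDUs that start in it. The 0x47 sync byte, PUSI bit, adaptation-field-control bits, the 15-bit Length field with its D flag and the 0xFFFF End Indicator come from ISO 13818-1 and RFC 4326; the rule that a full 2-byte Length field must fit after the pointer (which is what rejects 182 and 183), the 6-byte minimum SNDU length, the PID and the constructed cells in main are this example's own assumptions.

```c
/* Added example (not kernel code): validate the ULE Payload Pointer of one
 * 188-byte MPEG-2 TS cell and count the SNDUs that start in it. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TS_SIZE         188
#define TS_SYNC_BYTE    0x47
#define ULE_PP_OFFSET   4            /* Payload Pointer byte when PUSI is set */
#define ULE_DATA_START  5            /* pointer offsets count from this byte */
#define ULE_MIN_LEN     6            /* Type (2) + CRC-32 (4): assumed minimum */

enum ule_err {
    ULE_E_SYNC = 1,                  /* wrong size or sync byte */
    ULE_E_AFC,                       /* adaptation field present: not handled here */
    ULE_E_POINTER,                   /* pointer leaves no room for a Length field */
    ULE_E_LENGTH                     /* Length field below ULE_MIN_LEN */
};

/*
 * Returns the number of SNDUs starting in `cell` (0 for a continuation
 * cell) or -ULE_E_* on a malformed cell.  Every path either returns or
 * advances `pos`, so a hostile pointer can not make the walk spin.
 */
int ule_count_sndu_starts(const uint8_t *cell, size_t len)
{
    size_t pos;
    int count = 0;

    if (len != TS_SIZE || cell[0] != TS_SYNC_BYTE)
        return -ULE_E_SYNC;
    if (((cell[3] >> 4) & 0x3) != 0x1)       /* AFC 01: payload only */
        return -ULE_E_AFC;
    if (!(cell[1] & 0x40))                   /* PUSI clear: nothing starts here */
        return 0;

    /* 183 bytes follow the pointer byte.  A pointer of 182 leaves one byte
     * and 183 leaves none, so the 2-byte Length field can not be read;
     * reject before any arithmetic that assumes it can. */
    if ((size_t)cell[ULE_PP_OFFSET] + 2 > TS_SIZE - ULE_DATA_START)
        return -ULE_E_POINTER;

    pos = ULE_DATA_START + cell[ULE_PP_OFFSET];
    while (pos + 2 <= TS_SIZE) {
        uint16_t raw = (uint16_t)((cell[pos] << 8) | cell[pos + 1]);
        uint16_t sndu_len;

        if (raw == 0xFFFF)                   /* End Indicator: rest is padding */
            break;
        sndu_len = raw & 0x7FFF;             /* top bit is the D flag */
        if (sndu_len < ULE_MIN_LEN)
            return -ULE_E_LENGTH;
        count++;
        pos += 2 + sndu_len;                 /* strictly increasing */
    }
    return count;
}

/* Constructed cell for testing: header, optional PUSI, pointer, 0xFF fill
 * (0xFF padding also reads as the End Indicator). */
void ule_make_cell(uint8_t cell[TS_SIZE], int pusi, uint8_t pp)
{
    memset(cell, 0xFF, TS_SIZE);
    cell[0] = TS_SYNC_BYTE;
    cell[1] = (uint8_t)((pusi ? 0x40 : 0x00) | 0x01);   /* PID 0x100 (assumed) */
    cell[2] = 0x00;
    cell[3] = 0x10;                                     /* AFC 01, CC 0 */
    cell[ULE_PP_OFFSET] = pp;
}

int main(void)
{
    uint8_t cell[TS_SIZE];
    uint8_t pp;

    ule_make_cell(cell, 1, 0);
    cell[ULE_DATA_START] = 0x80;             /* D=1, Length 6 */
    cell[ULE_DATA_START + 1] = 0x06;
    printf("pp=0, one SNDU: %d\n", ule_count_sndu_starts(cell, TS_SIZE));

    for (pp = 180; pp != 184; pp++) {
        ule_make_cell(cell, 1, pp);
        printf("pp=%u: %d\n", pp, ule_count_sndu_starts(cell, TS_SIZE));
    }
    return 0;
}
```

The pointer check is the whole point: with it, 182 and 183 are refused up front; without it, the walk would start at or past the end of the cell and whatever arithmetic follows has to cope with a negative or zero remainder, which is the kind of place a loop stops advancing. The loop itself only ever moves forward by at least 2 + ULE_MIN_LEN bytes, so termination does not depend on the sender being honest.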

Vincent Danen | 2 Mar 2010 21:52

CVE-2009-3297 samba/ncpfs/fuse issues granted individual 2010 CVE names?

* [2010-03-02 13:05:28 -0500] nobody@... via RT wrote:

Hi, Steve.  I'm confused about these three CVEs, particularly since
CVE-2009-3297 was assigned to this issue (I suppose it would be more
correct to have 3 CVEs for the issue, but I'm not sure then why
CVE-2009-3297 was completely ignored unless you intend for it to be not
used/duplicated to one of these?).

I'm also confused on using a 2010-based name since our bugzilla entry is
dated 2009-11-04, and Samba upstream has their report dated
2009-10-28, so these should have received 2009-based names.

We've used CVE-2009-3297 all over the place so it's pretty hard to miss.
Looking at the references just for the samba issue (your CVE-2010-0787),
all of the references except the git commits refer to CVE-2009-3297.

Can you clarify why this was done?  CC'ing oss-security in case anyone
else has noticed this as well.

Thanks.

>======================================================
>Name: CVE-2010-0787
>Status: Candidate
>URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0787
>Final-Decision:
>Interim-Decision:
>Modified:
>Proposed:
>Assigned: 20100302

Vincent Danen | 2 Mar 2010 21:57

Re: CVE-2009-3297 samba/ncpfs/fuse issues granted individual 2010 CVE names?

* [2010-03-02 13:52:05 -0700] Vincent Danen wrote:

>Hi, Steve.  I'm confused about these three CVEs, particularly since
>CVE-2009-3297 was assigned to this issue (I suppose it would be more
>correct to have 3 CVEs for the issue, but I'm not sure then why
>CVE-2009-3297 was completely ignored unless you intend for it to be not
>used/duplicated to one of these?).
>
>I'm also confused on using a 2010-based name since our bugzilla entry is
>dated 2009-11-04, and Samba upstream has their report dated
>2009-10-28, so these should have received 2009-based names.
>
>We've used CVE-2009-3297 all over the place so it's pretty hard to miss.
>Looking at the references just for the samba issue (your CVE-2010-0787),
>all of the references except the git commits refer to CVE-2009-3297.
>
>Can you clarify why this was done?  CC'ing oss-security in case anyone
>else has noticed this as well.

Gah!  Sorry, I missed this other bit because I was looking on the
website and CVE-2009-3297 still says "** RESERVED **", but:

> Name: CVE-2009-3297
> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3297
> 
> ** REJECT **
> 
> DO NOT USE THIS CANDIDATE NUMBER.  ConsultIDs: CVE-2010-0787,
> CVE-2010-0788, CVE-2010-0789.  Reason: this candidate was intended for
> one issue in Samba, but it was used for multiple distinct issues,

Eugene Teo | 3 Mar 2010 10:45

CVE request: kernel: NFS: Fix an Oops when truncating a file

"The VM/VFS does not allow mapping->a_ops->invalidatepage() to fail.
Unfortunately, nfs_wb_page_cancel() may fail if a fatal signal occurs. 
Since the NFS code assumes that the page stays mapped for as long as the 
writeback is active, we can end up Oopsing (among other things).

The only safe fix here is to convert nfs_wait_on_request(), so as to 
make it uninterruptible (as is already the case with 
wait_on_page_writeback())."

Upstream commit:
http://git.kernel.org/linus/9f557cd8073104b39528794d44e129331ded649f

Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=567184


[cansecwest] Advanced PHP Hacking


Hi,

I'd like to announce a Security Master's Dojo course during next
CanSecWest 2010 in Vancouver (March 22-26 2010).

Title: Advanced PHP Hacking (!)

PHP is a worldwide web language used by individuals as well as companies
(Facebook...). This session aims at providing a hands-on focused PHP
Hacking experience. After this course, you will really know how
attackers work and move through PHP hax0ring so that they can jump
deeper down to your networks.

*BONUS*
This training will end with a final amazing exercise through a step by
step live hacking simulation. It will help students come back to the
offensive and defensive hands-on actions seen during the whole day,
thanks to this complete information warfare operation.

For further information, just check :
 http://www.tehtri-security.com/en/trainings.php?t=cansecwest-2010

Register as soon as possible (!) and join us at Cansecwest 2010
(http://cansecwest.com)

See you soon in Vancouver for more PHP Hacking :)

--
Laurent OUDOT

Solar Designer | 3 Mar 2010 16:30

CFPs and con invitations on the list (was: [cansecwest] Advanced PHP Hacking)

Hi,

I've just approved Laurent's posting, even though this is sort of an
exception lately.  Several other postings of "this nature" (not training
courses but mostly conference CFPs, though) were not approved.  Yet I
thought it was time to revisit this issue, and Laurent's posting was a
good choice because I knew that Laurent had actually joined the list
first (unlike most others who try to cross-post their CFPs in here).

The last time this topic was brought up, two of the list members
("founding members", so to speak) said they were OK with these postings
getting through to the list "presuming they stay on the topic of Open
Source Security" and "are not badly cross-posted":

http://www.openwall.com/lists/oss-security/2009/01/07/4
http://www.openwall.com/lists/oss-security/2009/01/07/9
http://www.openwall.com/lists/oss-security/2009/01/07/12

In practice, many of the postings were in fact "badly cross-posted" and
none of the moderators approved them (so they should have bounced back
to the senders in a few days).  Sometimes it is difficult to determine
if a posting is cross-posted "badly enough" or not, though.

Another thing to keep in mind is that those cross-posts provide extra
visibility to oss-security, making more people aware of this list.  If
we don't approve them, then people will stop trying to CC: oss-security
on their announcements, so we won't be getting this extra visibility.
It is not clear whether this would be a good or a bad thing.  So far,
the visibility did not hurt, though - reasonable people were joining the
list, and we have pre-moderation for postings by new members anyway.

Steven M. Christey | 3 Mar 2010 19:01

Re: CVE-2009-3297 samba/ncpfs/fuse issues granted individual 2010 CVE names?


On Tue, 2 Mar 2010, Vincent Danen wrote:

> * [2010-03-02 13:05:28 -0500] nobody@... via RT wrote:
>
> Hi, Steve.  I'm confused about these three CVEs, particularly since
> CVE-2009-3297 was assigned to this issue (I suppose it would be more
> correct to have 3 CVEs for the issue, but I'm not sure then why
> CVE-2009-3297 was completely ignored unless you intend for it to be not
> used/duplicated to one of these?).

Sorry about not informing oss-security when I did this; I meant to.

CVE-2009-3297 has been rejected since it was used heavily for multiple 
issues that should have been assigned separate entries.  People weren't 
just using CVE-2009-3297 for Samba, they were using it for fuse and 
others.

This rejection has since been uploaded to the CVE site:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3297

Along with the three new CVEs:

CVE-2010-0787 (Samba)
CVE-2010-0788 (ncpfs)
CVE-2010-0789 (FUSE)

I try very hard to avoid doing this kind of split (and REJECT) except when 
it seems like there will be a lot of confusion; I know how much work it is 

Tomas Hoger | 3 Mar 2010 21:16

OpenSSL (with KRB5) remote crash - CVE-2010-0433

Hi!

We've been pointed to public reports of remote SSL server crashes
in OpenSSL builds with Kerberos support, triggered by Nessus'
ssl_supported_ciphers test.

We've managed to track this problem to a missing return value check,
causing incorrect input to be passed to the krb5 library, resulting in
NULL pointer dereference crash in krb5 (recent MIT krb5 versions).

The issue can be reproduced with chrooted SSL servers (such as dovecot's
login process or chrooted stunnel).

Report we got, with references to previous public discussions:
  https://bugzilla.redhat.com/show_bug.cgi?id=567711

Details of the flaw:
  https://bugzilla.redhat.com/show_bug.cgi?id=569774

Upstream patch:
  http://cvs.openssl.org/chngview?cn=19374

We've assigned CVE-2010-0433 to this issue.

-- 
Tomas Hoger / Red Hat Security Response Team

Kees Cook | 3 Mar 2010 22:58

CVE Request: libesmtp does not check NULL bytes in commonName

Hello,

I just noticed that libesmtp does not appear to handle NULL-byte CNs, as
seen with the original browser-based issue:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2408

Related to this are failures in wildcard handling:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=311191
and CN-specificity:
 https://bugzilla.redhat.com/show_bug.cgi?id=510202

Though it may be a non-issue if TLS doesn't function at all:
 http://bugs.gentoo.org/213066

-Kees

-- 
Kees Cook
Ubuntu Security Team
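The NUL-byte and wildcard problems Kees lists, as an added example that is not libesmtp's code: a naive strcmp()-based matcher beside a hardened one that honours the length the certificate carries, refuses a CN with an embedded NUL, and accepts a wildcard only as the whole leftmost label matching exactly one label of the host. The CN value is constructed; how a real caller would pull the CN bytes and their length out of the X.509 subject is outside the example.

```c
/* Added example (not libesmtp code): hostname vs. certificate CN matching,
 * the vulnerable pattern beside a hardened one. */
#include <ctype.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed CN of the kind CVE-2009-2408 was about: the DER string is
 * 30 bytes long and carries an embedded NUL right after the victim name. */
const unsigned char cn_evil[] = "www.bank.example\0.evil.example";
const size_t cn_evil_len = sizeof(cn_evil) - 1;

/* Vulnerable: hands the DER bytes to C string functions, so strcmp() stops
 * at the embedded NUL and "matches" the victim name. */
int cn_match_naive(const unsigned char *cn, size_t cn_len, const char *host)
{
    (void)cn_len;                      /* the certificate's length is ignored: the bug */
    return strcmp((const char *)cn, host) == 0;
}

/* Case-insensitive compare of a length-delimited name with a C string. */
static int name_eq(const unsigned char *a, size_t n, const char *b)
{
    size_t i;

    if (strlen(b) != n)
        return 0;
    for (i = 0; i < n; i++)
        if (tolower(a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/*
 * Hardened: honours the length from the certificate, refuses names with an
 * embedded NUL, and accepts a wildcard only as the whole leftmost label
 * matching exactly one host label ("*.com" and "w*.x" are refused).
 */
int cn_match(const unsigned char *cn, size_t cn_len, const char *host)
{
    if (cn_len == 0 || cn_len > 255 || host[0] == '\0')
        return 0;
    if (memchr(cn, '\0', cn_len) != NULL)      /* NUL inside the DER string */
        return 0;

    if (cn_len >= 2 && cn[0] == '*' && cn[1] == '.') {
        const char *host_rest = strchr(host, '.');   /* after the first label */
        const unsigned char *cn_rest = cn + 2;
        size_t rest_len = cn_len - 2;

        if (host_rest == NULL || host_rest == host)
            return 0;                              /* no label for '*' to match */
        if (memchr(cn_rest, '*', rest_len) != NULL)
            return 0;                              /* one wildcard only */
        if (memchr(cn_rest, '.', rest_len) == NULL)
            return 0;                              /* "*.com" is too broad */
        return name_eq(cn_rest, rest_len, host_rest + 1);
    }
    if (memchr(cn, '*', cn_len) != NULL)           /* wildcard elsewhere */
        return 0;
    return name_eq(cn, cn_len, host);
}

int main(void)
{
    const char *host = "www.bank.example";

    printf("naive:    %d\n", cn_match_naive(cn_evil, cn_evil_len, host));  /* 1: fooled */
    printf("hardened: %d\n", cn_match(cn_evil, cn_evil_len, host));        /* 0 */
    printf("wildcard: %d\n",
           cn_match((const unsigned char *)"*.bank.example", 14, host));   /* 1 */
    return 0;
}
```

The embedded-NUL check is deliberately a refusal rather than a comparison over the full length: a name that a CA signed with a NUL in it is malformed whatever it compares equal to, and refusing it is the only outcome that never helps an attacker. The same matcher should be run against subjectAltName dNSName entries first and fall back to the CN only when none are present, which is the "CN-specificity" point in the Red Hat bug Kees references.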

Vincent Danen | 4 Mar 2010 02:45

Re: CVE-2009-3297 samba/ncpfs/fuse issues granted individual 2010 CVE names?

* [2010-03-03 13:01:18 -0500] Steven M. Christey wrote:

>On Tue, 2 Mar 2010, Vincent Danen wrote:
>
>>* [2010-03-02 13:05:28 -0500] nobody@... via RT wrote:
>>
>>Hi, Steve.  I'm confused about these three CVEs, particularly since
>>CVE-2009-3297 was assigned to this issue (I suppose it would be more
>>correct to have 3 CVEs for the issue, but I'm not sure then why
>>CVE-2009-3297 was completely ignored unless you intend for it to be not
>>used/duplicated to one of these?).
>
>Sorry about not informing oss-security when I did this; I meant to.
>
>CVE-2009-3297 has been rejected since it was used heavily for 
>multiple issues that should have been assigned separate entries.  
>People weren't just using CVE-2009-3297 for Samba, they were using it 
>for fuse and others.

Ok, fair enough.  I thought that might have been the reason, but I was
unsure why we would drop CVE-2009-3297 altogether, but it makes sense.

>This rejection has since been uploaded to the CVE site:
>
>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3297
>
>Along with the three new CVEs:
>
>CVE-2010-0787 (Samba)
>CVE-2010-0788 (ncpfs)
