Bug 134720

| Field | Value |
|---|---|
| Summary | CAN-2004-0883 smbfs potential DOS (CAN-2004-0949) |
| Product | Red Hat Enterprise Linux 3 |
| Component | kernel |
| Version | 3.0 |
| Hardware | All |
| OS | Linux |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Reporter | Josh Bressers <bressers> |
| Assignee | Alexander Viro <aviro> |
| QA Contact | Brian Brock <bbrock> |
| CC | davej, jbaron, peterm, petrides, riel, security-response-team, tburke |
| Keywords | Security |
| Whiteboard | impact=moderate,public=20041115 |
| Doc Type | Bug Fix |
| Last Closed | 2004-12-02 11:41:07 UTC |
Description
Josh Bressers
2004-10-05 19:02:41 UTC

Created attachment 105808 [details]
Proposed patch for this issue.

Can someone take a look at this? This issue has pretty much died down on vendor-sec, and I worry that the patch is not as complete as it should be. Al, could you please follow up on this? Thanks.
-ernie

As far as I can see, both issues are real and the proposed patch looks right. IOW, ACK on both bug and proposed fix.

(I've removed the reference to the 2.6 kernel in the list below.)

CAN-2004-0883:
- 2.4 smb_proc_read(X) malicious data count overflow [Explained in mail Message-ID: <20040927083504.GA5287>]
- 2.4 smb_receive_trans2 missing fragment information leak [Explained in mail Message-ID: <20040927083504.GA5287>]
- 2.4 smb_proc_readX malicious data offset information leak [Explained in Message-ID: <20041023144344.GA32227>]
- 2.4 smb_receive_trans2 malicious parm/data offset information leak/DOS [Explained in Message-ID: <20041023144344.GA32227>]

These issues are all of the type "user supplied data not bounds checked" (leading to DoS or info leak).

Linux 2.4 CAN-2004-0949:
> 2.4 + smb_receive_trans2 defragmentation overflow [Explained in mail Message-ID: <20041019161226.GA10715>]

Both are "SMB fragment reconstruction does not ensure that all data in the reconstructed packet is initialised, and a possible attacker can always send fragments with the same data in them to leave lots of the packet uninitialised, leading to DoS or leak of kernel memory".

Created attachment 106654 [details]
Updated patch to solve all issues

My breakdown of which issues were in which CVE names was not correct; the following is agreed:

CAN-2004-0883 "remote supplied data not bounds checked"
- 2.4 smb_proc_read(X) malicious data count overflow
- 2.4 smb_proc_readX malicious data offset information leak
- 2.4 smb_receive_trans2 malicious parm/data offset information leak/DOS
- 2.4 smb_receive_trans2 defragmentation overflow possible overflow
- 2.6 smb_recv_trans2 malicious parm/data offset information leak/DOS (??)
- 2.6 smb_proc_readX_data malicious data offset DOS (-=hdrlen underflow)

CAN-2004-0949 "failure to initialise structure/memory"
- 2.4 smb_receive_trans2 missing fragment information leak
- 2.6 smb_recv_trans2 missing fragment information leak
- 2.6 smb_recv_trans2 fragment resending leads to invalid counters

A fix for this problem has just been committed to the RHEL3 E4 patch pool this evening (in kernel version 2.4.21-20.0.1.EL). I'm leaving this in ASSIGNED state until the fix is also propagated to the RHEL3 U4 and U5 patch pools.

Removing embargo

A fix for this problem has just been committed to the RHEL3 U4 patch pool this evening (in kernel version 2.4.21-27.EL). I'm leaving this in ASSIGNED state until the fix is also propagated to the RHEL3 U5 patch pool.

A fix for this problem has just been committed to the RHEL3 U5 patch pool this evening (in kernel version 2.4.21-27.3.EL).

Work on this problem has now been completed.
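The two bug classes agreed above, "remote supplied data not bounds checked" (CAN-2004-0883) and "failure to initialise structure/memory" (CAN-2004-0949), illustrated with an added C example that is not part of this bug report, the attached patches or the smbfs code. It models a ReadX-style response whose data offset and count come from the server, with the range check arranged so that neither a huge count nor an offset below the header length can be used, and a trans2 reassembly that records per-byte coverage so a missing fragment or a resent fragment at the same displacement cannot make a partially written buffer count as complete. The header size (32 bytes), the field positions (count at bytes 24..25, offset at bytes 26..27), the 256-byte trans2 limit, the function names and the sample packets are all constructed assumptions for this example, not the 2.4 client's layout.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical model of a received SMB response: a fixed-size header followed by
 * the payload. Header size, field positions, the trans2 limit and the function
 * names are assumptions for this example, not the 2.4 smbfs client's layout. */
#define SMB_HDRLEN 32u
#define MAX_TRANS2 256u

/* Check a server-supplied (off, count) pair against the len bytes received and
 * the caller's buffer of size want; no comparison can wrap or underflow. 0 = ok. */
int smb_check_data_range(size_t len, size_t off, size_t count, size_t want)
{
    if (len < SMB_HDRLEN)  return -1;      /* short packet: no payload at all */
    if (off < SMB_HDRLEN)  return -1;      /* offset points back into the header */
    if (off > len)         return -1;      /* offset beyond what was received */
    if (count > len - off) return -1;      /* count runs past the received bytes */
    if (count > want)      return -1;      /* count larger than the caller's buffer */
    return 0;
}

/* Copy the data block of a ReadX-style response into out[want]. Count and offset
 * are read from assumed header bytes 24..27 and are untrusted. Returns bytes copied or -1. */
long smb_copy_read_data(const uint8_t *buf, size_t len, uint8_t *out, size_t want)
{
    if (len < SMB_HDRLEN) return -1;
    size_t count = buf[24] | ((size_t)buf[25] << 8);
    size_t off   = buf[26] | ((size_t)buf[27] << 8);
    if (smb_check_data_range(len, off, count, want) != 0) return -1;
    memcpy(out, buf + off, count);
    return (long)count;
}

/* Trans2 reassembly of one area (parm and data are handled the same way). A per-byte
 * coverage map replaces a "bytes received so far" counter, so a resent fragment cannot
 * advance completion and no never-written byte can reach the caller. */
struct trans2_reasm {
    uint8_t data[MAX_TRANS2];
    uint8_t cov[MAX_TRANS2];               /* 1 where data[i] has been written */
    size_t total;                          /* total declared by the server */
};

int trans2_init(struct trans2_reasm *s, size_t total)
{
    if (total > MAX_TRANS2) return -1;     /* declared size exceeds our buffer */
    memset(s, 0, sizeof *s);
    s->total = total;
    return 0;
}

/* Place one fragment at displacement disp; anything outside the declared total is
 * rejected (the "defragmentation overflow" entry). */
int trans2_add_fragment(struct trans2_reasm *s, size_t disp, const uint8_t *src, size_t len)
{
    if (disp > s->total || len > s->total - disp) return -1;
    if (len) { memcpy(s->data + disp, src, len); memset(s->cov + disp, 1, len); }
    return 0;
}

bool trans2_complete(const struct trans2_reasm *s)
{
    for (size_t i = 0; i < s->total; i++) if (!s->cov[i]) return false;
    return true;
}

/* Constructed 48-byte response with count at byte 24 and offset at byte 26.
 * Returns a bitmask of the checks that behaved as intended; 7 = all three. */
int demo_readx(void)
{
    uint8_t pkt[48] = {0}, out[16];
    int ok = 0;
    pkt[24] = 16; pkt[26] = 32;                  /* count 16 at offset 32: fits */
    for (int i = 0; i < 16; i++) pkt[32 + i] = (uint8_t)i;
    if (smb_copy_read_data(pkt, sizeof pkt, out, sizeof out) == 16 && out[15] == 15) ok |= 1;
    pkt[26] = 8;                                 /* offset 8: would copy header bytes */
    if (smb_copy_read_data(pkt, sizeof pkt, out, sizeof out) == -1) ok |= 2;
    pkt[26] = 40;                                /* offset 40 + count 16 > 48 received */
    if (smb_copy_read_data(pkt, sizeof pkt, out, sizeof out) == -1) ok |= 4;
    return ok;
}

/* Constructed trans2 exchange declaring 16 bytes: the same 8-byte fragment sent
 * twice must not count as complete. Returns 15 when all four checks pass. */
int demo_trans2(void)
{
    struct trans2_reasm s;
    uint8_t a[8] = {1,1,1,1,1,1,1,1}, b[8] = {2,2,2,2,2,2,2,2};
    int ok = 0;
    if (trans2_init(&s, 16) == 0) ok |= 1;
    trans2_add_fragment(&s, 0, a, 8);
    trans2_add_fragment(&s, 0, a, 8);            /* resent: a counter would say 16/16 */
    if (!trans2_complete(&s)) ok |= 2;           /* bytes 8..15 still never written */
    trans2_add_fragment(&s, 8, b, 8);
    if (trans2_complete(&s) && s.data[0] == 1 && s.data[15] == 2) ok |= 4;
    if (trans2_add_fragment(&s, 12, b, 8) == -1) ok |= 8;   /* 12 + 8 > 16 */
    return ok;
}
```

The coverage map is the point of the second half: the "fragment resending leads to invalid counters" entry describes a reassembler that adds each fragment's length to a running total, so two copies of the same fragment satisfy the total while half the buffer is never written. Making completion depend on which bytes arrived rather than how many closes both the missing-fragment leak and the resend case, and zeroing the buffer at init is a second line of defence for the same leak.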