Bug 288201 - (CVE-2007-4570) CVE-2007-4570 mcstransd DoS
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
Whiteboard: reported=20070912,source=secalert,pub...
Keywords: Security
Depends On: 288941
Blocks:
Reported: 2007-09-12 14:47 EDT by Mark J. Cox (Product Security)
Modified: 2011-09-28 18:35 EDT
Doc Type: Bug Fix
Last Closed: 2011-09-28 18:35:18 EDT

Attachments:
patch attempting to fix problem (756 bytes, patch)
2007-09-12 16:13 EDT, Steve Grubb

Description Mark J. Cox (Product Security) 2007-09-12 14:47:19 EDT
Reported via secalert@redhat.com:

        There is an algorithmic complexity weakness in the way the MCS
translation daemon handles ranges of compartments in sensitivity labels.
When translating a security context that includes a range of categories
separated by a period, e.g. "c0.c10", the daemon calls the
substitute_range() function to replace the range with an explicit
declaration of each category, e.g. "c0,c1,c2,c3,c4,c5,c6,c7,c8,c9,c10".
The vulnerable logic in this function is shown below (with some lines
wrapped for readability):

        while (tok) {
                if ((r=strchr(tok, '.')) !=0) {
                        /* range "cN.cM": both bounds come straight from the input */
                        int begin=atoi(&tok[1]);
                        ++r;
                        int end=atoi(&r[1]);
                        /* begin and end are never checked: runs end-begin+1 times */
                        for (;begin<end+1;begin++) {
                                tmp=sub;
                                if (asprintf(&sub, "%sc%d,", sub, begin) < 0) {
                                        error=1;
                                        break;
                                }
                                free(tmp);
                        }
                } else {
                        /* plain category token: appended as-is */
                        tmp=sub;
                        if (asprintf(&sub, "%s%s,", sub, tok) < 0) {
                                error=1;
                                break;
                        }
                        free(tmp);
                }
                tok=strtok_r(NULL, ",", &ptr);
        }

The attacker supplies the input string for this function, and the values
of 'begin' and 'end' are not checked. Consequently, by supplying an
abnormally long range, an attacker can cause the program to remain in
the above loop for an extremely long period of time. Since mcstransd is
a single-threaded, single-process daemon, it supports only one
concurrent request.

        This weakness allows a local attacker to trivially prevent the daemon
from responding to requests for an extended period of time (hours or
days). When the mcstrans service is enabled, the system calls upon
mcstransd for user logins and the execution of many programs. If
mcstransd does not respond, those operations silently hang.
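A hardened substitute_range() written for this note as an added example; it is not the attached patch (attachment 193951), whose contents are not reproduced here. Both bounds are parsed strictly and compared before the loop runs, so the iteration count is capped; MAX_CAT = 1023 is an assumed ceiling mirroring the default MCS category space (c0..c1023), and the out/outlen interface is this example's own, not mcstransd's.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Largest category number accepted: an assumption for this example that
 * mirrors the default MCS category space (c0..c1023). */
#define MAX_CAT 1023

/* Parse "c<digits>" with value in [0, MAX_CAT]; 0 on success, -1 otherwise. */
static int parse_cat(const char *s, char **end, long *val)
{
    if (s[0] != 'c' || s[1] < '0' || s[1] > '9')
        return -1;
    *val = strtol(s + 1, end, 10);      /* overflow gives LONG_MAX: rejected */
    return *val > MAX_CAT ? -1 : 0;
}

/* Append formatted text at out+used inside substitute_range_checked(),
 * failing the call if the result would not fit in out[outlen]. */
#define EMIT(...) do { int n_ = snprintf(out + used, outlen - used, __VA_ARGS__); \
    if (n_ < 0 || (size_t)n_ >= outlen - used) return -1; used += (size_t)n_; } while (0)

/* Like substitute_range(): rewrite "cA.cB" in a comma-separated category list
 * as "cA,...,cB," (plain tokens are copied through), but validate both bounds
 * before looping so the loop body runs at most MAX_CAT + 1 times.  Returns 0,
 * or -1 for a malformed, reversed or oversized range or a too-small buffer. */
int substitute_range_checked(const char *input, char *out, size_t outlen)
{
    size_t used = 0;
    long begin, last;
    char *end;
    if (outlen == 0) return -1;
    out[0] = '\0';
    for (const char *tok = input, *comma; tok; tok = comma ? comma + 1 : NULL) {
        size_t toklen = (comma = strchr(tok, ',')) ? (size_t)(comma - tok) : strlen(tok);
        const char *dot = memchr(tok, '.', toklen);
        if (!dot) {
            if (toklen) EMIT("%.*s,", (int)toklen, tok);
        } else if (parse_cat(tok, &end, &begin) || end != dot ||
                   parse_cat(dot + 1, &end, &last) || end != tok + toklen || begin > last) {
            return -1;                  /* rejected before any expansion work */
        } else {
            for (; begin <= last; begin++)
                EMIT("c%ld,", begin);
        }
    }
    return 0;
}
```

A range such as "c0.c1000000000" is refused outright instead of being expanded, so the daemon's single request loop cannot be held for hours by one caller.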
Comment 1 Steve Grubb 2007-09-12 16:13:16 EDT
Created attachment 193951
patch attempting to fix problem

This is a proposed patch to sanity check the values before using them.
Comment 7 Mark J. Cox (Product Security) 2007-11-07 09:16:13 EST
removing embargo
Comment 8 Kurt Seifried 2011-09-28 18:35:18 EDT
This issue has been addressed in the following products:

  Red Hat Linux Enterprise 5

Via RHSA-2007:0542 available at https://rhn.redhat.com/errata/RHSA-2007-0542.html
