Bug 491787 - (CVE-2009-1046) CVE-2009-1046 kernel: utf8 selection memory corruption
CVE-2009-1046 kernel: utf8 selection memory corruption
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 491788
  Show dependency treegraph
Reported: 2009-03-23 23:02 EDT by Eugene Teo (Security Response)
Modified: 2009-07-04 12:27 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Upstream patch (1.56 KB, patch)
2009-03-23 23:06 EDT, Eugene Teo (Security Response)
no flags Details | Diff

  None (edit)
Description Eugene Teo (Security Response) 2009-03-23 23:02:42 EDT
Fix an off-by-two memory error in console selection.

The loop below goes from sel_start to sel_end (inclusive), so it writes one more character.  This one more character was added to the allocated size (+1), but it was not multiplied by an UTF-8 multiplier.

This patch fixes a memory corruption when UTF-8 console is used and the user selects a few characters, all of them 3-byte in UTF-8 (for example a frame line).

When memory redzones are enabled, a redzone corruption is reported. When they are not enabled, trashing of random memory occurs.
Comment 3 Eugene Teo (Security Response) 2009-03-24 00:04:32 EDT
CVSS2 score of medium, 4.7 (AV:L/AC:M/Au:N/C:N/I:N/A:C)

The attacker needs to be at console to exploit this.
Comment 4 Jan Lieskovsky 2009-03-26 06:15:45 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1046 to
this vulnerability:

The console selection feature in the Linux kernel 2.6.28 before, 2.6.25, and possibly earlier versions, when the UTF-8
console is used, allows physically proximate attackers to cause a
denial of service (memory corruption) by selecting a small number of
3-byte UTF-8 characters, which triggers an "an off-by-two memory
error." NOTE: it is not clear whether this issue crosses privilege

Comment 5 errata-xmlrpc 2009-04-29 05:28:39 EDT
This issue has been addressed in following products:

  MRG for RHEL-5

Via RHSA-2009:0451 https://rhn.redhat.com/errata/RHSA-2009-0451.html

Note You need to log in before you can comment on or make changes to this bug.