Bug 494275 (CVE-2009-1439) - CVE-2009-1439 kernel: cifs: memory overwrite when saving nativeFileSystem field during mount
Summary: CVE-2009-1439 kernel: cifs: memory overwrite when saving nativeFileSystem fie...
Status: CLOSED ERRATA
Alias: CVE-2009-1439
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: public=20090326,source=osssecurity,re...
Keywords: Security
Depends On: 494276 494277 494278 494279 494280
Blocks:
Reported: 2009-04-06 07:03 UTC by Eugene Teo (Security Response)
Modified: 2019-06-08 12:44 UTC (History)
Clone Of:
Last Closed: 2011-11-02 00:16:10 UTC




External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:1081 normal SHIPPED_LIVE Important: kernel-rt security and bug fix update 2009-06-03 15:36:49 UTC
Red Hat Product Errata RHSA-2009:1106 normal SHIPPED_LIVE Important: kernel security and bug fix update 2009-06-16 22:34:13 UTC
Red Hat Product Errata RHSA-2009:1211 normal SHIPPED_LIVE Important: kernel security and bug fix update 2009-08-13 15:34:46 UTC

Description Eugene Teo (Security Response) 2009-04-06 07:03:39 UTC
Description of problem:
CIFS can allocate a few bytes too little for the nativeFileSystem field
during tree connect response processing during mount.  This can result
in a "Redzone overwritten" message being logged.

Upstream commit:
http://git.kernel.org/linus/b363b3304bcf68c4541683b2eff70b29f0446a5b

References:
http://blog.fefe.de/?ts=b72905a8
http://git.kernel.org/linus/15bd8021d870d2c4fbf8c16578d72d03cfddd3a7
http://article.gmane.org/gmane.comp.security.oss.general/1620
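An added illustration of the class of bug described above (constructed for this page; not the kernel's code and not the upstream patch): a heap allocation for the nativeFileSystem field sized from the UCS-2 code-unit count comes out a few bytes short once the name is converted to a multibyte local charset. The example assumes UTF-8 as the local charset, and the sample response bytes, the function names and the `naive_alloc_size` pattern are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample nativeFileSystem fields as they would sit in a Tree Connect
 * response: UCS-2 little-endian, NUL-terminated. Not taken from a real capture. */
static const uint8_t SAMPLE_ASCII[] = { 'N',0, 'T',0, 'F',0, 'S',0, 0,0 };   /* "NTFS" */
static const uint8_t SAMPLE_CJK[]   = { 0x2D,0x4E, 0x87,0x65, 0,0 };         /* U+4E2D U+6587 */

/* UTF-8 bytes needed for one UCS-2 code unit (BMP only, so 1..3). */
static size_t utf8_len(uint16_t cu) { return cu < 0x80 ? 1 : cu < 0x800 ? 2 : 3; }

/* Read code unit i as little-endian without relying on alignment. */
static uint16_t cu_at(const uint8_t *p, size_t i) { return (uint16_t)(p[2*i] | (p[2*i+1] << 8)); }

/* Code units before the NUL, never reading past the `avail` bytes left in the response. */
static size_t ucs2_strnlen(const uint8_t *p, size_t avail) {
    size_t n = 0;
    while (2*n + 1 < avail && cu_at(p, n) != 0) n++;
    return n;
}

/* The undersized pattern: one byte per code unit plus two bytes of slack. */
size_t naive_alloc_size(const uint8_t *p, size_t avail) { return ucs2_strnlen(p, avail) + 2; }

/* The correct size: sum of each unit's UTF-8 expansion plus the terminating NUL. */
size_t needed_alloc_size(const uint8_t *p, size_t avail) {
    size_t n = ucs2_strnlen(p, avail), bytes = 1;
    for (size_t i = 0; i < n; i++) bytes += utf8_len(cu_at(p, i));
    return bytes;
}

/* Convert the field into a heap buffer sized by needed_alloc_size(); caller frees. */
char *dup_native_fs(const uint8_t *p, size_t avail) {
    size_t n = ucs2_strnlen(p, avail);
    char *out = malloc(needed_alloc_size(p, avail)), *w = out;
    if (!out) return NULL;
    for (size_t i = 0; i < n; i++) {
        uint16_t cu = cu_at(p, i);
        if (cu < 0x80) { *w++ = (char)cu; }
        else if (cu < 0x800) { *w++ = (char)(0xC0 | (cu >> 6)); *w++ = (char)(0x80 | (cu & 0x3F)); }
        else { *w++ = (char)(0xE0 | (cu >> 12)); *w++ = (char)(0x80 | ((cu >> 6) & 0x3F));
               *w++ = (char)(0x80 | (cu & 0x3F)); }
    }
    *w = '\0';
    return out;
}
```

With SAMPLE_CJK the naive size is 4 bytes while the converted string needs 7, which is exactly the kind of short heap allocation a slab redzone check reports as "Redzone overwritten".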

Comment 12 Vincent Danen 2009-04-27 18:39:15 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1439 to
the following vulnerability:

Name: CVE-2009-1439
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1439
Assigned: 20090427
Reference: MLIST:[linux-cifs-client] 20090406 [PATCH] cifs: Fix insufficient memory allocation for nativeFileSystem field
Reference: URL: http://lists.samba.org/archive/linux-cifs-client/2009-April/004322.html
Reference: MLIST:[oss-security] 20090405 CVE request? buffer overflow in CIFS in 2.6.*
Reference: URL: http://www.openwall.com/lists/oss-security/2009/04/04/1
Reference: MLIST:[oss-security] 20090407 Re: CVE request? buffer overflow in CIFS in 2.6.*
Reference: URL: http://www.openwall.com/lists/oss-security/2009/04/07/7
Reference: MLIST:[oss-security] 20090407 Re: CVE request? buffer overflow in CIFS in 2.6.*
Reference: URL: http://www.openwall.com/lists/oss-security/2009/04/07/3
Reference: MISC: http://blog.fefe.de/?ts=b72905a8
Reference: CONFIRM: https://bugzilla.novell.com/show_bug.cgi?id=492282

Buffer overflow in fs/cifs/connect.c in CIFS in the Linux kernel
2.6.29 and earlier allows remote attackers to cause a denial of
service (crash) via a long nativeFileSystem field in a Tree Connect
response to an SMB mount request.

Comment 13 Eugene Teo (Security Response) 2009-05-13 02:24:21 UTC
Update:
These patches are needed too:
f083def68f84b04fe3f97312498911afce79609e (fix for b363b330)
27b87fe52baba0a55e9723030e76fce94fabcea4 (another issue)
313fecfa69bbad0a10d3313a50a89d3064f47ce1 (add cFYI messages)
22c9d52bc03b880045ab1081890a38f11b272ae7 (remove unneeded pointer)
to be patched on top of:
b363b3304bcf68c4541683b2eff70b29f0446a5b.

http://git.kernel.org/linus/b363b3304bcf68c4541683b2eff70b29f0446a5b
http://git.kernel.org/linus/f083def68f84b04fe3f97312498911afce79609e
http://git.kernel.org/linus/27b87fe52baba0a55e9723030e76fce94fabcea4
http://git.kernel.org/linus/313fecfa69bbad0a10d3313a50a89d3064f47ce1
http://git.kernel.org/linus/22c9d52bc03b880045ab1081890a38f11b272ae7

Comment 15 Chuck Ebbert 2009-05-21 17:13:12 UTC
It looks like this bug is fixed in the upstream 2.6.27.24 and 2.6.29.4 updates.

Comment 16 Fedora Update System 2009-05-21 22:16:12 UTC
kernel-2.6.27.24-78.2.53.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/kernel-2.6.27.24-78.2.53.fc9

Comment 17 Fedora Update System 2009-05-22 09:01:52 UTC
kernel-2.6.27.24-170.2.68.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/kernel-2.6.27.24-170.2.68.fc10

Comment 18 Fedora Update System 2009-05-25 21:09:25 UTC
kernel-2.6.27.24-170.2.68.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 19 Fedora Update System 2009-05-27 19:05:48 UTC
kernel-2.6.27.24-78.2.53.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 20 errata-xmlrpc 2009-06-03 15:36:53 UTC
This issue has been addressed in the following products:

  MRG for RHEL-5

Via RHSA-2009:1081 https://rhn.redhat.com/errata/RHSA-2009-1081.html

Comment 21 errata-xmlrpc 2009-06-16 22:34:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1106 https://rhn.redhat.com/errata/RHSA-2009-1106.html

Comment 23 errata-xmlrpc 2009-08-13 15:34:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4

Via RHSA-2009:1211 https://rhn.redhat.com/errata/RHSA-2009-1211.html

Comment 26 Kurt Seifried 2011-11-02 00:16:10 UTC
All children bugs have been closed, parent is no longer needed.
