Bug 494275 - (CVE-2009-1439) CVE-2009-1439 kernel: cifs: memory overwrite when saving nativeFileSystem field during mount
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
Whiteboard: public=20090326,source=osssecurity,re...
Keywords: Security
Depends On: 494276 494277 494278 494279 494280
Reported: 2009-04-06 03:03 EDT by Eugene Teo (Security Response)
Modified: 2013-03-15 11:16 EDT
Doc Type: Bug Fix
Last Closed: 2011-11-01 20:16:10 EDT
Attachments: None

Description Eugene Teo (Security Response) 2009-04-06 03:03:39 EDT
Description of problem:
CIFS can allocate a few bytes too little for the nativeFileSystem field
during tree connect response processing during mount.  This can result
in a "Redzone overwritten" message being logged.

Upstream commit:
http://git.kernel.org/linus/b363b3304bcf68c4541683b2eff70b29f0446a5b

References:
http://blog.fefe.de/?ts=b72905a8
http://git.kernel.org/linus/15bd8021d870d2c4fbf8c16578d72d03cfddd3a7
http://article.gmane.org/gmane.comp.security.oss.general/1620
Comment 12 Vincent Danen 2009-04-27 14:39:15 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1439 to
the following vulnerability:

Name: CVE-2009-1439
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1439
Assigned: 20090427
Reference: MLIST:[linux-cifs-client] 20090406 [PATCH] cifs: Fix insufficient memory allocation for nativeFileSystem field
Reference: URL: http://lists.samba.org/archive/linux-cifs-client/2009-April/004322.html
Reference: MLIST:[oss-security] 20090405 CVE request? buffer overflow in CIFS in 2.6.*
Reference: URL: http://www.openwall.com/lists/oss-security/2009/04/04/1
Reference: MLIST:[oss-security] 20090407 Re: CVE request? buffer overflow in CIFS in 2.6.*
Reference: URL: http://www.openwall.com/lists/oss-security/2009/04/07/7
Reference: MLIST:[oss-security] 20090407 Re: CVE request? buffer overflow in CIFS in 2.6.*
Reference: URL: http://www.openwall.com/lists/oss-security/2009/04/07/3
Reference: MISC: http://blog.fefe.de/?ts=b72905a8
Reference: CONFIRM: https://bugzilla.novell.com/show_bug.cgi?id=492282

Buffer overflow in fs/cifs/connect.c in CIFS in the Linux kernel
2.6.29 and earlier allows remote attackers to cause a denial of
service (crash) via a long nativeFileSystem field in a Tree Connect
response to an SMB mount request.
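The CVE text above describes a heap buffer that is allocated too small for the server-supplied nativeFileSystem string and then overrun when the string is stored. What follows is an added C model of that bug class, not the kernel's code from fs/cifs/connect.c: when the server negotiates Unicode, the NativeFileSystem field of a Tree Connect response arrives as UTF-16LE and the client converts it to a local encoding, so a destination sized from the count of 16-bit units undercounts the converted bytes as soon as the name is non-ASCII. The sizing policies alloc_by_units and alloc_worst_case, the helper names, and the sample byte areas are this example's own and are labelled as such in the code.

```c
/*
 * Model of the nativeFileSystem sizing bug (added example, not kernel code).
 * A destination buffer sized from the number of UTF-16 units, but filled by
 * a conversion that can emit several bytes per unit, overruns on a long or
 * non-ASCII name chosen by the server. Sizing policies here are illustrative.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Count UTF-16LE code units up to a NUL, bounded by a unit limit and by the
 * number of bytes actually received, so it never reads past the byte area. */
static size_t utf16le_units(const uint8_t *p, size_t bytes, size_t max_units)
{
    size_t n = 0;
    while (n < max_units && 2 * n + 1 < bytes) {
        if ((p[2 * n] | p[2 * n + 1]) == 0)
            break;
        n++;
    }
    return n;
}

/* Encode one code point as UTF-8; returns the byte count (1..4). */
static size_t utf8_encode(uint32_t cp, unsigned char *t)
{
    if (cp < 0x80) { t[0] = (unsigned char)cp; return 1; }
    size_t n = cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;
    static const unsigned char lead[] = { 0, 0, 0xC0, 0xE0, 0xF0 };
    t[0] = (unsigned char)(lead[n] | (cp >> (6 * (n - 1))));
    for (size_t i = 1; i < n; i++)
        t[i] = (unsigned char)(0x80 | ((cp >> (6 * (n - 1 - i))) & 0x3F));
    return n;
}

/* Convert `units` UTF-16LE code units to NUL-terminated UTF-8.
 * Returns the bytes needed excluding the NUL; writes to `out` only when the
 * whole result plus NUL fits in `cap`. An unchecked converter would instead
 * keep writing past the end of an undersized buffer. */
static size_t utf16le_to_utf8(const uint8_t *in, size_t units, char *out, size_t cap)
{
    size_t need = 0, o = 0;
    for (int pass = 0; pass < 2; pass++) {   /* pass 0 measures, pass 1 writes */
        o = 0;
        for (size_t i = 0; i < units; i++) {
            uint32_t cp = in[2 * i] | ((uint32_t)in[2 * i + 1] << 8);
            if (cp >= 0xD800 && cp <= 0xDBFF && i + 1 < units) {
                uint32_t lo = in[2 * i + 2] | ((uint32_t)in[2 * i + 3] << 8);
                if (lo >= 0xDC00 && lo <= 0xDFFF) {
                    cp = 0x10000 + ((cp - 0xD800) << 10) + (lo - 0xDC00);
                    i++;                     /* consumed a surrogate pair */
                }
            }
            if (cp >= 0xD800 && cp <= 0xDFFF)
                cp = 0xFFFD;                 /* lone surrogate: replacement char */
            unsigned char tmp[4];
            size_t len = utf8_encode(cp, tmp);
            if (pass)
                memcpy(out + o, tmp, len);
            o += len;
        }
        if (pass == 0) {
            need = o;
            if (need + 1 > cap)
                return need;                 /* does not fit: write nothing */
        }
    }
    out[o] = '\0';
    return need;
}

/* Sizing policies (this example's own): one byte per UTF-16 unit plus a
 * terminator only works for ASCII; UTF-8 needs at most three bytes per unit
 * (a surrogate pair is two units and four bytes), so 3*units + 1 is safe. */
static size_t alloc_by_units(size_t units)   { return units + 2; }
static size_t alloc_worst_case(size_t units) { return 3 * units + 1; }

/* Emulate saving nativeFileSystem from the byte area of a Tree Connect
 * response. Returns 1 if the converted name fit the chosen allocation and
 * was copied to `out`, 0 if the allocation was too small (the point where
 * unchecked code would have written past the end of the heap object). */
static int save_native_fs(const uint8_t *bcc, size_t bcc_len,
                          size_t (*alloc_size)(size_t), char *out, size_t out_cap)
{
    size_t units = utf16le_units(bcc, bcc_len, 512);
    size_t cap = alloc_size(units);
    char *buf = calloc(cap, 1);              /* stands in for kzalloc() */
    if (!buf)
        return 0;
    size_t need = utf16le_to_utf8(bcc, units, buf, cap);
    int fits = need + 1 <= cap;
    if (fits && out && need + 1 <= out_cap)
        memcpy(out, buf, need + 1);
    free(buf);
    return fits;
}

/* 1 if the name was saved under `alloc_size` and equals `expect`. */
static int saved_equals(const uint8_t *bcc, size_t bcc_len,
                        size_t (*alloc_size)(size_t), const char *expect)
{
    char out[64];
    return save_native_fs(bcc, bcc_len, alloc_size, out, sizeof out) == 1 &&
           strcmp(out, expect) == 0;
}

/* Constructed NativeFileSystem byte areas (UTF-16LE, NUL-terminated). */
static const uint8_t SAMPLE_NTFS[]     = { 'N',0, 'T',0, 'F',0, 'S',0, 0,0 };
static const uint8_t SAMPLE_CYRILLIC[] = { 0x24,0x04, 0x30,0x04, 0x39,0x04, 0x3B,0x04, 0,0 }; /* "Файл" */
static const uint8_t SAMPLE_ASTRAL[]   = { 0x3D,0xD8, 0x00,0xDE, 0,0 }; /* U+1F600, a surrogate pair */
```

With the ASCII name "NTFS" the per-unit allocation looks correct, which is why such a bug survives ordinary testing; the same allocation fails for the Cyrillic name and for the surrogate pair, both of which a malicious or merely non-English server can send in a Tree Connect response. The safe bound is derived from the target encoding, not from the source's unit count, and the converter refuses rather than writing past `cap`. When auditing similar code, look for any allocation expressed in units of one encoding that feeds a conversion into another.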
Comment 13 Eugene Teo (Security Response) 2009-05-12 22:24:21 EDT
Update:
These patches are needed too:
f083def68f84b04fe3f97312498911afce79609e (fix for b363b330)
27b87fe52baba0a55e9723030e76fce94fabcea4 (another issue)
313fecfa69bbad0a10d3313a50a89d3064f47ce1 (add cFYI messages)
22c9d52bc03b880045ab1081890a38f11b272ae7 (remove unneeded pointer)
to be patched on top of:
b363b3304bcf68c4541683b2eff70b29f0446a5b.

http://git.kernel.org/linus/b363b3304bcf68c4541683b2eff70b29f0446a5b
http://git.kernel.org/linus/f083def68f84b04fe3f97312498911afce79609e
http://git.kernel.org/linus/27b87fe52baba0a55e9723030e76fce94fabcea4
http://git.kernel.org/linus/313fecfa69bbad0a10d3313a50a89d3064f47ce1
http://git.kernel.org/linus/22c9d52bc03b880045ab1081890a38f11b272ae7
Comment 15 Chuck Ebbert 2009-05-21 13:13:12 EDT
It looks like this bug is fixed in the upstream 2.6.27.24 and 2.6.29.4 updates.
Comment 16 Fedora Update System 2009-05-21 18:16:12 EDT
kernel-2.6.27.24-78.2.53.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/kernel-2.6.27.24-78.2.53.fc9
Comment 17 Fedora Update System 2009-05-22 05:01:52 EDT
kernel-2.6.27.24-170.2.68.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/kernel-2.6.27.24-170.2.68.fc10
Comment 18 Fedora Update System 2009-05-25 17:09:25 EDT
kernel-2.6.27.24-170.2.68.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 19 Fedora Update System 2009-05-27 15:05:48 EDT
kernel-2.6.27.24-78.2.53.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 20 errata-xmlrpc 2009-06-03 11:36:53 EDT
This issue has been addressed in following products:

  MRG for RHEL-5

Via RHSA-2009:1081 https://rhn.redhat.com/errata/RHSA-2009-1081.html
Comment 21 errata-xmlrpc 2009-06-16 18:34:16 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1106 https://rhn.redhat.com/errata/RHSA-2009-1106.html
Comment 23 errata-xmlrpc 2009-08-13 11:34:54 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2009:1211 https://rhn.redhat.com/errata/RHSA-2009-1211.html
Comment 26 Kurt Seifried 2011-11-01 20:16:10 EDT
All children bugs have been closed, parent is no longer needed.