Bug 819471 (CVE-2012-2319) - CVE-2012-2319 kernel: Buffer overflow in the HFS plus filesystem (different issue than CVE-2009-4020)
Summary: CVE-2012-2319 kernel: Buffer overflow in the HFS plus filesystem (different i...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2012-2319
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: Engineering820255 Engineering820256 820259 Engineering825332
Blocks: Embargoed819473
TreeView+ depends on / blocked
 
Reported: 2012-05-07 10:52 UTC by Jan Lieskovsky
Modified: 2021-02-23 14:47 UTC (History)
25 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-08-24 13:16:00 UTC

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2012:1323 0 normal SHIPPED_LIVE Important: kernel security and bug fix update 2012-10-02 21:43:56 UTC
Red Hat Product Errata RHSA-2012:1347 0 normal SHIPPED_LIVE Important: kernel security and bug fix update 2012-10-09 14:27:27 UTC

Description Jan Lieskovsky 2012-05-07 10:52:49 UTC 
Previously Common Vulnerabilities and Exposures assigned an identifier of CVE-2009-4020 to the following vulnerability:

Stack-based buffer overflow in the hfs subsystem in the Linux kernel 2.6.32 allows remote attackers to have an unspecified impact via a crafted Hierarchical File System (HFS) filesystem, related to the hfs_readdir function in fs/hfs/dir.c.

Recently:
[1] http://www.openwall.com/lists/oss-security/2012/05/07/3

Timo Warns pointed out similar flaws exists in the HFS plus file system.

Relevant upstream patch:
[2] http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=6f24f892871acc47b40dd594c63606a17c714f77
Comment 1 Jan Lieskovsky 2012-05-07 16:15:49 UTC 
The CVE identifier of CVE-2012-2319 has been assigned to the HFS plus filesystem case:
[3] http://www.openwall.com/lists/oss-security/2012/05/07/11
Comment 3 Petr Matousek 2012-05-09 13:36:05 UTC 
Created kernel tracking bugs for this issue

Affects: fedora-all [bug 820259]
Comment 4 Petr Matousek 2012-05-09 14:07:09 UTC 
Statement:

This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG, as those versions do not have CONFIG_HFSPLUS_FS option enabled.

The Red Hat Security Response Team has rated this issue as having low security impact. A future kernel updates in Red Hat Enterprise Linux 5 may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Comment 6 errata-xmlrpc 2012-10-02 17:45:14 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:1323 https://rhn.redhat.com/errata/RHSA-2012-1323.html
Comment 7 errata-xmlrpc 2012-10-09 10:28:45 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5.6 EUS - Server Only

Via RHSA-2012:1347 https://rhn.redhat.com/errata/RHSA-2012-1347.html
Note You need to log in before you can comment on or make changes to this bug.