Bug 491787 (CVE-2009-1046) - CVE-2009-1046 kernel: utf8 selection memory corruption
Summary: CVE-2009-1046 kernel: utf8 selection memory corruption
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2009-1046
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 491788
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-03-24 03:02 UTC by Eugene Teo (Security Response)
Modified: 2022-04-20 12:57 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-10-19 09:06:33 UTC


Attachments (Terms of Use)
Upstream patch (1.56 KB, patch)
2009-03-24 03:06 UTC, Eugene Teo (Security Response)
no flags Details | Diff


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:0451 0 normal SHIPPED_LIVE Important: kernel-rt security and bug fix update 2009-04-29 09:28:23 UTC

Description Eugene Teo (Security Response) 2009-03-24 03:02:42 UTC
Fix an off-by-two memory error in console selection.

The loop below goes from sel_start to sel_end (inclusive), so it writes one more character.  This one more character was added to the allocated size (+1), but it was not multiplied by an UTF-8 multiplier.

This patch fixes a memory corruption when UTF-8 console is used and the user selects a few characters, all of them 3-byte in UTF-8 (for example a frame line).

When memory redzones are enabled, a redzone corruption is reported. When they are not enabled, trashing of random memory occurs.

Comment 3 Eugene Teo (Security Response) 2009-03-24 04:04:32 UTC
CVSS2 score of medium, 4.7 (AV:L/AC:M/Au:N/C:N/I:N/A:C)

The attacker needs to be at console to exploit this.

Comment 4 Jan Lieskovsky 2009-03-26 10:15:45 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1046 to
this vulnerability:

The console selection feature in the Linux kernel 2.6.28 before
2.6.28.4, 2.6.25, and possibly earlier versions, when the UTF-8
console is used, allows physically proximate attackers to cause a
denial of service (memory corruption) by selecting a small number of
3-byte UTF-8 characters, which triggers an "an off-by-two memory
error." NOTE: it is not clear whether this issue crosses privilege
boundaries.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1046
http://lists.openwall.net/linux-kernel/2009/01/30/333
http://lists.openwall.net/linux-kernel/2009/02/02/364
http://www.openwall.com/lists/oss-security/2009/02/12/10
http://www.openwall.com/lists/oss-security/2009/02/12/11
http://www.openwall.com/lists/oss-security/2009/02/12/9
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.28.4
http://www.securityfocus.com/bid/33672

Comment 5 errata-xmlrpc 2009-04-29 09:28:39 UTC
This issue has been addressed in following products:

  MRG for RHEL-5

Via RHSA-2009:0451 https://rhn.redhat.com/errata/RHSA-2009-0451.html


Note You need to log in before you can comment on or make changes to this bug.