Description of problem:
CIFS can allocate a few bytes too little for the nativeFileSystem field during tree connect response processing during mount. This can result in a "Redzone overwritten" message being logged.

Upstream commit:
http://git.kernel.org/linus/b363b3304bcf68c4541683b2eff70b29f0446a5b

References:
http://blog.fefe.de/?ts=b72905a8
http://git.kernel.org/linus/15bd8021d870d2c4fbf8c16578d72d03cfddd3a7
http://article.gmane.org/gmane.comp.security.oss.general/1620
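The sizing error described in this report, as an added example that is not code from the kernel or from the patches linked here: a constructed NativeFileSystem field from a Tree Connect response is converted from UCS-2LE to UTF-8 twice, once into a buffer sized by the count of 16-bit input units plus a NUL (the class of undersizing the report describes; the exact sizes used in the kernel's code and its fixes are not given on this page) and once into a buffer measured from the input before allocation. A poisoned redzone after the simulated allocation stands in for the slab redzone behind the "Redzone overwritten" message. The helper names, the sample strings, the redzone length and the byte-per-unit sizing rule are all assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample NativeFileSystem fields (UCS-2LE, as found in the byte-count
 * area of a Tree Connect AndX response). Contents are assumptions of this example. */
static const uint8_t SAMPLE_ASCII[]        = { 'N',0, 'T',0, 'F',0, 'S',0, 0,0 };
static const uint8_t SAMPLE_KATAKANA[]     = { 0xD5,0x30, 0xA1,0x30, 0xA4,0x30, 0xEB,0x30, 0,0 }; /* U+30D5 U+30A1 U+30A4 U+30EB */
static const uint8_t SAMPLE_UNTERMINATED[] = { 'A',0, 'B',0, 'C',0 };  /* server sent no NUL */

static uint16_t ucs2le_unit(const uint8_t *in, size_t i)
{
    return (uint16_t)(in[2 * i] | (in[2 * i + 1] << 8));
}

/* Length in 16-bit units of a NUL-terminated UCS-2LE string, capped at maxunits so a
 * response without a terminator cannot run the scan past the packet. */
static size_t ucs2le_strnlen(const uint8_t *in, size_t maxunits)
{
    size_t n = 0;
    while (n < maxunits && ucs2le_unit(in, n) != 0)
        n++;
    return n;
}

/* UTF-8 for one UCS-2 unit; returns 1..3 bytes written. A lone surrogate is not a
 * scalar value, so it is replaced by U+FFFD. */
static size_t put_utf8(uint16_t cp, uint8_t *out)
{
    if (cp >= 0xD800 && cp <= 0xDFFF)
        cp = 0xFFFD;
    if (cp < 0x80) { out[0] = (uint8_t)cp; return 1; }
    if (cp < 0x800) {
        out[0] = (uint8_t)(0xC0 | (cp >> 6)); out[1] = (uint8_t)(0x80 | (cp & 0x3F));
        return 2;
    }
    out[0] = (uint8_t)(0xE0 | (cp >> 12));
    out[1] = (uint8_t)(0x80 | ((cp >> 6) & 0x3F));
    out[2] = (uint8_t)(0x80 | (cp & 0x3F));
    return 3;
}

/* Writes nunits units as NUL-terminated UTF-8 and returns bytes written incl. NUL.
 * It trusts the caller to have sized out correctly; that trust is what the bug broke. */
static size_t ucs2le_to_utf8(const uint8_t *in, size_t nunits, uint8_t *out)
{
    size_t pos = 0;
    for (size_t i = 0; i < nunits; i++)
        pos += put_utf8(ucs2le_unit(in, i), out + pos);
    out[pos++] = 0;
    return pos;
}

/* Exact size the conversion will need, measured from the input rather than guessed. */
static size_t utf8_size_needed(const uint8_t *in, size_t nunits)
{
    uint8_t scratch[3];
    size_t total = 0;
    for (size_t i = 0; i < nunits; i++)
        total += put_utf8(ucs2le_unit(in, i), scratch);
    return total + 1;
}

/* The undersizing in its simplest form: one output byte per input unit plus a NUL,
 * which only holds when every character is ASCII. */
static size_t buggy_alloc_size(size_t nunits) { return nunits + 1; }

#define REDZONE_LEN  16
#define REDZONE_BYTE 0xBB

/* Stand-in for a slab object of alloc_size bytes followed by a poisoned redzone.
 * Converts into it and returns 1 if the redzone is intact, 0 if it was overwritten.
 * The backing buffer covers the worst case, so the simulation itself never overflows. */
static int redzone_survives(const uint8_t *in, size_t nunits, size_t alloc_size)
{
    size_t worst = 3 * nunits + 1;
    uint8_t *backing = calloc(alloc_size + REDZONE_LEN + worst, 1);
    if (!backing)
        return -1;
    memset(backing + alloc_size, REDZONE_BYTE, REDZONE_LEN);
    ucs2le_to_utf8(in, nunits, backing);
    int intact = 1;
    for (size_t i = 0; i < REDZONE_LEN; i++)
        if (backing[alloc_size + i] != REDZONE_BYTE)
            intact = 0;
    free(backing);
    return intact;
}

/* Hardened extraction: bound the scan by the bytes actually in the response, measure
 * the converted length, then allocate exactly that. Returns a malloc'd string or NULL. */
static char *native_fs_from_response(const uint8_t *bcc, size_t bcc_len)
{
    size_t nunits = ucs2le_strnlen(bcc, bcc_len / 2);
    char *s = calloc(utf8_size_needed(bcc, nunits), 1);
    if (s)
        ucs2le_to_utf8(bcc, nunits, (uint8_t *)s);
    return s;
}

/* 1 if the hardened extraction of bcc equals expect. */
static int native_fs_equals(const uint8_t *bcc, size_t bcc_len, const char *expect)
{
    char *s = native_fs_from_response(bcc, bcc_len);
    int same = s != NULL && strcmp(s, expect) == 0;
    free(s);
    return same;
}

int main(void)
{
    size_t n = ucs2le_strnlen(SAMPLE_KATAKANA, sizeof SAMPLE_KATAKANA / 2);
    printf("units=%zu buggy_alloc=%zu needed=%zu redzone_intact=%d\n", n, buggy_alloc_size(n),
           utf8_size_needed(SAMPLE_KATAKANA, n),
           redzone_survives(SAMPLE_KATAKANA, n, buggy_alloc_size(n)));
    char *fs = native_fs_from_response(SAMPLE_KATAKANA, sizeof SAMPLE_KATAKANA);
    printf("nativeFileSystem=%s\n", fs ? fs : "(alloc failed)");
    free(fs);
    return 0;
}
```

The all-ASCII sample fits the per-unit sizing and leaves the redzone intact; the four-character katakana sample needs 13 bytes, so the 5-byte allocation is overrun and the redzone check fails, while the measured allocation passes. The unterminated sample shows why the unit count must also be capped by the response length, not only by a NUL.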
More references:
https://bugzilla.novell.com/show_bug.cgi?id=492282
http://lists.samba.org/archive/linux-cifs-client/2009-April/004322.html
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1439 to the following vulnerability:

Name: CVE-2009-1439
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1439
Assigned: 20090427
Reference: MLIST:[linux-cifs-client] 20090406 [PATCH] cifs: Fix insufficient memory allocation for nativeFileSystem field
Reference: URL: http://lists.samba.org/archive/linux-cifs-client/2009-April/004322.html
Reference: MLIST:[oss-security] 20090405 CVE request? buffer overflow in CIFS in 2.6.*
Reference: URL: http://www.openwall.com/lists/oss-security/2009/04/04/1
Reference: MLIST:[oss-security] 20090407 Re: CVE request? buffer overflow in CIFS in 2.6.*
Reference: URL: http://www.openwall.com/lists/oss-security/2009/04/07/7
Reference: MLIST:[oss-security] 20090407 Re: CVE request? buffer overflow in CIFS in 2.6.*
Reference: URL: http://www.openwall.com/lists/oss-security/2009/04/07/3
Reference: MISC: http://blog.fefe.de/?ts=b72905a8
Reference: CONFIRM: https://bugzilla.novell.com/show_bug.cgi?id=492282

Buffer overflow in fs/cifs/connect.c in CIFS in the Linux kernel 2.6.29 and earlier allows remote attackers to cause a denial of service (crash) via a long nativeFileSystem field in a Tree Connect response to an SMB mount request.
Update: These patches are needed too:

f083def68f84b04fe3f97312498911afce79609e (fix for b363b330)
27b87fe52baba0a55e9723030e76fce94fabcea4 (another issue)
313fecfa69bbad0a10d3313a50a89d3064f47ce1 (add cFYI messages)
22c9d52bc03b880045ab1081890a38f11b272ae7 (remove unneeded pointer)

to be patched on top of: b363b3304bcf68c4541683b2eff70b29f0446a5b.

http://git.kernel.org/linus/b363b3304bcf68c4541683b2eff70b29f0446a5b
http://git.kernel.org/linus/f083def68f84b04fe3f97312498911afce79609e
http://git.kernel.org/linus/27b87fe52baba0a55e9723030e76fce94fabcea4
http://git.kernel.org/linus/313fecfa69bbad0a10d3313a50a89d3064f47ce1
http://git.kernel.org/linus/22c9d52bc03b880045ab1081890a38f11b272ae7
It looks like this bug is fixed in the upstream 2.6.27.24 and 2.6.29.4 updates.
kernel-2.6.27.24-78.2.53.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/kernel-2.6.27.24-78.2.53.fc9
kernel-2.6.27.24-170.2.68.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/kernel-2.6.27.24-170.2.68.fc10
kernel-2.6.27.24-170.2.68.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
kernel-2.6.27.24-78.2.53.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products: MRG for RHEL-5 Via RHSA-2009:1081 https://rhn.redhat.com/errata/RHSA-2009-1081.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 5 Via RHSA-2009:1106 https://rhn.redhat.com/errata/RHSA-2009-1106.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 4 Via RHSA-2009:1211 https://rhn.redhat.com/errata/RHSA-2009-1211.html
All children bugs have been closed, parent is no longer needed.