Horms
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: Bug#322273: [CAN-2005-2456]: XFRM array index buffer overflow
On Wed, Aug 10, 2005 at 11:47:12AM +0200, Moritz Muehlenhoff wrote:
> Horms wrote:
> > As for which package to log a bug against, or creation of duplicate bugs:
> > to be honest it doesn't matter. If you email
> > debian-kernel@lists.debian.org, then you should get a response,
> > regardless of whether you open a bug in the BTS or not.
> > CCing secure-testing-team@lists.alioth.debian.org if it's a bug in testing
> > and team@security.debian.org if it's a bug in stable is also a good idea.
> >
> > When we find problems, we just fix them. The BTS is really a bit too
> > noisy for us to use it to track bugs effectively. Obviously this
> > is a bit of a problem, but what I am trying to say is adding a bug
> > to the BTS just emails debian-kernel anyway, and security bugs
> > sent there are acted on. So my advice is to email the addresses
> > above, and if you want to open a bug, just open it against any
> > of the above packages that have the vulnerability.
>
> Hi Horms,
> there has been a CVE assignment for an overflow in xdr.c, which can be
> exploited by crafted data in the nfsacl protocol: CAN-2005-2500
> Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2500
> for some links to patches. I suspect it is already fixed in kernel-2.6,
> but 2.6.8 and 2.4.27 might need backports.

Thanks, I don't think I have seen that one before, so it's probably not in
2.6.8 or 2.4.27. I will look into adding it.

--
Horms

Christoph Hellwig
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: Bug#322273: [CAN-2005-2456]: XFRM array index buffer overflow
On Wed, Aug 10, 2005 at 11:47:12AM +0200, Moritz Muehlenhoff wrote:
> Horms wrote:
> > As for which package to log a bug against, or creation of duplicate bugs:
> > to be honest it doesn't matter. If you email
> > debian-kernel@lists.debian.org, then you should get a response,
> > regardless of whether you open a bug in the BTS or not.
> > CCing secure-testing-team@lists.alioth.debian.org if it's a bug in testing
> > and team@security.debian.org if it's a bug in stable is also a good idea.
> >
> > When we find problems, we just fix them. The BTS is really a bit too
> > noisy for us to use it to track bugs effectively. Obviously this
> > is a bit of a problem, but what I am trying to say is adding a bug
> > to the BTS just emails debian-kernel anyway, and security bugs
> > sent there are acted on. So my advice is to email the addresses
> > above, and if you want to open a bug, just open it against any
> > of the above packages that have the vulnerability.
>
> Hi Horms,
> there has been a CVE assignment for an overflow in xdr.c, which can be
> exploited by crafted data in the nfsacl protocol: CAN-2005-2500
> Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2500
> for some links to patches. I suspect it is already fixed in kernel-2.6,
> but 2.6.8 and 2.4.27 might need backports.

No, nfsacl has only been added very recently and is not present in 2.4.x
or 2.6.8.

Moritz Muehlenhoff
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: Bug#322273: [CAN-2005-2456]: XFRM array index buffer overflow
Horms wrote:
> As for which package to log a bug against, or creation of duplicate bugs:
> to be honest it doesn't matter. If you email
> debian-kernel@lists.debian.org, then you should get a response,
> regardless of whether you open a bug in the BTS or not.
> CCing secure-testing-team@lists.alioth.debian.org if it's a bug in testing
> and team@security.debian.org if it's a bug in stable is also a good idea.
>
> When we find problems, we just fix them. The BTS is really a bit too
> noisy for us to use it to track bugs effectively. Obviously this
> is a bit of a problem, but what I am trying to say is adding a bug
> to the BTS just emails debian-kernel anyway, and security bugs
> sent there are acted on. So my advice is to email the addresses
> above, and if you want to open a bug, just open it against any
> of the above packages that have the vulnerability.

Hi Horms,
there has been a CVE assignment for an overflow in xdr.c, which can be
exploited by crafted data in the nfsacl protocol: CAN-2005-2500
Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2500
for some links to patches. I suspect it is already fixed in kernel-2.6,
but 2.6.8 and 2.4.27 might need backports.

Cheers,
Moritz

Horms
2006-Mar-13 12:28 UTC
[Secure-testing-team] CAN-2005-2500 (Was: Re: Bug#322273: [CAN-2005-2456]: XFRM array index buffer overflow)
On Wed, Aug 10, 2005 at 12:04:05PM +0200, Christoph Hellwig wrote:
> On Wed, Aug 10, 2005 at 11:47:12AM +0200, Moritz Muehlenhoff wrote:
> > Horms wrote:
> > > As for which package to log a bug against, or creation of duplicate bugs:
> > > to be honest it doesn't matter. If you email
> > > debian-kernel@lists.debian.org, then you should get a response,
> > > regardless of whether you open a bug in the BTS or not.
> > > CCing secure-testing-team@lists.alioth.debian.org if it's a bug in testing
> > > and team@security.debian.org if it's a bug in stable is also a good idea.
> > >
> > > When we find problems, we just fix them. The BTS is really a bit too
> > > noisy for us to use it to track bugs effectively. Obviously this
> > > is a bit of a problem, but what I am trying to say is adding a bug
> > > to the BTS just emails debian-kernel anyway, and security bugs
> > > sent there are acted on. So my advice is to email the addresses
> > > above, and if you want to open a bug, just open it against any
> > > of the above packages that have the vulnerability.
> >
> > Hi Horms,
> > there has been a CVE assignment for an overflow in xdr.c, which can be
> > exploited by crafted data in the nfsacl protocol: CAN-2005-2500
> > Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2500
> > for some links to patches. I suspect it is already fixed in kernel-2.6,
> > but 2.6.8 and 2.4.27 might need backports.
>
> No, nfsacl has only been added very recently and is not present in 2.4.x
> or 2.6.8.

Thanks Christoph, I have confirmed that this code isn't present in the
2.6.8 or 2.4.27 Debian kernels.

--
Horms

Horms
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: Bug#322273: [CAN-2005-2456]: XFRM array index buffer overflow
tag kernel-source-2.6.8 +pending
thanks

On Wed, Aug 10, 2005 at 02:53:07PM +1000, Geoff Crompton wrote:
> Package: kernel-source-2.6.8
> Version: 2.6.8-16
> Severity: critical
> Justification: root security hole
>
> SecurityFocus http://www.securityfocus.com/bid/14477 mentions an array index
> buffer overflow.
> In short, they suspect it can cause a denial of service attack, but
> aren't sure whether or not it allows code execution.
>
> Balaz Scheidler says at
> http://www.mail-archive.com/netdev@vger.kernel.org/msg00520.html:
> "While reading through the xfrm code I've found a possible array
> overflow in struct sock"
>
> He goes on to suggest some patches. However the patch at
> http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=a4f1bac62564049ea4718c4624b0fadc9f597c84
> is in the xfrm_user file instead.
> I suspect this second patch that was committed will work, and checks the
> direction earlier in the code flow than the original email from Balaz in
> the first link. The xfrm_user patch is:
>
> --- a/net/xfrm/xfrm_user.c
> +++ b/net/xfrm/xfrm_user.c
> @@ -1350,6 +1350,9 @@ static struct xfrm_policy *xfrm_compile_
>  	if (nr > XFRM_MAX_DEPTH)
>  		return NULL;
>
> +	if (p->dir > XFRM_POLICY_OUT)
> +		return NULL;
> +
>  	xp = xfrm_policy_alloc(GFP_KERNEL);
>  	if (xp == NULL) {
>  		*dir = -ENOBUFS;

Hi Geoff,

Thanks, we became aware of this problem last week and it has been added
to SVN for 2.4.27 (kernel-source-2.4.27), 2.6.8 (kernel-source-2.6.8)
and 2.6.12 (linux-2.6). The latter has been released. The former are
taking a while to get out the door as we are still trying to iron out
some process issues relating to kernel updates for sarge.

For linux-2.6 it is bug #321401

> On another note, when I'm looking at bugs like this, and I haven't found
> them in the bug tracking database, should I be putting them against just
> kernel-source-2.6.8, or against kernel-source-2.6.11 as well, or is
> there a generic kernel-source-2.6 package?

Ok, this is pretty non-obvious, so thanks for asking. Essentially we have
three kernels that are being maintained right now, and the packages you
should log bugs against are kernel-source-2.4.27, kernel-source-2.6.8 and
linux-2.6 (which is 2.6.12 at the moment). Older kernels, like 2.6.11, are
currently being phased out and will be removed from the Debian Archive
shortly, so don't bother with them.

You can see what patches have been applied by inspecting the ChangeLog in SVN.

http://svn.debian.org/wsvn/kernel/trunk/kernel/source/linux-2.6/debian/changelog?op=file&rev=0&sc=0
http://svn.debian.org/wsvn/kernel/trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog?op=file&rev=0&sc=0
http://svn.debian.org/wsvn/kernel/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog?op=file&rev=0&sc=0

As for which package to log a bug against, or creation of duplicate bugs:
to be honest it doesn't matter. If you email
debian-kernel@lists.debian.org, then you should get a response,
regardless of whether you open a bug in the BTS or not.
CCing secure-testing-team@lists.alioth.debian.org if it's a bug in testing
and team@security.debian.org if it's a bug in stable is also a good idea.

When we find problems, we just fix them. The BTS is really a bit too
noisy for us to use it to track bugs effectively. Obviously this
is a bit of a problem, but what I am trying to say is adding a bug
to the BTS just emails debian-kernel anyway, and security bugs
sent there are acted on. So my advice is to email the addresses
above, and if you want to open a bug, just open it against any
of the above packages that have the vulnerability.

--
Horms
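Review bot: in the quoted xfrm_user.c hunk, the added `if (p->dir > XFRM_POLICY_OUT) return NULL;` rejects the out-of-range direction but returns NULL without assigning an error to `*dir`, while the allocation-failure path three lines below sets `*dir = -ENOBUFS;` before its `return NULL;`; a caller that reports `*dir` on a NULL result will therefore surface whatever `*dir` held beforehand rather than a meaningful error. Suggest `*dir = -EINVAL;` ahead of the new `return NULL;` (the pre-existing `nr > XFRM_MAX_DEPTH` check has the same gap and could be fixed the same way). The bound itself is only sufficient if `p->dir` is an unsigned type; if it is signed, a negative value would still pass this test and a lower bound is needed as well.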