Bug#529326: linux-2.6: CVE-2009-0787 information disclosure in ecryptfs
Package: linux-2.6
Version: 2.6.26-15lenny2
Severity: important
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was published for linux-2.6.

CVE-2009-0787[0]:
| The ecryptfs_write_metadata_to_contents function in the eCryptfs
| functionality in the Linux kernel 2.6.28 before 2.6.28.9 uses an
| incorrect size when writing kernel memory to an eCryptfs file header,
| which triggers an out-of-bounds read and allows local users to obtain
| portions of kernel memory.

If you fix the vulnerability please also make sure to include the CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0787
    http://security-tracker.debian.net/tracker/CVE-2009-0787
Bug#529326: linux-2.6: CVE-2009-0787 information disclosure in ecryptfs
On Mon, May 18, 2009 at 01:28:56PM -0400, Michael S. Gilbert wrote:
> Package: linux-2.6
> Version: 2.6.26-15lenny2
> Severity: important
> Tags: security
>
> Hi,
>
> The following CVE (Common Vulnerabilities & Exposures) id was published for linux-2.6.
>
> CVE-2009-0787[0]:
> | The ecryptfs_write_metadata_to_contents function in the eCryptfs
> | functionality in the Linux kernel 2.6.28 before 2.6.28.9 uses an
> | incorrect size when writing kernel memory to an eCryptfs file header,
> | which triggers an out-of-bounds read and allows local users to obtain
> | portions of kernel memory.
>
> If you fix the vulnerability please also make sure to include the CVE id in your changelog entry.
>
> For further information see:
>
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0787
>     http://security-tracker.debian.net/tracker/CVE-2009-0787

This issue supposedly only affected 2.6.28 - do you have information to the contrary?

--
dann frazier
Bug#529326: linux-2.6: CVE-2009-0787 information disclosure in ecryptfs
On Mon, 18 May 2009 11:52:04 -0600, dann frazier wrote:
> On Mon, May 18, 2009 at 01:28:56PM -0400, Michael S. Gilbert wrote:
> > Package: linux-2.6
> > Version: 2.6.26-15lenny2
> > Severity: important
> > Tags: security
> >
> > Hi,
> >
> > The following CVE (Common Vulnerabilities & Exposures) id was published for linux-2.6.
> >
> > CVE-2009-0787[0]:
> > | The ecryptfs_write_metadata_to_contents function in the eCryptfs
> > | functionality in the Linux kernel 2.6.28 before 2.6.28.9 uses an
> > | incorrect size when writing kernel memory to an eCryptfs file header,
> > | which triggers an out-of-bounds read and allows local users to obtain
> > | portions of kernel memory.
> >
> > If you fix the vulnerability please also make sure to include the CVE id in your changelog entry.
> >
> > For further information see:
> >
> > [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0787
> >     http://security-tracker.debian.net/tracker/CVE-2009-0787
>
> This issue supposedly only affected 2.6.28 - do you have information to the contrary?

yes, i have studied the code/patches for this issue. the 2.6.26 ecryptfs kernel code is identical to that of the affected 2.6.28 code. hence, it is my assessment that 2.6.26 is vulnerable. i anticipate that this also affects etch-and-a-half (2.6.24) as well, but i have not checked yet.

mike
Bug#529326: linux-2.6: CVE-2009-0787 information disclosure in ecryptfs
On Mon, May 18, 2009 at 02:20:20PM -0400, Michael S. Gilbert wrote:
> On Mon, 18 May 2009 11:52:04 -0600, dann frazier wrote:
> > On Mon, May 18, 2009 at 01:28:56PM -0400, Michael S. Gilbert wrote:
> > > Package: linux-2.6
> > > Version: 2.6.26-15lenny2
> > > Severity: important
> > > Tags: security
> > >
> > > Hi,
> > >
> > > The following CVE (Common Vulnerabilities & Exposures) id was published for linux-2.6.
> > >
> > > CVE-2009-0787[0]:
> > > | The ecryptfs_write_metadata_to_contents function in the eCryptfs
> > > | functionality in the Linux kernel 2.6.28 before 2.6.28.9 uses an
> > > | incorrect size when writing kernel memory to an eCryptfs file header,
> > > | which triggers an out-of-bounds read and allows local users to obtain
> > > | portions of kernel memory.
> > >
> > > If you fix the vulnerability please also make sure to include the CVE id in your changelog entry.
> > >
> > > For further information see:
> > >
> > > [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0787
> > >     http://security-tracker.debian.net/tracker/CVE-2009-0787
> >
> > This issue supposedly only affected 2.6.28 - do you have information to the contrary?
>
> yes, i have studied the code/patches for this issue. the 2.6.26 ecryptfs kernel code is identical to that of the affected 2.6.28 code. hence, it is my assessment that 2.6.26 is vulnerable. i anticipate that this also affects etch-and-a-half (2.6.24) as well, but i have not checked yet.

My understanding is that this issue was introduced by 87b811c (in 2.6.28), which resulted in only a single page getting allocated for the headers even though the size of the headers maybe the page size.

--
dann frazier
Bug#529326: linux-2.6: CVE-2009-0787 information disclosure in ecryptfs
Hi,
* dann frazier da...@dannf.org [2009-05-18 23:19]:
> On Mon, May 18, 2009 at 02:20:20PM -0400, Michael S. Gilbert wrote:
> > On Mon, 18 May 2009 11:52:04 -0600, dann frazier wrote:
> > > On Mon, May 18, 2009 at 01:28:56PM -0400, Michael S. Gilbert wrote:
> [...]
> > > This issue supposedly only affected 2.6.28 - do you have information to the contrary?
> >
> > yes, i have studied the code/patches for this issue. the 2.6.26 ecryptfs kernel code is identical to that of the affected 2.6.28 code. hence, it is my assessment that 2.6.26 is vulnerable. i anticipate that this also affects etch-and-a-half (2.6.24) as well, but i have not checked yet.
>
> My understanding is that this issue was introduced by 87b811c (in 2.6.28), which resulted in only a single page getting allocated for the headers even though the size of the headers maybe the page size.

Yes and you are correct with this, no other version included the vulnerable code.

Cheers
Nico
--
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
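
A user-space model of the sizing mistake discussed in this thread (a one-page buffer used for a header write whose length can exceed one page), added here as an illustration; it is not kernel code and not from any participant. The function names, the 4096-byte page size and the two-page header length are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MODEL_PAGE_SIZE 4096u /* assumed page size for this model */

/* Bytes that copying write_len out of an alloc_len buffer reads past its end. */
size_t overread_bytes(size_t alloc_len, size_t write_len) {
    return write_len > alloc_len ? write_len - alloc_len : 0;
}

/* Flawed sizing as described in the thread: one page, whatever the header size. */
size_t alloc_single_page(size_t header_len) {
    (void)header_len;
    return MODEL_PAGE_SIZE;
}

/* Corrected sizing: enough whole pages to cover the header region. */
size_t alloc_for_header(size_t header_len) {
    size_t pages = (header_len + MODEL_PAGE_SIZE - 1) / MODEL_PAGE_SIZE;
    return (pages ? pages : 1) * MODEL_PAGE_SIZE;
}

/* Hardened writer (hypothetical): the zeroed buffer is sized from the same
 * length that is later written, so padding after the metadata is zeros.
 * Returns 0 on success, -1 on error. */
int write_header(unsigned char *out, size_t out_len,
                 const unsigned char *meta, size_t meta_len,
                 size_t header_len) {
    unsigned char *buf;

    if (meta_len > header_len || header_len > out_len)
        return -1;
    buf = calloc(1, alloc_for_header(header_len));
    if (!buf)
        return -1;
    memcpy(buf, meta, meta_len);
    memcpy(out, buf, header_len); /* header_len <= allocation by construction */
    free(buf);
    return 0;
}

int main(void) {
    size_t hdr = 2 * MODEL_PAGE_SIZE; /* constructed: two-page header region */
    printf("single page: %zu bytes over-read\n", overread_bytes(alloc_single_page(hdr), hdr));
    printf("sized alloc: %zu bytes over-read\n", overread_bytes(alloc_for_header(hdr), hdr));
    return 0;
}
```

The same comparison works as a review check when triaging a backport: wherever a buffer is written out with a length taken from file metadata, confirm the allocation is derived from that same length.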