[Full-disclosure] [PRE-SA-2012-01] Denial-of-service vulnerability in java.util.zip

2012-02-16 Thread Timo Warns
PRE-CERT Security Advisory
==========================

* Advisory: PRE-SA-2012-01
* Released on: 16th February 2012
* Affected products: Oracle Java SE 7 below Update 3
                     Oracle Java SE 6 below Update 31
                     IcedTea6 1.8.x below 1.8.13
                     IcedTea6 1.9.x below 1.9.13
                     IcedTea6 1.10.x below 1.10.6
                     IcedTea6 1.11.x below 1.11.1
                     IcedTea 2.x below 2.0.1
                     Older versions may also be affected.
* Impact: denial-of-service
* Origin: java.util.zip
* Credit: Timo Warns (PRESENSE Technologies GmbH)
* CVE Identifier: CVE-2012-0501


Summary
-------

The function countCENHeaders() in zip_util.c of the java.util.zip
implementation contains an off-by-one bug. A corrupted ZIP file can
trigger it to make readCEN() recurse without bound; the unbounded
recursion exhausts the stack and the JVM dies with a segmentation fault.

The following assessment is based on the JDK sources available from
Oracle's website (jdk-6u23-fcs-src-b05-jrl-12_nov_2010.jar).

readCEN() in zip_util.c is used by java.util.zip to read the central
directory of ZIP files.

It reads the total number of entries from the ZIP file via the
ENDTOT field:

(543) total = (knownTotal != -1) ? knownTotal : ENDTOT(endbuf);

A corrupted ZIP file may have set the total number of entries to 0.
Alternatively, knownTotal may have been passed as a parameter with
value 0.

readCEN() iterates over all directory entries

(552) for (i = 0, cp = cenbuf; cp <= cenend - CENHDR; i++, cp += CENSIZE(cp)) {

and recognizes an incorrect total field

(557) if (i >= total) {

In this case, readCEN() counts the total number of fields via
countCENHeaders() before calling itself recursively

(561) cenpos = readCEN(zip, countCENHeaders(cenbuf, cenend));

However, countCENHeaders() has an off-by-one bug. Its loop condition
uses "<" where "<=" is required, so it fails to count a last entry
whose header ends exactly at the end of the central directory, i.e.
an entry that is precisely CENHDR bytes long (no file name, extra field
or comment):

(431) for (i = 0; i + CENHDR < end - beg; i += CENSIZE(beg + i))

For a central directory consisting of one such entry it returns 0.

Hence, readCEN() is called recursively with knownTotal = 0, which takes
the same path again and results in an endless recursion.
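The following C program is an added illustration, not code from the advisory or from the JDK. It places the counting loop quoted above next to a corrected bound, and models readCEN()'s self-call with a depth limit standing in for the JVM's finite stack. CENHDR and the field offsets are the real zip_util.c values; MAX_DEPTH, the helper names and the constructed central directory are assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CENHDR    46   /* size of a central directory header, as in zip_util.c */
#define MAX_DEPTH 64   /* assumed recursion budget of the model; the JVM has none */

static unsigned rd16(const unsigned char *p) { return p[0] | (p[1] << 8); }

/* CENSIZE(cp): fixed header plus name, extra field and comment lengths
 * (little-endian 16-bit fields at offsets 28, 30 and 32). */
static size_t censize(const unsigned char *cp)
{
    return CENHDR + rd16(cp + 28) + rd16(cp + 30) + rd16(cp + 32);
}

/* countCENHeaders() as quoted: '<' skips a header that ends exactly at end. */
int count_cen_headers_buggy(const unsigned char *beg, const unsigned char *end)
{
    size_t i, n = 0;
    for (i = 0; i + CENHDR < (size_t)(end - beg); i += censize(beg + i))
        n++;
    return (int)n;
}

/* Corrected bound: a header is allowed to end exactly at end. */
int count_cen_headers_fixed(const unsigned char *beg, const unsigned char *end)
{
    size_t i, n = 0;
    for (i = 0; i + CENHDR <= (size_t)(end - beg); i += censize(beg + i))
        n++;
    return (int)n;
}

typedef int (*cen_counter)(const unsigned char *, const unsigned char *);

/* Model of readCEN(): 'endtot' stands for the ENDTOT field of the END
 * record, 'known_total' for the knownTotal parameter (-1 on the first
 * call). Returns the number of entries walked, or -1 once the recursion
 * exceeds MAX_DEPTH (where the real code keeps going until the stack
 * is exhausted). */
int model_readcen(const unsigned char *cenbuf, size_t cenlen, unsigned endtot,
                  int known_total, cen_counter count, int depth)
{
    size_t off;
    int i, total;

    if (depth > MAX_DEPTH)
        return -1;
    total = (known_total != -1) ? known_total : (int)endtot;
    for (i = 0, off = 0; off + CENHDR <= cenlen; i++, off += censize(cenbuf + off)) {
        if (i >= total)   /* ENDTOT was wrong: recount and call ourselves again */
            return model_readcen(cenbuf, cenlen, endtot,
                                 count(cenbuf, cenbuf + cenlen), count, depth + 1);
    }
    return i;
}

/* Constructed helper: write one central directory header with the given
 * file name and no extra field or comment. Returns the bytes written. */
size_t put_cen_entry(unsigned char *dst, const char *name)
{
    size_t nlen = strlen(name);
    memset(dst, 0, CENHDR);
    memcpy(dst, "PK\001\002", 4);              /* CENSIG */
    dst[28] = (unsigned char)(nlen & 0xff);    /* CENNAM */
    dst[29] = (unsigned char)(nlen >> 8);
    memcpy(dst + CENHDR, name, nlen);
    return CENHDR + nlen;
}

int main(void)
{
    unsigned char cen[256];
    size_t len = put_cen_entry(cen, "");   /* one entry, exactly CENHDR bytes */

    printf("buggy count: %d, fixed count: %d\n",
           count_cen_headers_buggy(cen, cen + len),
           count_cen_headers_fixed(cen, cen + len));
    /* ENDTOT forged as 0: only the fixed counter ends the recursion */
    printf("readCEN (buggy counter): %d\n",
           model_readcen(cen, len, 0, -1, count_cen_headers_buggy, 0));
    printf("readCEN (fixed counter): %d\n",
           model_readcen(cen, len, 0, -1, count_cen_headers_fixed, 0));
    return 0;
}
```

The model also shows when the bug does not fire: if the last entry carries a file name, both counters agree, which is why ordinary archives never hit the recursion and a fuzzer needs an entry with empty name, extra field and comment at the end of the central directory.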


Solution
--------

The issue was fixed in the following versions:
Oracle Java SE 7 Update 3
Oracle Java SE 6 Update 31
IcedTea6 1.8.13
IcedTea6 1.9.13
IcedTea6 1.10.6
IcedTea6 1.11.1
IcedTea 2.0.1
IcedTea 2.1


References
----------

http://www.oracle.com/technetwork/topics/security/javacpufeb2012-366318.html
http://blog.fuseyism.com/index.php/2012/02/15/security-icedtea6-1-8-13-1-9-13-1-10-6-and-icedtea-2-0-1-released/
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-February/017233.html
http://blog.fuseyism.com/index.php/2012/02/15/icedtea-2-1-released-openjdk7-u3-release/

When further information becomes available, this advisory will be
updated. The most recent version of this advisory is available at:

http://www.pre-cert.de/advisories/PRE-SA-2012-01.txt


Contact
-------

PRE-CERT can be reached under prec...@pre-secure.de. For PGP key
information, refer to http://www.pre-cert.de/.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] [PRE-SA-2012-02] Incorrect loop construct and numeric overflow in libzip

2012-03-27 Thread Timo Warns
PRE-CERT Security Advisory
==========================

* Advisory: PRE-SA-2012-02
* Released on: 21st March 2012
* Affected products: libzip <= 0.10
                     PHP 5.4.0
                     PHP <= 5.3.10
                     zipruby <= 0.3.6
* Impact: heap overflow, information leak
* Credit: - Thomas Klausner
          - Timo Warns (PRESENSE Technologies GmbH)
* CVE Identifier: - CVE-2012-1162
                  - CVE-2012-1163


Summary
-------

libzip (version <= 0.10) has two vulnerabilities that may lead to a heap
overflow or an information leak via corrupted zip files. PHP (versions
5.4.0 and <= 5.3.10) and the Ruby binding zipruby (version <= 0.3.6) are
also affected as they bundle copies of affected libzip versions.

* CVE-2012-1162

libzip (version <= 0.10) uses an incorrect loop construct, which can
result in a heap overflow on corrupted zip files.

On opening a zip file with zip_open, libzip reads in the number of
directory entries in the function _zip_readcdir in zip_open.c:

(192)/* number of cdir-entries */
(193)nentry = _zip_read2(&cdp);

Subsequently, memory for directory entries is allocated via
_zip_cdir_new (in zip_dirent.c) based on the number of directory
entries:

(104) if ((cd->entry=(struct zip_dirent *)malloc(sizeof(*(cd->entry))*nentry))

If the number of directory entries in the zip file is set to 0, malloc
is asked for 0 bytes, so cd->entry has no room for even a single entry.

_zip_readcdir finishes by reading the directory entries in a post-test
do-while loop, whose body runs at least once regardless of nentry:

(260) do {
(261)     if ((_zip_dirent_read(cd->entry+i, fp, bufp, &left, 0, error)) < 0) {
          ...
(277) } while (i < nentry && left > 0);

If cd->entry points to a 0-byte allocation, _zip_dirent_read writes the
first entry beyond the allocated memory.

* CVE-2012-1163

libzip (version <= 0.10) has a numeric overflow condition that defeats
a bounds check, so subsequent operations are not properly restricted to
the bounds of a memory buffer (allowing, for example, information leaks).

On opening a zip file with zip_open, libzip reads in the size and the
offset of the central directory structure in the function _zip_readcdir
in zip_open.c:

(198)cd->size = _zip_read4(&cdp);
(199)cd->offset = _zip_read4(&cdp);

libzip performs a consistency check on these values, but does not
anticipate an integer overflow:

(203)if (cd->offset+cd->size > buf_offset + (eocd-buf)) {

On an integer overflow, libzip continues to handle the zip file, which,
for example, can result in improper restriction of operations within the
bounds of a memory buffer.
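As an added example covering both issues (not libzip's code), the C program below models the two spots in _zip_readcdir() quoted above: the bounds check on the central directory offset and size, computed once in 32 bits as the advisory describes and once widened to 64 bits, and the entry-reading loop as a do-while versus a while. The EOCD field widths follow the ZIP format; the 32-bit sum, the helper names and the forged record are assumptions of the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { CD_OK = 0, CD_ERR_BOUNDS = -1 };

struct cdir_hdr { uint16_t nentry; uint32_t size; uint32_t offset; };

/* Little-endian readers in the spirit of _zip_read2/_zip_read4 (constructed). */
static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* End of central directory record: sig(4) disk(2) cd_disk(2)
 * entries_this_disk(2) entries(2) cd_size(4) cd_offset(4) comment_len(2).
 * eocd_pos is the absolute position of the record in the file, i.e.
 * buf_offset + (eocd - buf) in the quoted check. */
int check_cdir_bounds(const unsigned char *eocd, uint64_t eocd_pos, int fixed,
                      struct cdir_hdr *out)
{
    out->nentry = rd16(eocd + 10);
    out->size   = rd32(eocd + 12);
    out->offset = rd32(eocd + 16);

    if (fixed) {
        /* Widen before adding: no wrap, and a directory that does not end
         * before the EOCD record is rejected. */
        if ((uint64_t)out->offset + (uint64_t)out->size > eocd_pos)
            return CD_ERR_BOUNDS;
    } else {
        /* The check as described: a 32-bit sum wraps, so offset 0xFFFFFF00
         * plus size 0x200 becomes 0x100 and passes. */
        uint32_t end = out->offset + out->size;
        if (end > eocd_pos)
            return CD_ERR_BOUNDS;
    }
    return CD_OK;
}

/* Model of the entry-reading loop. Returns how many zip_dirent slots get
 * written; the allocation holds nentry slots, so any result above nentry is
 * a heap overflow. With nentry == 0 the post-test loop still writes slot 0
 * of a zero-byte allocation (CVE-2012-1162). */
unsigned entries_written(uint16_t nentry, uint32_t left, int fixed)
{
    const uint32_t min_entry = 46;   /* a central directory entry is at least 46 bytes */
    unsigned i = 0;

    if (fixed) {
        while (i < nentry && left > 0) {           /* pre-test: zero entries, zero writes */
            left = left > min_entry ? left - min_entry : 0;
            i++;
        }
    } else {
        do {                                        /* post-test: body runs at least once */
            left = left > min_entry ? left - min_entry : 0;
            i++;
        } while (i < nentry && left > 0);
    }
    return i;
}

/* Constructed EOCD: nentry = 0, cd_size = 0x200, cd_offset = 0xFFFFFF00. */
static const unsigned char forged_eocd[22] = {
    'P', 'K', 0x05, 0x06, 0, 0, 0, 0, 0, 0, 0, 0,
    0x00, 0x02, 0x00, 0x00,   /* size   0x00000200 */
    0x00, 0xff, 0xff, 0xff,   /* offset 0xFFFFFF00 */
    0, 0
};

int main(void)
{
    struct cdir_hdr h;
    printf("32-bit sum: %d (0 = accepted)\n", check_cdir_bounds(forged_eocd, 1000, 0, &h));
    printf("64-bit sum: %d (-1 = rejected)\n", check_cdir_bounds(forged_eocd, 1000, 1, &h));
    printf("nentry = 0: do-while writes %u slot(s), while writes %u\n",
           entries_written(h.nentry, h.size, 0), entries_written(h.nentry, h.size, 1));
    return 0;
}
```

The forged record illustrates why the two bugs compose: the wrapped sum lets the file past the consistency check, and nentry = 0 then drives the loop into an empty allocation.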


Solution
--------

The issues were fixed in the following version:

libzip 0.10.1

PHP and zipruby have not been fixed yet.


References
----------

When further information becomes available, this advisory will be
updated. The most recent version of this advisory is available at:

http://www.pre-cert.de/advisories/PRE-SA-2012-02.txt


Contact
-------

PRE-CERT can be reached under prec...@pre-secure.de. For PGP key
information, refer to http://www.pre-cert.de/.



[Full-disclosure] [PRE-SA-2011-02] Information disclosure vulnerability in the OSF partition handling code of the Linux kernel

2011-03-17 Thread Timo Warns
PRE-CERT Security Advisory
==========================

* Advisory: PRE-SA-2011-02 
* Released on: 16 Mar 2011
* Last updated on: 16 Mar 2011
* Affected product: Linux Kernel 2.4 and 2.6
* Impact: disclosure of sensitive information
* Origin: storage devices
* Credit: Timo Warns (PRESENSE Technologies GmbH)
* CVE Identifier: CVE-2011-1163


Summary
-------

The Linux kernel contains a vulnerability that may lead to information
leakage via corrupted partition tables.

The kernel automatically evaluates partition tables of storage devices.
This happens independently of whether any auto-mounting is enabled or
not, so connecting a device with a crafted partition table is enough to
reach the code. The code for evaluating OSF partition tables contains a
buffer overflow bug that allows leaking data from the kernel heap to
userspace.


Workaround
----------

Compile and use a kernel that does not evaluate OSF partition tables.
The corresponding configuration key is CONFIG_OSF_PARTITION.


Solution
--------

The bug has been fixed in Linux kernel 2.6.38.


References
----------

When further information becomes available, this advisory will be
updated. The most recent version of this advisory is available at:

http://www.pre-cert.de/advisories/PRE-SA-2011-02.txt


Contact
-------

PRE-CERT can be reached under prec...@pre-secure.de. For PGP key
information, refer to http://www.pre-cert.de/.



[Full-disclosure] [PRE-SA-2011-03] Denial-of-service vulnerability in EFI partition handling code of the Linux kernel

2011-04-13 Thread Timo Warns
PRE-CERT Security Advisory
==========================

* Advisory: PRE-SA-2011-03
* Released on: 13 Apr 2011
* Last updated on: 13 Apr 2011
* Affected product: Linux Kernel 2.4 and 2.6
* Impact: denial-of-service
* Origin: storage devices
* Credit: Timo Warns (PRESENSE Technologies GmbH)
* CVE Identifier: CVE-2011-1577


Summary
-------

The Linux kernel contains a vulnerability that may lead to
a denial-of-service due to corrupted partition tables on storage
devices.

The kernel automatically evaluates partition tables of storage devices.
This happens independently of whether any auto-mounting is enabled or
not. The code for evaluating EFI GUID partition tables contains a buffer
overflow bug that can be used to cause a kernel oops, resulting in a
denial of service.


Workaround
----------

Compile and use a kernel that does not evaluate EFI GUID partition
tables. The corresponding configuration key is CONFIG_EFI_PARTITION.


Solution
--------

A patch is available at
http://www.spinics.net/lists/mm-commits/msg83274.html


References
----------

When further information becomes available, this advisory will be
updated. The most recent version of this advisory is available at:

http://www.pre-cert.de/advisories/PRE-SA-2011-03.txt


Contact
-------

PRE-CERT can be reached under prec...@pre-secure.de. For PGP key
information, refer to http://www.pre-cert.de/.



[Full-disclosure] [PRE-SA-2011-04] Heap overflow in EFI partition handling code of the Linux kernel

2011-05-11 Thread Timo Warns
PRE-CERT Security Advisory
==========================

* Advisory: PRE-SA-2011-04
* Released on: 10 May 2011
* Last updated on: 10 May 2011
* Affected product: Linux Kernel 2.4 and 2.6
* Impact: information disclosure, denial-of-service
* Origin: storage devices
* Credit: Timo Warns (PRESENSE Technologies GmbH)
* CVE Identifier: CVE-2011-1776


Summary
-------

The Linux kernel contains a vulnerability that may lead to
an information disclosure or a denial-of-service due to corrupted
partition tables on storage devices.

The kernel automatically evaluates partition tables of storage devices.
The code for evaluating EFI GUID partition tables contains a buffer
overflow bug that allows leaking data from the kernel heap to userspace
or may cause a kernel oops, resulting in a denial of service.


Workaround
----------

Compile and use a kernel that does not evaluate EFI GUID partition
tables. The corresponding configuration key is CONFIG_EFI_PARTITION.


Solution
--------

A patch is available at
http://git.kernel.org/linus/fa039d5f6b126fbd65eefa05db2f67e44df8f121


References
----------

https://bugzilla.redhat.com/show_bug.cgi?id=703026

When further information becomes available, this advisory will be
updated. The most recent version of this advisory is available at:

http://www.pre-cert.de/advisories/PRE-SA-2011-04.txt


Contact
-------

PRE-CERT can be reached under prec...@pre-secure.de. For PGP key
information, refer to http://www.pre-cert.de/.



[Full-disclosure] [PRE-SA-2011-05] Buffer overflow in tftp-hpa daemon

2011-06-23 Thread Timo Warns
PRE-CERT Security Advisory
==========================

* Advisory: PRE-SA-2011-05
* Released on: 22 Jun 2011
* Last updated on: 22 Jun 2011
* Affected product: tftp-hpa 0.30 - 5.0
* Impact: buffer overflow
* Origin: remote tftp client
* Credit: Timo Warns (PRESENSE Technologies GmbH)
* CVE Identifier: CVE-2011-2199


Summary
-------

The tftp-hpa daemon contains a buffer overflow vulnerability in the
function for setting the utimeout option. As the daemon accepts the
option from clients, the vulnerability can be triggered remotely by any
tftp client that can reach the daemon.


Solution
--------

For a patch, see
http://git.kernel.org/?p=network/tftp/tftp-hpa.git;a=commitdiff;h=f3035c45bc50bb5cac87ca01e7ef6a12485184f8


References
----------

When further information becomes available, this advisory will be
updated. The most recent version of this advisory is available at:

http://www.pre-cert.de/advisories/PRE-SA-2011-05.txt


Contact
-------

PRE-CERT can be reached under prec...@pre-secure.de. For PGP key
information, refer to http://www.pre-cert.de/.



[Full-disclosure] [PRE-SA-2011-06] Linux kernel: ZERO_SIZE_PTR dereference for long symlinks in Be FS

2011-08-19 Thread Timo Warns
PRE-CERT Security Advisory
==========================

* Advisory: PRE-SA-2011-06
* Released on: 19 August 2011
* Last updated on: 19 August 2011
* Affected product: Linux Kernel 2.4, 2.6, and 3.0
* Impact: denial-of-service
* Origin: Be file system
* Credit: Timo Warns (PRESENSE Technologies GmbH)
* CVE Identifier: CVE-2011-2928


Summary
-------

The Linux kernel contains a vulnerability in the driver for Be file
systems that may lead to a kernel oops via a corrupted Be file system.

In fs/befs/linuxvfs.c, befs_follow_link() reads a length attribute for a
long symlink from a data stream of a Be file system:

befs_data_stream *data = &befs_ino->i_data.ds;
befs_off_t len = data->size;

The data->size / len value is not validated and can be 0 on a corrupted
file system.

befs_follow_link() allocates memory for the link target based on len.
For a size of 0, kmalloc returns ZERO_SIZE_PTR, a non-NULL sentinel
value, so a NULL check does not catch this case:

link = kmalloc(len, GFP_NOFS);

Subsequently, the assignment that terminates the string indexes the
buffer at len - 1. For len = 0 this index wraps around (befs_off_t is an
unsigned 64-bit type), so the write goes through ZERO_SIZE_PTR into the
unmapped first page and causes a kernel oops:

link[len - 1] = '\0';
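The following user-space model is an added example, not kernel code. It shows the two facts the oops depends on (kmalloc(0) returning a non-NULL sentinel, and len - 1 wrapping for len = 0) and a hardened read that validates the length taken from the file system before allocating. ZERO_SIZE_PTR's value (16) is the kernel's; BEFS_MAX_SYMLINK, the function names and the sample data stream are assumptions of the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ZERO_SIZE_PTR    ((void *)16)  /* the kernel's sentinel for zero-length allocations */
#define BEFS_MAX_SYMLINK 4096          /* assumed upper bound of the model (PATH_MAX-like) */

/* kmalloc(0) model: the result is a non-NULL sentinel, so an "if (!link)"
 * check does not catch it. */
void *model_kmalloc(size_t n, void *backing) { return n == 0 ? ZERO_SIZE_PTR : backing; }
int null_check_catches_zero_alloc(void) { char b[1]; return model_kmalloc(0, b) == NULL; }

/* Index the unchecked code uses for the terminator: len - 1 in befs_off_t
 * (u64) arithmetic. For len == 0 it wraps to UINT64_MAX, so in practice the
 * store lands one byte below ZERO_SIZE_PTR, inside the unmapped first page. */
uint64_t terminator_index(uint64_t len) { return len - 1; }

/* Hardened read: validate the length from the file system before using it.
 * 'stream'/'stream_len' stand for the data stream, 'link'/'link_cap' for
 * the allocation. Returns 0 on success or -EIO for a corrupt length. */
int befs_read_long_symlink(const unsigned char *stream, size_t stream_len,
                           uint64_t len, char *link, size_t link_cap)
{
    if (len == 0 || len > BEFS_MAX_SYMLINK || len > link_cap || len > stream_len)
        return -EIO;                        /* long symlink with illegal length */
    memcpy(link, stream, (size_t)len);
    link[len - 1] = '\0';                   /* safe: 1 <= len <= link_cap */
    return 0;
}

/* Constructed data stream of a long symlink, NUL included. */
static const unsigned char sample_stream[] = "/boot/vmlinuz";

int main(void)
{
    char link[64];
    int rc0, rc1;

    printf("NULL check catches kmalloc(0): %d\n", null_check_catches_zero_alloc());
    printf("terminator index for len 0: %llu\n", (unsigned long long)terminator_index(0));
    rc0 = befs_read_long_symlink(sample_stream, sizeof sample_stream, 0, link, sizeof link);
    rc1 = befs_read_long_symlink(sample_stream, sizeof sample_stream,
                                 sizeof sample_stream, link, sizeof link);
    printf("len 0 -> %d, len %zu -> %d (%s)\n", rc0, sizeof sample_stream, rc1, link);
    return 0;
}
```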


Workaround
----------

Compile and use a kernel that does not support the Be file system. The
corresponding configuration key is CONFIG_BEFS_FS.


Solution
--------

A patch is available at
http://git.kernel.org/linus/338d0f0a6fbc82407864606f5b64b75aeb3c70f2


References
----------

When further information becomes available, this advisory will be
updated. The most recent version of this advisory is available at:

http://www.pre-cert.de/advisories/PRE-SA-2011-06.txt


Contact
-------

PRE-CERT can be reached under prec...@pre-secure.de. For PGP key
information, refer to http://www.pre-cert.de/.



[Full-disclosure] [PRE-SA-2012-03] Linux kernel: Buffer overflow in HFS plus filesystem

2012-05-16 Thread Timo Warns
PRE-CERT Security Advisory
==========================

* Advisory: PRE-SA-2012-03
* Released on: 10 May 2012
* Affected product: Linux Kernel 3.3.x <= 3.3.4
                    2.6.x <= 2.6.35.13
* Impact: code execution / privilege escalation
* Origin: HFS plus file system
* Credit: Timo Warns (PRESENSE Technologies GmbH)
* CVE Identifier: CVE-2012-2319


Summary
-------

The Linux kernel contains a vulnerability in the driver for HFS plus
file systems that may be exploited for code execution or privilege
escalation.

A specially-crafted HFS plus filesystem can cause a buffer overflow via
the memcpy() call of hfs_bnode_read() (in fs/hfsplus/bnode.c). The
functions

hfsplus_rename_cat() (in fs/hfsplus/catalog.c) and
hfsplus_readdir() (in fs/hfsplus/dir.c)

call hfs_bnode_read() with values that result in a memcpy() call whose
destination is a fixed-length buffer while both the source buffer and
the length are read from the filesystem without sufficient validation.

The same buffer overflows were previously fixed in the HFS filesystem
driver and have been assigned CVE-2009-4020
(commit ec81aecb29668ad71f699f4e7b96ec46691895b6 [1]).
Commit 6f24f892871acc47b40dd594c63606a17c714f77 ("hfsplus: fix
a potential buffer overflow") [2] fixes the issue in the HFS plus
filesystem driver.


Workaround
----------

Compile and use a kernel that does not support the HFS plus file system.
The corresponding configuration key is CONFIG_HFSPLUS_FS.


Solution
--------

A patch is available at
http://git.kernel.org/linus/6f24f892871acc47b40dd594c63606a17c714f77

The issue has been fixed in Linux 3.3.5.


References
----------

[1] http://git.kernel.org/linus/ec81aecb29668ad71f699f4e7b96ec46691895b6
[2] http://git.kernel.org/linus/6f24f892871acc47b40dd594c63606a17c714f77

When further information becomes available, this advisory will be
updated. The most recent version of this advisory is available at:

http://www.pre-cert.de/advisories/PRE-SA-2012-03.txt


Contact
-------

PRE-CERT can be reached under prec...@pre-secure.de. For PGP key
information, refer to http://www.pre-cert.de/.



[Full-disclosure] [PRE-SA-2012-05] Multiple heap-based buffer overflows in LibreOffice / OpenOffice

2012-08-10 Thread Timo Warns
PRE-CERT Security Advisory
==========================

* Advisory: PRE-SA-2012-05
* Released on: 6 August 2012
* Affected product: LibreOffice < 3.5.5
                    Apache OpenOffice <= 3.4.0
* Impact: code execution
* Origin: encrypted office files
* CVSS Base Score: 9.3
  Impact Subscore: 10
  Exploitability Subscore: 8.6
  CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
* Credit: Timo Warns (PRESENSE Technologies GmbH)
* CVE Identifier: CVE-2012-2665


Summary
-------

Multiple issues have been identified in LibreOffice / OpenOffice that
allow execution of arbitrary code via specially crafted office files.
All of them are in ManifestImport, the parser for the package manifest
file.

Elements outside expected parent elements
-----------------------------------------

Initially, the aSequence attribute of a ManifestImport instance has
no memory allocated for PropertyValue elements.
ManifestImport::startElement() (re)allocates memory when
a "manifest:file-entry" XML element is encountered in the manifest
file. The property values are, for example, accessed when
a "manifest:encryption-data" XML element is found. If such
elements are located outside the expected parent element
"manifest:file-entry", no allocation has taken place yet and
ManifestImport::startElement() accesses aSequence out-of-bounds.


Writes beyond fixed size buffer
-------------------------------

ManifestImport::startElement() allocates memory for 12 (=
PKG_SIZE_ENCR_MNFST) PropertyValue elements. If
a "manifest:file-entry" XML element has child elements that cause
startElement() to access more than 12 PropertyValues, startElement()
accesses aSequence out-of-bounds.


Base64Codec::decodeBase64()
---------------------------

ManifestImport::startElement() calls Base64Codec::decodeBase64() to
decode the XML attributes for checksums, initialization vectors, and
salt values. Base64Codec::decodeBase64() implicitly assumes that the
source buffer sBuffer contains a number of characters divisible by 4.
If this is not the case, the called method FourByteToThreeByte()
writes up to 3 bytes past a buffer allocated on the heap.


Solution
--------

The issue has been fixed in LibreOffice 3.5.5.
An update to Apache OpenOffice is pending.


References
----------

http://www.libreoffice.org/advisories/CVE-2012-2665/
https://bugzilla.redhat.com/show_bug.cgi?id=826077

When further information becomes available, this advisory will be
updated. The most recent version of this advisory is available at:

http://www.pre-cert.de/advisories/PRE-SA-2012-05.txt


Contact
-------

PRE-CERT can be reached under prec...@pre-secure.de. For PGP key
information, refer to http://www.pre-cert.de/.



[Full-disclosure] [PRE-SA-2012-06] FreeRADIUS: Stack Overflow in TLS-based EAP Methods

2012-09-10 Thread Timo Warns
PRE-CERT Security Advisory
==========================

* Advisory: PRE-SA-2012-06
* Released on: 10 September 2012
* Affected product: FreeRADIUS 2.1.10 - 2.1.12
* Impact: remote code execution
* Origin: specially crafted client certificates
* CVSS Base Score: 10
  Impact Subscore: 10
  Exploitability Subscore: 10
  CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
* Credit: Timo Warns (PRESENSE Technologies GmbH)
* CVE Identifier: CVE-2012-3547


Summary
-------

A stack-based buffer overflow vulnerability has been identified in
FreeRADIUS that allows remote execution of arbitrary code via specially
crafted client certificates, before authentication completes. The
vulnerability affects setups using TLS-based EAP methods (including
EAP-TLS, EAP-TTLS, and PEAP).

FreeRADIUS defines a callback function cbtls_verify() for certificate
verification. The function has a local buf array with a size of 64
bytes. It copies the validity timestamp "not after" of a client
certificate to the buf array:

asn_time = X509_get_notAfter(client_cert);
if ((lookup <= 1) && asn_time && (asn_time->length < MAX_STRING_LEN)) {
memcpy(buf, (char*) asn_time->data, asn_time->length);
buf[asn_time->length] = '\0';

The MAX_STRING_LEN constant is defined to be 254. If asn_time->length is
at least 64 bytes but less than 254 bytes, the memcpy (or, for a length
of exactly 64, the terminating NUL byte written on the following line)
overflows buf. The length is taken straight from the certificate's DER
encoding, so it is under the client's control.

Depending on the stack layout chosen by the compiler, the vulnerability
allows overwriting the return address on the stack, which can be
exploited for code execution.
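The following is an added example, not FreeRADIUS code. It puts the bound from the quoted snippet next to a hardened copy whose bound is the destination size, and computes how many bytes the vulnerable path writes past buf for a given length. A small struct with the same two members the quoted code touches stands in for OpenSSL's ASN1_TIME so that the example runs without linking OpenSSL; MAX_STRING_LEN and the 64-byte buffer size are the values named in the advisory, while the function names and sample values are assumptions of the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_STRING_LEN 254   /* FreeRADIUS constant named in the advisory */
#define NOT_AFTER_BUF   64   /* size of the local buf array in cbtls_verify() */

/* Stand-in for OpenSSL's ASN1_TIME with the two members the quoted code
 * uses, so the example runs without linking OpenSSL. */
struct asn1_time_model { int length; const unsigned char *data; };

/* The bound as in the vulnerable code: anything below 254 is copied into a
 * 64-byte buffer. Returns 1 when the copy would go ahead. */
int not_after_copy_allowed_vuln(const struct asn1_time_model *t)
{
    return t != NULL && t->length < MAX_STRING_LEN;
}

/* Bytes the vulnerable path writes past buf for a given length: the memcpy
 * plus the terminating NUL; 0 when everything fits. */
int overflow_bytes_vuln(int length)
{
    int written = length + 1;
    return written > NOT_AFTER_BUF ? written - NOT_AFTER_BUF : 0;
}

/* Hardened copy: the bound is the destination size, with room for the NUL.
 * Returns 0 on success, -1 when the value does not fit (nothing copied). */
int copy_not_after_hardened(const struct asn1_time_model *t, char *buf, size_t bufsz)
{
    if (t == NULL || t->length < 0 || (size_t)t->length >= bufsz)
        return -1;
    memcpy(buf, t->data, (size_t)t->length);
    buf[t->length] = '\0';
    return 0;
}

/* Constructed inputs: an ordinary 13-character UTCTime, and a 200-byte value
 * of the kind a crafted certificate's notAfter field could carry. */
static const unsigned char normal_time[] = "121231235959Z";
static unsigned char crafted_time[200];

int main(void)
{
    struct asn1_time_model ok = { 13, normal_time };
    struct asn1_time_model bad = { 200, crafted_time };
    char buf[NOT_AFTER_BUF];
    int rc;

    memset(crafted_time, 'A', sizeof crafted_time);
    printf("vulnerable check accepts 13: %d, accepts 200: %d\n",
           not_after_copy_allowed_vuln(&ok), not_after_copy_allowed_vuln(&bad));
    printf("bytes written past buf for length 200: %d\n", overflow_bytes_vuln(bad.length));
    rc = copy_not_after_hardened(&ok, buf, sizeof buf);
    printf("hardened copy of 13: %d (%s)\n", rc, buf);
    rc = copy_not_after_hardened(&bad, buf, sizeof buf);
    printf("hardened copy of 200: %d\n", rc);
    return 0;
}
```

A real ASN1_TIME in a valid certificate is 13 (UTCTime) or 15 (GeneralizedTime) characters, so bounding on the destination size loses nothing; the DER length field, not the semantic format, is what an attacker controls.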


Solution
--------

The issue has been fixed in FreeRADIUS 2.2.0. Updates should be installed as
soon as possible.


References
----------

When further information becomes available, this advisory will be
updated. The most recent version of this advisory is available at:

http://www.pre-cert.de/advisories/PRE-SA-2012-06.txt


Contact
-------

PRE-CERT can be reached under prec...@pre-secure.de. For PGP key
information, refer to http://www.pre-cert.de/.



[Full-disclosure] [PRE-SA-2012-07] hostapd: Missing EAP-TLS message length validation

2012-10-08 Thread Timo Warns
PRE-CERT Security Advisory
==========================

* Advisory: PRE-SA-2012-07
* Released on: 8 October 2012
* Affected product: Hostapd 0.6 - 1.0
* Impact: denial of service
* Origin: specially crafted EAP-TLS messages
* CVSS Base Score: 7.8
  Impact Subscore: 6.9
  Exploitability Subscore: 10
  CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:C)
* Credit: Timo Warns (PRESENSE Technologies GmbH)
* CVE Identifier: CVE-2012-4445


Summary
-------

The internal EAP authentication server of hostapd does not sufficiently
validate the message length field of EAP-TLS messages, which can be
exploited for a denial-of-service via specially crafted EAP-TLS messages
(before authentication).

Hostapd has a function eap_server_tls_process_fragment() used by its
internal EAP authentication server for handling fragmented EAP-TLS
messages. The function (indirectly) calls wpabuf_overflow() aborting
the application in case of potential buffer overflows. Such a situation
can be triggered by an attacker sending an EAP-TLS message with

a) the "More Fragments" flag set and
b) a "TLS Message Length" value that is smaller than the size of
   the "TLS Data" field.

The vulnerability can be exploited only if hostapd is configured to use
its internal EAP authentication server, either directly for IEEE 802.1X
authentication or when using hostapd as a RADIUS authentication server.

Affected is hostapd in versions 0.6 - 1.0. The issue was introduced with
commit
http://hostap.epitest.fi/gitweb/gitweb.cgi?p=hostap.git;a=commitdiff;h=34f564dbd5168626da55a7119b04832e98793160
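The program below is an added model of the fragment handling described above; it is not hostapd's code. The fragment layout (flags octet, optional 4-byte TLS Message Length, TLS Data) follows RFC 5216, and the flag bit values are the ones that RFC defines. The wpabuf is replaced by a fixed-capacity reassembly buffer, and the abort() that wpabuf_overflow() performs is replaced by a return code so the example can show the failure without terminating. The cap on the announced length, the checking of continuation fragments, the helper names and the constructed fragments are assumptions of the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define EAP_TLS_FLAGS_LENGTH_INCLUDED 0x80   /* L bit, RFC 5216 */
#define EAP_TLS_FLAGS_MORE_FRAGMENTS  0x40   /* M bit */
#define MAX_TLS_MSG 65536                    /* assumed cap on the announced length */

enum { FRAG_DONE = 1, FRAG_MORE = 0, FRAG_INVALID = -1, FRAG_WOULD_ABORT = -2 };

/* Stand-in for data->tls_in (a wpabuf allocated to the announced length). */
struct reasm { unsigned char *buf; size_t cap; size_t used; };

void reasm_reset(struct reasm *r) { free(r->buf); r->buf = NULL; r->cap = r->used = 0; }

/* One EAP-TLS fragment: flags octet, then (if L) a 4-byte big-endian TLS
 * Message Length, then TLS Data. fixed = 0 models hostapd 0.6 - 1.0;
 * fixed = 1 adds the check the patch introduces for the first fragment. */
int process_fragment(struct reasm *r, const unsigned char *frag, size_t len, int fixed)
{
    unsigned char flags;
    const unsigned char *data;
    size_t size;

    if (len < 1)
        return FRAG_INVALID;
    flags = frag[0];
    data = frag + 1;
    size = len - 1;

    if (r->buf == NULL) {
        /* First fragment: must announce the total length, which sizes the buffer. */
        uint32_t tls_msg_len;
        if (!(flags & EAP_TLS_FLAGS_LENGTH_INCLUDED) || size < 4)
            return FRAG_INVALID;
        tls_msg_len = ((uint32_t)data[0] << 24) | ((uint32_t)data[1] << 16) |
                      ((uint32_t)data[2] << 8) | data[3];
        data += 4;
        size -= 4;
        if (tls_msg_len > MAX_TLS_MSG)
            return FRAG_INVALID;
        if (fixed && tls_msg_len < size)
            return FRAG_INVALID;   /* the fix: announced total smaller than this fragment's data */
        r->buf = malloc(tls_msg_len ? tls_msg_len : 1);
        if (r->buf == NULL)
            return FRAG_INVALID;
        r->cap = tls_msg_len;
        r->used = 0;
    } else {
        /* Continuation: a repeated length field is skipped; the data must fit
         * the remaining space (checked in both variants of this model). */
        if (flags & EAP_TLS_FLAGS_LENGTH_INCLUDED) {
            if (size < 4)
                return FRAG_INVALID;
            data += 4;
            size -= 4;
        }
        if (size > r->cap - r->used)
            return FRAG_INVALID;
    }

    /* wpabuf_put_data(): in hostapd, exceeding the allocation reaches
     * wpabuf_overflow(), which logs and abort()s the daemon. Only the
     * unchecked first fragment of the vulnerable variant can trip this. */
    if (size > r->cap - r->used)
        return FRAG_WOULD_ABORT;
    memcpy(r->buf + r->used, data, size);
    r->used += size;
    return (flags & EAP_TLS_FLAGS_MORE_FRAGMENTS) ? FRAG_MORE : FRAG_DONE;
}

/* Constructed fragments (not captured traffic). The crafted one announces
 * 4 bytes but carries 8 and sets More Fragments, as in the advisory. */
static const unsigned char crafted_frag[] = {
    0xC0, 0x00, 0x00, 0x00, 0x04,
    0x16, 0x03, 0x01, 0x00, 0x2a, 0x01, 0x00, 0x00
};
static const unsigned char good_frag1[] = { 0xC0, 0, 0, 0, 16, 1, 2, 3, 4, 5, 6, 7, 8 };
static const unsigned char good_frag2[] = { 0x00, 9, 10, 11, 12, 13, 14, 15, 16 };

int main(void)
{
    struct reasm r = { NULL, 0, 0 };
    int a, b;

    printf("crafted, vulnerable: %d (-2 = would abort)\n",
           process_fragment(&r, crafted_frag, sizeof crafted_frag, 0));
    reasm_reset(&r);
    printf("crafted, fixed: %d (-1 = rejected)\n",
           process_fragment(&r, crafted_frag, sizeof crafted_frag, 1));
    reasm_reset(&r);
    a = process_fragment(&r, good_frag1, sizeof good_frag1, 1);
    b = process_fragment(&r, good_frag2, sizeof good_frag2, 1);
    printf("well-formed: %d then %d, %zu of %zu bytes\n", a, b, r.used, r.cap);
    reasm_reset(&r);
    return 0;
}
```

Because the check runs before any authentication state exists, a single unauthenticated EAP-Response carrying the crafted fragment is enough to take the daemon down in the vulnerable variant, which is what the CVSS vector above (AV:N/Au:N) expresses.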


Solution
--------

A patch is available at
http://w1.fi/gitweb/gitweb.cgi?p=hostap.git;a=commitdiff;h=586c446e0ff42ae00315b014924ec669023bd8de


References
----------

When further information becomes available, this advisory will be
updated. The most recent version of this advisory is available at:

http://www.pre-cert.de/advisories/PRE-SA-2012-07.txt


Contact
-------

PRE-CERT can be reached under prec...@pre-secure.de. For PGP key
information, refer to http://www.pre-cert.de/.



[Full-disclosure] [PRE-SA-2011-01] Multiple Linux kernel vulnerabilities in partition handling code of LDM and MAC partition tables

2011-02-23 Thread Timo Warns
# PRE-CERT Security Advisory #

* Advisory: PRE-SA-2011-01
* Released on: 23 Feb 2011
* Last updated on: 23 Feb 2011
* Affected product: Linux Kernel 2.4 and 2.6
* Impact: - privilege escalation
          - denial-of-service
          - disclosure of sensitive information
* Origin: storage devices
* CVE Identifier: - CVE-2011-1010

## Summary ##

Timo Warns (PRESENSE Technologies GmbH) reported some vulnerabilities in
the Linux kernel that may lead to privilege escalation,
denial-of-service, or information leakage via corrupted partition
tables. Exploiting these vulnerabilities has been demonstrated by a "USB
Stick of Death" that crashes the Linux kernel upon connecting the stick.

The kernel automatically evaluates partition tables of storage devices.
Note that this happens independently of whether auto-mounting is enabled
or not. The code for evaluating MAC and LDM partition tables contains the
following vulnerabilities:

* CVE-2011-1010
  A buffer overflow bug in mac_partition in fs/partitions/mac.c (for MAC
  partition tables) allows causing a denial-of-service (kernel panic)
  via a corrupted MAC partition table.

  For a patch, see
  http://git.kernel.org/linus/fa7ea87a057958a8b7926c1a60a3ca6d696328ed

* A division-by-zero bug in ldm_get_vblks in fs/partitions/ldm.c (for
  LDM partition tables) allows causing a denial-of-service (kernel
  oops) via a corrupted LDM partition table.

  For a patch, see
  http://www.spinics.net/lists/mm-commits/msg82429.html

* A buffer overflow bug in ldm_frag_add in fs/partitions/ldm.c (for LDM
  partition tables) may allow escalating privileges or disclosing
  sensitive information via a corrupted LDM partition table.

## Workaround ##

Compile and use a kernel that does not evaluate MAC and LDM partition
tables. The corresponding configuration keys are CONFIG_MAC_PARTITION
and CONFIG_LDM_PARTITION.

## References ##

https://bugzilla.redhat.com/show_bug.cgi?id=679282

When further information becomes available, this advisory will be
updated. The most recent version of this advisory is available at:

http://www.pre-cert.de/advisories/PRE-SA-2011-01.txt

## Contact ##

PRE-CERT can be reached under prec...@pre-secure.de. For PGP
key information, refer to http://www.pre-cert.de
