Bug 49841 (CVE-2004-0109)

Summary: VUL-0: CVE-2004-0109: kernel: ISO9660 filesystem: buffer overflow
Product: [Novell Products] SUSE Security Incidents Reporter: Thomas Biege <thomas>
Component: IncidentsAssignee: Thomas Biege <thomas>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: ihno, mfrueh, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: CVE-2004-0109: CVSS v2 Base Score: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: Buffer Overflow in ISO9660 Filesystem Component of Linux Kernel.txt
Sample exploit provided by iDEFENSE. Maybe helps to trigger stuff
Proposed patch from me.

Description Thomas Biege 2004-02-23 17:06:50 UTC 
Hi,  
the following (private) announcement from iDEFENDE reached us on friday.  
 
  
iDEFENSE has identified a buffer overflow vulnerability in the ISO9660  
filesystem component of Linux kernel. This vulnerability was submitted  
to iDEFENSE through our Vulnerability Contributor Program  
(http://www.idefense.com/poi/teams/vcp.jsp). iDEFENSE Labs has validated  
this vulnerability and has drafted the attached advisory. In accordance  
with our vendor disclosure policy  
(http://www.idefense.com/legal_disclosure.jsp) we would request that you  
acknowledge receipt of this initial notification within five business  
days so that we may begin the process of coordinating an appropriate  
public disclosure date for this issue that will provide your company  
with adequate time to develop a patch or workaround to mitigate this  
vulnerability. If you have questions regarding this issue or require  
further details to assist with your own analysis, please do not hesitate  
to contact us.  
  
Regards,  
Michael Sutton  
  
Michael Sutton, CA, CISA  
Director, iDEFENSE Labs  
iDEFENSE  
1875 Campus Commons Drive, Suite 210  
Reston, VA 20191  
direct: 703.480.5628  
voice: 703.390.1230  
fax: 703.390.9456  
msutton@idefense.com  
www.idefense.com
Comment 1 Thomas Biege 2004-02-23 17:06:50 UTC 
<!-- SBZ_reproduce  -->
advisroy will be attached.
Comment 2 Thomas Biege 2004-02-23 17:09:28 UTC 
Created attachment 16111 [details]
Buffer Overflow in ISO9660 Filesystem Component of Linux Kernel.txt
Comment 3 Thomas Biege 2004-02-23 17:10:10 UTC 
Date: Sun, 22 Feb 2004 10:46:00 +0000 (GMT) 
From: Mark J Cox <mjc@redhat.com> 
To: security@suse.de, security@linux-mandrake.com, security@slackware.com 
Subject: [security@suse.de] Re: iso9660 (fwd) 
 
Please note I've reserved CAN-2004-0109 for the iDefense reported issue in 
iso9660 and sent this to them. 
 
I've also suggested a disclosure date of March 10th at 1400UTC. 
 
Best Regards, Mark 
-- 
Mark J Cox / Red Hat Security Response Team
Comment 4 Hubert Mantel 2004-02-24 00:39:31 UTC 
Do we already have a fix?
Comment 5 Thomas Biege 2004-02-24 01:30:18 UTC 
No, 
I think there will be one popping up in the next few dayson vendor-sec.
Comment 6 Roman Drahtmueller 2004-02-25 22:27:38 UTC 
iso9660 filesystems are not used on s390(x) unless mounted via loopback.
Therefore, the security problem does not apply to s390(x). Adding ihno@ to Cc:.
Ihno will include the patch to his kernels, but will not trigger an update
for this specific bug.
Comment 7 Sebastian Krahmer 2004-02-27 17:23:42 UTC 
Created attachment 16235 [details]
Sample exploit provided by iDEFENSE. Maybe helps to trigger stuff
Comment 8 Sebastian Krahmer 2004-02-27 17:49:14 UTC 
I am digging with the issue now, I hope I am aple to make
some senseful proposed patches which I will attach then.
Comment 9 Sebastian Krahmer 2004-02-27 17:57:25 UTC 
Created attachment 16236 [details]
Proposed patch from me.

I am not a kernel hacker. I assume that the kmap()
returns a address of a page, so we
should not write more than PAGE_SIZE byte
to this location. This chack has basically been
added.
Comment 10 Thomas Biege 2004-02-27 18:27:59 UTC 
That's was the only suspicious code I found too. Maybe we cought the right 
one. :) 
 
Did you run tests of the little exploit against the patched kernel?
Comment 11 Sebastian Krahmer 2004-02-27 18:42:27 UTC 
No, no tests except compilation.
Thing is when the exploit doesnt work against patched kernel,
it means nothing. :-)
Comment 12 Sebastian Krahmer 2004-02-27 18:53:45 UTC 
BTW, can symlink be arbitrary long?
If they can be as long as 2GB then we also need to
check for integer wraps. But they probably dont fit
onto a ISO9660 :)
Comment 13 Sebastian Krahmer 2004-02-27 19:02:56 UTC 
Ok. Just tested the patch on a 2.4.22grsec kernel. Worked
fine so far. The iso from the exploit did not cause
anything. CD mounts etc work fine. But this is not
a complete QA. Will test exploit against unpatched kernel now.
Comment 14 Sebastian Krahmer 2004-02-27 19:04:28 UTC 
Ok. On a 2.4.18 the exploit causes an oops.
So I guess the patch works.
Comment 15 Thomas Biege 2004-03-01 17:27:06 UTC 
comment #11: but if it works, it means a lot. ;)
Comment 16 Thomas Biege 2004-03-03 17:30:08 UTC 
I think we can use Sebastians patch.
Comment 17 Hubert Mantel 2004-03-04 00:49:51 UTC 
Fixes are in; kernels are waiting to be checked in.
Comment 18 Thomas Biege 2004-03-12 19:26:54 UTC 
CRD: Wednesday April 14, 2004 at 1400UTC/900EST
Comment 19 Thomas Biege 2004-04-14 23:18:15 UTC 
packages approved
Comment 20 Thomas Biege 2009-10-13 20:15:01 UTC 
CVE-2004-0109: CVSS v2 Base Score: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)