Bug 73793 (CVE-2005-0815)

Summary:	VUL-0: CVE-2005-0815: potential iso9660 problems
Product:	[Novell Products] SUSE Security Incidents	Reporter:	Ludwig Nussel <lnussel>
Component:	Incidents	Assignee:	Hubert Mantel <mantel>
Status:	RESOLVED WONTFIX	QA Contact:	Security Team bot <security-team>
Severity:	Normal
Priority:	P5 - None	CC:	klaus, security-team, smueller
Version:	unspecified
Target Milestone:	---
Hardware:	Other
OS:	All
Whiteboard:	CVE-2005-0815: CVSS v2 Base Score: 6.4 (AV:N/AC:L/Au:N/C:N/I:P/A:P)
Found By:	Other	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---
Attachments:	his program, exchanges random bytes

Description Ludwig Nussel 2005-03-18 10:06:37 UTC

We received the following report via bugtraq.
The issue is public.

Someone should check which kind of fixes he is referring to, eg:
http://linux.bkbits.net:8080/linux-2.6/cset%404239dad1BWUxd4WEx388lwZCb05Q0Q

Date: Thu, 17 Mar 2005 22:36:45 +0100 (CET)
From: Michal Zalewski <lcamtuf@dione.ids.pl>
To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org
Cc: full-disclosure@netsys.com
Subject: Linux ISO9660 handling flaws

Good morning,

There appears to be a fair number of kernel-level range checking flaws in
ISO9660 filesystem handler (and Rock Ridge / Juliet extensions) in Linux
up to and including 2.6.11. These bugs range from DoS conditions to
potentially exploitable memory corruption - all this whenever a specially
crafted filesystem is mounted or directories are examined.

Most apparent flaws are expected to be fixed in Linux 2.6.12 (rc to show
up by tomorrow or so), although, as per Linus words, "that code is
horrid", and it may take some time to work out all the issues.

The impact is not dramatic, but there are two obvious ways such flaws can
be used to benefit remote attackers:

  1) Bugs in removable media filesystems may be used to automatically
     compromise any system whose owner decided to examine a newly acquired
     CD-ROM, even if extreme caution is observed (that is, autorun is
     disabled, and no files are executed).

  2) For all types of filesystems, such problems can be additionally used
     to subvert forensic analysis efforts. Disk images from compromised
     machine may infect forensic examiner's system and alter results,
     or simply render the machine unusable.

Attached is a trivial fuzz script that can be used to test fs drivers
against most obvious fault conditions. With little effort, it can be
further altered to test filesystems other than ISO9660, and OSes other
than Linux.

Regards,
Michal Zalewski

Obligatory plug: http://lcamtuf.coredump.cx/silence/

Comment 1 Ludwig Nussel 2005-03-18 10:08:02 UTC

also 
http://linux.bkbits.net:8080/linux-2.6/cset%404238cb8e36_Z5Cgys8rTovspboIJpw

Comment 2 Ludwig Nussel 2005-03-18 10:08:47 UTC

Created attachment 32273 [details]
his program, exchanges random bytes

Comment 3 Hubert Mantel 2005-03-18 11:38:30 UTC

Well, since this requires the attacked to mount a specially prepared filesystem,
it should not be that severe...

Comment 4 Marcus Meissner 2005-03-18 12:07:54 UTC

you mean like inserting a CD into a machine?

Comment 5 Chris L Mason 2005-03-18 13:51:14 UTC

There are a number of different ways to upset the kernel with crafted filesystem images.  I don't 
consider this severe enough for a security update.

Comment 6 Ludwig Nussel 2005-03-22 09:06:05 UTC

CAN-2005-0815

Comment 7 Sebastian Krahmer 2005-03-22 09:57:51 UTC

Date: Mon, 21 Mar 2005 20:48:58 +0000 (GMT)
From: Mark J Cox <mjc@redhat.com>
To: Chris Wright <chrisw@osdl.org>
Cc: Mike O'Connor <mjo@dojo.mi.org>, vendor-sec List <vendor-sec@lst.de>
Subject: Re: [vendor-sec] Re: Linux ISO9660 handling flaws

> It's got a copy of the message, but no discussion.  Most I know of it is
> what Linus committed to bk last week.
> 
> http://linux.bkbits.net:8080/linux-2.6/cset@4238cb8e36_Z5Cgys8rTovspboIJpw
> http://linux.bkbits.net:8080/linux-2.6/cset@4239dad1BWUxd4WEx388lwZCb05Q0Q

All covered at the moment by CAN-2005-0815

Mark

Comment 8 Marcus Meissner 2005-04-04 07:59:29 UTC

we can consider this for updates once the dust on iso9660 fixes has settled

Comment 9 Hubert Mantel 2005-05-13 14:53:23 UTC

Should I try to commit those two patches to all of our trees? At least for some
2.4 tree, they do not apply cleanly, so I will need to adapt them and risk some
breakage. Ok to take that risk?

Comment 10 Chris L Mason 2005-05-13 15:33:30 UTC

I wouldn't back port these to 2.4

Comment 11 Marcus Meissner 2005-06-17 10:23:03 UTC

hubert, we just will not apply those (except an exploit shows up)  
but get them via mainline in 10.0.

Comment 12 Thomas Biege 2009-10-13 21:12:04 UTC

CVE-2005-0815: CVSS v2 Base Score: 6.4 (AV:N/AC:L/Au:N/C:N/I:P/A:P)