Bugzilla – Bug 73793
VUL-0: CVE-2005-0815: potential iso9660 problems
Last modified: 2021-11-08 16:35:51 UTC
We received the following report via bugtraq. The issue is public. Someone should check which kind of fixes he is referring to, eg: http://linux.bkbits.net:8080/linux-2.6/cset%404239dad1BWUxd4WEx388lwZCb05Q0Q Date: Thu, 17 Mar 2005 22:36:45 +0100 (CET) From: Michal Zalewski <lcamtuf@dione.ids.pl> To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org Cc: full-disclosure@netsys.com Subject: Linux ISO9660 handling flaws Good morning, There appears to be a fair number of kernel-level range checking flaws in ISO9660 filesystem handler (and Rock Ridge / Juliet extensions) in Linux up to and including 2.6.11. These bugs range from DoS conditions to potentially exploitable memory corruption - all this whenever a specially crafted filesystem is mounted or directories are examined. Most apparent flaws are expected to be fixed in Linux 2.6.12 (rc to show up by tomorrow or so), although, as per Linus words, "that code is horrid", and it may take some time to work out all the issues. The impact is not dramatic, but there are two obvious ways such flaws can be used to benefit remote attackers: 1) Bugs in removable media filesystems may be used to automatically compromise any system whose owner decided to examine a newly acquired CD-ROM, even if extreme caution is observed (that is, autorun is disabled, and no files are executed). 2) For all types of filesystems, such problems can be additionally used to subvert forensic analysis efforts. Disk images from compromised machine may infect forensic examiner's system and alter results, or simply render the machine unusable. Attached is a trivial fuzz script that can be used to test fs drivers against most obvious fault conditions. With little effort, it can be further altered to test filesystems other than ISO9660, and OSes other than Linux. Regards, Michal Zalewski Obligatory plug: http://lcamtuf.coredump.cx/silence/
also http://linux.bkbits.net:8080/linux-2.6/cset%404238cb8e36_Z5Cgys8rTovspboIJpw
Created attachment 32273 [details] his program, exchanges random bytes
Well, since this requires the attacked to mount a specially prepared filesystem, it should not be that severe...
you mean like inserting a CD into a machine?
There are a number of different ways to upset the kernel with crafted filesystem images. I don't consider this severe enough for a security update.
CAN-2005-0815
Date: Mon, 21 Mar 2005 20:48:58 +0000 (GMT) From: Mark J Cox <mjc@redhat.com> To: Chris Wright <chrisw@osdl.org> Cc: Mike O'Connor <mjo@dojo.mi.org>, vendor-sec List <vendor-sec@lst.de> Subject: Re: [vendor-sec] Re: Linux ISO9660 handling flaws > It's got a copy of the message, but no discussion. Most I know of it is > what Linus committed to bk last week. > > http://linux.bkbits.net:8080/linux-2.6/cset@4238cb8e36_Z5Cgys8rTovspboIJpw > http://linux.bkbits.net:8080/linux-2.6/cset@4239dad1BWUxd4WEx388lwZCb05Q0Q All covered at the moment by CAN-2005-0815 Mark
we can consider this for updates once the dust on iso9660 fixes has settled
Should I try to commit those two patches to all of our trees? At least for some 2.4 tree, they do not apply cleanly, so I will need to adapt them and risk some breakage. Ok to take that risk?
I wouldn't back port these to 2.4
hubert, we just will not apply those (except an exploit shows up) but get them via mainline in 10.0.
CVE-2005-0815: CVSS v2 Base Score: 6.4 (AV:N/AC:L/Au:N/C:N/I:P/A:P)