Bug 49100 - (CVE-2004-0010) VUL-0: CVE-2004-0010: ncpfs: buffer overflow
VUL-0: CVE-2004-0010: ncpfs: buffer overflow
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
All Linux
: P3 - Medium : Normal
: ---
Assigned To: Thomas Biege
Security Team bot
CVE-2004-0010: CVSS v2 Base Score: 7....
Depends on:
  Show dependency treegraph
Reported: 2004-01-22 21:47 UTC by Thomas Biege
Modified: 2021-10-12 13:29 UTC (History)
1 user (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

ncpfs-check (9.0-i386) (576 bytes, patch)
2004-02-19 23:40 UTC, Thomas Biege
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Biege 2004-01-22 21:47:33 UTC
Hi Olaf, 
The following was reported on vendor-sec: 
Date: Thu, 22 Jan 2004 13:25:50 +0000 (GMT) 
From: Mark J Cox <mjc@redhat.com> 
To: vendor-sec@lst.de 
Subject: [vendor-sec] CAN-2004-0010 kernel ncpfs roothole 
ncpfs allows you to mount volumes of NetWare servers under Linux and to 
print to NetWare print queues and spool NetWare print queues to the Linux 
printing system. 
Arjan van de Ven discovered a possible roothole in ncpfs which he shared 
with the maintainer.  He says this has been discussed in public.  No valid 
fix yet from the maintainer.  I gave this CAN-2004-0010. 
Thanks, Mark 
Mark J Cox / Red Hat Security Response Team 
----- Forwarded message from Arjan van de Ven 
<arjanv@devserv.devel.redhat.com> ----- 
Date: Wed, 21 Jan 2004 23:51:25 +0100 
From: Arjan van de Ven <arjanv@devserv.devel.redhat.com> 
To: vandrove@vc.cvut.cz 
Subject: possible security issue in ncpfs 
ncp_lookup has the following code in it: 
static struct dentry *ncp_lookup(struct inode *dir, struct dentry *dentry, 
struct nameidata *nd) 
        struct ncp_server *server = NCP_SERVER(dir); 
        struct inode *inode = NULL; 
        struct ncp_entry_info finfo; 
        int error, res, len = dentry->d_name.len + 1; 
        __u8 __name[len]; 
where d_name.len is user controlled (in case of rename or following 
symlinks) and can thus be 4Kb on x86. In the case of symlinks the user can 
also control like 2Kb of previously-used stackspace so that you get a 
*controlled* stack overflow, something which can be used to overwrite the 
UID fields in the task struct... to 0. 
The practical expoitability is not going to be easy but .. the same was 
thought of mremap and do_brk issues. So I would like to ask you to consider 
to get rid of these variable sized arrays on the stack entirely, since I 
suspect lookup is not the only one that suffers from this issue. 
   Arjan van de Ven
Comment 1 Thomas Biege 2004-01-22 21:47:33 UTC
<!-- SBZ_reproduce  -->
Comment 2 Thomas Biege 2004-01-22 21:52:41 UTC
Can you keep an eye on this issue. I think there will be an official update 
Comment 3 Olaf Hering 2004-01-23 03:25:40 UTC
ok, its a kernel bug. Andi has a/the patch and will commit it.
Comment 4 Thomas Biege 2004-01-23 22:49:14 UTC
Comment 5 Thomas Biege 2004-01-27 01:00:15 UTC
Hi Andi, 
we need this patch ASAP because we have a coordinated release date for 
09.02.2004 and this stuff needs a lot of testing. Bu twho do I tell... :) 
Additionally Hubert seems to start updating the kernel source at the moment 
and this bug should go in it too. 
Comment 6 Andreas Kleen 2004-01-27 01:12:17 UTC
The fix is already checked in in 2.4 kernel-source CVS head
Comment 7 Thomas Biege 2004-01-27 20:33:47 UTC
Thank you. 
Comment 8 Thomas Biege 2004-01-29 19:09:10 UTC
reassign to Hubert as reminder... 
Comment 9 Hubert Mantel 2004-01-29 22:13:25 UTC
Since the fix is already in CVS, we can close this bug. The only remaining issue
currently is the mremap thing...
Comment 10 Thomas Biege 2004-02-16 18:37:38 UTC
<!-- SBZ_reopen -->Reopened by thomas@suse.de at Mon Feb 16 11:37:38 2004
Comment 11 Thomas Biege 2004-02-16 18:37:38 UTC
reopen, reassigned for tracking. 
Comment 12 Thomas Biege 2004-02-19 23:40:15 UTC
Created attachment 16075 [details]
ncpfs-check (9.0-i386)
Comment 13 Thomas Biege 2004-03-24 00:57:22 UTC
packages released. 
Comment 14 Thomas Biege 2009-10-13 19:57:22 UTC
CVE-2004-0010: CVSS v2 Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)