Bug 49841 - (CVE-2004-0109) VUL-0: CVE-2004-0109: kernel: ISO9660 filesystem: buffer overflow
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Hardware: All
OS: Linux
Priority: P3 - Medium
Severity: Normal
Assigned To: Thomas Biege
QA Contact: Security Team bot
CVE-2004-0109: CVSS v2 Base Score: 4....
Reported: 2004-02-23 17:06 UTC by Thomas Biege
Modified: 2021-10-02 08:58 UTC

Buffer Overflow in ISO9660 Filesystem Component of Linux Kernel.txt (3.35 KB, text/plain)
2004-02-23 17:09 UTC, Thomas Biege
Sample exploit provided by iDEFENSE. Maybe helps to trigger stuff (7.51 KB, text/plain)
2004-02-27 17:23 UTC, Sebastian Krahmer
Proposed patch from me. (1.81 KB, patch)
2004-02-27 17:57 UTC, Sebastian Krahmer

Description Thomas Biege 2004-02-23 17:06:50 UTC
The following (private) announcement from iDEFENSE reached us on Friday.  
iDEFENSE has identified a buffer overflow vulnerability in the ISO9660  
filesystem component of Linux kernel. This vulnerability was submitted  
to iDEFENSE through our Vulnerability Contributor Program  
(http://www.idefense.com/poi/teams/vcp.jsp). iDEFENSE Labs has validated  
this vulnerability and has drafted the attached advisory. In accordance  
with our vendor disclosure policy  
(http://www.idefense.com/legal_disclosure.jsp) we would request that you  
acknowledge receipt of this initial notification within five business  
days so that we may begin the process of coordinating an appropriate  
public disclosure date for this issue that will provide your company  
with adequate time to develop a patch or workaround to mitigate this  
vulnerability. If you have questions regarding this issue or require  
further details to assist with your own analysis, please do not hesitate  
to contact us.  
Michael Sutton  
Michael Sutton, CA, CISA  
Director, iDEFENSE Labs  
1875 Campus Commons Drive, Suite 210  
Reston, VA 20191  
direct: 703.480.5628  
voice: 703.390.1230  
fax: 703.390.9456  
Comment 1 Thomas Biege 2004-02-23 17:06:50 UTC
Advisory will be attached.
Comment 2 Thomas Biege 2004-02-23 17:09:28 UTC
Created attachment 16111
Buffer Overflow in ISO9660 Filesystem Component of Linux Kernel.txt
Comment 3 Thomas Biege 2004-02-23 17:10:10 UTC
Date: Sun, 22 Feb 2004 10:46:00 +0000 (GMT) 
From: Mark J Cox <mjc@redhat.com> 
To: security@suse.de, security@linux-mandrake.com, security@slackware.com 
Subject: [security@suse.de] Re: iso9660 (fwd) 
Please note I've reserved CAN-2004-0109 for the iDefense reported issue in 
iso9660 and sent this to them. 
I've also suggested a disclosure date of March 10th at 1400UTC. 
Best Regards, Mark 
Mark J Cox / Red Hat Security Response Team 
Comment 4 Hubert Mantel 2004-02-24 00:39:31 UTC
Do we already have a fix?
Comment 5 Thomas Biege 2004-02-24 01:30:18 UTC
I think there will be one popping up in the next few days on vendor-sec. 
Comment 6 Roman Drahtmueller 2004-02-25 22:27:38 UTC
iso9660 filesystems are not used on s390(x) unless mounted via loopback.
Therefore, the security problem does not apply to s390(x). Adding ihno@ to Cc:.
Ihno will include the patch to his kernels, but will not trigger an update
for this specific bug.
Comment 7 Sebastian Krahmer 2004-02-27 17:23:42 UTC
Created attachment 16235
Sample exploit provided by iDEFENSE. Maybe helps to trigger stuff
Comment 8 Sebastian Krahmer 2004-02-27 17:49:14 UTC
I am digging into the issue now, I hope I am able to make
some sensible proposed patches which I will attach then.
Comment 9 Sebastian Krahmer 2004-02-27 17:57:25 UTC
Created attachment 16236
Proposed patch from me.

I am not a kernel hacker. I assume that the kmap()
returns an address of a page, so we
should not write more than PAGE_SIZE bytes
to this location. This check has basically been
Comment 10 Thomas Biege 2004-02-27 18:27:59 UTC
That was the only suspicious code I found too. Maybe we caught the right 
one. :) 
Did you run tests of the little exploit against the patched kernel? 
Comment 11 Sebastian Krahmer 2004-02-27 18:42:27 UTC
No, no tests except compilation.
Thing is, when the exploit doesn't work against the patched kernel,
it means nothing. :-)
Comment 12 Sebastian Krahmer 2004-02-27 18:53:45 UTC
BTW, can symlinks be arbitrarily long?
If they can be as long as 2GB then we also need to
check for integer wraps. But they probably don't fit
onto an ISO9660 :)
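To make the bound Sebastian describes in comments 9 and 12 concrete, here is an added illustrative example; it is not the attached patch and not kernel code. Components of a symlink target read from an untrusted image are copied into one page-sized buffer with a check that cannot wrap. PAGE_SIZE, struct sl_component and the function names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PAGE_SIZE 4096u   /* assumed page size; not taken from the bug report */
/* One symlink component as read from the image; len is untrusted input. */
struct sl_component { const char *data; size_t len; };

/* Append one component, returning the new write position or -1 if it does
 * not fit. Comparing len against the remaining room, rather than testing
 * pos + len, means a huge length field cannot wrap the sum to a small value. */
static long append_component(char *page, size_t pos, const struct sl_component *c)
{
    size_t room = PAGE_SIZE - 1 - pos;   /* one byte reserved for the NUL */
    if (c->len > room) return -1;
    memcpy(page + pos, c->data, c->len);
    return (long)(pos + c->len);
}

/* Join components with '/' into page. Returns the target length, or -1
 * if the assembled target would not fit in the page. */
long build_symlink(char *page, const struct sl_component *comps, size_t n)
{
    const struct sl_component sep = { "/", 1 };
    size_t pos = 0;
    for (size_t i = 0; i < n; i++) {
        long r = i ? append_component(page, pos, &sep) : (long)pos;
        if (r >= 0)
            r = append_component(page, (size_t)r, &comps[i]);
        if (r < 0) return -1;
        pos = (size_t)r;
    }
    page[pos] = '\0';
    return (long)pos;
}

/* Constructed samples: a normal target that fits, and a length field of
 * SIZE_MAX that a naive pos + len test would wrap past. */
static char sample_page[PAGE_SIZE];
long demo_fits(void)
{
    const struct sl_component c[] = { {"usr", 3}, {"lib", 3}, {"libc.so", 7} };
    long n = build_symlink(sample_page, c, 3);
    return (n == 15 && strcmp(sample_page, "usr/lib/libc.so") == 0) ? n : -2;
}
long demo_wrap(void)
{
    const struct sl_component c[] = { {"a", SIZE_MAX} };
    return build_symlink(sample_page, c, 1);
}
```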
Comment 13 Sebastian Krahmer 2004-02-27 19:02:56 UTC
Ok. Just tested the patch on a 2.4.22grsec kernel. Worked
fine so far. The iso from the exploit did not cause
anything. CD mounts etc work fine. But this is not
a complete QA. Will test exploit against unpatched kernel now.
Comment 14 Sebastian Krahmer 2004-02-27 19:04:28 UTC
Ok. On a 2.4.18 the exploit causes an oops.
So I guess the patch works.
Comment 15 Thomas Biege 2004-03-01 17:27:06 UTC
comment #11: but if it works, it means a lot. ;) 
Comment 16 Thomas Biege 2004-03-03 17:30:08 UTC
I think we can use Sebastian's patch. 
Comment 17 Hubert Mantel 2004-03-04 00:49:51 UTC
Fixes are in; kernels are waiting to be checked in.
Comment 18 Thomas Biege 2004-03-12 19:26:54 UTC
CRD: Wednesday April 14, 2004 at 1400UTC/900EST 
Comment 19 Thomas Biege 2004-04-14 23:18:15 UTC
packages approved 
Comment 20 Thomas Biege 2009-10-13 20:15:01 UTC
CVE-2004-0109: CVSS v2 Base Score: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)