where the kernel might dereference a NULL pointer.
III. Impact
Successful exploitation of the race condition can lead to local kernel
privilege escalation, kernel data corruption and/or crash.
To exploit this vulnerability, an attacker must be able to run code with user
privileges on the target system.
IV. Workaround
=============================================================================
FreeBSD-SA-10:07.mbuf Security Advisory
The FreeBSD Project
Topic: Lost mbuf flag resulting in data corruption
Category: core
Module: kern
Announced: 2010-07-13
Credits: Ming Fu
I think you mistake my posting. I did not want to say that this issue is a (real) *security* vulnerability but I definitely would call it a DoS bug.
> DoS is not software crash, DoS is Denial of Service. It means,
> security impact of DoS vulnerability should be preventing (blocking)
> access of legitimate user to some data or service (via data
> corruption, service malfunction, etc).
It seems we have a different understanding of the term "Denial Of Service". In my opinion your explanation exactly matches this issue. As you said, DoS is the attempt to make a (computer) resource unavailable to its user via data corruption, etc. Here Winamp is the computer resource and the M3U file is the corrupted data. Sure, the user can easily recover from this "DoS" by restarting the audio player, and, to be exact, the M3U file is not a great example of corrupted data, but I would still call this issue a DoS bug.
How would you name it? "Winamp 5.35 (Infinite) M3U File Inclusion Stack Overflow Exception"?
locate the message to send to the client; it may resend a previously
generated response, send some other arbitrary chunk of process memory,
perhaps including secret key data, or crash the process by attempting
to access an invalid address. If the process doesn't crash, random
addresses will be passed to free(), likely corrupting the free pool,
and potentially leading to later crashes, data corruption, jumps to
arbitrary locations in process memory, etc.
The KDC normally runs without write access to its database, so it is
not likely to corrupt the database, except insofar as arbitrary code
execution could theoretically corrupt anything the process has access
Status: Critical
Critical - this update fixes a potential security threat, a possible
data corruption, calculation, search set, or other function that may
lead to inaccurate results. The update should be applied at the earliest
possible time as it may affect a large number of users.
Recommended - this update fixes non-critical issues that may impede
general usage and require undesirable work-arounds affecting a limited
corruption, and other unpredictable results.
III. Impact
Successful exploitation of the race condition can lead to local kernel
privilege escalation, kernel data corruption and/or crash.
To exploit this vulnerability, an attacker must be able to run code on
the target system.
IV. Workaround
| | cdr_addon_mysql could escape out of a SQL data field and |
| | create another query. This vulnerability is made all the |
| | more severe if a user were using realtime data, since |
| | the data may exist in the same database as the inserted |
| | call detail record, thus creating all sorts of possible |
| | data corruption and invalidation issues. |
+------------------------------------------------------------------------+
| Resolution | The Asterisk-addons package is not distributed with |
| | Asterisk, nor is it installed by default. The module may |
real bug was not in asn1_get_length_der() even if that is the function we
patch[ed]. The callers of that function that did not check that the return
values are sane were buggy. However, instead of fixing all callers, ... we
went for the simpler solution to let the function return an error for a
situation that is unlikely to occur without malicious interaction or data
corruption."
The asn1_der_decoding function shown above is now safe, because
asn1_get_length_der was updated to "[return] -4 when the decoded length value
plus @len would exceed @der_len," so asn1_der_decoding returns ASN1_DER_ERROR
before it can call _asn1_set_value to trigger the segmentation fault.