On Mon, Oct 26, 2009 at 07:37:38PM +0100, Ansgar Wiechers wrote:
> On 2009-10-24 Derek Martin wrote:
> > 1. It circumvents the fact that to write to a file, you MUST be able
> > to write to its directory, so that the file attributes can be updated.
>
> Wrong, because the file's attributes aren't stored in the directory, but
> in the respective inode.
Ah, sorry, you're right, but if (as in the example) the user has no
permissions on the directory, he normally won't be able to write to
function. (CVE-2009-3638)
The nfs4_proc_lock function in fs/nfs/nfs4proc.c in the NFSv4 client in
the Linux kernel before 2.6.31-rc4 allows remote NFS servers to cause
a denial of service (NULL pointer dereference and panic) by sending a
certain response containing incorrect file attributes, which trigger
attempted use of an open file that lacks NFSv4 state. (CVE-2009-3726)
The ip_frag_reasm function in ipv4/ip_fragment.c in Linux kernel
2.6.32-rc8, and possibly earlier versions, calls IP_INC_STATS_BH with
an incorrect argument, which allows remote attackers to cause a denial
binary. (CVE-2009-2768)
The nfs4_proc_lock function in fs/nfs/nfs4proc.c in the NFSv4 client
in the Linux kernel allows remote NFS servers to cause a denial of
service (NULL pointer dereference and panic) by sending a certain
response containing incorrect file attributes, which trigger attempted
use of an open file that lacks NFSv4 state. (CVE-2009-3726)
The UDP implementation in (1) net/ipv4/udp.c and (2) net/ipv6/udp.c
in the Linux kernel allows local users to gain privileges or cause
a denial of service (NULL pointer dereference and system crash) via
On 2009-10-24 Derek Martin wrote:
> 1. It circumvents the fact that to write to a file, you MUST be able
> to write to its directory, so that the file attributes can be updated.
Wrong, because the file's attributes aren't stored in the directory, but
in the respective inode.
Regards
Ansgar Wiechers
--
|| I don't think what Pavel described is a very serious hole, but it *IS*
|| a hole, because:
||
|| 1. It circumvents the fact that to write to a file, you MUST be able
|| to write to its directory, so that the file attributes can be updated.
|| That's an important part of accountability.
As already remarked, this is not true. Write access to the directory is
necessary for creating and deleting the file (which changes the contents
of the directory), but not for writing to the file.
function. (CVE-2009-3638)
The nfs4_proc_lock function in fs/nfs/nfs4proc.c in the NFSv4 client in
the Linux kernel before 2.6.31-rc4 allows remote NFS servers to cause
a denial of service (NULL pointer dereference and panic) by sending a
certain response containing incorrect file attributes, which trigger
attempted use of an open file that lacks NFSv4 state. (CVE-2009-3726)
Additionally, it includes the fixes from the stable kernel version
2.6.27.39. It also fixes issues with the bnx2 module in which the
machine could become unresponsive. For details, see the package
Netware:
'file:/SYS:/tomcat/4/email.xsl': (1): mismatched end tag: expected
"subject" but got "SCRIPT"
#3 - File Attribute Malformed Input Server DoS
When interacting with files, a user can right-click on the file and click
either 'NFS Info' or 'Netware Info'. Supplying script code into various fields
will cause the Netware server to abend and lock up.