Bug 475618 (CVE-2013-1059) - Kernel : Ceph NULL Pointer Dereference Denial of Service Vulnerability (CVE-2013-1059)
Status: RESOLVED FIXED
Alias: CVE-2013-1059
Product: Gentoo Security
Classification: Unclassified
Component: Kernel
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://secunia.com/advisories/54042/
Whiteboard: A3 [noglsa]
Duplicates: 476446
 
Reported: 2013-07-03 11:41 UTC by Agostino Sarubbo
Modified: 2016-06-30 10:28 UTC

Description Agostino Sarubbo gentoo-dev 2013-07-03 11:41:26 UTC
From ${URL} :

Description

A vulnerability has been reported in Linux Kernel, which can be exploited by malicious people to 
cause a DoS (Denial of Service).

The vulnerability is caused due to a NULL pointer dereference error in Ceph when handling 
"auth_reply" messages. This can be exploited to crash the kernel by a specially crafted Ceph 
message.

Successful exploitation requires that the kernel is built and configured with Ceph.

The vulnerability is reported in versions 3.9.8 and 3.10. Other versions may also be affected.


Solution:
No official solution is currently available.
Comment 1 Agostino Sarubbo gentoo-dev 2013-07-10 19:24:26 UTC
*** Bug 476446 has been marked as a duplicate of this bug. ***
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2013-08-29 22:45:36 UTC
CVE-2013-1059 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1059):
  net/ceph/auth_none.c in the Linux kernel through 3.10 allows remote
  attackers to cause a denial of service (NULL pointer dereference and system
  crash) or possibly have unspecified other impact via an auth_reply message
  that triggers an attempted build_request operation.
Comment 3 Sergey Popov gentoo-dev 2013-08-30 09:13:54 UTC
According to CVE vulnerable versions are <3.9.10 and <3.10.1

@kernel team: please check and report
Comment 4 Tom Wijsman (TomWij) (RETIRED) gentoo-dev 2013-08-30 14:16:32 UTC
(In reply to Sergey Popov from comment #3)
> According to CVE vulnerable versions are <3.9.10 and <3.10.1

Fix introduced in 3.0.86 as 314d3e7c43ea9125ef257dad74f494c0c82b7fe3.
Fix introduced in 3.2.49 as 88a4055704b39e5c67c9cbc837cc15ec6a6d8671.
Fix introduced in 3.4.53 as a0d7384148e8e828f71f46ab10698daca41e64d8.
Fix introduced in 3.9.10 as fa074f3906ba77bc79d3b519e4a4b8ae08b98ea1.
Fix introduced in 3.10.1 as b96e7dacf24315a84f71ba0f15a603ba5f82b010.

> @kernel team: please check and report

Only vulnerable version in tree is v3.8.13.

Will decide soon with lead whether to backport (applies clean) or mask it.
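
Added example, not part of the bug thread or of any Gentoo tooling: a small POSIX shell check that classifies a kernel release string against the fixed releases listed in comment 4. The function name and the status words are assumptions made for this example; "vulnerable" and "after-cve-range" rely on the CVE text's "through 3.10" range.

```shell
#!/bin/sh
# First fixed patchlevel per stable branch, copied from comment 4.
FIXED="3.0:86 3.2:49 3.4:53 3.9:10 3.10:1"

# cve_2013_1059_status RELEASE  (RELEASE as printed by `uname -r`)
# Prints one of: fixed vulnerable no-fix-listed after-cve-range unparsable
cve_2013_1059_status() {
    ver=${1%%-*}                       # drop suffixes such as "-gentoo"
    case $ver in
        ''|*[!0-9.]*|.*|*.|*..*) echo unparsable; return 0 ;;
        *.*) ;;                        # at least major.minor
        *) echo unparsable; return 0 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case $rest in
        *.*) rest=${rest#*.}; patch=${rest%%.*} ;;
        *)   patch=0 ;;                # "3.10" means patchlevel 0
    esac

    # The CVE text covers kernels "through 3.10"; later branches are
    # outside that range.
    if [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -gt 10 ]; }; then
        echo after-cve-range; return 0
    fi

    for entry in $FIXED; do
        branch=${entry%%:*}
        first_fixed=${entry##*:}
        if [ "$major.$minor" = "$branch" ]; then
            if [ "$patch" -ge "$first_fixed" ]; then
                echo fixed
            else
                echo vulnerable
            fi
            return 0
        fi
    done
    # In range, but the thread names no fixed release for this branch
    # (3.8.13 was masked rather than patched).
    echo no-fix-listed
}

# Check the given release, or the running kernel when none is given.
cve_2013_1059_status "${1:-$(uname -r)}"
```

A result of no-fix-listed means the branch has to be handled by upgrading to a listed release, as the thread does for 3.8.13.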
Comment 5 Tom Wijsman (TomWij) (RETIRED) gentoo-dev 2013-08-31 19:50:38 UTC
(In reply to Tom Wijsman (TomWij) from comment #4)
> Will decide soon with lead whether to backport (applies clean) or mask it.

We have decided to mask it to encourage users to upgrade to a more secure and stable release; 3.8.13 will then be removed from the Portage tree after 3.11 enters the Portage tree, giving people a reasonable amount of time to upgrade.

Two questions:

1. Does this affect hardened-sources or is it not a problem there because they have patches for this in place? I see they have affected 3.9 versions.

2. What do we do about stabilized vulnerable package versions like =sys-kernel/tuxonice-sources-3.8.13? Do these fall outside security even when stable?
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2016-06-30 10:28:59 UTC
No 3.8.13 kernels are in the tree.  Cleanup complete.