Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 475618 (CVE-2013-1059) - Kernel : Ceph NULL Pointer Dereference Denial of Service Vulnerability (CVE-2013-1059)
Summary: Kernel : Ceph NULL Pointer Dereference Denial of Service Vulnerability (CVE-2...
Status: RESOLVED FIXED
Alias: CVE-2013-1059
Product: Gentoo Security
Classification: Unclassified
Component: Kernel (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://secunia.com/advisories/54042/
Whiteboard: A3 [noglsa]
Keywords:
: 476446 (view as bug list)
Depends on:
Blocks:
 
Reported: 2013-07-03 11:41 UTC by Agostino Sarubbo
Modified: 2016-06-30 10:28 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-07-03 11:41:26 UTC
From ${URL} :

Description

A vulnerability has been reported in Linux Kernel, which can be exploited by malicious people to 
cause a DoS (Denial of Service).

The vulnerability is caused due to a NULL pointer dereference error in Ceph when handling 
"auth_reply" messages. This can be exploited to crash the kernel by a specially crafted Ceph 
message.

Successful exploitation requires that the kernel is built and configured with Ceph.

The vulnerability is reported in versions 3.9.8 and 3.10. Other versions may also be affected.


Solution:
No official solution is currently available.
Comment 1 Agostino Sarubbo gentoo-dev 2013-07-10 19:24:26 UTC
*** Bug 476446 has been marked as a duplicate of this bug. ***
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2013-08-29 22:45:36 UTC
CVE-2013-1059 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1059):
  net/ceph/auth_none.c in the Linux kernel through 3.10 allows remote
  attackers to cause a denial of service (NULL pointer dereference and system
  crash) or possibly have unspecified other impact via an auth_reply message
  that triggers an attempted build_request operation.
Comment 3 Sergey Popov gentoo-dev Security 2013-08-30 09:13:54 UTC
According to CVE vulnerable versions are <3.9.10 and <3.10.1

@kernel team: please check and report
Comment 4 Tom Wijsman (TomWij) (RETIRED) gentoo-dev 2013-08-30 14:16:32 UTC
(In reply to Sergey Popov from comment #3)
> According to CVE vulnerable versions are <3.9.10 and <3.10.1

Fix introduced in 3.0.86 as 314d3e7c43ea9125ef257dad74f494c0c82b7fe3.
Fix introduced in 3.2.49 as 88a4055704b39e5c67c9cbc837cc15ec6a6d8671.
Fix introduced in 3.4.53 as a0d7384148e8e828f71f46ab10698daca41e64d8.
Fix introduced in 3.9.10 as fa074f3906ba77bc79d3b519e4a4b8ae08b98ea1.
Fix introduced in 3.10.1 as b96e7dacf24315a84f71ba0f15a603ba5f82b010.

> @kernel team: please check and report

Only vulnerable version in tree is v3.8.13.

Will decide soon with lead whether to backport (applies clean) or mask it.
Comment 5 Tom Wijsman (TomWij) (RETIRED) gentoo-dev 2013-08-31 19:50:38 UTC
(In reply to Tom Wijsman (TomWij) from comment #4)
> Will decide soon with lead whether to backport (applies clean) or mask it.

We have to decided to mask it to encourage users to upgrade to a more secure and stable release; 3.8.13 will then be removed from the Portage tree after 3.11 enters the Portage tree, giving people a reasonable amount of time to upgrade.

Two questions:

1. Does this affect hardened-sources or is it not a problem there because they have patches or this in place? I see they have affected 3.9 versions.

2. What do we do about stabilized vulnerable package versions like =sys-kernel/tuxonice-sources-3.8.13? Do these fall outside security even when stable?
Comment 6 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-06-30 10:28:59 UTC
No 3.8.13 kernels are in the tree.  Cleanup complete.