SuSE just released the following. 1) problem description, brief discussion: Various signedness issues and integer overflows have been fixed within kNFSd and the XDR decode functions of kernel 2.6. These bugs can be triggered remotely by sending a package with a trusted source IP address and a write request with a size greater than 2^31. The result will be a kernel Oops; it is unknown if this bug is otherwise exploitable yet. Kernel 2.4 nfsd code is different but may suffer from the same vulnerability. Additionally, a local denial-of-service condition via /dev/ptmx, which affects kernel 2.6 only, has been fixed. Thanks to Jan Engelhardt for reporting this issue to us.
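As an added illustration of the signedness bug the advisory describes (a constructed model written for this page, not the kernel's nfsd/XDR decoder and not code from the attached patches): the length check done with a signed int accepts a declared write length of 2^31 or more because the value wraps negative, while the unsigned form rejects it before any rounding can overflow.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Minimal model of an XDR-encoded NFS write request: a big-endian 32-bit
 * data length followed by the data bytes, padded to a 4-byte boundary.
 * Constructed for illustration only; the kernel's decoder differs. */
typedef struct {
    const unsigned char *buf;
    size_t total;   /* bytes actually present in the request */
    size_t pos;     /* offset of the length field */
} xdr_req;

/* Read one big-endian XDR unsigned int. */
static uint32_t xdr_get_u32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Vulnerable pattern: the wire length lands in a signed int. A value of
 * 2^31 or more becomes negative, so "len > remaining" never rejects it and
 * a caller that trusts this result reads far past the request buffer. */
bool write_len_ok_signed(const xdr_req *r) {
    if (r->pos + 4 > r->total) return false;
    int len = (int)xdr_get_u32(r->buf + r->pos);   /* sign bug */
    int remaining = (int)(r->total - r->pos - 4);
    int padded = (len + 3) & ~3;                   /* also overflow-prone near INT_MAX */
    return padded <= remaining;                    /* negative padded always passes */
}

/* Hardened pattern: keep the length unsigned, bound it against the bytes
 * actually present before rounding, and only then round to 4-byte quads. */
bool write_len_ok_unsigned(const xdr_req *r) {
    if (r->pos > r->total || r->total - r->pos < 4) return false;
    uint32_t len = xdr_get_u32(r->buf + r->pos);
    size_t remaining = r->total - r->pos - 4;
    if (len > remaining) return false;             /* rejects >= 2^31 outright */
    size_t padded = ((size_t)len + 3) & ~(size_t)3; /* safe: len <= remaining */
    return padded <= remaining;
}

/* Constructed sample requests: (a) declared length 0x80000010 with only four
 * data bytes behind it, (b) a well-formed request declaring four bytes. */
static const unsigned char sample_oversize[] = {0x80, 0x00, 0x00, 0x10, 'd', 'a', 't', 'a'};
static const unsigned char sample_valid[]    = {0x00, 0x00, 0x00, 0x04, 'd', 'a', 't', 'a'};

bool check_request(const unsigned char *buf, size_t n, bool hardened) {
    xdr_req r = { buf, n, 0 };
    return hardened ? write_len_ok_unsigned(&r) : write_len_ok_signed(&r);
}
```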
Reply to the SuSE announcement on bugtraq from Paul Starzetz <paul starzetz de> http://www.securityfocus.com/archive/1/373887 : The iSEC people have read the nfsd code from 2.4 and it seems to be vulnerable too, however only authenticated clients could reach the problematic places at all. Having a writeable NFS share is probably a bad idea anyway...
Created attachment 39082 [details, diff] 2.4 NFS Patch
Created attachment 39083 [details, diff] 2.6 /dev/ptmx Patch
Created attachment 39084 [details, diff] 2.6 /dev/ptmx Patch
Greg, can you have a look upstream regarding this XDR issue for 2.6 - I can't confirm whether it is affected or not, and does this need fixing upstream? Or was this XDR issue fixed by the recent signed->unsigned transitions?
I'm pretty sure this is already fixed in the latest 2.6.8.1 kernel release, right?
Well, there don't seem to be any changes suggesting that - looking through SuSE's patches, it seems that they are patching a backported NFS rather than the one present by 2.6.5... Hence the dilemma of whether the upstream source is vulnerable.
Moving to newly-created kernel-specific category
Ok, all patched. The following are externally maintained, so I'm CCing the relevant maintainers. Patches are attached on this bug. grsec-sources -- Adding solar. hardened-dev-sources -- Adding Gentoo/Hardened team. hardened-sources -- Adding scox. hppa(-dev)-sources -- Adding GMSoft. mips-sources -- Adding `Kumba. openmosix-sources -- Adding cluster herd. rsbac(-dev)-sources -- Adding kang. selinux-sources -- Adding pebenito. sparc-sources -- Adding Joker.
Is there a CAN- number for this one yet?
patches clean.. Sending linux-2.4.27-nfs3-xdr.patch.bz2 to the mirrors so others can grab it via SRC_URI so we don't end up with a lot of kernels with {FILESDIR}/same-patch-as-all-other-2.4.kernels
grsec-sources patched. Old ebuilds removed. All arches assumed stable. Removing myself from CC:
openmosix-sources patched.
Fixed in sparc-sources-2.4.27-r2
selinux-sources p.mask'ed as it will be removed soon
mips-sources updated.
- hardened-dev-sources updated - rsbac-dev-sources updated
hppa-(dev-)sources done.
hardened-sources bumped to 2.4.28
rsbac-sources bumped to 2.4.28
All kernels fixed, closing bug; notifications are being migrated away from GLSAs for kernels, more news coming soon so stay tuned :-]
http://git.kernel.org/?p=linux/kernel/git/tglx/history.git;a=commit;h=8cc423214cd76091611f167b3f2695295b814186