oss-sec mailing list archives

Re: CVE requests: kernel: hfsplus-related bugs


From: "Eugene Teo" <eugeneteo () kernel sg>
Date: Mon, 10 Nov 2008 23:34:53 +0800

Hi Steve,

On Mon, Nov 10, 2008 at 10:47 PM, Steven M. Christey
<coley () linus mitre org> wrote:

> On Mon, 10 Nov 2008, Eugene Teo wrote:
>
>> 1) hfsplus: fix Buffer overflow with a corrupted image
>> Upstream commit: efc7ffcb4237f8cb9938909041c4ed38f6e1bf40
>> ...
>> There's an equivalent bug for hfs. The upstream commit is d38b7aa. We
>> will need a CVE name for this too.
>
> Use CVE-2008-5025
>
> Is the bug exactly equivalent?  Could you be more specific about existing
> references?  "d38b7aa" doesn't look like a typical commit ID so the CVE is
> currently marked as reserved.

Both patches validate the catalog name length.

The following is the description of the hfs bug:
"Fix a stack corruption caused by a corrupted hfs filesystem.  If the
catalog name length is corrupted the memcpy overwrites the catalog
btree structure.  Since the field is limited to HFS_NAMELEN bytes in
the structure and the file format, we throw an error if it is too
long."

It is possible to use a 7-hexdigit prefix instead of the usual 40-hexdigit
SHA1 hash to refer to the commit ID.

Thanks, Eugene
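The check the quoted description refers to, as an added illustration written for this page (not the kernel's hfs patch): the length byte read from the image is validated against HFS_NAMELEN before the memcpy, so a constructed record with an oversized length is rejected with -EIO instead of overwriting the structure that follows the name buffer. The struct layout, the sentinel field and the helper names are assumptions; HFS_NAMELEN is the kernel's value of 31.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* On-disk HFS names are Pascal strings: one length byte followed by up to
 * HFS_NAMELEN bytes of name. 31 is the value in the kernel's fs/hfs/hfs.h. */
#define HFS_NAMELEN 31

/* Hypothetical in-memory record: the fixed-size name buffer sits directly
 * before state the caller relies on, standing in for the catalog btree
 * structure that the unchecked memcpy in the original bug overwrote. */
struct cat_entry {
    uint8_t  name[HFS_NAMELEN];
    uint32_t sentinel;            /* must survive the copy unchanged */
};

/* Hardened copy: the length comes from an untrusted image, so it is checked
 * against both the structural limit and the bytes actually available before
 * anything is copied. Returns 0 on success, -EIO on a corrupted record, and
 * never touches `out` on error. */
static int copy_cat_name(struct cat_entry *out, const uint8_t *disk, size_t disk_len)
{
    if (disk_len < 1)
        return -EIO;
    uint8_t len = disk[0];
    if (len > HFS_NAMELEN || (size_t)len + 1 > disk_len)
        return -EIO;                              /* "catalog name length corrupted" */
    memset(out->name, 0, sizeof(out->name));
    memcpy(out->name, disk + 1, len);
    return 0;
}

/* Builds a constructed 256-byte record whose length byte claims `claimed_len`
 * and whose payload is all 'A'. Returns the copy result (0 or -EIO) if the
 * sentinel survived, or -1000 if the copy clobbered it. */
int check_record(uint8_t claimed_len)
{
    uint8_t disk[256];
    disk[0] = claimed_len;
    memset(disk + 1, 'A', sizeof(disk) - 1);

    struct cat_entry e;
    e.sentinel = 0xDEADBEEFu;
    int rc = copy_cat_name(&e, disk, sizeof(disk));
    return e.sentinel == 0xDEADBEEFu ? rc : -1000;
}
```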
