oss-sec mailing list archives
CVE Request: Linux kernel - Denial of service in notify_change for xattrs.
From: Wade Mealing <wmealing () redhat com>
Date: Thu, 22 Jan 2015 23:05:35 -0500 (EST)
I'd like to request a CVE for an issue brought up on this list on Jan 17th 2015. I did not see one created for this issue titled:

"Re: [RFC PATCH RESEND] vfs: Move security_inode_killpriv() after permission checks"
http://www.openwall.com/lists/oss-security/2015/01/21/3t

This issue can be classified as a denial of service.

Example:

[wmealing]$ ping -c1 www.google.com
PING www.google.com (216.58.220.100) 56(84) bytes of data.
64 bytes from syd10s01-in-f4.1e100.net (216.58.220.100): icmp_seq=1 ttl=51 time=14.1 ms

--- www.google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 14.162/14.162/14.162/0.000 ms

[wmealing]$ chown root:root /usr/bin/ping
chown: changing ownership of ‘/usr/bin/ping’: Operation not permitted

[wmealing]$ ping www.google.com
ping: icmp open socket: Operation not permitted

This can cause a denial of service for applications which use the capabilities subsystem such as piranha (arping), netconsole (arping), some kdump implementations, etc.

Thank you.

Wade Mealing
--
Red Hat Product Security
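An added example, not part of the original message: a baseline check that reports binaries whose file capabilities have disappeared, which is the visible effect in the ping session above. It assumes file capabilities live in the `security.capability` extended attribute; the function names and the sample data are hypothetical.

```python
import errno
import os

XATTR = "security.capability"  # xattr in which Linux stores file capabilities

def read_cap_xattr(path):
    """Return the raw capability xattr of path, or None if it has none."""
    try:
        return os.getxattr(path, XATTR)
    except OSError as exc:
        if exc.errno in (errno.ENODATA, errno.ENOTSUP, errno.ENOENT):
            return None
        raise

def snapshot(paths, reader=read_cap_xattr):
    """Record the capability xattr of every path that currently has one."""
    baseline = {}
    for path in paths:
        value = reader(path)
        if value is not None:
            baseline[path] = value
    return baseline

def diff_caps(baseline, reader=read_cap_xattr):
    """Compare current state with a baseline; report lost or altered xattrs."""
    findings = {}
    for path, old in baseline.items():
        new = reader(path)
        if new is None:
            findings[path] = "stripped"
        elif new != old:
            findings[path] = "changed"
    return findings

if __name__ == "__main__":
    # Constructed stand-in for the filesystem so the demo runs anywhere;
    # the bytes are a made-up placeholder, not a real xattr value.
    fake_fs = {"/usr/bin/ping": b"constructed-xattr-bytes"}
    baseline = snapshot(["/usr/bin/ping", "/usr/bin/ls"], reader=fake_fs.get)
    del fake_fs["/usr/bin/ping"]  # the state the failed chown above leaves behind
    print(diff_caps(baseline, reader=fake_fs.get))
```

On a real system, call `snapshot()` with the default reader over the capability-bearing binaries you depend on, store the result, and run `diff_caps()` against it periodically.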