CVE-2015-1420: Race Condition
First published: Fri Jan 30 2015(Updated: )
A specially crafted user space application may exploit a bug in handle_to_path to copy additional data to a target application. This defect is caused by the kernel incorrectly assuming that the arguments provided do not change. This is problematic since the kernel does size verifications only after the first read, so if the number of extra bytes changes in userspace between the first and second calls, we'll have an incoherent view of file_handle. The fix is to read the size once, and copy that over to the final structure referencing it from that point rather than the value from the application which may change. The patch is not yet present in official kernel tree: <a href="http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/log/fs/fhandle.c">http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/log/fs/fhandle.c</a> Proposed Patch: <a href="http://marc.info/?l=linux-kernel&m=142247707318982&w=2">http://marc.info/?l=linux-kernel&m=142247707318982&w=2</a>
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Debian Debian Linux | =7.0 | |
| Linux Linux kernel | <=3.18.9 | |
| debian/linux | 5.10.223-1 5.10.226-1 6.1.115-1 6.1.119-1 6.11.10-1 6.12.5-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00023.html
- http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00011.html
- http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00004.html
- http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00018.html
- http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00021.html
- http://marc.info/?l=linux-kernel&m=142247707318982&w=2
- http://www.debian.org/security/2015/dsa-3170
- http://www.openwall.com/lists/oss-security/2015/01/29/12
- http://www.securityfocus.com/bid/72357
- http://www.ubuntu.com/usn/USN-2660-1
- http://www.ubuntu.com/usn/USN-2661-1
- http://www.ubuntu.com/usn/USN-2665-1
- http://www.ubuntu.com/usn/USN-2667-1
- https://bugzilla.redhat.com/show_bug.cgi?id=1187534
- http://marc.info/?l=linux-kernel&m=142247707318982&w=2
- https://launchpad.net/bugs/cve/CVE-2015-1420
- http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/log/fs/fhandle.c
- https://access.redhat.com/support/policy/updates/errata/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1227417
- https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=161f873b89136eb1e69477c847d5a5033239d9ba
- https://security-tracker.debian.org/tracker/CVE-2015-1420
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1420
- https://nvd.nist.gov/vuln/detail/CVE-2015-1420
- https://ubuntu.com/security/CVE-2015-1420
- collector/nvd-index
- agent/type
- agent/remedy
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2015-1420
- agent/author
- agent/severity
- agent/weakness
- collector/mitre-cve
- source/MITRE
- collector/usn-cve
- source/Ubuntu
- agent/references
- agent/tags
- agent/description
- agent/last-modified-date
- agent/event
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- agent/trending
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/7.0
- vendor/linux
- canonical/linux linux kernel
- version/linux linux kernel/3.18.9
- package-manager/debian