First published: Fri Jan 30 2015
A specially crafted user space application may exploit a bug in handle_to_path to copy additional data to a target application. The defect is caused by the kernel incorrectly assuming that the arguments it is given do not change: it verifies the size only after the first read, so if the number of extra bytes is changed in userspace between the first and second copy, the kernel ends up with an incoherent view of the file_handle. The fix is to read the size once and copy it into the final structure, referencing that saved value from then on rather than the application-supplied value, which may change. The patch is not yet present in the official kernel tree: <a href="http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/log/fs/fhandle.c">http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/log/fs/fhandle.c</a> Proposed patch: <a href="http://marc.info/?l=linux-kernel&m=142247707318982&w=2">http://marc.info/?l=linux-kernel&m=142247707318982&w=2</a>
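To make the double fetch concrete, here is an added userspace simulation of the pattern described above (not the kernel's code, nor part of this advisory): `fetch()` and `race_hook` are hypothetical stand-ins for copy_from_user() and a racing writer, and the `fixed` branch mirrors the proposed change of keeping the header from the first read and copying only the payload afterwards.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_HANDLE_SZ 128               /* the bound the kernel enforces */
struct file_handle {                    /* same layout as the kernel's */
    uint32_t handle_bytes;
    int handle_type;
    unsigned char f_handle[];
};
/* Hypothetical harness: fetch() stands in for copy_from_user(), and race_hook
 * models another thread rewriting the header between the two fetches. */
static void (*race_hook)(struct file_handle *ufh);
static void fetch(void *dst, const void *src, size_t n) { memcpy(dst, src, n); }

/* Returns the handle_bytes the decoder would trust (-1 if the header fails
 * validation) and reports how many payload bytes were actually allocated. */
static int handle_to_path_sim(struct file_handle *ufh, size_t *alloc, int fixed) {
    struct file_handle hdr;
    fetch(&hdr, ufh, sizeof hdr);                             /* first fetch */
    if (hdr.handle_bytes == 0 || hdr.handle_bytes > MAX_HANDLE_SZ) return -1;
    *alloc = hdr.handle_bytes;
    struct file_handle *h = malloc(sizeof *h + *alloc);
    if (race_hook) race_hook(ufh);                            /* race window */
    if (!fixed) {
        /* original code: re-reads the header, so handle_bytes becomes whatever
         * userspace holds now rather than the value that was just validated */
        fetch(h, ufh, sizeof *h + *alloc);
    } else {
        *h = hdr;                          /* header kept from the first fetch */
        fetch(h->f_handle, ufh->f_handle, *alloc);         /* payload only */
    }
    int used = (int)h->handle_bytes;
    free(h);
    return used;
}
/* Racing writer: bumps the claimed size well past what was allocated. */
static void grow_header(struct file_handle *u) { u->handle_bytes = 4 * MAX_HANDLE_SZ; }

/* 1 if, with the racing writer active, the size the decoder would trust
 * exceeds the allocation: the incoherent view the advisory describes. */
static int shows_mismatch(int fixed) {
    /* constructed user buffer: header claims 16 bytes, payload sized to max */
    struct file_handle *u = calloc(1, sizeof *u + MAX_HANDLE_SZ);
    u->handle_bytes = 16; u->handle_type = 1;
    size_t alloc = 0;
    race_hook = grow_header;
    int used = handle_to_path_sim(u, &alloc, fixed);
    race_hook = NULL; free(u);
    return used > (int)alloc;
}
```

With the racing writer active, `shows_mismatch(0)` reports a size larger than the allocation while `shows_mismatch(1)` does not, which is exactly the property the fix restores.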
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Debian | =7.0 | |
Linux kernel | <=3.18.9 | |
debian/linux | 5.10.223-1, 5.10.234-1, 6.1.123-1, 6.1.128-1, 6.12.12-1, 6.12.17-1 | |
CVE-2015-1420 has been classified with a high severity due to potential data leakage and application manipulation.
To fix CVE-2015-1420, upgrade to the patched versions of the Linux kernel as specified in the advisory.
CVE-2015-1420 affects several versions of the Linux kernel, specifically versions up to and including 3.18.9 and the Debian kernel packages listed above.
CVE-2015-1420 is triggered by a local user space application, so it cannot be exploited remotely on its own; it becomes reachable once an attacker has already obtained local access.
The potential impacts of CVE-2015-1420 include unintended data copying, leading to information disclosure and application errors.