vsecurity 0.2-cvs (security fix revision)

From: Lorenzo Hernández García-Hierro
Date: Mon Mar 21 2005 - 05:45:59 EST

Next message: Raphael Jacquot: "Re: Why is NFS write so slow?"
Previous message: Pavel Machek: "Re: swsusp smp problems... [was Re: swsusp: Remove arch-specific references from generic code]"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

A week ago, some buffer overflow conditions inside the ACL handling code
of vsecurity were fixed, more concretely in the *_read_file functions
used within the vsecfs (sysfs) code to read ACL parameters.

I apologize for the inconveniences of being away for a week and not
announcing it before.

These buffer overflow conditions were noticed at first time by Brad
Spengler and more later by Nguyen Anh Quynh (who contributed many TPE
related enhancements to the under-development 0.3 revision).

Subsequently, the TPE code at issue, based in the first work made by IBM
and more concretely, by Niki Rahimi, is also vulnerable, and if the user
base makes it worthy, it should be fixed ASAP.

No proof of concept code is available, at least in the public eye or
under my knowledge, nor I have intention to prepare any as it's already
fixed.

The changes can be found in the CVS, also it's worthy to say that
currently vsecurity is not prepared for the new API changes since
2.6.10, and this is on-going work for the 0.3 release (among many other
enhancements and changes).

http://cvs.tuxedo-es.org/cgi-bin/viewcvs.cgi/vsecurity/

Thanks for your attention,
Cheers.
--
Lorenzo Hernández García-Hierro <lorenzo@xxxxxxx>
[1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-es.org]

Attachment: signature.asc
Description: This is a digitally signed message part

Next message: Raphael Jacquot: "Re: Why is NFS write so slow?"
Previous message: Pavel Machek: "Re: swsusp smp problems... [was Re: swsusp: Remove arch-specific references from generic code]"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]