
Bug#300162: [CAN-2004-1191]: Improper command checking for CDs, allowing local users to conduct unauthorized writes to firmware



Package: kernel-source-2.6.8
Version: 2.6.8-14
Severity: normal
Tags: security patch

Hello,

CAN-2004-1190 reads:

SUSE Linux before 9.1 and SUSE Linux Enterprise Server before 9 do not
properly check commands sent to CD devices that have been opened
read-only, which could allow local users to conduct unauthorized write
activities to modify the firmware of associated SCSI devices. 

The Suse Advisory is here:
http://www.novell.com/linux/security/advisories/2004_42_kernel.html

It unfortunately doesn't provide much detail, so I have been in
contact with the Suse security team to track down what this is, and
how they fixed it.

Apparently there was a patch introduced in 2.6.8 to avoid firmware
overwrites happening with read-only opened /dev/cdrom devices. Some
burner programs opened those devices with O_RDONLY but then started to
burn or blank the CDs, but the more severe problem is that
unprivileged users could destroy the firmware of SCSI related
devices, rendering the devices completely useless.

Although the fix was put into 2.6.8, it was found afterwards that
this was not a complete solution to the security problem, so there
were bug fixes done in later patches. Version 2.6.10 is completely
fixed, but there are some missing patches from 2.6.8 that leave this
unfixed in our 2.6.8, as far as I can determine.

According to the Suse security people, the details in the changelog at
this location show what needs to be patched:

http://linux.bkbits.net:8080/linux-2.6/hist/drivers/block/scsi_ioctl.c

along with the thread on this subject here:

http://groups-beta.google.com/group/linux.kernel/browse_frm/thread/5cfe44b11c8a99c5/ed58b3d4b1cfa39b?q=scsi_ioctl+firmware#ed58b3d4b1cfa39b

Taking these two, I've compared our kernel-source-2.6.8 tree and found
that the following patches should be applied:

http://linux.bkbits.net:8080/linux-2.6/diffs/drivers/block/scsi_ioctl.c@1.57?nav=hist/drivers/block/scsi_ioctl.c
http://linux.bkbits.net:8080/linux-2.6/diffs/drivers/block/scsi_ioctl.c@1.59?nav=hist/drivers/block/scsi_ioctl.c
http://linux.bkbits.net:8080/linux-2.6/diffs/drivers/block/scsi_ioctl.c@1.60?nav=hist/drivers/block/scsi_ioctl.c
http://linux.bkbits.net:8080/linux-2.6/diffs/drivers/block/scsi_ioctl.c@1.61?nav=hist/drivers/block/scsi_ioctl.c

I should note that I do not fully understand this issue, I simply have
done the legwork to determine that these patches have not been applied
to kernel-source-2.6.8 and that according to Suse, the last relevant
patch for this issue is the 1.61 revision patch (the last one in the
list of four above). 

N.B.: There is one changeset on the bkbits.net site from 10 weeks ago that has the
changelog entry, "fix exploitable hole" -- according to Suse, this is
misleading and incorrect (and is not included in the patches above).

Micah


-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (300, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.10-1-k7
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages kernel-source-2.6.8 depends on:
ii  binutils                      2.15-5     The GNU assembler, linker and bina
ii  bzip2                         1.0.2-5    high-quality block-sorting file co
ii  coreutils [fileutils]         5.2.1-2    The GNU core utilities
ii  fileutils                     5.2.1-2    The GNU file management utilities 

-- no debconf information
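The filtering the Suse fix implies is an allowlist of SCSI opcodes gated on how the device file was opened. The C program below is an added illustration of that policy, not the kernel's scsi_ioctl.c or any of the patches linked above; the opcode values are the standard SCSI ones, while the read-safe/write-safe categories and the privileged bypass (modeled on CAP_SYS_RAWIO) are assumptions.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example: user-space model of a per-opcode SCSI command filter keyed on
 * open mode; the categories are assumptions, not a copy of the kernel's table. */
#define CMD_READ_SAFE  0x01   /* harmless on a read-only fd */
#define CMD_WRITE_SAFE 0x02   /* acceptable only on an fd opened for writing */

/* Standard SCSI/MMC opcode values (SCSI spec, as in linux/scsi.h). */
#define READ_10         0x28
#define WRITE_10        0x2a
#define WRITE_BUFFER    0x3b   /* the opcode used for firmware download */
#define GPCMD_BLANK     0xa1   /* blank a CD-RW */
#define GPCMD_READ_CD   0xbe

static const uint8_t cmd_type[256] = {
    [READ_10]       = CMD_READ_SAFE,
    [GPCMD_READ_CD] = CMD_READ_SAFE,
    [WRITE_10]      = CMD_WRITE_SAFE,
    [GPCMD_BLANK]   = CMD_WRITE_SAFE,
    /* WRITE_BUFFER is deliberately untagged: an unprivileged caller never
     * gets to rewrite firmware, whatever mode the device was opened with. */
};

/* Returns 0 if the command may be passed to the device, -EPERM otherwise.
 * opened_for_write: fd has write access (not O_RDONLY).
 * rawio: caller is privileged (modeled on CAP_SYS_RAWIO), the only bypass. */
int verify_command(bool opened_for_write, bool rawio, uint8_t opcode)
{
    uint8_t type = cmd_type[opcode];
    if (type & CMD_READ_SAFE)
        return 0;                 /* safe in any open mode */
    if ((type & CMD_WRITE_SAFE) && opened_for_write)
        return 0;                 /* write command on a writable fd */
    if (rawio)
        return 0;                 /* privileged callers are trusted */
    return -EPERM;                /* an unfiltered kernel would pass this through */
}

int main(void)
{
    int rc = verify_command(false, false, WRITE_BUFFER);   /* the report's scenario */
    printf("WRITE_BUFFER on O_RDONLY fd: %s\n", rc == -EPERM ? "refused" : "passed");
    return 0;
}
```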