
Bug#300162: marked as done ([CAN-2004-1190]: Improper command checking for CDs, allowing local users to conduct unauthorized writes to firmware)



Your message dated Wed, 23 Mar 2005 15:47:59 +0900
with message-id <20050323064756.GB32642@verge.net.au>
and subject line Bug#300162: [CAN-2004-1191]: Improper command checking for CDs, allowing local users to conduct unauthorized writes to firmware
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 18 Mar 2005 04:21:27 +0000
>From micah@riseup.net Thu Mar 17 20:21:27 2005
Return-path: <micah@riseup.net>
Received: from mail.riseup.net [69.90.134.155] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1DC8zG-0000wd-00; Thu, 17 Mar 2005 20:21:26 -0800
Received: from localhost (localhost [127.0.0.1])
	by mail.riseup.net (Postfix) with ESMTP id 86F3CA2CC6
	for <submit@bugs.debian.org>; Thu, 17 Mar 2005 20:21:20 -0800 (PST)
Received: from mail.riseup.net ([127.0.0.1])
	by localhost (buffy [127.0.0.1]) (amavisd-new, port 10024) with ESMTP
	id 15703-36 for <submit@bugs.debian.org>;
	Thu, 17 Mar 2005 20:21:19 -0800 (PST)
Received: from localhost (localhost [127.0.0.1])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mail.riseup.net (Postfix) with ESMTP id 85F0AA2BB4
	for <submit@bugs.debian.org>; Thu, 17 Mar 2005 20:21:19 -0800 (PST)
Received: by pond (Postfix, from userid 1000)
	id 9772C564F9; Thu, 17 Mar 2005 22:21:23 -0600 (CST)
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Micah Anderson <micah@riseup.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: [CAN-2004-1191]: Improper command checking for CDs,
 allowing local users to conduct unauthorized writes to firmware
X-Mailer: reportbug 3.8
Date: Thu, 17 Mar 2005 22:21:23 -0600
Message-Id: <20050318042123.9772C564F9@pond>
X-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at riseup.net
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

Package: kernel-source-2.6.8
Version: 2.6.8-14
Severity: normal
Tags: security patch

Hello,

CAN-2004-1190 reads:

SUSE Linux before 9.1 and SUSE Linux Enterprise Server before 9 do not
properly check commands sent to CD devices that have been opened
read-only, which could allow local users to conduct unauthorized write
activities to modify the firmware of associated SCSI devices. 

The Suse Advisory is here:
http://www.novell.com/linux/security/advisories/2004_42_kernel.html

It unfortunately doesn't provide much detail, so I have been in
contact with the Suse security team to track down what this is, and
how they fixed it.

Apparently there was a patch introduced in 2.6.8 to avoid firmware
overwrites happening with read-only opened /dev/cdrom devices. Some
burner programs opened those devices with O_RDONLY but then started to
burn or blank the CDs, but the more severe problem is that
unprivileged users could destroy the firmware of SCSI related
devices, rendering the devices completely useless.

Although the fix was put into 2.6.8, it was found afterwards that
these were not a complete solution to the security problem, so there
were bug fixes done in later patches. Version 2.6.10 is completely
fixed, but there are some missing patches from 2.6.8 that leave this
unfixed in our 2.6.8, as far as I can determine.

According to the Suse security people, the details in the changelog at
this location show what needs to be patched:

http://linux.bkbits.net:8080/linux-2.6/hist/drivers/block/scsi_ioctl.c

along with the thread on this subject here:

http://groups-beta.google.com/group/linux.kernel/browse_frm/thread/5cfe44b11c8a99c5/ed58b3d4b1cfa39b?q=scsi_ioctl+firmware#ed58b3d4b1cfa39b

Taking these two, I've compared our kernel-source-2.6.8 tree and found
that the following patches should be applied:

http://linux.bkbits.net:8080/linux-2.6/diffs/drivers/block/scsi_ioctl.c@1.57?nav=hist/drivers/block/scsi_ioctl.c
http://linux.bkbits.net:8080/linux-2.6/diffs/drivers/block/scsi_ioctl.c@1.59?nav=hist/drivers/block/scsi_ioctl.c
http://linux.bkbits.net:8080/linux-2.6/diffs/drivers/block/scsi_ioctl.c@1.60?nav=hist/drivers/block/scsi_ioctl.c
http://linux.bkbits.net:8080/linux-2.6/diffs/drivers/block/scsi_ioctl.c@1.61?nav=hist/drivers/block/scsi_ioctl.c

I should note that I do not fully understand this issue, I simply have
done the legwork to determine that these patches have not been applied
to kernel-source-2.6.8 and that according to Suse, the last relevant
patch for this issue is the 1.61 revision patch (the last one in the
list of four above). 

N.B.: There is one changeset in the bkbits.net site from 10 weeks ago, that has the
changelog entry, "fix exploitable hole" -- according to Suse, this is
misleading and incorrect (and is not included in the patches above).

Micah


-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (300, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.10-1-k7
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages kernel-source-2.6.8 depends on:
ii  binutils                      2.15-5     The GNU assembler, linker and bina
ii  bzip2                         1.0.2-5    high-quality block-sorting file co
ii  coreutils [fileutils]         5.2.1-2    The GNU core utilities
ii  fileutils                     5.2.1-2    The GNU file management utilities 

-- no debconf information
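
The command check the advisory describes, as an added illustration that is not the kernel's scsi_ioctl.c and not any of the patches listed above: a per-opcode allow-list keyed on how the device file was opened, where write-class commands need a writable open and WRITE BUFFER (the firmware/microcode download command) needs a privilege the caller must hold, with unknown opcodes treated as privileged. The rule table, the FMODE_* values, the verdict names and verify_cmd() are this example's own assumptions; only the opcode numbers come from the SCSI command set.

```c
/* Added example: allow-list check for SCSI pass-through commands, keyed on
 * the open mode of the device file. Not the kernel's code; the policy split
 * below is an assumed model of the checks the discussion above refers to. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define FMODE_READ  0x1   /* assumed flag values for this example */
#define FMODE_WRITE 0x2

enum cmd_class { CMD_READ_SAFE, CMD_WRITE_SAFE, CMD_PRIVILEGED };
enum verdict   { CMD_ALLOW, CMD_DENY_NEEDS_WRITE, CMD_DENY_NEEDS_PRIV };

struct cmd_rule { uint8_t opcode; enum cmd_class cls; };

/* Opcodes are from SPC/MMC; the classification is this example's policy. */
static const struct cmd_rule rules[] = {
    { 0x00, CMD_READ_SAFE  },  /* TEST UNIT READY */
    { 0x12, CMD_READ_SAFE  },  /* INQUIRY */
    { 0x25, CMD_READ_SAFE  },  /* READ CAPACITY */
    { 0x28, CMD_READ_SAFE  },  /* READ(10) */
    { 0x2a, CMD_WRITE_SAFE },  /* WRITE(10): burning needs a writable open */
    { 0xa1, CMD_WRITE_SAFE },  /* BLANK (MMC): erasing needs a writable open */
    { 0x3b, CMD_PRIVILEGED },  /* WRITE BUFFER: microcode download, never by mode alone */
};

/* Decide whether a pass-through CDB with this opcode may be issued.
 * has_rawio stands for a CAP_SYS_RAWIO-style privilege held by the caller.
 * Anything not in the table is privileged: this is an allow-list, not a
 * deny-list, so a missing entry fails closed rather than open. */
enum verdict verify_cmd(uint8_t opcode, unsigned fmode, bool has_rawio)
{
    enum cmd_class cls = CMD_PRIVILEGED;
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        if (rules[i].opcode == opcode) { cls = rules[i].cls; break; }
    }
    if (has_rawio)                         /* privileged callers bypass the table */
        return CMD_ALLOW;
    switch (cls) {
    case CMD_READ_SAFE:  return CMD_ALLOW;
    case CMD_WRITE_SAFE: return (fmode & FMODE_WRITE) ? CMD_ALLOW
                                                      : CMD_DENY_NEEDS_WRITE;
    default:             return CMD_DENY_NEEDS_PRIV;
    }
}
```

The read-only case of the advisory is the second line of the test: a WRITE(10) on an O_RDONLY open is refused, while the same command on a writable open passes.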

---------------------------------------
Received: (at 300162-done) by bugs.debian.org; 23 Mar 2005 06:58:28 +0000
>From horms@koto.vergenet.net Tue Mar 22 22:58:27 2005
Return-path: <horms@koto.vergenet.net>
Received: from koto.vergenet.net [210.128.90.7] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1DDzox-0002FC-00; Tue, 22 Mar 2005 22:58:27 -0800
Received: by koto.vergenet.net (Postfix, from userid 7100)
	id EDEB134003; Wed, 23 Mar 2005 15:35:15 +0900 (JST)
Date: Wed, 23 Mar 2005 15:47:59 +0900
From: Horms <horms@debian.org>
To: Micah Anderson <micah@riseup.net>, 300162-done@bugs.debian.org
Subject: Re: Bug#300162: [CAN-2004-1191]: Improper command checking for CDs, allowing local users to conduct unauthorized writes to firmware
Message-ID: <20050323064756.GB32642@verge.net.au>
References: <20050318042123.9772C564F9@pond>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20050318042123.9772C564F9@pond>
X-Cluestick: seven
User-Agent: Mutt/1.5.6+20040907i
Delivered-To: 300162-done@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

On Thu, Mar 17, 2005 at 10:21:23PM -0600, Micah Anderson wrote:
> Package: kernel-source-2.6.8
> Version: 2.6.8-14
> Severity: normal
> Tags: security patch
> 
> Hello,
> 
> CAN-2004-1190 reads:
> 
> SUSE Linux before 9.1 and SUSE Linux Enterprise Server before 9 do not
> properly check commands sent to CD devices that have been opened
> read-only, which could allow local users to conduct unauthorized write
> activities to modify the firmware of associated SCSI devices. 
> 
> The Suse Advisory is here:
> http://www.novell.com/linux/security/advisories/2004_42_kernel.html
> 
> It unfortunately doesn't provide much detail, so I have been in
> contact with the Suse security team to track down what this is, and
> how they fixed it.
> 
> Apparently there was a patch introduced in 2.6.8 to avoid firmware
> overwrites happening with read-only opened /dev/cdrom devices. Some
> burner programs opened those devices with O_RDONLY but then started to
> burn or blank the CDs, but the more severe problem is that
> unprivileged users could destroy the firmware of SCSI related
> devices, rendering the devices completely useless.
> 
> Although the fix was put into 2.6.8, it was found afterwards that
> these were not a complete solution to the security problem, so there
> were bug fixes done in later patches. Version 2.6.10 is completely
> fixed, but there are some missing patches from 2.6.8 that leave this
> unfixed in our 2.6.8, as far as I can determine.
> 
> According to the Suse security people, the details in the changelog at
> this location show what needs to be patched:

Thanks, I believe all of the patches relating to this problem
are in kernel-source-2.6.8 as of 2.6.8-14. I have detailed
the names of the patches included in the package, as
well as the ChangeSet references and the references you gave.
I have also detailed previous patches which are related to
fixing / creating this problem.

I am closing this bug; please re-open if you think I am mistaken.


N.B.: Below, CS = ChangeSet

> http://linux.bkbits.net:8080/linux-2.6/hist/drivers/block/scsi_ioctl.c
> 
> along with the thread on this subject here:
> 
> http://groups-beta.google.com/group/linux.kernel/browse_frm/thread/5cfe44b11c8a99c5/ed58b3d4b1cfa39b?q=scsi_ioctl+firmware#ed58b3d4b1cfa39b
> 
> Taking these two, I've compared our kernel-source-2.6.8 tree and found
> that the following patches should be applied:
> 
> http://linux.bkbits.net:8080/linux-2.6/diffs/drivers/block/scsi_ioctl.c@1.57?nav=hist/drivers/block/scsi_ioctl.c

CS: http://linux.bkbits.net:8080/linux-2.6/cset@4174b6326o_dlwZxDIUzeIC0UF8O9A
kernel-source-2.6.8: not included
Comment: This patch does not seem to be related and does not seem to be
         a security patch.

> http://linux.bkbits.net:8080/linux-2.6/diffs/drivers/block/scsi_ioctl.c@1.59?nav=hist/drivers/block/scsi_ioctl.c

CS: http://linux.bkbits.net:8080/linux-2.6/cset@419813e33fcDXYh_LMNivkKwRZnLsA
kernel-source-2.6.8-14: scsi-ioctl-cmd-warned.dpatch

> http://linux.bkbits.net:8080/linux-2.6/diffs/drivers/block/scsi_ioctl.c@1.60?nav=hist/drivers/block/scsi_ioctl.c

CS: http://linux.bkbits.net:8080/linux-2.6/cset@41997e43QFUAZ66t-GOJI9Eqc4ZPpA
CS: http://linux.bkbits.net:8080/linux-2.6/cset@419a3d4dFBYvTLQuyOyGUy0bMRyATA
kernel-source-2.6.8-14: scsi-ioctl-remove-dup.dpatch

> http://linux.bkbits.net:8080/linux-2.6/diffs/drivers/block/scsi_ioctl.c@1.61?nav=hist/drivers/block/scsi_ioctl.c

CS: http://linux.bkbits.net:8080/linux-2.6/cset@419e7b2aD7SJ6lRfPc7hXr1kDVCidg
kernel-source-2.6.8-14: scsi-ioctl-permit.dpatch

CS: http://linux.bkbits.net:8080/linux-2.6/cset@411de877ZwwvAvefJTKSmQyugJkdPw
kernel-source-2.6.8-1: SG_IO-cap.dpatch

CS: http://linux.bkbits.net:8080/linux-2.6/cset@412a53f2QNsqhYybefqcMSOffiZb2g
CS: http://linux.bkbits.net:8080/linux-2.6/cset@412b9807JFV5HTT_Io8LpcPoyii17w
CS: http://linux.bkbits.net:8080/linux-2.6/cset@412b9807JFV5HTT_Io8LpcPoyii17w
kernel-source-2.6.8-3: SG_IO-safe-commands.dpatch 
                       (removed in kernel-source-2.6.8-4)
kernel-source-2.6.8-4: SG_IO-safe-commands-2.dpatch
kernel-source-2.6.8-8: SG_IO-safe-commands-3.dpatch

CS: http://linux.bkbits.net:8080/linux-2.6/cset@418a4f0df36yYLVdEKUY8xRMnS3HfA
kernel-source-2.6.8-8: SG_IO-safe-commands-5.dpatch

-- 
Horms
