[security-announce] fs/isofs: security update

Sona Sarmadi sona.sarmadi at enea.com
Fri Jan 9 13:22:31 CET 2015


Security Advisory
=================================================
Product/package: fs/isofs (FSL kernel: 3.8.11)
Severity: Low
Issue date: 2015-01-09
CVE Names: CVE-2014-5471 and CVE-2014-5472
Layer: meta-enea
=================================================
A security patch that fixes CVE-2014-5471 and CVE-2014-5472 is now available in the
"http://linux.enea.com/4.0/patches" folder.

This security patch fixes unbounded recursion when processing relocated
directories (CVE-2014-5471 and CVE-2014-5472).

Patch file: 0010-fs-isofs-CVE-2014-5471_CVE-2014-5472.patch
README file: 0010-fs-isofs-CVE-2014-5471_CVE-2014-5472.README

Description
===========
CVE-2014-5471
Stack consumption vulnerability in the parse_rock_ridge_inode_internal
function in fs/isofs/rock.c in the Linux kernel through 3.16.1 allows
local users to cause a denial of service (uncontrolled recursion, and
system crash or reboot) via a crafted iso9660 image with a CL entry
referring to a directory entry that has a CL entry.

CVE-2014-5472
The parse_rock_ridge_inode_internal function in fs/isofs/rock.c in the
Linux kernel through 3.16.1 allows local users to cause a denial of
service (unkillable mount process) via a crafted iso9660 image with a
self-referential CL entry.
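
As an added illustration, not the Enea patch or the kernel's own code: a small C model of a Rock Ridge CL (child link) resolver. The record layout, names and the `naive_hops`/`resolve_record` functions are constructed; they show the shape of the defect (following CL entries without bound) next to the shape of the bound the fix introduces (refusing a CL entry while already inside a relocated directory).

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of a directory record: cl_target is the index of the
 * record a Rock Ridge CL entry points at, or NO_CL if there is no CL entry.
 * This is not the on-disk ISO9660 layout. */
enum { NO_CL = -1 };
struct dir_record { const char *name; int cl_target; };
#define NREC(a) ((int)(sizeof(a) / sizeof((a)[0])))

/* Pre-fix shape: follow CL entries wherever they lead.  A self-referential
 * entry (CVE-2014-5472) or an image-chosen CL chain (CVE-2014-5471) drives
 * the recursion as deep as the image says; the kernel had no 'limit', so the
 * stack was exhausted.  The limit exists here only so the demo can report
 * "would not terminate" as -1 instead of crashing. */
static int naive_hops(const struct dir_record *recs, int nrec, int idx, int limit)
{
    if (idx < 0 || idx >= nrec || limit == 0)
        return -1;
    if (recs[idx].cl_target == NO_CL)
        return 0;
    int rest = naive_hops(recs, nrec, recs[idx].cl_target, limit - 1);
    return rest < 0 ? -1 : rest + 1;
}

/* Fixed shape: a CL entry is honoured only while we are not already inside a
 * relocated directory, so at most one hop is ever followed.  Returns the
 * resolved record index, or -1 when nested relocation is refused. */
static int resolve_record(const struct dir_record *recs, int nrec, int idx, bool relocated)
{
    if (idx < 0 || idx >= nrec)
        return -1;
    if (recs[idx].cl_target == NO_CL)
        return idx;                 /* ordinary entry, nothing to follow */
    if (relocated)
        return -1;                  /* CL inside a relocated dir: refuse */
    return resolve_record(recs, nrec, recs[idx].cl_target, true);
}

/* Constructed layouts: one legitimate relocation, a self-link, and a chain. */
static const struct dir_record legit[] = {{"root", NO_CL}, {"deep", 2}, {"rr_moved/deep", NO_CL}};
static const struct dir_record self_ref[] = {{"root", NO_CL}, {"loop", 1}};
static const struct dir_record chain[] = {{"a", 1}, {"b", 2}, {"c", NO_CL}};

int main(void)
{
    printf("legit:    naive=%d fixed=%d\n", naive_hops(legit, NREC(legit), 1, 16), resolve_record(legit, NREC(legit), 1, false));
    printf("self-ref: naive=%d fixed=%d\n", naive_hops(self_ref, NREC(self_ref), 1, 16), resolve_record(self_ref, NREC(self_ref), 1, false));
    printf("chain:    naive=%d fixed=%d\n", naive_hops(chain, NREC(chain), 0, 16), resolve_record(chain, NREC(chain), 0, false));
    return 0;
}
```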

References
==========
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5471 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5472 

How to apply the patches
=========================
If you have not yet installed the Enea Linux 4.0 Release:

# wget http://linux.enea.com/4.0/Enea-Linux-4.0.tar.gz 
# tar zxvf Enea-Linux-4.0.tar.gz

If you have already installed the Enea Linux 4.0 Release:

# cd Enea-Linux-4.0/poky/meta-enea
# wget http://linux.enea.com/4.0/patches/0010-fs-isofs-CVE-2014-5471_CVE-2014-5472.patch
# patch -p1 < ./0010-fs-isofs-CVE-2014-5471_CVE-2014-5472.patch 

If you have any questions regarding the security patches and security updates, please contact security at enea.com.
ESRT (Enea Security Response Team) 

Sona Sarmadi
Software Engineer/Security Responsible for Enea Linux
Enea
Jan Stenbecks torg 17,
Box 1033, SE-164 21 Kista, Sweden
Direct: +46 8 5071  4475
Mobile: +46 70 971 4475
sona.sarmadi at enea.com
www.enea.com 
