[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: Re: [oss-security] CVE Request: Linux - ext4 support
From: Kurt Seifried <kseifried () redhat ! com>
Date: 2013-06-18 2:13:46
Message-ID: 51BFC25A.80009 () redhat ! com
[Download RAW message or body]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 06/17/2013 04:40 PM, Greg KH wrote:
> On Mon, Jun 17, 2013 at 11:52:47PM +0200, Jonathan Salwan wrote:
>> On Mon, Jun 17, 2013 at 10:29 PM, Greg KH <greg@kroah.com>
>> wrote:
>>> On Mon, Jun 17, 2013 at 10:12:34PM +0200, Jonathan Salwan
>>> wrote:
>>>> Hi,
>>>>
>>>> Could you assign a CVE for this issue please?
>>>>
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=971170
>>>
>>> I thought we (the ext4 developers and kernel security team)
>>> discussed this and determined that a user could _not_ trigger
>>> this problem. Or was I mistaken as to the output of that
>>> conversation?
>>>
>>> thanks,
>>>
>>> greg k-h
>>
>> Only with CAP_SYS_RESOURCE indeed.
>
> So, given that this really isn't a viable issue, why do you need a
> CVE?
>
> confused,
>
> greg k-h
>
Looking at man capabilities:
CAP_SYS_RESOURCE
* Use reserved space on ext2 file systems;
* override disk quota limits;
* increase resource limits (see setrlimit(2));
* override RLIMIT_NPROC resource limit;
so it would seem a user/process with this capability can DoS the
system regardless. However in this case would it be possible for the
attacker to trigger a DoS that is difficult (if not impossible) to
trace back to the attacker? In this case it might qualify for a CVE,
but I'd also want to get Steven's thoughts (cc'ed directly).
- --
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
iQIcBAEBAgAGBQJRv8JaAAoJEBYNRVNeJnmT3l0P/iMLejdRhqWNNjJXav1y00Bk
Wqd8U0gS69N8yUB8L56HcXVKCFt0qaM5CpN+HJ/q2Hiu1SDA1db9hK33JG13QvG+
X90HD2LUzDT2ZE3ILQ7OTu0OxhmFUMxdnXFojN91YsLbY0iWNpSnx6hhk9dZI1uD
U4OPP8Dd0TjFOVsZRkalhhn/1ppMFOUMmY/0zhU2v7dt4S3D4chpfxCDLEI5lDNs
x7Mj3pHiQa1dzITmQSvlQh0Yp2d373ShepUPTHiK7R/2qYI8kSqe8MF4vGIwvt/0
mved8Hstf6/Y7NMu5j6pPwcxUw8CodgWHSS/EvL7uQ+rTeZGh7499BZgBnSLz1Vt
noXo3JmZijQ75rqxLk5lZBTl6t2PHYxDtxvPhpOwVbrxhCWxJL9ucjbe1mjOQZml
jKaDr+fOm8K8V19DCW3hByMGx/eBykNUbwpHawA210y/k/Ez0nylK/mL8bCfom5p
NLy0u6Uqq9SahjFQ6e22itpJcTmeW4FXpLId62uegIA4Bpz/gIbRVliP+FWlc5ze
BYKjbeBgfWIfiRv2ZvnF1B6WYmQGD06kEcm3ESW6GUGTj/8Mesm2lP6zoKuSWvLA
A5/ExkQlV85m5xr7KPs/+ejWstFd1Rf4TV3AxiyDWgojNe4Q1e5D0/7SI4Ejg7XE
ztTTYMAgzWYPp3D9KUAu
=YKK0
-----END PGP SIGNATURE-----
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic