Bugzilla – Bug 478699
VUL-0: CVE-2009-1046: kernel: The Linux kernel is prone to a local privilege-escalation vulnerability
Last modified: 2018-10-03 09:33:11 UTC
Linux Kernel Console Selection Local Privilege Escalation Vulnerability

The Linux kernel is prone to a local privilege-escalation vulnerability. A local attacker can exploit this issue to execute arbitrary code with elevated privileges or crash the affected kernel, denying service to legitimate users. Versions prior to Linux kernel 2.6.28.4 are vulnerable.

Based on the description of commit 8255fc826e58c0a59711029e01db9fcdc06ba211 we believe this is the fix. We need to make sure that this fix is in our next SP release. Please let me know if you need further info.

Following are some links with a little more information:
http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.28.y.git;a=commit;h=8255fc826e58c0a59711029e01db9fcdc06ba211
https://lists.innerweb.novell.com/pipermail/linux/2009-February/033421.html
http://www.securityfocus.com/bid/33672/discuss
Is there really such a problem with the SLE10 kernel tree that can be proven to be vulnerable? Do you have a test/exploit to verify that it is fixed? I have not seen anything to show that this is anything more than a possible local DoS, not a code execution issue. Do you know anything to the contrary?
Patch applied to SLE10 SP2 kernel tree, awaiting test script to verify it is done properly.
This is the at-most-3-byte kmalloc area overwrite, possible from the Linux console. Exploitability unproven, no CVE assigned yet I think.
Closing out as this is committed to our SLE10 tree, and it's not a real issue.
Thank you Greg. As long as it is in the tree and will be part of the next maintenance release, this will be sufficient.
(In reply to comment #5)
> Thank you Greg. As long as it is in the tree and will be part of the next
> maintenance release, this will be sufficient.

Sufficient for what? I'm curious as to what the real issue here is, can you please explain?
I guess for the paranoid customer/partner.
Name: CVE-2009-1046
The console selection feature in the Linux kernel 2.6.28 before 2.6.28.4, 2.6.25, and possibly earlier versions, when the UTF-8 console is used, allows physically proximate attackers to cause a denial of service (memory corruption) by selecting a small number of 3-byte UTF-8 characters, which triggers "an off-by-two memory error." NOTE: it is not clear whether this issue crosses privilege boundaries.
Reference: BID: http://www.securityfocus.com/bid/33672
Reference: MLIST: http://lists.openwall.net/linux-kernel/2009/02/02/364
Reference: MLIST: http://lists.openwall.net/linux-kernel/2009/01/30/333
Reference: MLIST: http://www.openwall.com/lists/oss-security/2009/02/12/9
Reference: MLIST: http://www.openwall.com/lists/oss-security/2009/02/12/11
Reference: MLIST: http://www.openwall.com/lists/oss-security/2009/02/12/10
Reference: CONFIRM: http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.28.4
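The following is an added user-space model of the sizing arithmetic behind the "off-by-two" in the CVE text and the "at-most-3 byte kmalloc area overwrite" in comment 4; it is not code from this bug report or from the kernel tree. The two allocation formulas (`n/2*multiplier+1` before the fix, `(n/2+1)*multiplier` after) are my reading of the referenced 2.6.28.4 commit to drivers/char/selection.c and should be treated as an assumption; the UTF-8 encoder mirrors the shape of the kernel's `store_utf8()` (code points up to U+FFFF, at most 3 bytes each), and the line-end `\r` handling of the real copy loop is deliberately left out. The sample cells are constructed.

```c
/* Added example, not from the page or the kernel: models why selecting a few
 * 3-byte UTF-8 characters overruns the selection buffer by up to 2 bytes.
 * Allocation formulas are an assumption (my reading of the 2.6.28.4 fix). */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

/* Encoder with the same shape as the kernel's store_utf8(): <= 3 bytes. */
static size_t store_utf8(uint16_t c, char *p)
{
    if (c < 0x80) {
        p[0] = (char)c;
        return 1;
    } else if (c < 0x800) {
        p[0] = (char)(0xc0 | (c >> 6));
        p[1] = (char)(0x80 | (c & 0x3f));
        return 2;
    }
    p[0] = (char)(0xe0 | (c >> 12));
    p[1] = (char)(0x80 | ((c >> 6) & 0x3f));
    p[2] = (char)(0x80 | (c & 0x3f));
    return 3;
}

/* sel_start/sel_end are byte offsets into the screen buffer (2 bytes per
 * cell), inclusive on both ends, so the loop visits this many cells. */
static size_t ncells(size_t sel_start, size_t sel_end)
{
    return (sel_end - sel_start) / 2 + 1;
}

/* Pre-fix sizing (assumed form): multiplier applied before the "+1", so in
 * UTF-8 mode (multiplier 3) the buffer is 2 bytes short of the worst case. */
static size_t alloc_size_buggy(size_t sel_start, size_t sel_end, int utf8)
{
    size_t multiplier = utf8 ? 3 : 1;
    return (sel_end - sel_start) / 2 * multiplier + 1;
}

/* Post-fix sizing (assumed form): count the extra cell before multiplying. */
static size_t alloc_size_fixed(size_t sel_start, size_t sel_end, int utf8)
{
    size_t multiplier = utf8 ? 3 : 1;
    return ((sel_end - sel_start) / 2 + 1) * multiplier;
}

/* Worst case the copy loop can emit: every selected cell is a 3-byte char. */
static size_t worst_case_bytes(size_t sel_start, size_t sel_end, int utf8)
{
    return ncells(sel_start, sel_end) * (utf8 ? 3 : 1);
}

/* Bytes the worst case writes beyond the allocation (0 means safe). */
static size_t overflow_bytes(size_t (*sizer)(size_t, size_t, int),
                             size_t sel_start, size_t sel_end, int utf8)
{
    size_t alloc = sizer(sel_start, sel_end, utf8);
    size_t need = worst_case_bytes(sel_start, sel_end, utf8);
    return need > alloc ? need - alloc : 0;
}

/* Constructed input: three cells of U+20AC (EURO SIGN, 3 bytes in UTF-8). */
static const uint16_t kEuroCells[3] = { 0x20ac, 0x20ac, 0x20ac };

/* Run the encode loop into a bounds-checked scratch buffer (UTF-8 mode) and
 * report how many bytes would have landed past a kmalloc of sizer()'s size. */
static size_t simulate_copy(size_t (*sizer)(size_t, size_t, int),
                            const uint16_t *cells, size_t sel_start, size_t sel_end)
{
    size_t alloc = sizer(sel_start, sel_end, 1);
    size_t n = ncells(sel_start, sel_end);
    char scratch[256];  /* large enough for the small selections modelled here */
    size_t written = 0, i;

    for (i = 0; i < n && written + 3 <= sizeof scratch; i++)
        written += store_utf8(cells[i], scratch + written);
    return written > alloc ? written - alloc : 0;
}

int main(void)
{
    size_t s = 0, e = 4;  /* offsets 0..4 select 3 cells */

    printf("cells=%zu buggy_alloc=%zu fixed_alloc=%zu worst_case=%zu\n",
           ncells(s, e), alloc_size_buggy(s, e, 1),
           alloc_size_fixed(s, e, 1), worst_case_bytes(s, e, 1));
    printf("overflow with buggy sizing: %zu bytes\n",
           simulate_copy(alloc_size_buggy, kEuroCells, s, e));
    printf("overflow with fixed sizing: %zu bytes\n",
           simulate_copy(alloc_size_fixed, kEuroCells, s, e));
    return 0;
}
```

With the assumed formulas, even a single selected 3-byte character (sel_start == sel_end) gets a 1-byte buffer for a 3-byte write, and the shortfall stays at exactly 2 bytes regardless of selection length, which is what the "small number of 3-byte UTF-8 characters" wording reflects; in the non-UTF-8 path both formulas agree and nothing overflows.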
A kernel update for SUSE Linux Enterprise 10 SP2 was just released that mentions/fixes this bug. The version is 2.6.16.60-0.37_f594963d (last hex string is a GIT id).
Update released for: kernel-bigsmp, kernel-bigsmp-debuginfo, kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-kdumppae, kernel-kdumppae-debuginfo, kernel-smp, kernel-smp-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-syms-debuginfo, kernel-vmi, kernel-vmi-debuginfo, kernel-vmipae, kernel-vmipae-debuginfo, kernel-xen, kernel-xen-debuginfo, kernel-xenpae, kernel-xenpae-debuginfo Products: SLE-DEBUGINFO 10-SP2 (i386) SLE-DESKTOP 10-SP2 (i386) SLE-SDK 10-SP2 (i386) SLE-SERVER 10-SP2 (i386)
root exploit with this issue was confirmed: http://kernelbof.blogspot.com/2009/07/even-when-one-byte-matters.html
should be fixed in all branches as it is exploitable. SLE11 / 11.1 was shipped non-affected (it has it via: patches.kernel.org/patch-2.6.27.14-15) SL103_BRANCH did not have the utf8 console. So just SL110_BRANCH needs the fix.
Patch committed to SL110_BRANCH.
Update released for: acerhk-kmp-debug, acx-kmp-debug, appleir-kmp-debug, at76_usb-kmp-debug, atl2-kmp-debug, aufs-kmp-debug, dazuko-kmp-debug, drbd-kmp-debug, gspcav-kmp-debug, iscsitarget-kmp-debug, ivtv-kmp-debug, kernel-debug, kernel-default, kernel-docs, kernel-kdump, kernel-pae, kernel-ppc64, kernel-ps3, kernel-source, kernel-syms, kernel-vanilla, kernel-xen, kqemu-kmp-debug, nouveau-kmp-debug, omnibook-kmp-debug, pcc-acpi-kmp-debug, pcfclock-kmp-debug, tpctl-kmp-debug, uvcvideo-kmp-debug, virtualbox-ose-kmp-debug, vmware-kmp-debug, wlan-ng-kmp-debug Products: openSUSE 11.0 (debug, i386, ppc, x86_64)
released
CVE-2009-1046: CVSS v2 Base Score: 4.7 (AV:L/AC:M/Au:N/C:N/I:N/A:C)