CVE-2009-3288 - OpenCVE

The sg_build_indirect function in drivers/scsi/sg.c in Linux kernel 2.6.28-rc1 through 2.6.31-rc8 uses an incorrect variable when accessing an array, which allows local users to cause a denial of service (kernel OOPS and NULL pointer dereference), as demonstrated by using xcdroast to duplicate a CD. NOTE: this is only exploitable by users who can open the cdrom device.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Complete

AV:L/AC:L/Au:N/C:N/I:N/A:C

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Kernel	Linux Kernel
Linux	Linux Kernel

Configuration 1 [-]

OR	cpe:2.3:a:kernel:linux_kernel:2.6.28-rc1:::::::*
	cpe:2.3:o:linux:linux_kernel:2.6.31-rc2:::::::*
	cpe:2.3:o:linux:linux_kernel:2.6.31-rc3:::::::*
	cpe:2.3:o:linux:linux_kernel:2.6.31-rc4:::::::*
	cpe:2.3:o:linux:linux_kernel:2.6.31-rc5:::::::*
	cpe:2.3:o:linux:linux_kernel:2.6.31-rc6:::::::*
	cpe:2.3:o:linux:linux_kernel:2.6.31-rc7:::::::*
	cpe:2.3:o:linux:linux_kernel:2.6.31-rc8:::::::*
	cpe:2.3:o:linux:linux_kernel:2.6.31-rc9:::::::*
	cpe:2.3:o:linux:linux_kernel:2.6.31-rc10:::::::*

No data.

References

Link	Providers
http://lkml.org/lkml/2009/9/3/1
http://lkml.org/lkml/2009/9/3/107
http://secunia.com/advisories/37105
http://www.openwall.com/lists/oss-security/2009/09/03/4
http://www.ubuntu.com/usn/USN-852-1

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2009-09-22T10:00:00

Updated: 2024-08-07T06:22:24.085Z

Reserved: 2009-09-22T00:00:00

Link: CVE-2009-3288

Vulnrichment

No data.

NVD

Status : Modified

Published: 2009-09-22T10:30:00.670

Modified: 2011-09-15T03:06:30.957

Link: CVE-2009-3288

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2009-09-02T00:00:00", "descriptions": [{"lang": "en", "value": "The sg_build_indirect function in drivers/scsi/sg.c in Linux kernel 2.6.28-rc1 through 2.6.31-rc8 uses an incorrect variable when accessing an array, which allows local users to cause a denial of service (kernel OOPS and NULL pointer dereference), as demonstrated by using xcdroast to duplicate a CD. NOTE: this is only exploitable by users who can open the cdrom device."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2011-09-15T09:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "[linux-kernel] 20090903 [PATCH] sg: fix oops in the error path in sg_build_indirect()", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://lkml.org/lkml/2009/9/3/107"}, {"name": "[oss-security] 20090904 CVE request: kernel: NULL pointer dereference in sg_build_indirect()", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2009/09/03/4"}, {"name": "USN-852-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-852-1"}, {"name": "[linux-kernel] 20090902 [BUG] 2.6.31-rc8 readcd Oops", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://lkml.org/lkml/2009/9/3/1"}, {"name": "37105", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/37105"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2009-3288", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The sg_build_indirect function in drivers/scsi/sg.c in Linux kernel 2.6.28-rc1 through 2.6.31-rc8 uses an incorrect variable when accessing an array, which allows local users to cause a denial of service (kernel OOPS and NULL pointer dereference), as demonstrated by using xcdroast to duplicate a CD. NOTE: this is only exploitable by users who can open the cdrom device."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "[linux-kernel] 20090903 [PATCH] sg: fix oops in the error path in sg_build_indirect()", "refsource": "MLIST", "url": "http://lkml.org/lkml/2009/9/3/107"}, {"name": "[oss-security] 20090904 CVE request: kernel: NULL pointer dereference in sg_build_indirect()", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2009/09/03/4"}, {"name": "USN-852-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-852-1"}, {"name": "[linux-kernel] 20090902 [BUG] 2.6.31-rc8 readcd Oops", "refsource": "MLIST", "url": "http://lkml.org/lkml/2009/9/3/1"}, {"name": "37105", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/37105"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T06:22:24.085Z"}, "title": "CVE Program Container", "references": [{"name": "[linux-kernel] 20090903 [PATCH] sg: fix oops in the error path in sg_build_indirect()", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://lkml.org/lkml/2009/9/3/107"}, {"name": "[oss-security] 20090904 CVE request: kernel: NULL pointer dereference in sg_build_indirect()", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2009/09/03/4"}, {"name": "USN-852-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "http://www.ubuntu.com/usn/USN-852-1"}, {"name": "[linux-kernel] 20090902 [BUG] 2.6.31-rc8 readcd Oops", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://lkml.org/lkml/2009/9/3/1"}, {"name": "37105", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/37105"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2009-3288", "datePublished": "2009-09-22T10:00:00", "dateReserved": "2009-09-22T00:00:00", "dateUpdated": "2024-08-07T06:22:24.085Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:kernel:linux_kernel:2.6.28-rc1:*:*:*:*:*:*:*", "matchCriteriaId": "EB876AB2-97A5-42DE-AC69-C564513FA837", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:2.6.31-rc2:*:*:*:*:*:*:*", "matchCriteriaId": "3C86BC69-06B6-45C7-9821-45D42D44B240", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:2.6.31-rc3:*:*:*:*:*:*:*", "matchCriteriaId": "EA0353B9-907F-4B89-9104-2F4434159F0F", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:2.6.31-rc4:*:*:*:*:*:*:*", "matchCriteriaId": "7D1FF505-4135-4005-BD1A-3AC913FEE20A", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:2.6.31-rc5:*:*:*:*:*:*:*", "matchCriteriaId": "5D31D04B-1E65-4FD6-AEED-3F365C65FCDE", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:2.6.31-rc6:*:*:*:*:*:*:*", "matchCriteriaId": "24CFD647-3926-462F-B264-56E136B74F81", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:2.6.31-rc7:*:*:*:*:*:*:*", "matchCriteriaId": "BE71B9D7-B52E-426A-831D-ADEDC38318E1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:2.6.31-rc8:*:*:*:*:*:*:*", "matchCriteriaId": "C6FFA2CD-0EC9-4FBB-93DC-80736622CFCA", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:2.6.31-rc9:*:*:*:*:*:*:*", "matchCriteriaId": "B64401A9-58F5-4CB6-B0E2-A3A2B92659EE", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:2.6.31-rc10:*:*:*:*:*:*:*", "matchCriteriaId": "89137307-D97D-4D8B-9291-21DE1E6C56D3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The sg_build_indirect function in drivers/scsi/sg.c in Linux kernel 2.6.28-rc1 through 2.6.31-rc8 uses an incorrect variable when accessing an array, which allows local users to cause a denial of service (kernel OOPS and NULL pointer dereference), as demonstrated by using xcdroast to duplicate a CD. NOTE: this is only exploitable by users who can open the cdrom device."}, {"lang": "es", "value": "La funci\u00f3n sg_build_indirect en drivers/scsi/sg.c en el kernel de linux v 2.6.28-rc1 a la v2.6.31-rc8 emplea una variable incorrecta cuando accede a una matriz, lo que permite a usuarios locales provocar una denegaci\u00f3n de servicio (Kernel OOPS y una deferencia a puntero NULL), como se ha demostrado usando xcdroast para duplicar un CD. NOTA: esto es explotable \u00fanicamente por usuarios que pueden abrir la unidad de CD."}], "id": "CVE-2009-3288", "lastModified": "2011-09-15T03:06:30.957", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 4.9, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2009-09-22T10:30:00.670", "references": [{"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://lkml.org/lkml/2009/9/3/1"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://lkml.org/lkml/2009/9/3/107"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/37105"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://www.openwall.com/lists/oss-security/2009/09/03/4"}, {"source": "cve@mitre.org", "url": "http://www.ubuntu.com/usn/USN-852-1"}], "sourceIdentifier": "cve@mitre.org", "vendorComments": [{"comment": "Not vulnerable. This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 or Red Hat Enterprise MRG. This issue was introduced by upstream commit 10db10d1, and only affected kernels version 2.6.28-rc1 and later.", "lastModified": "2009-09-22T00:00:00", "organization": "Red Hat"}], "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}], "source": "nvd@nist.gov", "type": "Primary"}]}