CVE-2009-1897 (GCVE-0-2009-1897)
Vulnerability from cvelistv5
Published
2009-07-20 17:00
Modified
2024-08-07 05:27
Severity ?
CWE
  • n/a
Summary
The tun_chr_poll function in drivers/net/tun.c in the tun subsystem in the Linux kernel 2.6.30 and 2.6.30.1, when the -fno-delete-null-pointer-checks gcc option is omitted, allows local users to gain privileges via vectors involving a NULL pointer dereference and an mmap of /dev/net/tun, a different vulnerability than CVE-2009-1894.
References
secalert@redhat.com http://archives.neohapsis.com/archives/fulldisclosure/2009-07/0241.html
secalert@redhat.com http://archives.neohapsis.com/archives/fulldisclosure/2009-07/0246.html
secalert@redhat.com http://article.gmane.org/gmane.linux.network/124939
secalert@redhat.com http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=3c8a9c63d5fd738c261bd0ceece04d9c8357ca13
secalert@redhat.com http://grsecurity.net/~spender/cheddar_bay.tgz Patch
secalert@redhat.com http://isc.sans.org/diary.html?storyid=6820 Exploit
secalert@redhat.com http://lkml.org/lkml/2009/7/6/19 Exploit
secalert@redhat.com http://secunia.com/advisories/35839 Vendor Advisory
secalert@redhat.com http://www.openwall.com/lists/oss-security/2009/07/17/1
secalert@redhat.com http://www.vupen.com/english/advisories/2009/1925 Patch, Vendor Advisory
secalert@redhat.com https://bugzilla.redhat.com/show_bug.cgi?id=512284
secalert@redhat.com https://exchange.xforce.ibmcloud.com/vulnerabilities/51803
secalert@redhat.com https://www.redhat.com/en/blog/security-flaws-caused-compiler-optimizations
af854a3a-2127-422b-91ae-364da2661108 http://archives.neohapsis.com/archives/fulldisclosure/2009-07/0241.html
af854a3a-2127-422b-91ae-364da2661108 http://archives.neohapsis.com/archives/fulldisclosure/2009-07/0246.html
af854a3a-2127-422b-91ae-364da2661108 http://article.gmane.org/gmane.linux.network/124939
af854a3a-2127-422b-91ae-364da2661108 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=3c8a9c63d5fd738c261bd0ceece04d9c8357ca13
af854a3a-2127-422b-91ae-364da2661108 http://grsecurity.net/~spender/cheddar_bay.tgz Patch
af854a3a-2127-422b-91ae-364da2661108 http://isc.sans.org/diary.html?storyid=6820 Exploit
af854a3a-2127-422b-91ae-364da2661108 http://lkml.org/lkml/2009/7/6/19 Exploit
af854a3a-2127-422b-91ae-364da2661108 http://secunia.com/advisories/35839 Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 http://www.openwall.com/lists/oss-security/2009/07/17/1
af854a3a-2127-422b-91ae-364da2661108 http://www.vupen.com/english/advisories/2009/1925 Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 https://bugzilla.redhat.com/show_bug.cgi?id=512284
af854a3a-2127-422b-91ae-364da2661108 https://exchange.xforce.ibmcloud.com/vulnerabilities/51803
af854a3a-2127-422b-91ae-364da2661108 https://www.redhat.com/en/blog/security-flaws-caused-compiler-optimizations
Impacted products
Vendor Product Version
n/a n/a Version: n/a
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-07T05:27:54.800Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "ADV-2009-1925",
            "tags": [
              "vdb-entry",
              "x_refsource_VUPEN",
              "x_transferred"
            ],
            "url": "http://www.vupen.com/english/advisories/2009/1925"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://isc.sans.org/diary.html?storyid=6820"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://grsecurity.net/~spender/cheddar_bay.tgz"
          },
          {
            "name": "[oss-security] 20090717 Linux 2.6.30+/SELinux/RHEL5 test kernel 0day, exploiting the unexploitable",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2009/07/17/1"
          },
          {
            "name": "20090716 Re: Linux 2.6.30+/SELinux/RHEL5 test kernel 0day, exploiting the unexploitable",
            "tags": [
              "mailing-list",
              "x_refsource_FULLDISC",
              "x_transferred"
            ],
            "url": "http://archives.neohapsis.com/archives/fulldisclosure/2009-07/0246.html"
          },
          {
            "name": "linux-kernel-tunchrpoll-code-execution(51803)",
            "tags": [
              "vdb-entry",
              "x_refsource_XF",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/51803"
          },
          {
            "name": "[netdev] 20090409 Oops in tun: bisected to Limit amount of queued packets per device",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://article.gmane.org/gmane.linux.network/124939"
          },
          {
            "name": "35839",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/35839"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=3c8a9c63d5fd738c261bd0ceece04d9c8357ca13"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=512284"
          },
          {
            "name": "[linux-kernel] 20090706 Re: PROBLEM: tun/tap crashes if open() /dev/net/tun and then poll() it.",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://lkml.org/lkml/2009/7/6/19"
          },
          {
            "name": "20090716 Linux 2.6.30+/SELinux/RHEL5 test kernel 0day, exploiting the unexploitable",
            "tags": [
              "mailing-list",
              "x_refsource_FULLDISC",
              "x_transferred"
            ],
            "url": "http://archives.neohapsis.com/archives/fulldisclosure/2009-07/0241.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.redhat.com/en/blog/security-flaws-caused-compiler-optimizations"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2009-07-16T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The tun_chr_poll function in drivers/net/tun.c in the tun subsystem in the Linux kernel 2.6.30 and 2.6.30.1, when the -fno-delete-null-pointer-checks gcc option is omitted, allows local users to gain privileges via vectors involving a NULL pointer dereference and an mmap of /dev/net/tun, a different vulnerability than CVE-2009-1894."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-08-21T18:05:42",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "ADV-2009-1925",
          "tags": [
            "vdb-entry",
            "x_refsource_VUPEN"
          ],
          "url": "http://www.vupen.com/english/advisories/2009/1925"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://isc.sans.org/diary.html?storyid=6820"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://grsecurity.net/~spender/cheddar_bay.tgz"
        },
        {
          "name": "[oss-security] 20090717 Linux 2.6.30+/SELinux/RHEL5 test kernel 0day, exploiting the unexploitable",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2009/07/17/1"
        },
        {
          "name": "20090716 Re: Linux 2.6.30+/SELinux/RHEL5 test kernel 0day, exploiting the unexploitable",
          "tags": [
            "mailing-list",
            "x_refsource_FULLDISC"
          ],
          "url": "http://archives.neohapsis.com/archives/fulldisclosure/2009-07/0246.html"
        },
        {
          "name": "linux-kernel-tunchrpoll-code-execution(51803)",
          "tags": [
            "vdb-entry",
            "x_refsource_XF"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/51803"
        },
        {
          "name": "[netdev] 20090409 Oops in tun: bisected to Limit amount of queued packets per device",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://article.gmane.org/gmane.linux.network/124939"
        },
        {
          "name": "35839",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/35839"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=3c8a9c63d5fd738c261bd0ceece04d9c8357ca13"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=512284"
        },
        {
          "name": "[linux-kernel] 20090706 Re: PROBLEM: tun/tap crashes if open() /dev/net/tun and then poll() it.",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://lkml.org/lkml/2009/7/6/19"
        },
        {
          "name": "20090716 Linux 2.6.30+/SELinux/RHEL5 test kernel 0day, exploiting the unexploitable",
          "tags": [
            "mailing-list",
            "x_refsource_FULLDISC"
          ],
          "url": "http://archives.neohapsis.com/archives/fulldisclosure/2009-07/0241.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.redhat.com/en/blog/security-flaws-caused-compiler-optimizations"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2009-1897",
    "datePublished": "2009-07-20T17:00:00",
    "dateReserved": "2009-06-02T00:00:00",
    "dateUpdated": "2024-08-07T05:27:54.800Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2009-1897\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2009-07-20T17:30:54.733\",\"lastModified\":\"2025-04-09T00:30:58.490\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The tun_chr_poll function in drivers/net/tun.c in the tun subsystem in the Linux kernel 2.6.30 and 2.6.30.1, when the -fno-delete-null-pointer-checks gcc option is omitted, allows local users to gain privileges via vectors involving a NULL pointer dereference and an mmap of /dev/net/tun, a different vulnerability than CVE-2009-1894.\"},{\"lang\":\"es\",\"value\":\"La funci\u00f3n tun_chr_poll en drivers/net/tun.c en el subsistema tun del kernel de Linux v2.6.30 y v2.6.30.1, cuando se omite la opci\u00f3n -fno-delete-null-pointer-checks en gcc, permite a atacantes locales obtener privilegios a trav\u00e9s de vectores que implican desreferenciacion de punteros NULL y un nmap de /dev/net/tun, es una vulnerabilidad diferente a CVE-2009-1894.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:L/AC:M/Au:N/C:C/I:C/A:C\",\"baseScore\":6.9,\"accessVector\":\"LOCAL\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"COMPLETE\",\"integrityImpact\":\"COMPLETE\",\"availabilityImpact\":\"COMPLETE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":3.4,\"impactScore\":10.0,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-119\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:2.6.30:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"10E55450-F6D9-483C-9CC8-E651E5A12AB1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:2.6.30:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"45273823-29EA-44DE-8444-3933402C5793\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:2.6.30:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"88F60E74-09DB-4D4A-B922-4A46EED0EC20\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:2.6.30:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"E242D3DE-D1DC-406A-BCC3-C4380B7EC369\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:2.6.30:rc4:x86_32:*:*:*:*:*\",\"matchCriteriaId\":\"06EFB3F7-2EAE-4A56-A9A1-E8C734E6B91E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:2.6.30:rc5:*:*:*:*:*:*\",\"matchCriteriaId\":\"8598D6E5-0C5C-4A31-841A-C12801DB7D91\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:2.6.30:rc6:*:*:*:*:*:*\",\"matchCriteriaId\":\"59800B0A-477B-42F8-A58A-5144F455AE01\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:2.6.30:rc7-git6:*:*:*:*:*:*\",\"matchCriteriaId\":\"F166BF6B-BFB0-4206-BD59-179701572F1C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:2.6.30.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"99AC6D46-A0BF-4F1D-88BB-03BF74FDB84F\"}]}]}],\"references\":[{\"url\":\"http://archives.neohapsis.com/archives/fulldisclosure/2009-07/0241.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://archives.neohapsis.com/archives/fulldisclosure/2009-07/0246.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://article.gmane.org/gmane.linux.network/124939\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=3c8a9c63d5fd738c261bd0ceece04d9c8357ca13\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://grsecurity.net/~spender/cheddar_bay.tgz\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Patch\"]},{\"url\":\"http://isc.sans.org/diary.html?storyid=6820\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Exploit\"]},{\"url\":\"http://lkml.org/lkml/2009/7/6/19\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Exploit\"]},{\"url\":\"http://secunia.com/advisories/35839\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2009/07/17/1\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.vupen.com/english/advisories/2009/1925\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=512284\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/51803\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://www.redhat.com/en/blog/security-flaws-caused-compiler-optimizations\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://archives.neohapsis.com/archives/fulldisclosure/2009-07/0241.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://archives.neohapsis.com/archives/fulldisclosure/2009-07/0246.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://article.gmane.org/gmane.linux.network/124939\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=3c8a9c63d5fd738c261bd0ceece04d9c8357ca13\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://grsecurity.net/~spender/cheddar_bay.tgz\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"http://isc.sans.org/diary.html?storyid=6820\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\"]},{\"url\":\"http://lkml.org/lkml/2009/7/6/19\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\"]},{\"url\":\"http://secunia.com/advisories/35839\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2009/07/17/1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.vupen.com/english/advisories/2009/1925\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=512284\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/51803\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.redhat.com/en/blog/security-flaws-caused-compiler-optimizations\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}],\"vendorComments\":[{\"organization\":\"Red Hat\",\"comment\":\"Red Hat is aware of this issue and is tracking it via the following bug:\\nhttps://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-1897\\n\\nThe flaw only affects the Red Hat Enterprise Linux 5.4 beta kernel, which includes a backport of the upstream bug fix introducing this flaw (git commit 33dccbb0). This issue did not affect the final released Red Hat Enterprise Linux 5.4 kernel.  It is also possible to mitigate this flaw by ensuring that the permissions for /dev/net/tun is restricted to root only.\\n\\nThis issue does not affect any other released kernel in any Red Hat product.\",\"lastModified\":\"2009-09-02T00:00:00\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.