[kernel-sec-discuss] r863 - active

jmm at alioth.debian.org jmm at alioth.debian.org
Thu Jun 21 12:54:59 UTC 2007


Author: jmm
Date: 2007-06-21 12:54:59 +0000 (Thu, 21 Jun 2007)
New Revision: 863

Removed:
   active/CVE-2007-1388
Log:
retire CVE-2007-1388


Deleted: active/CVE-2007-1388
===================================================================
--- active/CVE-2007-1388	2007-06-19 00:14:41 UTC (rev 862)
+++ active/CVE-2007-1388	2007-06-21 12:54:59 UTC (rev 863)
@@ -1,28 +0,0 @@
-Candidate: CVE-2007-1388
-References: 
- http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.20.y.git;a=commit;h=4cabf6ba5496bc4a5a59871693145880b240b07b
- http://bugzilla.kernel.org/show_bug.cgi?id=8155
-Description: 
- The do_ipv6_setsockopt function in net/ipv6/ipv6_sockglue.c in Linux kernel
- 2.6.17, and possibly other versions, allows local users to cause a denial of
- service (oops) by calling setsockopt with the IPV6_RTHDR option name and
- possibly a zero option length or invalid option value, which triggers a NULL
- pointer dereference.
-Ubuntu-Description: 
- Gabriel Campana discovered that the do_ipv6_setsockopt() function did
- not sufficiently verifiy option values for IPV6_RTHDR. A local
- attacker could exploit this to trigger a kernel crash.
-Notes: 
- dannf> Reproducer in the RH bug doesn't work on debian as-is - you need
-        to use a hardcoded '57' instead of IPV6_RTHDR. That allows you
-        to trigger an oops on unpatched 2.6.18-era kernels, but it is not
-        reproducible in 2.4.27/2.6.8
-Bugs: 
-upstream: released (2.6.21-rc4)
-linux-2.6: released (2.6.21-1)
-2.6.18-etch-security: released (2.6.18.dfsg.1-12) [bugfix/ipv6_getsockopt_sticky-null-opt.patch]
-2.6.8-sarge-security: N/A
-2.4.27-sarge-security: N/A
-2.6.15-dapper-security: released (2.6.15-28.54)
-2.6.17-edgy-security: released (2.6.17.1-11.38)
-2.6.20-feisty-security: released (2.6.20-16.28)
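Review bot: The Notes entry from dannf relies on a "Reproducer in the RH bug", but References lists only the kernel.org commit and bugzilla.kernel.org id 8155, and the Bugs: field is empty, so the record never links the report it depends on; adding that URL before the file is archived would keep the note traceable. The etch patch name ipv6_getsockopt_sticky-null-opt.patch also points at a getsockopt path while the Description names do_ipv6_setsockopt, which merits a one-line note on how the two relate. Every tracked branch reads released or N/A, so retiring matches the status lines, but this revision shows only the removal from active/ with no matching addition visible, so confirm the record is preserved elsewhere.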



