[kernel-sec-discuss] r865 - active retired

jmm at alioth.debian.org
Thu Jun 21 12:59:00 UTC 2007


Author: jmm
Date: 2007-06-21 12:58:59 +0000 (Thu, 21 Jun 2007)
New Revision: 865

Added:
   retired/CVE-2007-1388
   retired/CVE-2007-1497
Removed:
   active/CVE-2007-1497
Log:
retire CVE-2007-1407


Deleted: active/CVE-2007-1497
===================================================================
--- active/CVE-2007-1497	2007-06-21 12:58:24 UTC (rev 864)
+++ active/CVE-2007-1497	2007-06-21 12:58:59 UTC (rev 865)
@@ -1,28 +0,0 @@
-Candidate: CVE-2007-1497
-References: 
- http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.20.y.git;a=commit;h=868f0120e0f93d070ea7f3e969c09dbab8ad7bc7 
-Description: 
- The individual fragments of a packet reassembled by conntrack have
- the conntrack reference from the reassembled packet attached, but
- nfctinfo is not copied. This leaves it initialized to 0, which
- unfortunately is the value of IP_CT_ESTABLISHED.
- The result is that all IPv6 fragments are tracked as ESTABLISHED,
- allowing them to bypass a usual ruleset which accepts ESTABLISHED
- packets early.
-Ubuntu-Description: 
- The connection tracking module for IPv6 did not properly handle some
- the status field when reassembling fragmented packets, so that the
- final packet always had the 'established' state. A remote attacker
- could exploit this to bypass intended firewall rules.
-Notes: 
- dannf> code didn't exist in 2.4
- jmm> code didn't exist in 2.6.8
-Bugs: 
-upstream: released (2.6.20.3, 2.6.21)
-linux-2.6: released (2.6.20-1)
-2.6.18-etch-security: released (2.6.18.dfsg.1-12etch2) [bugfix/nf_conntrack-set-nfctinfo.patch]
-2.6.8-sarge-security: N/A
-2.4.27-sarge-security: N/A
-2.6.15-dapper-security: released (2.6.15-28.54)
-2.6.17-edgy-security: released (2.6.17.1-11.38)
-2.6.20-feisty-security: N/A
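Review bot: the Log line reads "retire CVE-2007-1407", but the entries this revision moves are CVE-2007-1388 and CVE-2007-1497; the commit message should name the identifiers actually retired, since the tracker history is searched by CVE id. Note also that the Added/Removed summary removes only active/CVE-2007-1497 while adding retired/CVE-2007-1388 (copied from rev 862): if active/CVE-2007-1388 was not already deleted in rev 863 or 864, the entry now exists under both active/ and retired/ and needs a follow-up removal.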

Copied: retired/CVE-2007-1388 (from rev 862, active/CVE-2007-1388)
===================================================================
--- retired/CVE-2007-1388	                        (rev 0)
+++ retired/CVE-2007-1388	2007-06-21 12:58:59 UTC (rev 865)
@@ -0,0 +1,28 @@
+Candidate: CVE-2007-1388
+References: 
+ http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.20.y.git;a=commit;h=4cabf6ba5496bc4a5a59871693145880b240b07b
+ http://bugzilla.kernel.org/show_bug.cgi?id=8155
+Description: 
+ The do_ipv6_setsockopt function in net/ipv6/ipv6_sockglue.c in Linux kernel
+ 2.6.17, and possibly other versions, allows local users to cause a denial of
+ service (oops) by calling setsockopt with the IPV6_RTHDR option name and
+ possibly a zero option length or invalid option value, which triggers a NULL
+ pointer dereference.
+Ubuntu-Description: 
+ Gabriel Campana discovered that the do_ipv6_setsockopt() function did
+ not sufficiently verifiy option values for IPV6_RTHDR. A local
+ attacker could exploit this to trigger a kernel crash.
+Notes: 
+ dannf> Reproducer in the RH bug doesn't work on debian as-is - you need
+        to use a hardcoded '57' instead of IPV6_RTHDR. That allows you
+        to trigger an oops on unpatched 2.6.18-era kernels, but it is not
+        reproducible in 2.4.27/2.6.8
+Bugs: 
+upstream: released (2.6.21-rc4)
+linux-2.6: released (2.6.21-1)
+2.6.18-etch-security: released (2.6.18.dfsg.1-12) [bugfix/ipv6_getsockopt_sticky-null-opt.patch]
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.6.15-dapper-security: released (2.6.15-28.54)
+2.6.17-edgy-security: released (2.6.17.1-11.38)
+2.6.20-feisty-security: released (2.6.20-16.28)
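Review bot: the dannf note refers to a reproducer "in the RH bug", but the References list only the linux-2.6.20.y stable commit and kernel.org bugzilla 8155; add the Red Hat bugzilla URL so the reproducer the triage relied on can be located. Related: the upstream line gives only 2.6.21-rc4 while the cited commit comes from the 2.6.20.y stable tree, so the 2.6.20.x point release that carried the fix should be listed too (the CVE-2007-1497 entry does this with "2.6.20.3, 2.6.21"). Nit: "verifiy" in the Ubuntu-Description.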

Copied: retired/CVE-2007-1497 (from rev 864, active/CVE-2007-1497)
===================================================================
--- retired/CVE-2007-1497	                        (rev 0)
+++ retired/CVE-2007-1497	2007-06-21 12:58:59 UTC (rev 865)
@@ -0,0 +1,28 @@
+Candidate: CVE-2007-1497
+References: 
+ http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.20.y.git;a=commit;h=868f0120e0f93d070ea7f3e969c09dbab8ad7bc7 
+Description: 
+ The individual fragments of a packet reassembled by conntrack have
+ the conntrack reference from the reassembled packet attached, but
+ nfctinfo is not copied. This leaves it initialized to 0, which
+ unfortunately is the value of IP_CT_ESTABLISHED.
+ The result is that all IPv6 fragments are tracked as ESTABLISHED,
+ allowing them to bypass a usual ruleset which accepts ESTABLISHED
+ packets early.
+Ubuntu-Description: 
+ The connection tracking module for IPv6 did not properly handle some
+ the status field when reassembling fragmented packets, so that the
+ final packet always had the 'established' state. A remote attacker
+ could exploit this to bypass intended firewall rules.
+Notes: 
+ dannf> code didn't exist in 2.4
+ jmm> code didn't exist in 2.6.8
+Bugs: 
+upstream: released (2.6.20.3, 2.6.21)
+linux-2.6: released (2.6.20-1)
+2.6.18-etch-security: released (2.6.18.dfsg.1-12etch2) [bugfix/nf_conntrack-set-nfctinfo.patch]
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.6.15-dapper-security: released (2.6.15-28.54)
+2.6.17-edgy-security: released (2.6.17.1-11.38)
+2.6.20-feisty-security: N/A
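Review bot: the "2.6.20-feisty-security: N/A" line looks inconsistent with the rest of the entry. N/A is used here for trees where the code did not exist (2.4.27 and 2.6.8, per the notes), but the affected nf_conntrack IPv6 fragment handling is present in 2.6.15 and 2.6.17 (both marked released) and upstream fixed it only in 2.6.20.3, so a 2.6.20-based feisty kernel either needed the fix (state should be "released (version)" or "needed") or already shipped 2.6.20.3 or later, in which case the entry should record that rather than N/A. Nit: "did not properly handle some the status field" in the Ubuntu-Description reads as a dropped word.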
