[kernel-sec-discuss] r1485 - active

Michael Gilbert gilbert-guest at alioth.debian.org
Mon Sep 14 03:51:31 UTC 2009 

Author: gilbert-guest
Date: 2009-09-14 03:51:30 +0000 (Mon, 14 Sep 2009)
New Revision: 1485

Added:
   active/CVE-2009-2903
   active/CVE-2009-3043
Removed:
   active/CVE-2009-need-to-flush-ldisc_halt
Log:
cve assigned and new issue

Added: active/CVE-2009-2903
===================================================================
--- active/CVE-2009-2903	                        (rev 0)
+++ active/CVE-2009-2903	2009-09-14 03:51:30 UTC (rev 1485)
@@ -0,0 +1,26 @@
+Candidate: CVE-2009-2903
+Description:
+ The check for the ipddpN device in the handle_ip_over_ddp() function 
+ returns -NODEV to the atalk_rcv() function when the device does not 
+ exist. The atalk_rcv() function then directly returns that value to its 
+ caller. There is a missing call to kfree_skb() in these unaccepted 
+ IP-DDP datagram that can exhaust the kernel memory eventually. It 
+ affects Linux hosts with appletalk and ipddp modules loaded, that are 
+ attached to the same link. Thanks to Mark Smith for reporting this issue 
+ to us.
+References:
+ http://git.kernel.org/?p=linux/kernel/git/davem/net-next-2.6.git;a=commit;h=ffcfb8db540ff879c2a85bf7e404954281443414
+ https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2903#c3
+ http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blob;f=Documentation/networking/ipddp.txt;h=661a5558dd8e928f15771c07ef34b3ee9cb81e57;hb=HEAD
+Ubuntu-Description:
+Notes:
+Bugs:
+upstream: pending [ffcfb8db540ff879c2a85bf7e404954281443414]
+linux-2.6:
+2.6.18-etch-security:
+2.6.24-etch-security:
+2.6.26-lenny-security:
+2.6.15-dapper-security:
+2.6.22-gutsy-security:
+2.6.24-hardy-security:
+2.6.27-intrepid-security:

Copied: active/CVE-2009-3043 (from rev 1484, active/CVE-2009-need-to-flush-ldisc_halt)
===================================================================
--- active/CVE-2009-3043	                        (rev 0)
+++ active/CVE-2009-3043	2009-09-14 03:51:30 UTC (rev 1485)
@@ -0,0 +1,29 @@
+Candidate: requested on oss-sec
+Description:
+ The tty ldisc code was rewritten to use proper reference counts (commits 
+ 65b770468e98 and cbe9352fa08f) in order to avoid a race with hangup, but 
+ it also introduced another bug that can result in various problems such 
+ as a NULL pointer dereference in run_timer_softirq() or a BUG() in 
+ worker_thread. More info in the patch.
+References:
+ http://git.kernel.org/linus/5c58ceff103d8a654f24769bb1baaf84a841b0cc
+ http://lkml.org/lkml/2009/8/20/27
+ http://lkml.org/lkml/2009/8/20/68
+ http://lkml.org/lkml/2009/8/20/21
+Ubuntu-Description:
+Notes:
+ gilbert> supposedly only affects >2.6.26.  oss-sec note says:
+   I believe this affects kernel versions greater than v2.6.26. The code in 
+   drivers/char/tty_ldisc.c was from drivers/char/tty_io.c before it was 
+   splitted into its own file in v2.6.27-rc1 (commit 01e1abb2). I did not 
+   investigate further.
+Bugs:
+upstream: pending (2.6.31) [5c58ceff103d8a654f24769bb1baaf84a841b0cc]
+linux-2.6: needed
+2.6.18-etch-security:
+2.6.24-etch-security:
+2.6.26-lenny-security:
+2.6.15-dapper-security:
+2.6.22-gutsy-security:
+2.6.24-hardy-security:
+2.6.27-intrepid-security:

Deleted: active/CVE-2009-need-to-flush-ldisc_halt
===================================================================
--- active/CVE-2009-need-to-flush-ldisc_halt	2009-09-08 21:47:13 UTC (rev 1484)
+++ active/CVE-2009-need-to-flush-ldisc_halt	2009-09-14 03:51:30 UTC (rev 1485)
@@ -1,29 +0,0 @@
-Candidate: requested on oss-sec
-Description:
- The tty ldisc code was rewritten to use proper reference counts (commits 
- 65b770468e98 and cbe9352fa08f) in order to avoid a race with hangup, but 
- it also introduced another bug that can result in various problems such 
- as a NULL pointer dereference in run_timer_softirq() or a BUG() in 
- worker_thread. More info in the patch.
-References:
- http://git.kernel.org/linus/5c58ceff103d8a654f24769bb1baaf84a841b0cc
- http://lkml.org/lkml/2009/8/20/27
- http://lkml.org/lkml/2009/8/20/68
- http://lkml.org/lkml/2009/8/20/21
-Ubuntu-Description:
-Notes:
- gilbert> supposedly only affects >2.6.26.  oss-sec note says:
-   I believe this affects kernel versions greater than v2.6.26. The code in 
-   drivers/char/tty_ldisc.c was from drivers/char/tty_io.c before it was 
-   splitted into its own file in v2.6.27-rc1 (commit 01e1abb2). I did not 
-   investigate further.
-Bugs:
-upstream: pending (2.6.31) [5c58ceff103d8a654f24769bb1baaf84a841b0cc]
-linux-2.6: needed
-2.6.18-etch-security:
-2.6.24-etch-security:
-2.6.26-lenny-security:
-2.6.15-dapper-security:
-2.6.22-gutsy-security:
-2.6.24-hardy-security:
-2.6.27-intrepid-security:

More information about the kernel-sec-discuss mailing list