[kernel] r5429 - patch-tracking

Moritz Muehlenhoff jmm-guest at costa.debian.org
Fri Jan 13 14:04:48 UTC 2006


Author: jmm-guest
Date: Fri Jan 13 14:04:46 2006
New Revision: 5429

Added:
   patch-tracking/CVE-2005-4440
   patch-tracking/CVE-2005-4441
Log:
add VLAN attacks that might affect the kernel implementation


Added: patch-tracking/CVE-2005-4440
==============================================================================
--- (empty file)
+++ patch-tracking/CVE-2005-4440	Fri Jan 13 14:04:46 2006
@@ -0,0 +1,42 @@
+Candidate: CVE-2005-4440
+References: 
+ http://www.securityfocus.com/archive/1/archive/1/419831/100/0/threaded
+ http://www.securityfocus.com/archive/1/archive/1/419834/100/0/threaded
+ http://lists.grok.org.uk/pipermail/full-disclosure/2005-December/040333.html
+Description: 
+ The 802.1q VLAN protocol allows remote attackers to bypass network segmentation and spoof VLAN traffic
+ via a message with two 802.1q tags, which causes the second tag to be redirected from a downstream
+ switch after the first tag has been stripped, as demonstrated by Yersinia, aka "double-tagging VLAN
+ jumping attack."
+Notes:
+ Quoting Horms:
+ I've taken a quick look at this. I don't think that 1. (VLAN jumping) effects
+ Linux because of the following line near the bottom of vlan_skb_recv().
+ .
+ skb->protocol = __constant_htons(ETH_P_802_2);
+ .
+ I'm looking at Linus' Git tree as of this morning,
+ but I don't think there have been any relevnant changes
+ since Git began at 2.6.12-rc2.
+ .
+ This seems to imply that further processing will treat the packet
+ as an ethernet frame. Though I need to double check that it
+ can't be passed back into the vlan code. I'm doing that now,
+ but in about 15 minutes I have to leave, and I'll be on
+ leave for 6 days. At home, and possibly looking into this problem,
+ but not at my desk working sensible hours.
+ .
+ As for 2 (PVLAN jumping). I haven't looked into that yet but
+ it seems quite plausible.
+Bugs: 
+upstream: 
+linux-2.6:
+2.6.8-sarge-security: 
+2.4.27-sarge-security: 
+2.4.27:
+2.4.19-woody-security: 
+2.4.18-woody-security: 
+2.4.17-woody-security: 
+2.4.16-woody-security: 
+2.4.17-woody-security-hppa: 
+2.4.17-woody-security-ia64: 
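
Review bot: In the Notes block, Horms' quote refers to numbered items ("1. (VLAN jumping)" and "2 (PVLAN jumping)") that this file never defines, while the Description covers only the double-tagging case. Suggest either trimming the quote to the paragraphs about vlan_skb_recv() or adding a line that says what items 1 and 2 refer to, together with a pointer (date or list URL) to the quoted message, since "as of this morning" is undated here. The quote also states that the check that the frame "can't be passed back into the vlan code" was still in progress, so the per-branch status fields should stay open until that is confirmed rather than being marked unaffected on the strength of this note alone.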

Added: patch-tracking/CVE-2005-4441
==============================================================================
--- (empty file)
+++ patch-tracking/CVE-2005-4441	Fri Jan 13 14:04:46 2006
@@ -0,0 +1,38 @@
+Candidate: CVE-2005-4441
+References: 
+ http://www.securityfocus.com/archive/1/archive/1/419831/100/0/threaded
+ http://www.securityfocus.com/archive/1/archive/1/419834/100/0/threaded
+ http://lists.grok.org.uk/pipermail/full-disclosure/2005-December/040333.html
+Description: 
+Notes: 
+ Quoting Horms:
+ I've taken a quick look at this. I don't think that 1. (VLAN jumping) effects
+ Linux because of the following line near the bottom of vlan_skb_recv().
+ .
+ skb->protocol = __constant_htons(ETH_P_802_2);
+ .
+ I'm looking at Linus' Git tree as of this morning,
+ but I don't think there have been any relevnant changes
+ since Git began at 2.6.12-rc2.
+ .
+ This seems to imply that further processing will treat the packet
+ as an ethernet frame. Though I need to double check that it
+ can't be passed back into the vlan code. I'm doing that now,
+ but in about 15 minutes I have to leave, and I'll be on
+ leave for 6 days. At home, and possibly looking into this problem,
+ but not at my desk working sensible hours.
+ .
+ As for 2 (PVLAN jumping). I haven't looked into that yet but
+ it seems quite plausible.
+Bugs: 
+upstream: 
+linux-2.6:
+2.6.8-sarge-security: 
+2.4.27-sarge-security: 
+2.4.27:
+2.4.19-woody-security: 
+2.4.18-woody-security: 
+2.4.17-woody-security: 
+2.4.16-woody-security: 
+2.4.17-woody-security-hppa: 
+2.4.17-woody-security-ia64: 
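
Review bot: The Description field is left empty, so the file does not say which issue CVE-2005-4441 covers, and the Notes are a verbatim copy of the ones added to CVE-2005-4440. Suggest filling in the description and keeping only the part of Horms' quote that applies to this candidate. As written, a reader cannot tell whether the vlan_skb_recv() reasoning or the "2 (PVLAN jumping)" remark ("it seems quite plausible") is the relevant assessment for this entry.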


