[kernel] r6327 - patch-tracking

Moritz Muehlenhoff jmm-guest at costa.debian.org
Tue Mar 28 21:49:14 UTC 2006


Author: jmm-guest
Date: Tue Mar 28 21:49:14 2006
New Revision: 6327

Added:
   patch-tracking/CVE-2006-1242
Log:
new issue


Added: patch-tracking/CVE-2006-1242
==============================================================================
--- (empty file)
+++ patch-tracking/CVE-2006-1242	Tue Mar 28 21:49:14 2006
@@ -0,0 +1,37 @@
+Candidate: CVE-2006-1242
+References: 
+http://www.kernel.org/git/gitweb.cgi?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=1a55d57b107c3e06935763905dc0fb235214569d
+Description: 
+ [TCP]: Do not use inet->id of global tcp_socket when sending RST.
+ . 
+ The problem is in ip_push_pending_frames(), which uses:
+ .          if (!df) {
+ .                  __ip_select_ident(iph, &rt->u.dst, 0);
+ .          } else {
+ .                  iph->id = htons(inet->id++);
+ .          }
+ .
+ instead of ip_select_ident().
+ .
+ Right now I think the code is a nonsense. Most likely, I copied it from
+ old ip_build_xmit(), where it was really special, we had to decide
+ whether to generate unique ID when generating the first (well, the last)
+ fragment.
+ .
+ In ip_push_pending_frames() it does not make sense, it should use plain
+ ip_select_ident() instead.
+Notes: 
+ jmm> 2.4 doesn't seem to be affected, but I'd prefer a second look before
+ jmm> marking it N/A
+Bugs: 
+upstream: released (2.6.16.1)
+linux-2.6: released (2.6.16-4)
+2.6.8-sarge-security: needed
+2.4.27-sarge-security: 
+2.4.27:
+2.4.19-woody-security: 
+2.4.18-woody-security: 
+2.4.17-woody-security: 
+2.4.16-woody-security: 
+2.4.17-woody-security-hppa: 
+2.4.17-woody-security-ia64: 
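Review bot: The Description never states the security impact that earned the CVE; from "[TCP]: Do not use inet->id of global tcp_socket when sending RST." down to "ip_select_ident() instead." it is the upstream commit message pasted as-is. The first-person lines ("Right now I think the code is a nonsense. Most likely, I copied it from old ip_build_xmit()") therefore read as if the tracker author wrote them. Suggest opening the Description with one sentence on what the inet->id reuse exposes and marking the rest as quoted from the commit listed under References. A smaller style point: the URL under "References:" starts in the first column, while the continuation lines under Description and Notes are indented by one space; indent it the same way so the field layout is consistent.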


