[Secure-testing-team] Re: Bug#322273: [CAN-2005-2456]: XFRM array index buffer overflow

Horms horms at debian.org
Wed Aug 10 05:39:21 UTC 2005


tag kernel-source-2.6.8 +pending
thanks

On Wed, Aug 10, 2005 at 02:53:07PM +1000, Geoff Crompton wrote:
> Package: kernel-source-2.6.8
> Version: 2.6.8-16
> Severity: critical
> Justification: root security hole
> 
> SecurityFocus http://www.securityfocus.com/bid/14477 mentions an array index
> buffer overflow.
> In short, they suspect it can cause a denial of service attack, but
> aren't sure whether or not it allows code execution.
> 
> Balazs Scheidler says at
> http://www.mail-archive.com/netdev@vger.kernel.org/msg00520.html:
> "While reading through the xfrm code I've found a possible array
> overflow in struct sock"
> 
> He goes on to suggest some patches. However the patch at
> http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=a4f1bac62564049ea4718c4624b0fadc9f597c84
> is in the xfrm_user file instead.
> I suspect this second patch that was committed will work, and checks the
> direction earlier in the code flow than the original email from Balazs in
> the first link. The xfrm_user patch is:
> 
> --- a/net/xfrm/xfrm_user.c
> +++ b/net/xfrm/xfrm_user.c
> @@ -1350,6 +1350,9 @@ static struct xfrm_policy *xfrm_compile_
>  	if (nr > XFRM_MAX_DEPTH)
>  		return NULL;
>  
> +	if (p->dir > XFRM_POLICY_OUT)
> +		return NULL;
> +
>  	xp = xfrm_policy_alloc(GFP_KERNEL);
>  	if (xp == NULL) {
>  		*dir = -ENOBUFS;
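
Review bot: the new `p->dir > XFRM_POLICY_OUT` check returns NULL without setting `*dir` to an error code, so the caller cannot tell a rejected direction apart from the other NULL returns; the existing `nr > XFRM_MAX_DEPTH` guard has the same shape, so this is consistent with the surrounding code, but an `*dir = -EINVAL;` before the `return NULL;` (matching the `*dir = -ENOBUFS;` convention visible in the allocation-failure path) would let the rejection be reported to userspace. Placing the check before `xfrm_policy_alloc()` is right, since nothing is allocated on the rejected path. A one-line comment explaining why XFRM_POLICY_OUT is the bound (the report above describes the value being used as an index into an array in struct sock) would help the next reader see why a larger limit would be wrong.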

Hi Geoff,

Thanks, we became aware of this problem last week
and it has been added to SVN for 2.4.27 (kernel-source-2.4.27),
2.6.8 (kernel-source-2.6.8) and 2.6.12 (linux-2.6).
The latter has been released. The former are taking a while
to get out the door as we are still trying to iron out some
process issues relating to kernel updates for sarge.

For linux-2.6 it is bug #321401

> On another note, when I'm looking at bugs like this, and I haven't found
> them in the bug tracking database, should I be putting them against just
> kernel-source-2.6.8, or against kernel-source-2.6.11 as well, or is
> there a generic kernel-source-2.6 package?

Ok, this is pretty non-obvious, so thanks for asking.

Essentially we have three kernels that are being maintained right now,
and the packages you should log bugs against are kernel-source-2.4.27,
kernel-source-2.6.8 and linux-2.6 (which is 2.6.12 at the moment).
Older kernels, like 2.6.11 are currently being phased out and will
be removed from the Debian Archive shortly, so don't bother with them.

You can see what patches have been applied by inspecting the ChangeLog
in SVN.

http://svn.debian.org/wsvn/kernel/trunk/kernel/source/linux-2.6/debian/changelog?op=file&rev=0&sc=0
http://svn.debian.org/wsvn/kernel/trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog?op=file&rev=0&sc=0
http://svn.debian.org/wsvn/kernel/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog?op=file&rev=0&sc=0

As for which package to log a bug against, or the creation of duplicate bugs:
to be honest it doesn't matter. If you email
debian-kernel at lists.debian.org, then you should get a response,
regardless of if you open a bug in the BTS or not.
CCing secure-testing-team at lists.alioth.debian.org if it's a bug in testing
and team at security.debian.org if it's a bug in stable is also a good idea.

When we find problems, we just fix them. The BTS is really a bit too
noisy for us to use it to track bugs effectively. Obviously this
is a bit of a problem, but what I am trying to say is adding a bug
to the BTS just emails debian-kernel anyway, and security bugs
sent there are acted on. So my advice is to email the addresses
above, and if you want to open a bug, just open it against any
of the above packages that have the vulnerability.

-- 
Horms
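
The bounds-check pattern the upstream hunk applies, shown as an added user-space example that is not part of this thread or of the kernel tree. The struct names, the two-slot `sock_policies` table, the `POLICY_IN`/`POLICY_OUT` constants and the constructed requests are this example's own assumptions; they only mirror the fact that `dir` arrives as an unsigned 8-bit field from userspace and that the per-socket table has slots for the IN and OUT directions only:

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed stand-ins for the kernel's direction values (IN = 0, OUT = 1);
 * the names are this example's own, not the kernel's. */
enum { POLICY_IN = 0, POLICY_OUT = 1 };
#define SOCK_POLICY_SLOTS (POLICY_OUT + 1)   /* per-socket table: IN and OUT only */

/* Constructed stand-in for a per-socket policy array; not the kernel's struct sock. */
struct sock_policies {
    const char *slot[SOCK_POLICY_SLOTS];
};

/* User-supplied policy header. dir is an unsigned 8-bit field, so it can
 * carry any value 0..255 even though only 0..1 index the table validly. */
struct user_policy {
    uint8_t dir;
    const char *name;
};

/* Hardened install: validate dir before it is ever used as an index.
 * Returns 0 on success or -EINVAL for an out-of-range direction. The unchecked
 * form would be `sp->slot[p->dir] = p->name;`, which writes past the two-entry
 * array for any dir >= 2 (the bug class the report describes). */
int sock_policy_install(struct sock_policies *sp, const struct user_policy *p)
{
    if (p->dir > POLICY_OUT)        /* same shape as the upstream check */
        return -EINVAL;
    sp->slot[p->dir] = p->name;
    return 0;
}

/* Lookup with the same guard, so a bad index cannot read past the array either. */
const char *sock_policy_lookup(const struct sock_policies *sp, uint8_t dir)
{
    if (dir > POLICY_OUT)
        return NULL;
    return sp->slot[dir];
}

/* Feeds a constructed batch of requests through the install path, including
 * the out-of-range values an untrusted or buggy netlink client could send.
 * Returns how many requests were rejected so a harness can check the result. */
int run_demo(void)
{
    struct sock_policies sp;
    const struct user_policy reqs[] = {
        { POLICY_IN,  "in-policy"  },
        { POLICY_OUT, "out-policy" },
        { 2,          "one-past-the-table" },   /* constructed: first invalid index */
        { 255,        "garbage" },              /* constructed: largest u8 value */
    };
    int rejected = 0;

    memset(&sp, 0, sizeof(sp));
    for (size_t i = 0; i < sizeof(reqs) / sizeof(reqs[0]); i++) {
        int rc = sock_policy_install(&sp, &reqs[i]);
        printf("dir=%u -> %s\n", reqs[i].dir,
               rc == 0 ? "installed" : "rejected (EINVAL)");
        if (rc != 0)
            rejected++;
    }
    return rejected;
}

int main(void)
{
    /* Two of the four constructed requests must be rejected. */
    return run_demo() == 2 ? 0 : 1;
}
```

The point worth taking from the example is where the check sits: it runs before the index is used for anything, and on the reject path nothing has been allocated or modified, which is the same ordering the upstream hunk chose by placing its test ahead of `xfrm_policy_alloc()`.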