[Secure-testing-team] r8169: Fix for CVE-2009-1389 introduces denial of service issue
Ben Hutchings
ben at decadent.org.uk
Thu Jan 7 19:02:24 UTC 2010
Package: linux-2.6
Version: 2.6.32-4
Severity: serious
Tags: security
Fabian Yamaguchi made a presentation at 26C3
<http://events.ccc.de/congress/2009/Fahrplan/events/3596.en.html> which
included a bug in r8169 reintroduced by:
commit fdd7b4c3302c93f6833e338903ea77245eb510b4
Author: Eric Dumazet <eric.dumazet at gmail.com>
Date: Tue Jun 9 04:01:02 2009 -0700
r8169: fix crash when large packets are received
On some older r8169 controllers this will enable scattering on receive,
and the first word of the second and subsequent RX buffers for a frame
will wrongly be treated as a status word. This can be used for denial
of service at the very least.
There is ongoing discussion on netdev about how to fix this. In the
mean time we should get a CVE number for this.
Ben.
-- System Information:
Debian Release: squeeze/sid
APT prefers proposed-updates
APT policy: (500, 'proposed-updates'), (500, 'unstable'), (500,
'stable'), (1, 'experimental')
Architecture: i386 (x86_64)
Kernel: Linux 2.6.32-trunk-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
--
Ben Hutchings
To err is human; to really foul things up requires a computer.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 828 bytes
Desc: This is a digitally signed message part
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20100107/fbada7c9/attachment.pgp>
More information about the Secure-testing-team
mailing list