First Last Prev Next    No search results available      Search page      Enter new bug
Bug#: 133465
Alias:
Product:
Component:
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Hardware:
OS:
Version:
Priority:
Severity:
Reporter: Sune Kloppenborg Jeppesen <jaervosz@gentoo.org>
Add CC:
CC:
Remove selected CCs
URL:
Summary:
Status Whiteboard:
Keywords:
Flags: Requestee:
 
 
  ()

Filename Description Type Creator Created Size Actions
Create a New Attachment (proposed patch, testcase, etc.) View All

Bug 133465 depends on: Show dependency tree
Bug 133465 blocks:

Additional Comments: (this is where you put emerge --info)


Not eligible to see or edit group visibility for this bug.






View Bug Activity   |   Format For Printing   |   XML   |   Clone This Bug

Description:   Opened: 2006-05-16 03:15 0000 
Not sure wether we already fixed this one or was unaffected. Filing to be sure:

Solar Designer found a race condition in do_add_counters(). The beginning of
paddc is supposed to be the same as tmp which was sanity-checked above, but it
might not be the same in reality. In case the integer overflow and/or the race
condition are triggered, paddc->num_counters might not match the allocation
size
for paddc. If the check below (t->private->number != paddc->num_counters)
nevertheless passes (perhaps this requires the race condition to be triggered),
IPT_ENTRY_ITERATE() would read kernel memory beyond the allocation size,
potentially leaking sensitive data (e.g., passwords from host system or from
another VPS) via counter increments.

------- Comment #1 From Tim Yamin (RETIRED) 2006-05-19 07:02:08 0000 ------- 
Dan, please add this patch to genpatches, thanks:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=191698

------- Comment #2 From Tim Yamin (RETIRED) 2006-05-19 07:03:03 0000 ------- 
Patch URL: https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=129163

------- Comment #3 From Daniel Drake 2006-05-21 08:47:53 0000 ------- 
Fixed in genpatches-2.6.16-10 (gentoo-sources-2.6.16-r8)

P.S. The patch you linked to is not the complete fix

------- Comment #4 From Tim Yamin (RETIRED) 2006-05-26 08:17:36 0000 ------- 
2.6.16.17 has the full fix along with some more SCTP goodies.

------- Comment #5 From Tim Yamin (RETIRED) 2006-05-26 08:40:35 0000 ------- 
Maintainers please bump to genpatches-2.6.16-10 or 2.6.16.18:

hardened-sources-2.6: johnm, hardened herd
hppa-sources-2.6: GMSoft
rsbac-sources-2.6: kang
sh-sources-2.6: vapier
suspend2-sources-2.6: brix
usermode-sources-2.6: dang
xbox-sources-2.6: chrb, gimli
xen-sources-2.6: chrb, agriffis

------- Comment #6 From Guy Martin 2006-05-26 09:05:39 0000 ------- 
hppa-sources-2.6.16.18-pa11 in the tree.

------- Comment #7 From Henrik Brix Andersen 2006-05-26 13:56:21 0000 ------- 
Fixed in sys-kernel/suspend2-sources-2.6.16-r7.

------- Comment #8 From Daniel Gryniewicz 2006-05-28 20:11:39 0000 ------- 
usermode bumped to 2.6.16-r1

------- Comment #9 From Tim Yamin (RETIRED) 2006-06-24 11:50:39 0000 ------- 
All fixed, closing. vapier please bump sh-sources.
First Last Prev Next    No search results available      Search page      Enter new bug