Bug#: 249729
Status: NEW
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Stefan Behte <craig@gentoo.org>

Description:   Opened: 2008-12-03 20:27 0000
CVE-2008-5300 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5300):
  Linux kernel 2.6.28 allows local users to cause a denial of service
  ("soft lockup" and process loss) via a large number of sendmsg
  function calls, which does not block during AF_UNIX garbage
  collection and triggers an OOM condition, a different vulnerability
  than CVE-2008-5029.

------- Comment #1 From Stefan Behte 2008-12-03 20:34:17 0000 -------
Also see:

http://marc.info/?l=linux-netdev;m=122721862313564;w=2

------- Comment #2 From Bruno Buss 2008-12-05 12:18:26 0000 -------
This is the fix:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=5f23b734963ec7eaa3ebcd9050da0c9b7d143dd3

It's in 2.6.27.8, which is in the stable review cycle.
It's not in 2.6.28-rc7, but will be in 2.6.28-rc8 as it's already in Linus'
tree.


Security Focus says that there are a lot of vulnerable versions:
http://www.securityfocus.com/bid/32516/info

I think when 2.6.27.8 is released, genpatches will be updated and then
gentoo-sources-2.6.27-r5 will be released.
But for 2.6.26, what will we do? Backport to genpatches and release
gentoo-sources-2.6.26-r4?

------- Comment #3 From Mathieu Segaud 2008-12-05 12:49:30 0000 -------
(In reply to comment #2)
> This is the fix:
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=5f23b734963ec7eaa3ebcd9050da0c9b7d143dd3
> 
> It's in 2.6.27.8, which is in the stable review cycle.
> It's not in 2.6.28-rc7, but will be in 2.6.28-rc8 as it's already in Linus'
> tree.
> 
> 
> Security Focus says that there are a lot of vulnerable versions:
> http://www.securityfocus.com/bid/32516/info
> 
> I think when 2.6.27.8 is released, genpatches will be updated and then
> gentoo-sources-2.6.27-r5 will be released.
> But for 2.6.26, what will we do? Backport to genpatches and release
> gentoo-sources-2.6.26-r4?

No need to backport; the diff applies cleanly, builds fine and runs cool here.
I tried the experiment that triggered the DoS as described here:
http://marc.info/?l=linux-netdev&m=122721862313564&w=2#1 and was unable to
trigger any OOM condition or soft lockups.
I suggest the diff be added to genpatches as is, and release 2.6.26-r4 as you
proposed it.
