Bugzilla Bug 55694

A recent exploit has been detected in net/ipv4/netfilter/ip_tables.c in version
2.6 kernels.

Version 2.4 kernels and below are not affected.  As noted in the url:

char opt[60 - sizeof(struct tcphdr)];

is the exploitable code.  Being cast to a character, anything over ascii value
127 (the last character of the standard ascii table) would be cast to a
negative number, causing a possible infinite loop and an unresponsive system.

A patch has already been made avaliable by Adam Osuchowski
and Tomasz Dubinski, who also discovered the exploit.

Reproducible: Always
Steps to Reproduce:
1.
2.
3.

Created an attachment (id=34501) [edit]
Kernel 2.6 iptables patch

OK, I've patched everything 2.6-based in Portage, and I'm now CCing the
following who maintain external kernel sources:

gentoo-dev-sources: CCing gregkh.
hardened-dev-sources: CCing tseng.
hppa-dev-sources: CCing gmsoft.
mips-sources: CCing `Kumba.
pegasos-dev-sources: CCing dholm.
rsbac-dev-sources: CCing kang.
ppc64-sources: CCing tgall.

What packages are 2.6 based in the portage tree that you fixed already?

I'll go roll g-d-s with this patch and a few others in a few hours...

rsbac-dev-sources has now been fixed.

gentoo-dev-sources is now fixed with this patch (well a whitespace fixed up
one)

*** Bug 55776 has been marked as a duplicate of this bug. ***

CAN-2004-0626 has been assigned to this bug.

*** Bug 55809 has been marked as a duplicate of this bug. ***

Added to mips-sources

I commited a fix yesterday, removing CC

pegasos-dev-sources fixed

Finally fixed on hppa. Sorry for the delay.

I've now moved ppc64 to use gentoo-dev-sources with the rest of the crowd. Use
of ppc64-sources will be officially depricated this evening

Yeah, thanks Tom, that's one less kernel package we have to worry about now :)

Looks like all sources have been fixed (?)
Then it's ready for GLSA.

Waiting for ppc64-sources to disappear from portage

GLSA 200407-12.