Bug 127162 - Linux Kernel Netfilter do_replace() Local Buffer Overflow Vulnerability (CVE-2006-0038)
Bug#: 127162 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: major Priority: P2
Resolution: INVALID Assigned To: security@gentoo.org Reported By: christian@bricart.de
Component: Kernel
URL:  http://www.securityfocus.com/bid/17178/info
Summary: Linux Kernel Netfilter do_replace() Local Buffer Overflow Vulnerability (CVE-2006-0038)
Keywords:  
Status Whiteboard: 
Opened: 2006-03-22 02:13 0000
Description:   Opened: 2006-03-22 02:13 0000 
Quoting SecurityFocus:

The Linux kernel is susceptible to a remote buffer-overflow vulnerability. This
issue is due to the kernel's failure to properly bounds-check user-supplied
input before using it in a memory copy operation.

This issue allows remote attackers to overwrite kernel memory with arbitrary
data, potentially allowing them to execute malicious machine code in the
context of affected kernels. This vulnerability facilitates the complete
compromise of affected computers.

Linux kernel versions prior to 2.6.16 in the 2.6 series are affected by this
issue.

------- Comment #1 From Christian Bricart 2006-03-22 03:36:51 0000 ------- 
Harald Welte (netfilter core team) commented on this:
http://www.mail-archive.com/netfilter-announce@lists.netfilter.org/msg00059.html

It seems that the bug is NOT remote exploitable.
So I removed "remote" from summary and decreased serverity to "major"

------- Comment #2 From Tim Yamin (RETIRED) 2006-03-27 13:16:04 0000 ------- 
This might affect openvz-sources/vserver-sources; maintainers please confirm...
No security risk otherwise.

------- Comment #3 From Tim Yamin (RETIRED) 2006-03-27 13:28:39 0000 ------- 
*** Bug 127216 has been marked as a duplicate of this bug. ***

------- Comment #4 From Benedikt Böhm 2006-03-29 07:02:24 0000 ------- 
regarding vserver only those guests with CAP_NET_ADMIN might be affected which
is off by default.

regarding openvz as per upstream it is not an issue

------- Comment #5 From Tim Yamin (RETIRED) 2006-04-15 13:14:02 0000 ------- 
@hollow: Understood, can you please patch the 2.6.15 series for this issue? Or
possibly send the 2.6.16 series to stable.

Thanks!

------- Comment #6 From Tim Yamin (RETIRED) 2006-04-16 10:59:07 0000 ------- 
Upon further inspection with phreak, vserver is not affected by this (they
implement the code themselves differently).

------- Comment #7 From Benedikt Böhm 2006-04-16 19:15:54 0000 ------- 
ok, good, since the 2.6.16 version will still take some time i'm afraid..

------- Comment #8 From Tim Yamin (RETIRED) 2006-04-17 06:41:48 0000 ------- 
openvz also not affected, so this bug can be closed :)