Bug 133465 - Kernel: netfilter do_add_counters race (CVE-2006-0039)
Not sure wether we already fixed this one or was unaffected. Filing to be sure:
Solar Designer found a race condition in do_add_counters(). The beginning of
paddc is supposed to be the same as tmp which was sanity-checked above, but it
might not be the same in reality. In case the integer overflow and/or the race
condition are triggered, paddc->num_counters might not match the allocation
size
for paddc. If the check below (t->private->number != paddc->num_counters)
nevertheless passes (perhaps this requires the race condition to be triggered),
IPT_ENTRY_ITERATE() would read kernel memory beyond the allocation size,
potentially leaking sensitive data (e.g., passwords from host system or from
another VPS) via counter increments.
Fixed in genpatches-2.6.16-10 (gentoo-sources-2.6.16-r8)
P.S. The patch you linked to is not the complete fix
2.6.16.17 has the full fix along with some more SCTP goodies.
Maintainers please bump to genpatches-2.6.16-10 or 2.6.16.18:
hardened-sources-2.6: johnm, hardened herd
hppa-sources-2.6: GMSoft
rsbac-sources-2.6: kang
sh-sources-2.6: vapier
suspend2-sources-2.6: brix
usermode-sources-2.6: dang
xbox-sources-2.6: chrb, gimli
xen-sources-2.6: chrb, agriffis
hppa-sources-2.6.16.18-pa11 in the tree.
Fixed in sys-kernel/suspend2-sources-2.6.16-r7.
usermode bumped to 2.6.16-r1
All fixed, closing. vapier please bump sh-sources.
