A recent exploit has been detected in net/ipv4/netfilter/ip_tables.c in version 2.6 kernels. Version 2.4 kernels and below are not affected. As noted in the URL: char opt[60 - sizeof(struct tcphdr)]; is the exploitable code. Being cast to a character, anything over ASCII value 127 (the last character of the standard ASCII table) would be cast to a negative number, causing a possible infinite loop and an unresponsive system. A patch has already been made available by Adam Osuchowski and Tomasz Dubinski, who also discovered the exploit.

Reproducible: Always

Steps to Reproduce:
1.
2.
3.
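To make the report's point concrete, here is an added illustration (not code from the report, the patch, or the kernel): an option-scanning loop in the shape the report describes, where the buffer element type can be chosen. With a signed element type a length byte of 0x80 or above reads as negative and the index stops advancing, which is the condition that would spin forever; with unsigned char the scan always terminates. The scan returns -1 instead of looping so it can be run; the sample option bytes are constructed.

```c
#include <stdio.h>
#include <string.h>

#define TCP_OPT_MAX 40 /* 60 - sizeof(struct tcphdr), as quoted in the report */

/* Scan a TCP options block for option kind `want`.  Returns 1 if found, 0 if
 * not, and -1 if the index would not move forward (the "possible infinite
 * loop" of the report; returning keeps this demo runnable).  signed_buf=1
 * models plain char, which is signed on x86; 0 models the unsigned fix.
 * This loop is an assumed model of the defect, not the kernel's code. */
static int find_option(const unsigned char *data, int optlen,
                       unsigned char want, int signed_buf)
{
    signed char   sbuf[TCP_OPT_MAX];
    unsigned char ubuf[TCP_OPT_MAX];
    int i;

    if (optlen < 0 || optlen > TCP_OPT_MAX)
        return -1;
    memcpy(sbuf, data, optlen);
    memcpy(ubuf, data, optlen);

    for (i = 0; i >= 0 && i < optlen; ) {
        int kind = signed_buf ? (int)sbuf[i] : (int)ubuf[i];
        int len  = 1;                  /* a zero length byte is stepped over as 1 */
        if (kind == (int)want)
            return 1;
        if (kind < 2) {                /* EOL (0) or NOP (1): single-byte options */
            i++;
            continue;
        }
        if (i + 1 < optlen) {
            int l = signed_buf ? (int)sbuf[i + 1] : (int)ubuf[i + 1];
            if (l != 0)
                len = l;
        }
        if (len < 0)                   /* length byte >= 0x80 became negative */
            return -1;
        i += len;
    }
    return 0;
}

/* Constructed sample: MSS (kind 2, len 4), a NOP, then a kind-3 option whose
 * length byte is 0x80 (128), followed by padding. */
static const unsigned char crafted[] = { 2, 4, 0x05, 0xb4, 1, 3, 0x80, 0, 0 };

int main(void)
{
    int n = (int)sizeof crafted;
    printf("signed scan for kind 4:   %d (-1 = no forward progress)\n", find_option(crafted, n, 4, 1));
    printf("unsigned scan for kind 4: %d\n", find_option(crafted, n, 4, 0));
    return 0;
}
```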
Created attachment 34501 [details, diff] Kernel 2.6 iptables patch
OK, I've patched everything 2.6-based in Portage, and I'm now CCing the following who maintain external kernel sources: gentoo-dev-sources: CCing gregkh. hardened-dev-sources: CCing tseng. hppa-dev-sources: CCing gmsoft. mips-sources: CCing `Kumba. pegasos-dev-sources: CCing dholm. rsbac-dev-sources: CCing kang. ppc64-sources: CCing tgall.
What packages are 2.6 based in the portage tree that you fixed already? I'll go roll g-d-s with this patch and a few others in a few hours...
rsbac-dev-sources has now been fixed.
gentoo-dev-sources is now fixed with this patch (well, a whitespace-fixed-up one).
*** Bug 55776 has been marked as a duplicate of this bug. ***
CAN-2004-0626 has been assigned to this bug.
*** Bug 55809 has been marked as a duplicate of this bug. ***
Added to mips-sources
I committed a fix yesterday, removing CC.
pegasos-dev-sources fixed
Finally fixed on hppa. Sorry for the delay.
I've now moved ppc64 to use gentoo-dev-sources with the rest of the crowd. Use of ppc64-sources will be officially deprecated this evening.
Yeah, thanks Tom, that's one less kernel package we have to worry about now :)
Looks like all sources have been fixed (?) Then it's ready for GLSA.
Waiting for ppc64-sources to disappear from portage
GLSA 200407-12.