Bug 683020 - <sys-apps/iproute2-4.17.0-r1: Use after free in libnetlink
Summary: <sys-apps/iproute2-4.17.0-r1: Use after free in libnetlink
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://lkml.org/lkml/2018/10/23/624
Whiteboard: A4 [noglsa]
Reported: 2019-04-10 09:35 UTC by Hanno Böck
Modified: 2019-08-17 15:53 UTC

Description Hanno Böck gentoo-dev 2019-04-10 09:35:10 UTC
iproute2 4.19.0 fixed a use after free bug.
From https://lkml.org/lkml/2018/10/23/624 :
"Vlad Buslov (1):
      libnetlink: fix use-after-free of message buf"

Unclear if there's a security risk, but UAF bug impact is hard to predict.

We had newer versions in the tree for a while, but latest stable is still vulnerable (4.17.0-r1). Can we stabilize a newer version? (Let's directly go for the latest 5.0.0?)
Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2019-04-13 08:30:31 UTC
(In reply to Hanno Boeck from comment #0)
> 
> We had newer versions in the tree for a while, but latest stable is still
> vulnerable (4.17.0-r1). Can we stabilize a newer version? (Let's directly go
> for the latest 5.0.0?)

I'd prefer to stick with LTS kernel versions which would be =iproute2-4.19.0-r1 in this case.