Summary: | Kernel: Linux 2.6.21.4 several bugfixes (CVE-2007-{2453,2875,2876}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Bernd Marienfeldt <bernd> |
Component: | Kernel | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | critical | CC: | chainsaw, fauli, jaervosz, phreak |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.20.y.git;a=commit;h=54bb290bb2bad45d45cae1399181a233ffbc487b | ||
Whiteboard: | [linux <2.6.20.13] [linux >=2.6.21 <2.6.21.4] | ||
Package list: | | Runtime testing required: | --- |
Description
Bernd Marienfeldt
2007-06-11 14:13:28 UTC
A null pointer dereference in netfilter can cause the kernel to crash when processing certain connections. This bug can be triggered remotely. In addition, as a result of a bug in the cpuset_tasks_read function, users logged onto the system can read part of the kernel memory. This may allow an attacker to access protected information. Finally, the kernel also harbours a bug which affects the way seeds for generating random numbers are generated where the system has no entropy source. This may result in applications which rely on random number generators being less secure.

This also applies to Linux 2.6.20 (bugs supposedly fixed in 2.6.20.13).

Here are the git diffs for the respective CVEs:

random: fix error in entropy extraction (CVE-2007-2453 1 of 2)
Git-ID: 602b6aeefe8932dd8bb15014e8fe6bb25d736361
http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.20.y.git;a=commitdiff;h=54bb290bb2bad45d45cae1399181a233ffbc487b
http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.21.y.git;a=commitdiff;h=374f167dfb97c1785515a0c41e32a66b414859a8

random: fix seeding with zero entropy (CVE-2007-2453 2 of 2)
Git-ID: 7f397dcdb78d699a20d96bfcfb595a2411a5bbd2
http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.20.y.git;a=commitdiff;h=f5939fcd7378c7a26cc8101dff373c90d269d769
http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.21.y.git;a=commitdiff;h=7bd369b1346bf7f15bba42ddf369fb79fe759b50

cpuset: prevent information leak in cpuset_tasks_read (CVE-2007-2875)
Git-ID: 85badbdf5120d246ce2bb3f1a7689a805f9c9006
http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.20.y.git;a=commitdiff;h=6a5357887e4ebfd9c0f472cffc58bcdf426f4cad
http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.21.y.git;a=commitdiff;h=c23e7e4c94647c2c47d2c835b21cc7d745f62d05

NETFILTER: {ip, nf}_conntrack_sctp: fix remotely triggerable NULL ptr dereference (CVE-2007-2876)
Git-ID: Not yet upstream
http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.20.y.git;a=commitdiff;h=13ad357c616a85828fa224c0876a393d1dd6f59f
http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.21.y.git;a=commitdiff;h=8c640bd0c68201dd0d71b78a07bb224973580ad3

This is fixed in 2.6.20-r9, not yet stable though.

*** Bug 185449 has been marked as a duplicate of this bug. ***

Is this bug still valid?

Newer versions which address the problem have long gone stable...so closing.

Interval chosen in a way to match all three CVEs. (CVE-2007-2453 and CVE-2007-2876 have been, respectively, backported in 2.6.16.55-rc1 and 2.6.16.53-rc1, too.)