
Bug 209887 (CVE-2008-0177)

Summary: KAME IPComp ipcomp6_input remote DoS (CVE-2008-0177)
Product: Gentoo Security
Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Auditing
Assignee: Gentoo Security <security>
Status: RESOLVED INVALID
Severity: normal
CC: bsd+disabled
Priority: High
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.kb.cert.org/vuls/id/110947
Whiteboard:
Package list:
Runtime testing required: ---

Description Robert Buchholz (RETIRED) gentoo-dev 2008-02-12 17:53:06 UTC
CVE-2008-0177 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0177):
  The ipcomp6_input function in sys/netinet6/ipcomp_input.c in the KAME project
  before 20071201 does not properly check the return value of the m_pulldown
  function, which allows remote attackers to cause a denial of service (system
  crash) via an IPv6 packet with an IPComp header.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-02-12 17:56:42 UTC
Seems like some BSDs are vulnerable to this.
Comment 2 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-05-06 13:51:11 UTC
Is there anything to do here? BSD herd, please advise.
Comment 3 Alexis Ballier gentoo-dev 2008-05-17 20:09:30 UTC
seems we're fine:

# grep -C 3 m_pulldown /usr/src/sys/netinet6/ipcomp_input.c
		goto fail;
	}

	md = m_pulldown(m, off, sizeof(*ipcomp), NULL);
	if (!md) {
		m = NULL;	/* already freed */
		ipseclog((LOG_DEBUG, "IPv4 IPComp input: assumption failed "
--
	m = *mp;
	off = *offp;

	md = m_pulldown(m, off, sizeof(*ipcomp), NULL);
	if (!md) {
		m = NULL;	/* already freed */
		ipseclog((LOG_DEBUG, "IPv6 IPComp input: assumption failed "


and:
http://security.freebsd.org/advisories/FreeBSD-SA-08:04.ipsec.asc

which refers to:
http://security.freebsd.org/patches/SA-08:04/ipsec.patch

Index: sys/netinet6/ipcomp_input.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet6/Attic/ipcomp_input.c,v
retrieving revision 1.7.4.1
diff -u -r1.7.4.1 ipcomp_input.c
--- sys/netinet6/ipcomp_input.c	31 Jan 2005 23:26:39 -0000	1.7.4.1
+++ sys/netinet6/ipcomp_input.c	13 Feb 2008 13:44:24 -0000
@@ -258,7 +258,7 @@
 	off = *offp;
 
 	md = m_pulldown(m, off, sizeof(*ipcomp), NULL);
-	if (!m) {
+	if (!md) {
 		m = NULL;	/* already freed */
 		ipseclog((LOG_DEBUG, "IPv6 IPComp input: assumption failed "
 		    "(pulldown failure)\n"));

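Review bot: the corrected test `if (!md)` differs from the broken `if (!m)` by a single letter, and since `m` and `md` are both pointers in scope the compiler accepts either, so the same slip can come back unnoticed. A more distinct name for the m_pulldown() result, or a comment on the test stating that it is the return value being checked, would make the intent reviewable. The `/* already freed */` remark on `m = NULL;` is the only place the ownership rule is stated; a short comment above the call saying that the chain is freed on failure would explain why `m` must not be used on this path.
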

Corrected:      2008-02-14 11:49:39 UTC (RELENG_5, 5.5-STABLE)
                2008-02-14 11:50:28 UTC (RELENG_5_5, 5.5-RELEASE-p19)
CVE Name:       CVE-2008-0177


so that's only freebsd 5 :)
Comment 4 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-05-17 20:33:27 UTC
ok, so closing as INVALID. Feel free to reopen if I missed something.
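
The manual `grep -C 3 m_pulldown` check from comment 3 can be automated; the script below is an added example, not part of the original thread or of the FreeBSD/KAME sources. The names `check_pulldown` and `demo` are hypothetical, the sample input is constructed from the advisory hunk, and the matching is a heuristic that only looks at the statement directly after the call.

```shell
#!/bin/sh
# Added example (heuristic): report m_pulldown() calls whose result is
# assigned to one variable while the "if" that follows tests another.
# Handles "if (!x)" and "if (x == NULL)"; other forms are reported.

check_pulldown() {            # usage: check_pulldown FILE...
    awk '
    FNR == 1 { var = "" }     # reset state at the start of each file
    /=[ \t]*m_pulldown\(/ {
        var = $0              # reduce the line to the assigned identifier
        sub(/[ \t]*=[ \t]*m_pulldown\(.*/, "", var)
        sub(/^.*[^A-Za-z0-9_]/, "", var)
        call_line = FNR
        next
    }
    var != "" && /^[ \t]*$/ { next }   # blank lines between call and test
    var != "" {
        tested = "nothing"
        if (match($0, /if[ \t]*\(/)) {
            rest = substr($0, RSTART + RLENGTH)
            sub(/^[ \t!]*/, "", rest)
            if (match(rest, /^[A-Za-z_][A-Za-z0-9_]*/))
                tested = substr(rest, 1, RLENGTH)
        }
        if (tested != var)
            printf "%s:%d: result in %s but next statement tests %s\n", FILENAME, call_line, var, tested
        var = ""
    }
    ' "$@"
}

# Constructed sample input: the call and test from the advisory hunk,
# before ("if (!m)") and after ("if (!md)") the fix.
demo() {
    d=$(mktemp -d)
    printf '\tmd = m_pulldown(m, off, sizeof(*ipcomp), NULL);\n\tif (!m) {\n' > "$d/before.c"
    printf '\tmd = m_pulldown(m, off, sizeof(*ipcomp), NULL);\n\tif (!md) {\n' > "$d/after.c"
    (cd "$d" && check_pulldown before.c after.c)
    rm -rf "$d"
}
demo
```

On a source tree, `check_pulldown /usr/src/sys/netinet6/ipcomp_input.c` prints nothing when every call is followed by a test of its own result.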