Summary: | Kernel: DCCP DoS / remote code execution (CVE-2008-2358) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Stefan Behte (RETIRED) <craig> |
Component: | Kernel | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | major | CC: | kernel |
Priority: | High | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=c02fdc0e81e9c735d8d895af1e201b235df326d8 | | |
Whiteboard: | [linux <2.6.20] | | |
Package list: | | Runtime testing required: | --- |
Description
Stefan Behte (RETIRED)
2008-06-10 14:25:02 UTC
Adding hardened@, trying to populate whiteboard (security, please review ;)). The CIFS/snmp issue is already tracked in bug 225461. Leaving this bug open to track the DCCP issue (first URL).

Christian, thanks for setting the whiteboard. Craig, please search for bugs in the Gentoo Security product, Kernel component. We do not track bugs marked as "gentoo-sources".

The patch Debian added looks like this:

--- linux-2.6-2.6.18.dfsg.1.orig/debian/patches/bugfix/dccp-feature-length-check.patch +++ linux-2.6-2.6.18.dfsg.1/debian/patches/bugfix/dccp-feature-length-check.patch @@ -0,0 +1,15 @@ +diff -urpN linux-source-2.6.18.orig/net/dccp/feat.c linux-source-2.6.18/net/dccp/feat.c +--- linux-source-2.6.18.orig/net/dccp/feat.c 2006-09-19 21:42:06.000000000 -0600 ++++ linux-source-2.6.18/net/dccp/feat.c 2008-06-05 19:57:08.000000000 -0600 +@@ -25,6 +25,11 @@ int dccp_feat_change(struct dccp_minisoc + + dccp_pr_debug("feat change type=%d feat=%d\n", type, feature); + ++ if (len > 3) { ++ if (net_ratelimit()) ++ printk("%s: invalid length %d\n", __func__, len); ++ return -EINVAL; ++ } + /* XXX sanity check feat change request */ + + /* check if that feature is already being negotiated */

A similar code path is in Linux mainline since this commit: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blobdiff;f=net/dccp/feat.c;h=084744e624d3fc874d74b7acecc9511140f9ed42;hp=5ebdd86c1b99f34ae2c86c36e8cbda2b23fed0cc;hb=dd6303df095d18b0c524a76a42f57bcc679b2039;hpb=af3b867e2f6b72422bc7aacb1f1e26f47a9649bc It seems there was a length check even before that, but I have no time to look into this right now. Kernel team, can you confirm this?

please don't close security bugs. We've got hardened-sources 2.6.25-r13.
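Review bot: The new `if (len > 3)` guard in dccp_feat_change() uses a bare magic number and a `printk` with no log level; give the bound a name or a comment saying why 3 is the largest feature value length this code handles, and prefix the message with `KERN_WARNING` (or use the subsystem's own warning macro) so it is not logged at the default level. The `/* XXX sanity check feat change request */` comment directly below the inserted block is now partly addressed by this check and should be updated or moved so it does not read as if no validation exists. Since the hunk only shows an upper bound, it is also worth stating in the commit message whether a lower bound (a zero-length value) is rejected elsewhere on this path, because nothing in the visible lines covers it.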