| Summary: | Kernel: sendmsg() DOS during AF_UNIX GC (CVE-2008-5300) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Stefan Behte (RETIRED) <craig> |
| Component: | Kernel | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | hardened-kernel+disabled, kernel |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=5f23b734963ec7eaa3ebcd9050da0c9b7d143dd3 | | |
| Whiteboard: | [linux <2.6.27.8] | | |
| Package list: | | Runtime testing required: | --- |

Description
Stefan Behte (RETIRED)
2008-12-03 20:27:31 UTC
This is the fix:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=5f23b734963ec7eaa3ebcd9050da0c9b7d143dd3

It's in 2.6.27.8, which is in the stable review cycle. It's not in 2.6.28-rc7, but will be in 2.6.28-rc8 as it's already in Linus' tree.

Security Focus says that there are a lot of vulnerable versions:
http://www.securityfocus.com/bid/32516/info

I think when 2.6.27.8 is released, genpatches will be updated and then gentoo-sources-2.6.27-r5 will be released. But for 2.6.26, what will we do? Backport to genpatches and release gentoo-sources-2.6.26-r4?

(In reply to comment #2)
> This is the fix:
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=5f23b734963ec7eaa3ebcd9050da0c9b7d143dd3
>
> It's in 2.6.27.8, which is in the stable review cycle.
> It's not in 2.6.28-rc7, but will be in 2.6.28-rc8 as it's already in Linus'
> tree.
>
> Security Focus says that there are a lot of vulnerable versions:
> http://www.securityfocus.com/bid/32516/info
>
> I think when 2.6.27.8 is released, genpatches will be updated and then
> gentoo-sources-2.6.27-r5 will be released.
> But for 2.6.26, what will we do? Backport to genpatches and release
> gentoo-sources-2.6.26-r4?

No need to backport, the diff applies cleanly, builds fine and runs cool here. I tried the experiment that triggered the DoS as described here: http://marc.info/?l=linux-netdev&m=122721862313564&w=2#1 and was unable to trigger any OOM condition or soft lockups. I suggest the diff be added to genpatches as is, and release 2.6.26-r4 as you proposed it.