Bug 266308 (CVE-2009-1265)

Corrected Status Whiteboard. It seems that nist.gov cannot be relied upon to disseminate accurate information in terms of affected versions; 2.6.24.4 is not the earliest affected version as the patch applies to 2.6.24 and 2.6.23 (I couldn't be bothered to go back any further). Of course, it may be that the bug hasn't existed since 2.6.0 but I would suggest that is best to assume that it has unless definitively proven otherwise, hence the reference to "<2.6.27.22" - the earliest stable release to contain the patch. This, and the rest, was determined by grepping the upstream ChangeLogs.

Is there a patch for the 2.4 kernel on this bug?

Is there a patch for the 2.4 kernel on this bug?

Comment 4 Mike Pagano 2010-07-07 16:41:06 UTC

(In reply to comment #3)
> Is there a patch for the 2.4 kernel on this bug?
> 

yes

http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.4.37.y.git;a=commitdiff;h=f4f44a112f92ce8a9d0fa283050ce2dc28162657

(In reply to comment #0)
> CVE-2009-1265 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1265):
>   Integer overflow in rose_sendmsg (sys/net/af_rose.c) in the Linux
>   kernel 2.6.24.4, and other versions before 2.6.30-rc1, might allow
>   remote attackers to obtain sensitive information via a large length
>   value, which causes "garbage" memory to be sent.
> 

What object file does the patch show up in?

Comment 7 Alex Legler (RETIRED) 2010-07-15 16:40:01 UTC

(In reply to comment #6)
> What object file does the patch show up in?

Such questions do not belong here. Please consult a kernel-related mailing list or forum.