Bug 225757 (CVE-2008-2358) - Kernel: DCCP DoS / remote code execution (CVE-2008-2358)
Summary: Kernel: DCCP DoS / remote code execution (CVE-2008-2358)
Status: RESOLVED FIXED
Alias: CVE-2008-2358
Product: Gentoo Security
Classification: Unclassified
Component: Kernel
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: http://git.kernel.org/?p=linux/kernel...
Whiteboard: [linux <2.6.20]
Reported: 2008-06-10 14:25 UTC by Stefan Behte (RETIRED)
Modified: 2013-09-15 18:44 UTC
Description Stefan Behte (RETIRED) gentoo-dev Security 2008-06-10 14:25:02 UTC
http://securitytracker.com/alerts/2008/Jun/1020211.html
http://securitytracker.com/alerts/2008/Jun/1020210.html

Sorry if this is a dup, I searched for:
ALL sys-kernel
ALL gentoo-sources

and didn't find it, which seems strange to me. If this was already filed, please tell me how I could have found it so that I don't spam you in the future.
Comment 1 Christian Hoffmann (RETIRED) gentoo-dev 2008-06-10 14:53:00 UTC
Adding hardened@, trying to populate whiteboard (security, please review ;)).
Comment 2 Christian Hoffmann (RETIRED) gentoo-dev 2008-06-10 15:01:23 UTC
The CIFS/snmp issue is already tracked in bug 225461. Leaving this bug open to track the DCCP issue (first URL).
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-06-10 15:25:06 UTC
Christian, thanks for setting the whiteboard. Craig, please search for bugs in the Gentoo Security product, Kernel component. We do not track bugs marked as "gentoo-sources".
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-06-10 15:45:28 UTC
The patch Debian added looks like this:
--- linux-2.6-2.6.18.dfsg.1.orig/debian/patches/bugfix/dccp-feature-length-check.patch
+++ linux-2.6-2.6.18.dfsg.1/debian/patches/bugfix/dccp-feature-length-check.patch
@@ -0,0 +1,15 @@
+diff -urpN linux-source-2.6.18.orig/net/dccp/feat.c linux-source-2.6.18/net/dccp/feat.c
+--- linux-source-2.6.18.orig/net/dccp/feat.c	2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/net/dccp/feat.c	2008-06-05 19:57:08.000000000 -0600
+@@ -25,6 +25,11 @@ int dccp_feat_change(struct dccp_minisoc
+ 
+ 	dccp_pr_debug("feat change type=%d feat=%d\n", type, feature);
+ 
++	if (len > 3) {
++		if (net_ratelimit())
++			printk("%s: invalid length %d\n", __func__, len);
++		return -EINVAL;
++	}
+ 	/* XXX sanity check feat change request */
+ 
+ 	/* check if that feature is already being negotiated */
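Review bot: the bound in `if (len > 3)` is a bare constant, and nothing in the hunk says which field or buffer size it protects; name it, or add a one-line comment giving the reason for 3, so the limit can be checked against the structure it guards. The `printk("%s: invalid length %d\n", ...)` call carries no KERN_ log level, so add one such as KERN_WARNING. The `/* XXX sanity check feat change request */` line right after the new check is left unchanged; either update it to say what is still unchecked or drop it if this length test is the intended sanity check.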


A similar code path is in Linux mainline since this commit:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blobdiff;f=net/dccp/feat.c;h=084744e624d3fc874d74b7acecc9511140f9ed42;hp=5ebdd86c1b99f34ae2c86c36e8cbda2b23fed0cc;hb=dd6303df095d18b0c524a76a42f57bcc679b2039;hpb=af3b867e2f6b72422bc7aacb1f1e26f47a9649bc

It seems there was a length check even before that, but I have no time to look into this right now. Kernel team, can you confirm this?
Comment 5 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-09-20 22:02:04 UTC
Please don't close security bugs.
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2009-02-27 22:58:57 UTC
We've got hardened-sources 2.6.25-r13.