From RedHat advisory: Herbert Xu reported that iproute can accept spoofed messages sent on the kernel netlink interface by other users on the local machine. This could lead to a local denial of service attack. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0856 to this issue. I'm attaching the RedHat patch. Reproducible: Always
Created attachment 21221: iproute netlink security patch
Andrea, please add this patch to iproute if it's needed and package mask older versions. Also please inform arch herds if they need to mark stable where applicable.
Unfortunately this bug is really old; I'll handle it this week.
This bug was apparently acknowledged only by RedHat. I'm attaching an updated ebuild + patch. I've tested it and it works fine. Could someone review this and commit the update? Anyway, I don't think that we need a GLSA for this.
Created attachment 28787: updated ebuild
Created attachment 28788: filesdir patch
added the patch to iproute-20010824-r5
Thanks vapier. Please everybody test the new ebuild and mark it stable when ready.
when building against 2.4 headers we see Bug 46978 ... i'm tracking it down now
Bug 46978 has been squashed so we can start pushing at arch maintainers ... i tested it on my x86/hppa/mips/sparc and they all worked ... could someone from ppc/alpha/amd64 test -r5 and make sure it's happy please ?
Works fine for me on ppc.
Works fine on alpha.
Stable on AMD64.
OK so we're ready for a GLSA, if one is needed. Changing product/component. -K
It's still marked unstable on ppc and alpha. btw I vote against a GLSA, any comments?
Setting component to Security as this is a vulnerability.
Marked stable on Alpha.
The vuln is 5 months old and not very severe (DoS by very determined local users, only on systems having iproute installed). I also vote against a GLSA for this one. -K
it's your call daddy-o
the bug may be old, but our arches were still vulnerable to it until just a couple days ago. Thus, I think we need to issue a GLSA for this one.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0856 As of now it's still currently under review and has no votes. Is anybody aware of any other vendors doing sec announcements for this?
GLSA 200404-10 published.
*** Bug 48290 has been marked as a duplicate of this bug. ***