Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 459124 (CVE-2013-1763) - Kernel : sock_diag: out-of-bounds access to sock_diag_handlers[] (CVE-2013-1763)
Summary: Kernel : sock_diag: out-of-bounds access to sock_diag_handlers[] (CVE-2013-1763)
Status: RESOLVED OBSOLETE
Alias: CVE-2013-1763
Product: Gentoo Security
Classification: Unclassified
Component: Kernel (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Kernel Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard:
Keywords:
Depends on: 459810 459812 460126
Blocks:
  Show dependency tree
 
Reported: 2013-02-25 09:54 UTC by Agostino Sarubbo
Modified: 2018-04-04 18:35 UTC (History)
6 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-02-25 09:54:25 UTC
From $URL :

Description:
An unprivileged user can send a netlink message resulting in an out-of-bounds access of the 
sock_diag_handlers[] array which, in turn, allows userland to take over control while in kernel 
mode.

References:
http://seclists.org/oss-sec/2013/q1/420
http://thread.gmane.org/gmane.linux.network/260061

Upstream fix:
http://thread.gmane.org/gmane.linux.network/260061
Comment 1 Anthony Basile gentoo-dev 2013-02-26 15:28:51 UTC
hardened-sources-3.7.5-r1 has this patch and will be rapid stabilize to replace 3.7.5
Comment 2 Richard Yao (RETIRED) gentoo-dev 2013-02-28 17:57:48 UTC
gregkh has tagged kernels 3.4.34, 3.7.10 and 3.8.1. Each one has the patch.

3.3.y, 3.5.7 and 3.6.7 appear to be end-of-life and have not had the patch backported. We probably should remove affected ebuilds from the tree.
Comment 3 Tom Wijsman (TomWij) (RETIRED) gentoo-dev 2013-03-01 19:40:47 UTC
Tagged kernels have been introduced and fast track stabilized such that stable users get a proper upgrade (thank you ago and jer), affected versions have been removed (thank you ago) now that most of the fast track stabilization has finished.
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2018-04-04 18:35:05 UTC
There are no longer any 2.x or <3.8.1 kernels available in the repository with the exception of sys-kernel/xbox-sources which is unsupported by security.