http://securitytracker.com/alerts/2008/Jun/1020211.html
http://securitytracker.com/alerts/2008/Jun/1020210.html

Sorry if this is a dup, I searched for: ALL sys-kernel ALL gentoo-sources and didn't find it, which seems strange to me. If this was already filed, please tell me how I could have found it so that I don't spam you in the future.
Adding hardened@, trying to populate whiteboard (security, please review ;)).
The CIFS/snmp issue is already tracked in bug 225461. Leaving this bug open to track the DCCP issue (first URL).
Christian, thanks for setting the whiteboard. Craig, please search for bugs in the Gentoo Security product, Kernel component. We do not track bugs marked as "gentoo-sources".
The patch Debian added looks like this: --- linux-2.6-2.6.18.dfsg.1.orig/debian/patches/bugfix/dccp-feature-length-check.patch +++ linux-2.6-2.6.18.dfsg.1/debian/patches/bugfix/dccp-feature-length-check.patch @@ -0,0 +1,15 @@ +diff -urpN linux-source-2.6.18.orig/net/dccp/feat.c linux-source-2.6.18/net/dccp/feat.c +--- linux-source-2.6.18.orig/net/dccp/feat.c 2006-09-19 21:42:06.000000000 -0600 ++++ linux-source-2.6.18/net/dccp/feat.c 2008-06-05 19:57:08.000000000 -0600 +@@ -25,6 +25,11 @@ int dccp_feat_change(struct dccp_minisoc + + dccp_pr_debug("feat change type=%d feat=%d\n", type, feature); + ++ if (len > 3) { ++ if (net_ratelimit()) ++ printk("%s: invalid length %d\n", __func__, len); ++ return -EINVAL; ++ } + /* XXX sanity check feat change request */ + + /* check if that feature is already being negotiated */ A similar code path is in Linux mainline since this commit: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blobdiff;f=net/dccp/feat.c;h=084744e624d3fc874d74b7acecc9511140f9ed42;hp=5ebdd86c1b99f34ae2c86c36e8cbda2b23fed0cc;hb=dd6303df095d18b0c524a76a42f57bcc679b2039;hpb=af3b867e2f6b72422bc7aacb1f1e26f47a9649bc It seems there was a length check even before that, but I have no time to look into this right now. Kernel team, can you confirm this?
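Review bot: the new `if (len > 3)` test in dccp_feat_change() uses a bare constant, with no comment or named macro saying why 3 is the largest acceptable length, so a reader cannot tell what buffer or field the bound protects; a named constant or a one-line comment next to the check would make it auditable. The printk() in the same block carries no KERN_* log level, so the message is logged at the default level; adding an explicit level such as KERN_WARNING before the format string would be more consistent with a rate-limited warning. The "XXX sanity check feat change request" comment directly below the added lines is left unchanged; if this length test is meant to be that sanity check, or only part of it, the comment should say so.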
Please don't close security bugs.
We've got hardened-sources 2.6.25-r13.