Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 225757 (CVE-2008-2358) - Kernel: DCCP DoS / remote code execution (CVE-2008-2358)
Summary: Kernel: DCCP DoS / remote code execution (CVE-2008-2358)
Alias: CVE-2008-2358
Product: Gentoo Security
Classification: Unclassified
Component: Kernel (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
Whiteboard: [linux <2.6.20]
Depends on:
Reported: 2008-06-10 14:25 UTC by Stefan Behte (RETIRED)
Modified: 2013-09-15 18:44 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Behte (RETIRED) gentoo-dev Security 2008-06-10 14:25:02 UTC

Sorry if this is a dup, I searched for:
ALL sys-kernel
ALL gentoo-sources

and didn't find it, which seems strange to me. If this was already filed, please tell me how I could have found it so that I don't spam you in the future.
Comment 1 Christian Hoffmann (RETIRED) gentoo-dev 2008-06-10 14:53:00 UTC
Adding hardened@, trying to populate whiteboard (security, please review ;)).
Comment 2 Christian Hoffmann (RETIRED) gentoo-dev 2008-06-10 15:01:23 UTC
The CIFS/snmp issue is already tracked in bug 225461. Leaving this bug open to track the DCCP issue (first URL).
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-06-10 15:25:06 UTC
Christian, thanks for setting the whiteboard. Craig, please search for bugs in the Gentoo Security product, Kernel component. We do not track bugs marked as "gentoo-sources".
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-06-10 15:45:28 UTC
The patch Debian added looks like this:
--- linux-2.6-2.6.18.dfsg.1.orig/debian/patches/bugfix/dccp-feature-length-check.patch
+++ linux-2.6-2.6.18.dfsg.1/debian/patches/bugfix/dccp-feature-length-check.patch
@@ -0,0 +1,15 @@
+diff -urpN linux-source-2.6.18.orig/net/dccp/feat.c linux-source-2.6.18/net/dccp/feat.c
+--- linux-source-2.6.18.orig/net/dccp/feat.c	2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/net/dccp/feat.c	2008-06-05 19:57:08.000000000 -0600
+@@ -25,6 +25,11 @@ int dccp_feat_change(struct dccp_minisoc
+ 	dccp_pr_debug("feat change type=%d feat=%d\n", type, feature);
++	if (len > 3) {
++		if (net_ratelimit())
++			printk("%s: invalid length %d\n", __func__, len);
++		return -EINVAL;
++	}
+ 	/* XXX sanity check feat change request */
+ 	/* check if that feature is already being negotiated */

A similar code path is in Linux mainline since this commit:;a=blobdiff;f=net/dccp/feat.c;h=084744e624d3fc874d74b7acecc9511140f9ed42;hp=5ebdd86c1b99f34ae2c86c36e8cbda2b23fed0cc;hb=dd6303df095d18b0c524a76a42f57bcc679b2039;hpb=af3b867e2f6b72422bc7aacb1f1e26f47a9649bc

It seems there was a length check even before that, but I have no time to look into this right now. Kernel team, can you confirm this?
Comment 5 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-09-20 22:02:04 UTC
please don't close security bugs.
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2009-02-27 22:58:57 UTC
We've got hardened-sources 2.6.25-r13.