CVE-2008-5300 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5300): Linux kernel 2.6.28 allows local users to cause a denial of service ("soft lockup" and process loss) via a large number of sendmsg function calls, which does not block during AF_UNIX garbage collection and triggers an OOM condition, a different vulnerability than CVE-2008-5029.
Also see: http://marc.info/?l=linux-netdev;m=122721862313564;w=2
This is the fix: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=5f23b734963ec7eaa3ebcd9050da0c9b7d143dd3 It's in 2.6.27.8, that is in stable review cycle. It's not in 2.6.28-rc7, but will be in 2.6.28-rc8 as it's already in linus tree. Security Focus says that there is a lot of vulnerable versions: http://www.securityfocus.com/bid/32516/info I think when 2.6.27.8 is released, genpatches will be updated and then gentoo-sources-2.6.27-r5 will be released. But to 2.6.26, what we will do? Backport to genpatches and release gentoo-sources-2.6.26-r4?
(In reply to comment #2) > This is the fix: > http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=5f23b734963ec7eaa3ebcd9050da0c9b7d143dd3 > > It's in 2.6.27.8, that is in stable review cycle. > It's not in 2.6.28-rc7, but will be in 2.6.28-rc8 as it's already in linus > tree. > > > Security Focus says that there is a lot of vulnerable versions: > http://www.securityfocus.com/bid/32516/info > > I think when 2.6.27.8 is released, genpatches will be updated and then > gentoo-sources-2.6.27-r5 will be released. > But to 2.6.26, what we will do? Backport to genpatches and release > gentoo-sources-2.6.26-r4? no need to backport, the diff applies cleanly, builds fine and runs cool here. I tried the experiment that triggered the DoS as described here: http://marc.info/?l=linux-netdev&m=122721862313564&w=2#1 and was enable to trigger any OOM condition or soft lockups. I suggest the diff be added to genpatches as is, and release 2.6.26-r4 as you proposed it.
