Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 266308 (CVE-2009-1265) - Kernel: rose_sendmsg information leak (CVE-2009-1265)
Summary: Kernel: rose_sendmsg information leak (CVE-2009-1265)
Status: RESOLVED FIXED
Alias: CVE-2009-1265
Product: Gentoo Security
Classification: Unclassified
Component: Kernel (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://git.kernel.org/?p=linux/kernel...
Whiteboard: [linux <2.6.27.22] [linux >=2.6.28 <2...
Keywords:
Depends on:
Blocks:
 
Reported: 2009-04-15 21:49 UTC by Stefan Behte (RETIRED)
Modified: 2013-09-15 19:53 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Behte (RETIRED) gentoo-dev Security 2009-04-15 21:49:27 UTC
CVE-2009-1265 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1265):
  Integer overflow in rose_sendmsg (sys/net/af_rose.c) in the Linux
  kernel 2.6.24.4, and other versions before 2.6.30-rc1, might allow
  remote attackers to obtain sensitive information via a large length
  value, which causes "garbage" memory to be sent.
Comment 1 Kerin Millar 2009-07-21 22:09:18 UTC
Corrected Status Whiteboard. It seems that nist.gov cannot be relied upon to disseminate accurate information in terms of affected versions; 2.6.24.4 is not the earliest affected version as the patch applies to 2.6.24 and 2.6.23 (I couldn't be bothered to go back any further). Of course, it may be that the bug hasn't existed since 2.6.0 but I would suggest that is best to assume that it has unless definitively proven otherwise, hence the reference to "<2.6.27.22" - the earliest stable release to contain the patch. This, and the rest, was determined by grepping the upstream ChangeLogs.
Comment 2 Shahid Qamar 2010-07-07 14:13:09 UTC
Is there a patch for the 2.4 kernel on this bug?
Comment 3 Shahid Qamar 2010-07-07 14:13:58 UTC
Is there a patch for the 2.4 kernel on this bug?
Comment 4 Mike Pagano gentoo-dev 2010-07-07 16:41:06 UTC
(In reply to comment #3)
> Is there a patch for the 2.4 kernel on this bug?
> 

yes

http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.4.37.y.git;a=commitdiff;h=f4f44a112f92ce8a9d0fa283050ce2dc28162657
Comment 5 Shahid Qamar 2010-07-15 16:25:04 UTC
(In reply to comment #0)
> CVE-2009-1265 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1265):
>   Integer overflow in rose_sendmsg (sys/net/af_rose.c) in the Linux
>   kernel 2.6.24.4, and other versions before 2.6.30-rc1, might allow
>   remote attackers to obtain sensitive information via a large length
>   value, which causes "garbage" memory to be sent.
> 

Comment 6 Shahid Qamar 2010-07-15 16:26:42 UTC
What object file does the patch show up in?
Comment 7 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-07-15 16:40:01 UTC
(In reply to comment #6)
> What object file does the patch show up in?

Such questions do not belong here. Please consult a kernel-related mailing list or forum.