Message-ID: <4BB2A342.2010903@redhat.com>
Date: Wed, 31 Mar 2010 09:20:02 +0800
From: Eugene Teo <eugene@...hat.com>
To: oss-security@...ts.openwall.com
CC: "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE request: kernel: ipv6: skb is unexpectedly freed (remote DoS)

On 03/31/2010 03:38 AM, Steven M. Christey wrote:
> On Mon, 29 Mar 2010, Eugene Teo wrote:
>
>> Upstream commit:
>> http://git.kernel.org/linus/fb7e2399ec17f1004c0e0ccfd17439f8759ede01
>
> I'm not clear on the role of ipv6 here. The affected code is in
> ipv4/tcp_input.c and there's no mention of tcp_v6_conn_request() there.

To trigger this issue, the server actually needs to do something like:
if (setsockopt(sockfd, IPPROTO_IPV6, IPV6_RECVPKTINFO, &on, ...)) {
on the listening socket.

tcp_rcv_state_process() is in ipv4/tcp_input.c but was called in 
net/ipv6/tcp_ipv6.c.

> I'm guessing this was fixed in Linux 2.6.20.

v2.6.20-rc6

> Arguably this could have been given a 2007 ID, but the patch didn't
> clearly label the problem as a security issue, so I will treat Eugene's
> request as the first widely-public disclosure - thus a 2010 date.
>
> Use CVE-2010-1188

Thanks, Eugene
-- 
Eugene Teo / Red Hat Security Response Team
