Package: kernel-source-2.6.8
Version: 2.6.8-16
Severity: critical
Justification: root security hole
SecurityFocus http://www.securityfocus.com/bid/14477 mentions an array index buffer overflow. In short, they suspect it can cause a denial of service attack, but aren't sure whether or not it allows code execution.

Balazs Scheidler says at http://www.mail-archive.com/netdev@vger.kernel.org/msg00520.html: "While reading through the xfrm code I've found a possible array overflow in struct sock". He goes on to suggest some patches. However, the patch at http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=a4f1bac62564049ea4718c4624b0fadc9f597c84 is in the xfrm_user file instead. I suspect this second patch that was committed will work, and checks the direction earlier in the code flow than the original email from Balazs in the first link.

The xfrm_user patch is:

--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -1350,6 +1350,9 @@ static struct xfrm_policy *xfrm_compile_
 	if (nr > XFRM_MAX_DEPTH)
 		return NULL;
 
+	if (p->dir > XFRM_POLICY_OUT)
+		return NULL;
+
 	xp = xfrm_policy_alloc(GFP_KERNEL);
 	if (xp == NULL) {
 		*dir = -ENOBUFS;

On another note, when I'm looking at bugs like this, and I haven't found them in the bug tracking database, should I be putting them against just kernel-source-2.6.8, or against kernel-source-2.6.11 as well, or is there a generic kernel-source-2.6 package?

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686-smp
Locale: LANG=en_AU, LC_CTYPE=en_AU (charmap=ISO-8859-1)

Versions of packages kernel-source-2.6.8 depends on:
ii  binutils               2.15-6   The GNU assembler, linker and bina
ii  bzip2                  1.0.2-7  high-quality block-sorting file co
ii  coreutils [fileutils]  5.2.1-2  The GNU core utilities

-- no debconf information
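Review bot: the new `if (p->dir > XFRM_POLICY_OUT)` guard in the hunk above returns NULL without touching `*dir`, exactly like the `nr > XFRM_MAX_DEPTH` check before it, while only the allocation-failure path writes `*dir = -ENOBUFS`; callers must therefore treat a NULL return as failure on its own and not read `*dir` to learn why. Placing the check ahead of `xfrm_policy_alloc(GFP_KERNEL)` is the right spot, since nothing has been allocated yet and the reject path needs no cleanup. A one-line comment saying why XFRM_POLICY_OUT is the upper bound (the direction is used as an index into the struct sock array Balazs describes, which has only IN and OUT slots) would spare the next reader a trip through the headers.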
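To make the "array index overflow" concrete, here is an added example that is not from the bug report or the kernel tree: a user-space model of the per-socket policy array, the direction check the patch adds, and a layout-only calculation of how far past the array an unchecked index would reach. struct sock_model and its field names are constructed stand-ins, not the kernel's struct sock.

```c
/* Added example, not from the bug report or the kernel: a user-space
 * model of the sk_policy index that the xfrm_user.c patch bounds-checks.
 * struct sock_model and its field names are constructed stand-ins. */
#include <stddef.h>
#include <stdio.h>

enum { XFRM_POLICY_IN = 0, XFRM_POLICY_OUT = 1, XFRM_POLICY_MAX = 2 };

struct xfrm_policy;                 /* opaque here, as it is to userspace */

struct sock_model {                 /* constructed stand-in for struct sock */
	struct xfrm_policy *sk_policy[XFRM_POLICY_MAX];
	long sk_neighbour;          /* whatever happens to follow the array */
};

/* The test the patch adds: p->dir is a single byte supplied by userspace
 * and is only usable as an index when it is XFRM_POLICY_IN or _OUT. */
static int dir_is_valid(unsigned int dir)
{
	return dir <= XFRM_POLICY_OUT;
}

/* Checked lookup: NULL instead of an out-of-range index. */
static struct xfrm_policy **sk_policy_slot(struct sock_model *sk, unsigned int dir)
{
	return dir_is_valid(dir) ? &sk->sk_policy[dir] : NULL;
}

/* Bytes an unchecked sk_policy[dir] store would land past the array,
 * derived from the layout only; no out-of-bounds access is performed. */
static size_t overshoot_bytes(unsigned int dir)
{
	size_t slot_end = ((size_t)dir + 1) * sizeof(struct xfrm_policy *);
	size_t array_len = sizeof(((struct sock_model *)0)->sk_policy);
	return slot_end <= array_len ? 0 : slot_end - array_len;
}

/* Same question asked of a zeroed model, for callers without a struct. */
static int lookup_accepted(unsigned int dir)
{
	struct sock_model sk = { { 0, 0 }, 0 };
	return sk_policy_slot(&sk, dir) != NULL;
}

int main(void)
{
	unsigned int dirs[] = { 0, 1, 2, 255 };   /* 255 = largest 8-bit dir */
	for (size_t i = 0; i < sizeof dirs / sizeof dirs[0]; i++)
		printf("dir=%3u accepted=%d overshoot=%zu bytes\n", dirs[i],
		       lookup_accepted(dirs[i]), overshoot_bytes(dirs[i]));
	return 0;
}
```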