tag kernel-source-2.6.8 +pending
thanks

On Wed, Aug 10, 2005 at 02:53:07PM +1000, Geoff Crompton wrote:
> Package: kernel-source-2.6.8
> Version: 2.6.8-16
> Severity: critical
> Justification: root security hole
>
> SecurityFocus http://www.securityfocus.com/bid/14477 mentions an array index
> buffer overflow.
> In short, they suspect it can cause a denial of service attack, but
> aren't sure whether or not it allows code execution.
>
> Balaz Scheidler says at
> http://www.mail-archive.com/netdev@vger.kernel.org/msg00520.html:
> "While reading through the xfrm code I've found a possible array
> overflow in struct sock"
>
> He goes on to suggest some patches. However the patch at
> http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=a4f1bac62564049ea4718c4624b0fadc9f597c84
> is in the xfrm_user file instead.
> I suspect this second patch that was committed will work, and checks the
> direction earlier in the code flow than the original email from Balaz in
> the first link. The xfrm_user patch is:
>
> --- a/net/xfrm/xfrm_user.c
> +++ b/net/xfrm/xfrm_user.c
> @@ -1350,6 +1350,9 @@ static struct xfrm_policy *xfrm_compile_
> if (nr > XFRM_MAX_DEPTH)
> return NULL;
>
> + if (p->dir > XFRM_POLICY_OUT)
> + return NULL;
> +
> xp = xfrm_policy_alloc(GFP_KERNEL);
> if (xp == NULL) {
> *dir = -ENOBUFS;
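Review bot: the added `if (p->dir > XFRM_POLICY_OUT) return NULL;` returns a bare NULL without setting `*dir`, whereas the allocation-failure path just below reports `*dir = -ENOBUFS`; the existing `nr > XFRM_MAX_DEPTH` check also returns bare NULL, so the caller evidently treats NULL with an untouched `*dir` as a generic rejection, but a one-line comment saying so, and stating why XFRM_POLICY_OUT is the correct upper bound for the per-socket policy array the thread describes, would make the intent clear to the next reader. Placing the check before xfrm_policy_alloc() is the right choice: nothing has been allocated yet, so the reject path needs no cleanup.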
Hi Geoff,

Thanks, we became aware of this problem last week and it has been added to SVN for 2.4.27 (kernel-source-2.4.27), 2.6.8 (kernel-source-2.6.8) and 2.6.12 (linux-2.6). The latter has been released. The former are taking a while to get out the door as we are still trying to iron out some process issues relating to kernel updates for sarge.

For linux-2.6 it is bug #321401

> On another note, when I'm looking at bugs like this, and I haven't found
> them in the bug tracking database, should I be putting them against just
> kernel-source-2.6.8, or against kernel-source-2.6.11 as well, or is
> there a generic kernel-source-2.6 package?

Ok, this is pretty non-obvious, so thanks for asking. Essentially we have three kernels that are being maintained right now, and the packages you should log bugs against are kernel-source-2.4.27, kernel-source-2.6.8 and linux-2.6 (which is 2.6.12 at the moment). Older kernels, like 2.6.11, are currently being phased out and will be removed from the Debian Archive shortly, so don't bother with them.

You can see what patches have been applied by inspecting the ChangeLog in SVN.

http://svn.debian.org/wsvn/kernel/trunk/kernel/source/linux-2.6/debian/changelog?op=file&rev=0&sc=0
http://svn.debian.org/wsvn/kernel/trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog?op=file&rev=0&sc=0
http://svn.debian.org/wsvn/kernel/trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog?op=file&rev=0&sc=0

As for which package to log a bug against, or creation of duplicate bugs: to be honest it doesn't matter. If you email debian-kernel@lists.debian.org, then you should get a response, regardless of if you open a bug in the BTS or not. CCing secure-testing-team@lists.alioth.debian.org if it's a bug in testing and [EMAIL PROTECTED] if it's a bug in stable is also a good idea. When we find problems, we just fix them. The BTS is really a bit too noisy for us to use it to track bugs effectively.
Obviously this is a bit of a problem, but what I am trying to say is that adding a bug to the BTS just emails debian-kernel anyway, and security bugs sent there are acted on. So my advice is to email the addresses above, and if you want to open a bug, just open it against any of the above packages that have the vulnerability.

-- 
Horms
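As an added illustration, not code from the thread, the quoted patch, or the kernel itself, the following C program models the bounds check the patch introduces. A user-supplied direction selects a slot in a small per-socket policy array, and the check rejects any value that would index past the array. Everything here is constructed: the `XFRM_POLICY_*` numbering (assumed IN = 0, OUT = 1, FWD = 2), the two-slot `toy_sock` with a canary field placed after the array, and the helpers `validate_policy_dir`, `check_dir`, `sk_policy_insert` and `run_batch`.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel's xfrm direction values
 * (assumed numbering: IN = 0, OUT = 1, FWD = 2). */
enum { XFRM_POLICY_IN = 0, XFRM_POLICY_OUT = 1, XFRM_POLICY_FWD = 2 };

/* Assumption modelled on the "array overflow in struct sock" the thread
 * describes: the per-socket array only has room for IN and OUT. */
#define SK_POLICY_SLOTS (XFRM_POLICY_OUT + 1)

struct toy_policy { unsigned int id; };

struct toy_sock {
    struct toy_policy *sk_policy[SK_POLICY_SLOTS];
    unsigned int canary;   /* lives right after the array; must never change */
};

/* Userspace-controlled header; dir is whatever the sender put on the wire. */
struct toy_userpolicy_info { unsigned char dir; };

/* The step the patch adds: validate dir before it is ever used as an index.
 * Returns 0 for a usable direction, -EINVAL otherwise. */
int validate_policy_dir(const struct toy_userpolicy_info *p)
{
    if (p->dir > XFRM_POLICY_OUT)
        return -EINVAL;
    return 0;
}

/* Convenience wrapper for exercising validate_policy_dir with a bare value. */
int check_dir(unsigned char dir)
{
    struct toy_userpolicy_info p = { .dir = dir };
    return validate_policy_dir(&p);
}

/* Installs pol into the slot selected by p->dir. Without the validation
 * call, a dir of 2 or more would write past sk_policy[] into whatever
 * follows it (here, canary). Returns 0 on success or -EINVAL. */
int sk_policy_insert(struct toy_sock *sk, const struct toy_userpolicy_info *p,
                     struct toy_policy *pol)
{
    int err = validate_policy_dir(p);
    if (err)
        return err;
    sk->sk_policy[p->dir] = pol;
    return 0;
}

/* Feeds a constructed batch of five messages through sk_policy_insert and
 * returns how many were rejected; *canary_ok reports whether the field
 * after the array survived untouched. */
size_t run_batch(bool *canary_ok)
{
    static const unsigned char dirs[] = {
        XFRM_POLICY_IN, XFRM_POLICY_OUT, XFRM_POLICY_FWD, 0x7f, 0xff
    };
    struct toy_policy pol = { .id = 42 };
    struct toy_sock sk = { .sk_policy = { NULL, NULL }, .canary = 0xdeadbeefu };
    size_t rejected = 0;

    for (size_t i = 0; i < sizeof dirs; i++) {
        struct toy_userpolicy_info p = { .dir = dirs[i] };
        if (sk_policy_insert(&sk, &p, &pol) == -EINVAL)
            rejected++;
    }
    *canary_ok = (sk.canary == 0xdeadbeefu);
    return rejected;
}

int main(void)
{
    bool ok;
    size_t rejected = run_batch(&ok);
    printf("rejected %zu of 5 messages, canary %s\n",
           rejected, ok ? "intact" : "CORRUPTED");
    return ok ? 0 : 1;
}
```

The comparison uses `>` against the highest valid direction rather than `>=` against the array size, mirroring the patch; because `dir` is an unsigned byte, negative values cannot sneak past the check, and the canary stays intact across the whole batch.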