author Moritz Muehlenhoff <jmm@debian.org> 2007-06-21 12:58:59 +0000
committer Moritz Muehlenhoff <jmm@debian.org> 2007-06-21 12:58:59 +0000
commit f359eab080c47c6427c82f7a5e3fed6077a46ec7 (patch)
tree 4785c537643677dc99faec6c4669a995ec9212f1 /retired/CVE-2007-1388
parent e9b19f08efe5a9dd48a98837f19e7c4bca6fe3fa (diff)
retire CVE-2007-1407
git-svn-id: svn+ssh://svn.debian.org/svn/kernel-sec@865 e094ebfe-e918-0410-adfb-c712417f3574
Diffstat (limited to 'retired/CVE-2007-1388')
-rw-r--r-- retired/CVE-2007-1388 28
1 files changed, 28 insertions, 0 deletions
diff --git a/retired/CVE-2007-1388 b/retired/CVE-2007-1388
new file mode 100644
index 00000000..592e2d89
--- /dev/null
+++ b/retired/CVE-2007-1388
@@ -0,0 +1,28 @@
+Candidate: CVE-2007-1388
+References:
+ http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.20.y.git;a=commit;h=4cabf6ba5496bc4a5a59871693145880b240b07b
+ http://bugzilla.kernel.org/show_bug.cgi?id=8155
+Description:
+ The do_ipv6_setsockopt function in net/ipv6/ipv6_sockglue.c in Linux kernel
+ 2.6.17, and possibly other versions, allows local users to cause a denial of
+ service (oops) by calling setsockopt with the IPV6_RTHDR option name and
+ possibly a zero option length or invalid option value, which triggers a NULL
+ pointer dereference.
+Ubuntu-Description:
+ Gabriel Campana discovered that the do_ipv6_setsockopt() function did
+ not sufficiently verifiy option values for IPV6_RTHDR. A local
+ attacker could exploit this to trigger a kernel crash.
+Notes:
+ dannf> Reproducer in the RH bug doesn't work on debian as-is - you need
+ to use a hardcoded '57' instead of IPV6_RTHDR. That allows you
+ to trigger an oops on unpatched 2.6.18-era kernels, but it is not
+ reproducible in 2.4.27/2.6.8
+Bugs:
+upstream: released (2.6.21-rc4)
+linux-2.6: released (2.6.21-1)
+2.6.18-etch-security: released (2.6.18.dfsg.1-12) [bugfix/ipv6_getsockopt_sticky-null-opt.patch]
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.6.15-dapper-security: released (2.6.15-28.54)
+2.6.17-edgy-security: released (2.6.17.1-11.38)
+2.6.20-feisty-security: released (2.6.20-16.28)
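Review bot: In the Notes field, dannf's entry points to "the RH bug" for the reproducer, but the References field lists only the stable-tree commit and bugzilla.kernel.org id 8155, so a reader of the retired record cannot locate that reproducer; add the Red Hat bug URL under References. In Ubuntu-Description, "verifiy" should read "verify". The commit subject names only CVE-2007-1407 while this path adds retired/CVE-2007-1388; if both records are retired in this commit, the message should list both so the file can be found from the log.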
