From b995fda901e16dd7fc4a12d05c7d728ffb8797eb Mon Sep 17 00:00:00 2001 From: Moritz Muehlenhoff Date: Mon, 30 Apr 2007 17:18:40 +0000 Subject: move VLAN protocol bug entries to ignored/ git-svn-id: svn+ssh://svn.debian.org/svn/kernel-sec@777 e094ebfe-e918-0410-adfb-c712417f3574 --- ignored/CVE-2005-4440 | 40 ++++++++++++++++++++++++++++++++++++++++ ignored/CVE-2005-4441 | 44 ++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 84 insertions(+) create mode 100644 ignored/CVE-2005-4440 create mode 100644 ignored/CVE-2005-4441 (limited to 'ignored') diff --git a/ignored/CVE-2005-4440 b/ignored/CVE-2005-4440 new file mode 100644 index 00000000..4c89f972 --- /dev/null +++ b/ignored/CVE-2005-4440 
@@ -0,0 +1,40 @@ +Candidate: CVE-2005-4440 +References: + http://www.securityfocus.com/archive/1/archive/1/419831/100/0/threaded + http://www.securityfocus.com/archive/1/archive/1/419834/100/0/threaded + http://lists.grok.org.uk/pipermail/full-disclosure/2005-December/040333.html +Description: + The 802.1q VLAN protocol allows remote attackers to bypass network segmentation and spoof VLAN traffic + via a message with two 802.1q tags, which causes the second tag to be redirected from a downstream + switch after the first tag has been stripped, as demonstrated by Yersinia, aka "double-tagging VLAN + jumping attack." +Notes: + Quoting Horms: + I've taken a quick look at this. I don't think that 1. (VLAN jumping) effects + Linux because of the following line near the bottom of vlan_skb_recv(). + . + skb->protocol = __constant_htons(ETH_P_802_2); + . + I'm looking at Linus' Git tree as of this morning, + but I don't think there have been any relevnant changes + since Git began at 2.6.12-rc2. + . + This seems to imply that further processing will treat the packet + as an ethernet frame. Though I need to double check that it + can't be passed back into the vlan code. I'm doing that now, + but in about 15 minutes I have to leave, and I'll be on + leave for 6 days. At home, and possibly looking into this problem, + but not at my desk working sensible hours. + . + As for 2 (PVLAN jumping). I haven't looked into that yet but + it seems quite plausible. + . + dannf> Horms believes these to be protocol bugs - they are legal + dannf> things to do. Therefore, we're gonna ignore them for the sarge2 + dannf> series of kernels & follow what upstream does. +Bugs: +upstream: +linux-2.6: +2.6.8-sarge-security: ignored (2.6.8-16sarge5) +2.4.27-sarge-security: ignored (2.4.27-10sarge4) +2.6.18-etch-security: diff --git a/ignored/CVE-2005-4441 b/ignored/CVE-2005-4441 new file mode 100644 index 00000000..642e3a14 --- /dev/null +++ b/ignored/CVE-2005-4441 
@@ -0,0 +1,44 @@ +Candidate: CVE-2005-4441 +References: + BUGTRAQ:20051219 Making unidirectional VLAN and PVLAN jumping bidirectional + URL:http://www.securityfocus.com/archive/1/archive/1/419831/100/0/threaded + BUGTRAQ:20051219 Re: Making unidirectional VLAN and PVLAN jumping bidirectional + URL:http://www.securityfocus.com/archive/1/archive/1/419834/100/0/threaded + FULLDISC:20051219 Making unidirectional VLAN and PVLAN jumping bidirectional + URL:http://lists.grok.org.uk/pipermail/full-disclosure/2005-December/040333.html +Description: + The PVLAN protocol allows remote attackers to bypass network segmentation and + spoof PVLAN traffic via a PVLAN message with a target MAC address that is set + to a gateway router, which causes the packet to be sent to the router, where + the source MAC is modified, aka "Modification of the MAC spoofing PVLAN + jumping attack," as demonstrated by pvlan.c. +Notes: + Quoting Horms: + I've taken a quick look at this. I don't think that 1. (VLAN jumping) effects + Linux because of the following line near the bottom of vlan_skb_recv(). + . + skb->protocol = __constant_htons(ETH_P_802_2); + . + I'm looking at Linus' Git tree as of this morning, + but I don't think there have been any relevnant changes + since Git began at 2.6.12-rc2. + . + This seems to imply that further processing will treat the packet + as an ethernet frame. Though I need to double check that it + can't be passed back into the vlan code. I'm doing that now, + but in about 15 minutes I have to leave, and I'll be on + leave for 6 days. At home, and possibly looking into this problem, + but not at my desk working sensible hours. + . + As for 2 (PVLAN jumping). I haven't looked into that yet but + it seems quite plausible. + . + dannf> Horms believes these to be protocol bugs - they are legal + dannf> things to do. Therefore, we're gonna ignore them for the sarge2 + dannf> series of kernels & follow what upstream does. 
+Bugs: +upstream: +linux-2.6: +2.6.8-sarge-security: ignored (2.6.8-16sarge5) +2.4.27-sarge-security: ignored (2.4.27-10sarge4) +2.6.18-etch-security: -- cgit v1.2.3
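Review bot: In ignored/CVE-2005-4440, the Notes section backs the "ignored" status with an analysis that the quote itself marks as unfinished. Horms writes that he still needs "to double check that it can't be passed back into the vlan code", and nothing after that line records the outcome. Add a line with the result of that check, or state explicitly that the decision rests on dannf's "protocol bugs" rationale rather than on the vlan_skb_recv() reading. The `upstream:`, `linux-2.6:` and `2.6.18-etch-security:` fields are also left empty while both sarge branches are marked ignored; if etch is meant to follow the same decision, record it here.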
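Review bot: In ignored/CVE-2005-4441, the Notes block is the same text as in ignored/CVE-2005-4440 and is mostly about item 1 (VLAN jumping); the only statement that concerns this CVE is "As for 2 (PVLAN jumping). I haven't looked into that yet but it seems quite plausible." A reader of this file alone would take the vlan_skb_recv() argument as covering PVLAN jumping, which the quote does not claim. Trim the note to the PVLAN sentence plus dannf's comment, and say that the ignore decision rests on the latter. As a style point, the References here use the BUGTRAQ:/FULLDISC:/URL: form while CVE-2005-4440 lists the same three URLs bare; one form across both files would be easier to grep.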