Candidate: CVE-2006-5751 References: MISC:http://projects.info-pull.com/mokb/MOKB-29-11-2006.html MISC:http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blobdiff;h=4c61a7e0a86e1ae9e16867f9f8e4b0412b8edbaf;hp=4e4119a1213925568b8a1acdef9bf52b98b19da3;hb=ba8379b220509e9448c00a77cf6c15ac2a559cc7;f=net/bridge/br_ioctl.c CONFIRM:http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=ba8379b220509e9448c00a77cf6c15ac2a559cc7 CONFIRM:http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.18.4 BID:21353 URL:http://www.securityfocus.com/bid/21353 FRSIRT:ADV-2006-4781 URL:http://www.frsirt.com/english/advisories/2006/4781 SECUNIA:23073 XF:linux-getfdbentries-integer-overflow(30588) URL:http://xforce.iss.net/xforce/xfdb/30588 Description: Integer overflow in the get_fdb_entries function in net/bridge/br_ioctl.c in the Linux kernel before 2.6.18.4 allows local users to execute arbitrary code via a large maxnum value in an ioctl request. Ubuntu-Description: An integer overflow was found in the get_fdb_entries() function of the network bridging code. By executing a specially crafted ioctl, a local attacker could exploit this to execute arbitrary code with root privileges. Notes: dannf> Marking 2.4 as N/A - the code is much different now, and nothing dannf> seemed to be checking PAGE_SIZE at all in 2.4 Bugs: upstream: released (2.6.18.4, 2.6.19) linux-2.6: released (2.6.18-8) [bugfix/2.6.18.4] 2.6.18-etch-security: released (2.6.18-8) [bugfix/2.6.18.4] 2.6.8-sarge-security: released (2.6.8-16sarge6) [bridge-get_fdb_entries-overflow.dpatch] 2.4.27-sarge-security: N/A 2.6.12-breezy-security: released (2.6.12-10.41) 2.6.15-dapper-security: released (2.6.15-27.49) 2.6.17-edgy-security: released (2.6.17.1-10.34)