blob: 0bfc2472f7f18fdc019ce4c62cff4d6ceada152d (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
|
Candidate: CVE-2006-5749
References:
http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=dab6df63086762629936e8b89a5984bae39724f6
Description:
The isdn_ppp_ccp_reset_alloc_state function in
drivers/isdn/isdn_ppp.c in the Linux 2.4 kernel before 2.4.34-rc4
does not call the init_timer function for the ISDN PPP CCP reset
state timer, which has unknown attack vectors and results in a system
crash.
Ubuntu-Description:
Al Viro reported that the ISDN PPP module did not initialize the
reset state timer. By sending specially crafted ISDN packets, a
remote attacker could exploit this to crash the kernel.
Notes:
dannf> According to Marcel Holtmann, 2.4 and 2.6 < 2.6.13 are not vulnerable.
dannf> Indeed, in 2.4.27 & 2.6.8, init_timer() just sets timer->base to NULL,
dannf> so the memset() is sufficient to avoid this crash.
dannf> However, in 2.6.8 init_timer() also sets a magic number. add_timer()
dannf> will call __mod_timer(), which calls check_timer(), which will cause
dannf> the kernel to whine if this magic number is not set. I don't think this
dannf> will cause a crash, so I'm considering a non-security issue
Bugs:
upstream: released (2.6.20-rc5)
linux-2.6: released (2.6.20-1)
2.6.18-etch-security: released (2.6.18.dfsg.1-10)
2.6.8-sarge-security: N/A
2.4.27-sarge-security: N/A
2.6.12-breezy-security: released (2.6.12-10.43)
2.6.15-dapper-security: released (2.6.15-28.51)
2.6.17-edgy-security: released (2.6.17.1-11.35)
|