path: root/retired/CVE-2007-1388
Candidate: CVE-2007-1388
References: 
 http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.20.y.git;a=commit;h=4cabf6ba5496bc4a5a59871693145880b240b07b
 http://bugzilla.kernel.org/show_bug.cgi?id=8155
Description: 
 The do_ipv6_setsockopt function in net/ipv6/ipv6_sockglue.c in Linux kernel
 2.6.17, and possibly other versions, allows local users to cause a denial of
 service (oops) by calling setsockopt with the IPV6_RTHDR option name and
 possibly a zero option length or invalid option value, which triggers a NULL
 pointer dereference.
Ubuntu-Description: 
 Gabriel Campana discovered that the do_ipv6_setsockopt() function did
 not sufficiently verify option values for IPV6_RTHDR. A local
 attacker could exploit this to trigger a kernel crash.
Notes: 
 dannf> Reproducer in the RH bug doesn't work on debian as-is - you need
        to use a hardcoded '57' instead of IPV6_RTHDR. That allows you
        to trigger an oops on unpatched 2.6.18-era kernels, but it is not
        reproducible in 2.4.27/2.6.8
Bugs: 
upstream: released (2.6.21-rc4)
linux-2.6: released (2.6.21-1)
2.6.18-etch-security: released (2.6.18.dfsg.1-12) [bugfix/ipv6_getsockopt_sticky-null-opt.patch]
2.6.8-sarge-security: N/A
2.4.27-sarge-security: N/A
2.6.15-dapper-security: released (2.6.15-28.54)
2.6.17-edgy-security: released (2.6.17.1-11.38)
2.6.20-feisty-security: released (2.6.20-16.28)
