path: root/retired/CVE-2007-3642
blob: f8c7d5bedc02f1fa4f77becc8c576aaa51dec146
Candidate: CVE-2007-3642
References: 
 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=25845b5155b55cd77e42655ec24161ba3feffa47
 http://patchwork.netfilter.org/netfilter-devel/patch.pl?id=499
Description:
 The decode_choice function in net/netfilter/nf_conntrack_h323_asn1.c
 in the Linux kernel before 2.6.20.15, 2.6.21.x before 2.6.21.6, and
 before 2.6.22 allows remote attackers to cause a denial of service
 (crash) via an encoded, out-of-range index value for a choice field,
 which triggers a NULL pointer dereference.
Ubuntu-Description: 
 Zhongling Wen discovered that the h323 conntrack handler did not correctly
 handle certain bitfields.  A remote attacker could send a specially crafted
 packet and cause a denial of service.
Notes: 
 pkl> [NETFILTER]: nf_conntrack_h323: add checking of out-of-range on choices' index values
 dannf> file got renamed between 2.6.18 & 2.6.21
Bugs: 
upstream: 
linux-2.6: released (2.6.21-6) [bugfix/all/stable/2.6.21.6.patch]
2.6.18-etch-security: released (2.6.18.dfsg.1-13etch1) [bugfix/nf_conntrack_h323-bounds-checking.patch]
2.6.8-sarge-security: N/A
2.4.27-sarge-security: N/A
2.6.15-dapper-security:  N/A - code doesn't seem to exist
2.6.17-edgy-security: N/A - code doesn't seem to exist
2.6.20-feisty-security: released (2.6.20-16.31) [c411287f75b34e8cbeba8e7832c4cf1c235e8568]