Bug 1424751 (CVE-2017-2634)

Summary: CVE-2017-2634 kernel: dccp: crash while sending ipv6 reset packet
Product: [Other] Security Response Reporter: Wade Mealing <wmealing>
Component: vulnerability Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecified CC: acme, cperry, fwestpha, grocha, jiji, pmatouse, rkhan, rvrbovsk, security-response-team, vdronov, wmealing
Target Milestone: --- Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
It was found that the Linux kernel's Datagram Congestion Control Protocol (DCCP) implementation used the IPv4-only inet_sk_rebuild_header() function for both IPv4 and IPv6 DCCP connections, which could result in memory corruptions. A remote attacker could use this flaw to crash the system.
Story Points: ---
Clone Of:
: 1426298 1426307 Environment:
Last Closed: 2019-06-08 03:07:54 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1425177, 1426298, 1426307, 1426309, 1426311, 1426507    
Bug Blocks: 1426501    

Description Wade Mealing 2017-02-19 07:27:01 UTC
A flaw was found in the Linux kernel's implementation of the DCCP protocol in which an application making a DCCP connection over IPv6 could crash a remote (or local) system.  When attempting to send a DCCP reset packet, the system will incorrectly create the packet header and, while updating the SNMP counters for this condition, crash the kernel. The remote system would need to have both an application running as a DCCP server and have an IPv6 address routable.

This can result in a system crash or denial of service.

Upstream fix:

https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=f53dc67c5e7babafe239b93a11678b0e05bead51
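
The flaw class described above, as an added userspace C model (not kernel code and not part of the original report): one address family's header routine applied to every socket, next to choosing the routine from the socket's own family. All type and function names are hypothetical, and the sample address is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Userspace model only; every name here is hypothetical, not kernel code. */
enum { FAM_INET = 4, FAM_INET6 = 6 };   /* constructed family tags */
struct model_sock {
    int     family;      /* FAM_INET or FAM_INET6 */
    uint8_t daddr[16];   /* 4 bytes used for IPv4, all 16 for IPv6 */
    uint8_t hdr[40];     /* network header built for the next packet */
};

/* IPv4-only builder: assumes daddr holds a 4-byte address. */
static int rebuild_header_v4(struct model_sock *sk)
{
    memset(sk->hdr, 0, sizeof(sk->hdr));
    sk->hdr[0] = 0x45;                     /* version 4, IHL 5 */
    memcpy(&sk->hdr[16], sk->daddr, 4);    /* would truncate an IPv6 address */
    return 0;
}

static int rebuild_header_v6(struct model_sock *sk)
{
    memset(sk->hdr, 0, sizeof(sk->hdr));
    sk->hdr[0] = 0x60;                     /* version 6 */
    memcpy(&sk->hdr[24], sk->daddr, 16);
    return 0;
}

/* Flawed pattern: the IPv4 routine is used whatever the socket's family is. */
int build_reset_flawed(struct model_sock *sk) { return rebuild_header_v4(sk); }
/* Family-aware pattern: the routine is chosen from the socket's own family. */
int build_reset_dispatch(struct model_sock *sk)
{
    if (sk->family == FAM_INET)  return rebuild_header_v4(sk);
    if (sk->family == FAM_INET6) return rebuild_header_v6(sk);
    return -1;                             /* unknown family: refuse to build */
}
/* Check to make before any per-family accounting touches the packet. */
int header_matches_family(const struct model_sock *sk) { return (sk->hdr[0] >> 4) == sk->family; }

int main(void)
{
    struct model_sock sk = { .family = FAM_INET6, .daddr = { [15] = 1 } };  /* constructed ::1 */
    build_reset_flawed(&sk);
    int flawed_ok = header_matches_family(&sk);
    build_reset_dispatch(&sk);
    printf("flawed match=%d, dispatch match=%d\n", flawed_ok, header_matches_family(&sk));
    return 0;
}
```
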

Comment 13 Wade Mealing 2017-02-24 04:21:55 UTC
*** Bug 1424753 has been marked as a duplicate of this bug. ***

Comment 14 Wade Mealing 2017-02-24 04:44:32 UTC
Statement:

This issue affects the Red Hat Enterprise Linux 5 kernel.  This issue was fixed in versions 6 and 7 prior to this issue being raised.

Future Linux kernel updates for Red Hat Enterprise Linux 5 may address this issue.

Comment 15 Wade Mealing 2017-02-24 04:45:54 UTC
Acknowledgment:

Name: Wade Mealing (Red Hat Product Security)

Comment 18 errata-xmlrpc 2017-02-24 15:58:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2017:0323 https://rhn.redhat.com/errata/RHSA-2017-0323.html

Comment 20 errata-xmlrpc 2017-02-28 15:04:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5.6 Long Life

Via RHSA-2017:0347 https://rhn.redhat.com/errata/RHSA-2017-0347.html

Comment 21 errata-xmlrpc 2017-02-28 15:07:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5.9 Long Life

Via RHSA-2017:0346 https://rhn.redhat.com/errata/RHSA-2017-0346.html