Bug 166329
| Summary: | CVE-2005-2490 sendmsg compat stack overflow | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 3 | Reporter: | Mark J. Cox <mjc> | ||||||
| Component: | kernel | Assignee: | David Miller <davem> | ||||||
| Status: | CLOSED ERRATA | QA Contact: | Brian Brock <bbrock> | ||||||
| Severity: | high | Docs Contact: | |||||||
| Priority: | medium | ||||||||
| Version: | 3.0 | CC: | aviro, davem, jbaron, lwang, mjenner, peterm, petrides, security-response-team, tburke | ||||||
| Target Milestone: | --- | Keywords: | Security | ||||||
| Target Release: | --- | ||||||||
| Hardware: | All | ||||||||
| OS: | Linux | ||||||||
| Whiteboard: | impact=important,reported=20050817,source=redhat,public=20050908 | ||||||||
| Fixed In Version: | RHSA-2005-663 | Doc Type: | Bug Fix | ||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2005-09-28 15:35:24 UTC | Type: | --- | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Bug Depends On: | |||||||||
| Bug Blocks: | 156320 | ||||||||
| Attachments: |
|
||||||||
|
Description
Mark J. Cox
2005-08-19 09:26:09 UTC
arch/ppc64/kernel/sys_ppc32.c arch/x86_64/ia32/socket32.c arch/s390x/kernel/linux32.c not ia64 from what I can see in 2.4.21 Therefore this may affect RHEL3 for ppc64, x86_64 and s390x Notified security, vendor-sec. Embargo set for one week, 20050907:12 A fix for this problem has just been committed to the RHEL3 U6 patch pool this afternoon (in kernel version 2.4.21-36.EL). We need very strongly to test this change. As per bugzilla #166248 the RHEL4 version of the fix, which I merely backported into the RHEL3 U6 tree, breaks portmap on ppc64. This fix is now known to cause a regression with unaligned CMSG data areas, and thus will need to be revised. Changing bug state to FAILS_QA. Created attachment 118446 [details]
Test case for sendmsg() CMSG usage.
This is a test program which specifically tests the code path
being modified by this bug fix. Since this code path is used only
for 32-bit applications running under a 64-bit kernel, make sure
that the test program is compiled into a 32-bit binary for proper
testing.
Created attachment 118447 [details]
Fix for the fix, from David Woodhouse
Relative patch, against RHEL3 U6, which fixes the bug fix properly.
A fix for the regression has just been committed to the RHEL3 U6 patch pool this afternoon (in kernel version 2.4.21-37.EL). Mark, the embargo has now been lifted, right? Yes, the embargo is lifted, however this issue isn't yet public, and I won't open up the bugs until such time as it gets commited upstream or public by another vendor. Public today by commit to stable-queue.git, removing embargo An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2005-663.html |