Bug 202412

Summary: CVE-2005-2873 ipt_recent crash (second part)
Product: Red Hat Enterprise Linux 4 Reporter: Marcel Holtmann <holtmann>
Component: kernelAssignee: Neil Horman <nhorman>
Status: CLOSED ERRATA QA Contact: Brian Brock <bbrock>
Severity: medium Docs Contact:
Priority: medium    
Version: 4.0CC: jbaron, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: RHBA-2007-0304 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-05-08 03:18:49 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
patch to update ipt_recent module to latest upstream code none

Description Marcel Holtmann 2006-08-14 09:55:27 UTC 
The proposed patch for CVE-2005-2872 was rejected by upstream. The Linux kernel
2.6.18-rc1 now contains a fully rewritten version of ipt_recent.c from Patrick
McHardy. Is this acceptable for a backport?
Comment 8 Neil Horman 2006-09-01 17:30:46 UTC 
Created attachment 135397 [details]
patch to update ipt_recent module to latest upstream code

I spent some time last night to generate the patch that updates our current
ipt_recent code to the latest upstream version.  Its ABI compatibile as far as
I've been able to see, and it builds without warnings for me.  Can you please
give it a test and confirm its functionality for me?  Thanks
Comment 10 Jay Turner 2006-10-03 13:26:02 UTC 
QE is concerned about testing this fix.  We need some guidance on testing before
we can ack this request.
Comment 11 Neil Horman 2006-10-03 14:10:36 UTC 
I built a custom kernel to start jiffies > LONG_MAX, but I think on 32 bit
systems it should roll over anyway within the first 5 minutes after boot. 
Basically, all you need to do is set up an iptable rule to do an ipt_recent
module --check operation of a source ip on a given port and drop the packet if
its found, along with a --seconds 30 to narrow the search to the last 30
seconds. then a second subsequent rule to add the source ip to the table.  the
effect here should be that one can contact the specified port on the system (I
used the telnet daemon to test) once every 30 seconds.  Addition connect
attempts will be dropped.  When the bug is in place, once an entry is added to
the table it will (incorrectly) always be found, and the matching packets will
always be dropped.  with the fix, packets will be allowed through once every 30
seconds
Comment 12 RHEL Program Management 2006-10-10 18:16:39 UTC 
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 13 Jay Turner 2006-10-17 15:35:07 UTC 
QE ack for RHEL4.5.
Comment 14 Jason Baron 2006-10-23 19:19:26 UTC 
committed in stream U5 build 42.20. A test kernel with this patch is available
from http://people.redhat.com/~jbaron/rhel4/
Comment 16 Mike Gahagan 2007-04-04 17:40:43 UTC 
I'm not able to reproduce the original problem but I did test the ipt_recent
functionality and it appears to be working as expected. I have also verified
that the patch to update ipt_recent is in the -52 kernel.
Comment 18 Red Hat Bugzilla 2007-05-08 03:18:49 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0304.html