Bug 232045

Summary: CVE-2007-1865 ipv6_getsockopt_sticky copy_to_user leak
Product: Red Hat Enterprise Linux 5 Reporter: Marcel Holtmann <holtmann>
Component: kernelAssignee: Thomas Graf <tgraf>
Status: CLOSED WONTFIX QA Contact: Martin Jenner <mjenner>
Severity: high Docs Contact:
Priority: medium    
Version: 5.1CC: dzickus, rkhan, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=important,source=redhat,reported=20070313,public=20070309
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-06-04 14:24:57 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Marcel Holtmann 2007-03-13 18:24:56 UTC
A user can supply len < 0 in ipv6_getsockopt_sticky and cause a leak of kernel

Comment 1 Marcel Holtmann 2007-03-13 18:27:00 UTC
Created attachment 149966 [details]
Upstream patch from Chris Wright

Comment 2 Don Howard 2007-04-13 00:17:36 UTC
Hi Marcel -

This patch doesn't appear to be needed - len is ignored when copying header info
to the user's buffer in ipv6_getsockopt_sticky() -- the length to hand back to
userspace is taken direclty from the header.  

I don't see this patch upstream.  Let me know if I've missed the vulnerablity

Comment 4 RHEL Program Management 2007-04-25 20:44:02 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update

Comment 5 RHEL Program Management 2007-05-03 12:22:07 UTC
This request was evaluated by Red Hat Kernel Team for inclusion in a Red
Hat Enterprise Linux maintenance release, and has moved to bugzilla 
status POST.