Bug 443962 (CVE-2008-1673)

Summary: CVE-2008-1673 kernel: possible buffer overflow in ASN.1 parsing routines
Product: [Other] Security Response Reporter: Jeff Layton <jlayton>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact: Martin Jenner <mjenner>
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: anton, dhoward, eteo, jlayton, lwang, mitchell, qcai, security-response-team, smfltc, ssorce, steved, tdamato, twoerner, vgoyal, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
This issue did not have a security consequence for the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, and 5, and as such, was treated as a bug fix. This issue could result in arbitrary code execution if the SLOB or SLUB memory allocators were used (introduced in Linux kernel versions 2.6.16 and 2.6.22 respectively). Red Hat Enterprise Linux and Red Hat Enterprise MRG use the SLAB memory allocator, which, in this case, cannot be exploited to allow arbitrary code execution. Red Hat Enterprise Linux 2 and Red Hat Enterprise MRG were not affected.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2010-12-23 16:55:06 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 444461, 444462, 444463, 444464, 444465, 444470, 444471, 444472    
Bug Blocks:    

Comment 9 Tomas Hoger 2008-06-09 07:09:53 UTC 
Wei Wang of McAfee Avert Labs discovered a security problem in kernel's ASN.1
decoder affecting CIFS and ip_nat_snmp_basic modules:

Due to an error in two linux kernel modules, cifs filesytem and
ip_nat_snmp_basic in the ASN.1 decoder when handling length BER
encodings, This flaw can be remotely exploited by remote attackers to
cause a vulnerable system to hang or even to execute arbitrary code in
kernel mode.

Since cifs and ip_nat_snmp_basic kernel module are using the same ASN1.1
decoder which was derived from the gxsnmp package . So, gxsnmp is also
vulnerable.
Comment 10 Tomas Hoger 2008-06-09 07:13:12 UTC 
Fixed upstream in 2.6.25.5 and 2.4.36.6:

http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.25.5
http://kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.36.6

Upstream fix:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=ddb2c43594f22843e9f3153da151deaba1a834c5
http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.25.y.git;a=commit;h=33afb8403f361919aa5c8fe1d0a4f5ddbfbbea3c

Lifting embargo.
Comment 15 Fedora Update System 2008-06-20 19:04:51 UTC 
kernel-2.6.25.6-27.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 21 Eugene Teo (Security Response) 2009-04-15 07:33:48 UTC 
This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2, 3, 4, 5 or Red Hat Enterprise MRG.

The bug existed on Red Hat Enterprise Linux 3, 4, and 5. However, this is only a security issue if the SLOB or SLUB memory allocators were used (introduced in Linux kernel versions 2.6.16 and 2.6.22, respectively). All Red Hat Enterprise Linux and Red Hat Enterprise MRG kernels use the SLAB memory allocator, which in this case, cannot be exploited to allow arbitrary code execution. As a preventive measure, the underlying bug was addressed in Red Hat Enterprise Linux 3, 4, and 5, via the advisories RHSA-2008:0973, RHSA-2008:0508, and RHSA-2008:0519, respectively.

Updated: Sept 8th, 2009.