Bug 522503

Summary: Turn off AppleTalk protocol module in realtime kernel
Product: Red Hat Enterprise MRG
Reporter: Clark Williams <williams>
Component: realtime-kernel
Assignee: Luis Claudio R. Goncalves <lgoncalv>
Status: CLOSED ERRATA
QA Contact: David Sommerseth <davids>
Severity: medium
Priority: high
Version: Development
CC: bhu, eteo, lgoncalv, ovasik
Target Milestone: 1.1.9
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-11-03 18:22:02 UTC

Description Clark Williams 2009-09-10 14:45:17 UTC
Description of problem:

The realtime kernel has no need to support the AppleTalk protocol stack. Turn off CONFIG_DEV_APPLETALK in all rt kernel variants.

Comment 1 Luis Claudio R. Goncalves 2009-09-11 02:53:47 UTC
disabled CONFIG_DEV_APPLETALK and CONFIG_ATALK on kernel v1 (-134)

Comment 2 Eugene Teo (Security Response) 2009-09-14 01:26:47 UTC
How about the ipddp module? Since we are turning off AppleTalk in -rt, we might as well turn off AppleTalk-IP too. Related to CVE-2009-2903.

Comment 3 Luis Claudio R. Goncalves 2009-10-14 22:01:12 UTC
I understand that by disabling the module we also disabled the use of the code in net/appletalk/ddp.c. Please let me know if I'm wrong.

Comment 4 Eugene Teo (Security Response) 2009-10-15 01:11:51 UTC
(In reply to comment #3)
> I understand that by disabling the module we also disabled the use of the code in
> net/appletalk/ddp.c. Please let me know if I'm wrong.

I believe so too.

Comment 5 David Sommerseth 2009-10-27 15:46:44 UTC
Verified against kernel-rt-2.6.24.7-136

** 2.6.24.7-132
[root@ibm-e326m ~]# grep TALK /boot/config-2.6.24.7-132.el5rt 
CONFIG_ATALK=m
CONFIG_DEV_APPLETALK=m
[root@ibm-e326m ~]# modprobe -v appletalk
insmod /lib/modules/2.6.24.7-132.el5rt/kernel/net/appletalk/appletalk.ko 
[root@ibm-e326m ~]# lsmod | grep appletalk
appletalk              41872  0 
[root@ibm-e326m ~]# modprobe -rv appletalk
rmmod /lib/modules/2.6.24.7-132.el5rt/kernel/net/appletalk/appletalk.ko
[root@ibm-e326m ~]# 


** 2.6.24.7-136
[root@hp-dl585g2-01 ~]# grep TALK /boot/config-2.6.24.7-136.el5rt 
# CONFIG_ATALK is not set
[root@hp-dl585g2-01 ~]# modprobe -v appletalk
FATAL: Module appletalk not found.
[root@hp-dl585g2-01 ~]#
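
Added example, not part of the original bug report: a POSIX shell check that extends the comment 5 verification to the ipddp driver raised in comment 2, since a grep for TALK cannot match that driver's option. CONFIG_IPDDP is the Kconfig symbol for the ipddp module and is not quoted on this page; the function names and the script name are illustrative.

```shell
#!/bin/sh
# Added example: audit a kernel build for the AppleTalk options discussed in this bug.
# CONFIG_ATALK and CONFIG_DEV_APPLETALK are named in the report; CONFIG_IPDDP is the
# Kconfig symbol for the ipddp module raised in comment 2.
ATALK_OPTS="CONFIG_ATALK CONFIG_DEV_APPLETALK CONFIG_IPDDP"

# Print each option in ATALK_OPTS that config file $1 builds in (=y) or as a module (=m).
# Exit status: 0 = none enabled, 1 = at least one enabled, 2 = file unreadable.
atalk_enabled_opts() {
    cfg=$1
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    found=0
    for opt in $ATALK_OPTS; do
        # Anchored match, so "# CONFIG_ATALK is not set" never counts as enabled.
        line=$(grep -E "^${opt}=(y|m)\$" "$cfg") || continue
        echo "$line"
        found=1
    done
    return "$found"
}

# List appletalk/ipddp module files under modules directory $1
# (for example /lib/modules/<release>); prints nothing when none are installed.
atalk_module_files() {
    find "$1" -type f \( -name 'appletalk.ko*' -o -name 'ipddp.ko*' \) 2>/dev/null
}

# Stand-alone use: sh atalk_audit.sh /boot/config-<release> /lib/modules/<release>
if [ "$#" -ge 1 ]; then
    if atalk_enabled_opts "$1"; then
        echo "no AppleTalk options enabled in $1"
    fi
    if [ "$#" -ge 2 ]; then
        atalk_module_files "$2"
    fi
fi
```

A non-zero exit status from atalk_enabled_opts, or any path printed by atalk_module_files, means the kernel can still load AppleTalk code.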

Comment 7 errata-xmlrpc 2009-11-03 18:22:02 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2009-1540.html