Bug 833402 (CVE-2012-2744)

Summary: CVE-2012-2744 kernel: netfilter: null pointer dereference in nf_ct_frag6_reasm()
Product: [Other] Security Response
Reporter: Petr Matousek <pmatouse>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: agordeev, anton, arozansk, dhoward, fhrbata, jbenc, jlieskov, jpirko, kernel-mgr, lwang, rcvalle, security-response-team, sforsber, tgraf
Keywords: Security
Hardware: All
OS: Linux
Whiteboard: impact=important,public=20120710,reported=20120613,source=researcher,cvss2=7.8/AV:N/AC:L/Au:N/C:N/I:N/A:C,rhel-5/kernel=notaffected,rhel-6/kernel=affected,rhel-6.2.z/kernel=affected,rhel-6.1.z/kernel=affected,rhel-6.0.z/kernel=affected,mrg-2/realtime-kernel=notaffected,fedora-all/kernel=notaffected,cwe=CWE-228->CWE-476
Doc Type: Bug Fix
Last Closed: 2013-08-24 08:19:09 EDT
Bug Depends On: 833410, 833412, 833414, 833415, 833416
Bug Blocks: 833442

Description Petr Matousek 2012-06-19 08:29:52 EDT
A flaw was found in the way IPv6 netfilter's connection tracking module handled packets fragmented into a single fragment. A remote attacker could use this flaw to crash the system.

Upstream fix:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=9e2dcf72023d1447f09c47d77c99b0c49659e5ce

Acknowledgements:

Red Hat would like to thank Antonios Atlasis working with Beyond Security's SecuriTeam Secure Disclosure program for reporting this issue.
Comment 4 Petr Matousek 2012-07-04 01:51:53 EDT
Statement:

This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 5 as they did not include support for netfilter's IPv6 connection tracking module. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux MRG as they already contain the upstream commit that fixes this issue.
Comment 6 errata-xmlrpc 2012-07-10 07:43:05 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:1064 https://rhn.redhat.com/errata/RHSA-2012-1064.html
Comment 8 errata-xmlrpc 2012-07-24 14:51:48 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.0 EUS - Server Only

Via RHSA-2012:1114 https://rhn.redhat.com/errata/RHSA-2012-1114.html
Comment 9 errata-xmlrpc 2012-07-31 16:07:18 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.2 EUS - Server Only

Via RHSA-2012:1129 https://rhn.redhat.com/errata/RHSA-2012-1129.html
Comment 10 errata-xmlrpc 2012-08-07 14:04:19 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.1 EUS - Server Only

Via RHSA-2012:1148 https://rhn.redhat.com/errata/RHSA-2012-1148.html