Bug 127258 - CAN-2004-0619 Broadcom 5820 integer overflow
CAN-2004-0619 Broadcom 5820 integer overflow
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: kernel (Show other bugs)
3.0
All Linux
medium Severity medium
: ---
: ---
Assigned To: John W. Linville
Brian Brock
http://marc.theaimsgroup.com/?l=bugtr...
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2004-07-05 07:12 EDT by Mark J. Cox (Product Security)
Modified: 2007-11-30 17:07 EST (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-12-02 06:35:30 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
bcm5820-security-fix.patch (2.08 KB, patch)
2004-07-16 14:18 EDT, John W. Linville
no flags Details | Diff
bcm5820-fixes.patch (51.43 KB, patch)
2004-07-28 09:38 EDT, John W. Linville
no flags Details | Diff
bcm5820-better-fixes.patch (52.04 KB, patch)
2004-07-28 15:41 EDT, John W. Linville
no flags Details | Diff

  None (edit)
Description Mark J. Cox (Product Security) 2004-07-05 07:12:12 EDT
Reported to Bugtraq on Jun23.  

An integer overflow in the ubsec_keysetup function for Linux Broadcom
5820 cryptonet driver allows local users to cause a denial of service
(crash) and possibly execute arbitrary code via a negative
add_dsa_buf_bytes variable, which leads to a buffer overflow.

See also http://secunia.com/advisories/11936/

(Only -unsupported in hugemem)
Comment 2 John W. Linville 2004-07-15 15:07:18 EDT
Changing platform to "All" as I don't see anything CPU-specific about
this...
Comment 5 John W. Linville 2004-07-16 14:18:59 EDT
Created attachment 101977 [details]
bcm5820-security-fix.patch

I think this patch is "obviously correct" for fixing this problem...needs
testing, of course...
Comment 6 John W. Linville 2004-07-16 14:21:20 EDT
No luck so far at tracking-down a card for testing...would be eager to
hear of any test results, from anyone so equipped...
Comment 9 John W. Linville 2004-07-28 09:38:38 EDT
Created attachment 102247 [details]
bcm5820-fixes.patch

This patch includes previous security patch plus some other "cleanup" fixes...
Comment 10 John W. Linville 2004-07-28 15:41:12 EDT
Created attachment 102263 [details]
bcm5820-better-fixes.patch

Slightly enhance version of previous patch...
Comment 12 Ernie Petrides 2004-09-03 20:39:35 EDT
A fix for this problem has just been committed to the RHEL3 U4
patch pool this evening (in kernel version 2.4.21-20.3.EL).
Comment 13 Ernie Petrides 2004-11-24 20:23:21 EST
The fix for this problem has also been committed to the RHEL3 E4
patch pool this evening (in kernel version 2.4.21-20.0.1.EL).
Comment 14 Mark J. Cox (Product Security) 2004-12-02 06:35:30 EST
http://rhn.redhat.com/errata/RHSA-2004-549.html

Note You need to log in before you can comment on or make changes to this bug.