vendor-sec made us aware of a security relevant problem yesterday (remote opps/firewall bypass) in the netdev code. http://linux.bkbits.net:8080/linux-2.5/cset@41f8843a8ZMCNuP3meYAYnnXd3CO_g This is the relevant thread: http://oss.sgi.com/archives/netdev/2005-01/msg01036.html Passed to PeterM for investigation, the patch breaks kABI.
Making public, has gained vendor fixes and CVE name.
Note that this issue is only exploitable on SMP
There are two issues, which got confused into one in another vendors advisory hence why there is currently one RH bug which references the discussion for one with the fix for the other. The first allows you to crash a host remotely using bad fragments but that only affects certain NICs. This requires a separate bug (opening soon) not a kabi breaker: http://linux.bkbits.net:8080/linux-2.6/cset@41f59581p1swNaow4K1aBglV-q2jf But we're also tracking as a second issue a possible bypass/crash of firewall rules on SMP. If a new head fragment arrives on another CPU through PREROUTING, it can overwrite the original head fragment and take over its place, CAN-2005-0449 http://linux.bkbits.net:8080/linux-2.6/cset@41f8843a8ZMCNuP3meYAYnnXd3CO_g
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2005-366.html