Bug 147468 - CAN-2005-0449 Possible remote Oops/firewall bypass - kABI breaker
CAN-2005-0449 Possible remote Oops/firewall bypass - kABI breaker
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel (Show other bugs)
4.0
All Linux
medium Severity medium
: ---
: ---
Assigned To: David Miller
Brian Brock
: Security
Depends On:
Blocks: 139847
  Show dependency treegraph
 
Reported: 2005-02-08 06:38 EST by Mark J. Cox (Product Security)
Modified: 2007-11-30 17:07 EST (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-04-19 14:52:22 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Mark J. Cox (Product Security) 2005-02-08 06:38:11 EST
vendor-sec made us aware of a security relevant problem yesterday (remote
opps/firewall bypass) in the netdev code. 

  http://linux.bkbits.net:8080/linux-2.5/cset@41f8843a8ZMCNuP3meYAYnnXd3CO_g

This is the relevant thread:

  http://oss.sgi.com/archives/netdev/2005-01/msg01036.html

Passed to PeterM for investigation, the patch breaks kABI.
Comment 1 Mark J. Cox (Product Security) 2005-02-17 04:19:19 EST
Making public, has gained vendor fixes and CVE name.
Comment 2 Mark J. Cox (Product Security) 2005-02-23 04:50:15 EST
Note that this issue is only exploitable on SMP
Comment 3 Mark J. Cox (Product Security) 2005-02-24 05:39:07 EST
There are two issues, which got confused into one in another vendors
advisory hence why there is currently one RH bug which references the
discussion for one with the fix for the other.

The first allows you to crash a host remotely using bad fragments but
that only affects certain NICs.  This requires a separate bug (opening
soon) not a kabi breaker:
http://linux.bkbits.net:8080/linux-2.6/cset@41f59581p1swNaow4K1aBglV-q2jf

But we're also tracking as a second issue a possible bypass/crash of
firewall rules on SMP.  If a new head fragment arrives on another CPU
through PREROUTING, it can overwrite the original head fragment and
take over its place, CAN-2005-0449
http://linux.bkbits.net:8080/linux-2.6/cset@41f8843a8ZMCNuP3meYAYnnXd3CO_g
Comment 6 Josh Bressers 2005-04-19 14:52:23 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-366.html

Note You need to log in before you can comment on or make changes to this bug.