When a user-specified IPSEC rule to compile is given, we don't check the bounds of the direction, leading to overflows of the in-socket IPSEC rule array. This could allow a local unprivileged user to cause memory corruption.

Fixed upstream here on 20050726:
http://linux.bkbits.net:8080/linux-2.6/cset@42e6bc85npULs5heBLcOs_2M2zCpQ

See the following threads for a test program and more description:
http://www.mail-archive.com/netdev@vger.kernel.org/msg00520.html
http://www.mail-archive.com/netdev@vger.kernel.org/msg00523.html

Note that a fix for this is already committed for U2 in linux-2.6.12-network.patch
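A userspace model of the missing direction check described in the report above, added here as an illustration; it is not code from the kernel or from the linked fix. The struct names, function names and rule layout are hypothetical.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical model: a socket holds one policy slot per direction. */
enum { DIR_IN = 0, DIR_OUT = 1, SOCK_POLICY_SLOTS = 2 };

struct policy { uint32_t id; };

struct model_sock {
    struct policy *policy[SOCK_POLICY_SLOTS];
    void *neighbour;            /* stands in for whatever follows the array */
};

/* Constructed layout of a rule handed in by an unprivileged caller. */
struct user_rule {
    uint8_t  dir;               /* caller-controlled direction */
    uint32_t id;
};

/* The pattern the report describes: dir indexes the array unchecked,
 * so any dir >= SOCK_POLICY_SLOTS stores a pointer past the array. */
int insert_unchecked(struct model_sock *sk, const struct user_rule *r,
                     struct policy *p)
{
    p->id = r->id;
    sk->policy[r->dir] = p;
    return 0;
}

/* Hardened form: reject short input and out-of-range directions
 * before anything is written to the socket. */
int insert_checked(struct model_sock *sk, const void *buf, size_t len,
                   struct policy *p)
{
    struct user_rule r;

    if (len < sizeof(r))
        return -EINVAL;
    memcpy(&r, buf, sizeof(r));
    if (r.dir >= SOCK_POLICY_SLOTS)
        return -EINVAL;

    p->id = r.id;
    sk->policy[r.dir] = p;
    return 0;
}
```
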
*** Bug 165138 has been marked as a duplicate of this bug. ***
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2005-514.html