Bug 167703 - CAN-2005-2872 ipt_recent crash
Summary: CAN-2005-2872 ipt_recent crash
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel
Version: 4.0
Hardware: All
OS: Linux
Target Milestone: ---
: ---
Assignee: James Morris
QA Contact: Brian Brock
Keywords: Security
Depends On:
Blocks: 156322
TreeView+ depends on / blocked
Reported: 2005-09-07 12:50 UTC by Mark J. Cox
Modified: 2007-11-30 22:07 UTC (History)
3 users (show)

Clone Of:
Last Closed: 2005-10-05 13:56:32 UTC

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2005:514 qe-ready SHIPPED_LIVE Important: Updated kernel packages available for Red Hat Enterprise Linux 4 Update 2 2005-10-05 04:00:00 UTC

Description Mark J. Cox 2005-09-07 12:50:44 UTC
A flaw has been reported in the ipt_recent module along with a patch
A subset of this patch was commited to 2.6 kernel prior to 2.6.12:

It was originally reported that this flaw can cause a remote crash but in other
messages mentioned that this was just on 64-bit systems.  The security team
haven't yet analysed this flaw to determine the exact consequences or likelyhood
of exploitation.

The CVE entry states:
         The ipt_recent kernel module (ipt_recent.c) in Linux kernel
         before 2.6.12, when running on 64-bit processors such as
         AMD64, does not properly perform certain time tests when the
         jiffies value is greater than LONG_MAX, which can allow
         remote attackers to cause a denial of service (kernel panic)
         via certain attacks such as SSH brute force.

Comment 1 James Morris 2005-09-09 15:59:04 UTC
Dave, you looked at the original patch for this and I seem to recall you found
bugs in it.  Can you confirm that the subset patch committed via bk into
mainline appropriate for us to use?

Comment 2 David Miller 2005-09-09 19:24:10 UTC
Yes, the BK patch is fine.
The bogus version never made it into Linus's tree.

ipt_recent needs to be rewritten from scratch to try and address
the problems the blog.blackdown.de patch is trying to solve.

Comment 4 Mark J. Cox 2005-09-15 07:50:13 UTC
Note this has been renamed to CAN-2005-2872 by Mitre

Comment 5 Red Hat Bugzilla 2005-10-05 13:56:32 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.


Comment 6 Milan Kerslager 2006-01-17 15:22:39 UTC
This seems to fix only 64bit remote DoS but not jiffies problem when >25 days
uptime. The bug #169279 is tracking this issue. So this is only FYI entry for
this (closed) bug.

Note You need to log in before you can comment on or make changes to this bug.