Bug 167703 - CAN-2005-2872 ipt_recent crash
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel
Version: 4.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: James Morris
QA Contact: Brian Brock
Keywords: Security
Blocks: 156322
Reported: 2005-09-07 08:50 EDT by Mark J. Cox (Product Security)
Modified: 2007-11-30 17:07 EST
Fixed In Version: RHSA-2005-514
Doc Type: Bug Fix
Last Closed: 2005-10-05 09:56:32 EDT
Description Mark J. Cox (Product Security) 2005-09-07 08:50:44 EDT
A flaw has been reported in the ipt_recent module along with a patch:
http://blog.blackdown.de/static/kernel/ipt_recent-fix.patch
A subset of this patch was committed to the 2.6 kernel prior to 2.6.12:
http://linux.bkbits.net:8080/linux-2.6/cset@42b0f732P_VGfvCBAVpq1Grl7HtA_Q

It was originally reported that this flaw can cause a remote crash, but other
messages mentioned that this was just on 64-bit systems.  The security team
haven't yet analysed this flaw to determine the exact consequences or likelihood
of exploitation.

The CVE entry states:
         The ipt_recent kernel module (ipt_recent.c) in Linux kernel
         before 2.6.12, when running on 64-bit processors such as
         AMD64, does not properly perform certain time tests when the
         jiffies value is greater than LONG_MAX, which can allow
         remote attackers to cause a denial of service (kernel panic)
         via certain attacks such as SSH brute force.
Comment 1 James Morris 2005-09-09 11:59:04 EDT
Dave, you looked at the original patch for this and I seem to recall you found
bugs in it.  Can you confirm that the subset patch committed via bk into
mainline is appropriate for us to use?
Comment 2 David Miller 2005-09-09 15:24:10 EDT
Yes, the BK patch is fine.
The bogus version never made it into Linus's tree.

ipt_recent needs to be rewritten from scratch to try and address
the problems the blog.blackdown.de patch is trying to solve.
Comment 4 Mark J. Cox (Product Security) 2005-09-15 03:50:13 EDT
Note this has been renamed to CAN-2005-2872 by Mitre
Comment 5 Red Hat Bugzilla 2005-10-05 09:56:32 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-514.html
Comment 6 Milan Kerslager 2006-01-17 10:22:39 EST
This seems to fix only the 64-bit remote DoS but not the jiffies problem when >25 days
uptime. Bug #169279 is tracking this issue. So this is only an FYI entry for
this (closed) bug.
