Bug 177311 - CVE-2005-4618 sysctl overflow
CVE-2005-4618 sysctl overflow
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel (Show other bugs)
4.0
All Linux
medium Severity medium
: ---
: ---
Assigned To: Alexander Viro
Brian Brock
reported=20051231,source=lkml,impact=...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2006-01-09 10:50 EST by Mark J. Cox (Product Security)
Modified: 2012-06-20 09:33 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-06-20 09:33:10 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Mark J. Cox (Product Security) 2006-01-09 10:50:50 EST
CVE defines CVE-2005-4618 as:
"Buffer overflow in sysctl in the Linux Kernel 2.6 before 2.6.15 allows local
users to cause a denial of service and possibly execute arbitrary code via a
long string, which causes sysctl to write a zero byte outside the buffer."

This is fixed by
        http://linux.bkbits.net:8080/linux-2.6/cset@43b729ad5Zc6t6URyaHNNtodT1nRpg

I can't see a useful attack vector here, writing a character to one spot after a
userland buffer seems to me likely at the worst to crash your userland program,
and not cause a DoS or privilege escalation.  So we have marked this severity
low but this could equally be severity none (kernel maintainers please let us
know what you think after analysis)
Comment 1 Jason Baron 2006-01-09 17:36:46 EST
agreed. the bug here is that a NULL character can be written 1 byte off the end
of   a user supplied buffer, which is a potential data corruption. I don't see
any DoS issue here, if the extra byte is not mapped, then the kernel will return
cleanly. A single byte corruption of userspace is fairly serious though, imo.
Comment 2 Jiri Pallich 2012-06-20 09:33:10 EDT
Thank you for submitting this issue for consideration in Red Hat Enterprise Linux. The release for which you requested us to review is now End of Life. 
Please See https://access.redhat.com/support/policy/updates/errata/

If you would like Red Hat to re-consider your feature request for an active release, please re-open the request via appropriate support channels and provide additional supporting details about the importance of this issue.

Note You need to log in before you can comment on or make changes to this bug.