Red Hat Bugzilla – Bug 202412
CVE-2005-2873 ipt_recent crash (second part)
Last modified: 2007-11-30 17:07:27 EST
The proposed patch for CVE-2005-2872 was rejected by upstream. The Linux kernel
2.6.18-rc1 now contains a fully rewritten version of ipt_recent.c from Patrick
McHardy. Is this acceptable for a backport?
Created attachment 135397 [details]
patch to update ipt_recent module to latest upstream code
I spent some time last night to generate the patch that updates our current
ipt_recent code to the latest upstream version. Its ABI compatibile as far as
I've been able to see, and it builds without warnings for me. Can you please
give it a test and confirm its functionality for me? Thanks
QE is concerned about testing this fix. We need some guidance on testing before
we can ack this request.
I built a custom kernel to start jiffies > LONG_MAX, but I think on 32 bit
systems it should roll over anyway within the first 5 minutes after boot.
Basically, all you need to do is set up an iptable rule to do an ipt_recent
module --check operation of a source ip on a given port and drop the packet if
its found, along with a --seconds 30 to narrow the search to the last 30
seconds. then a second subsequent rule to add the source ip to the table. the
effect here should be that one can contact the specified port on the system (I
used the telnet daemon to test) once every 30 seconds. Addition connect
attempts will be dropped. When the bug is in place, once an entry is added to
the table it will (incorrectly) always be found, and the matching packets will
always be dropped. with the fix, packets will be allowed through once every 30
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release. Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products. This request is not yet committed for inclusion in an Update
QE ack for RHEL4.5.
committed in stream U5 build 42.20. A test kernel with this patch is available
I'm not able to reproduce the original problem but I did test the ipt_recent
functionality and it appears to be working as expected. I have also verified
that the patch to update ipt_recent is in the -52 kernel.
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.