Bug 202412 - CVE-2005-2873 ipt_recent crash (second part)
CVE-2005-2873 ipt_recent crash (second part)
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Neil Horman
Brian Brock
: Security
Depends On:
  Show dependency treegraph
Reported: 2006-08-14 05:55 EDT by Marcel Holtmann
Modified: 2007-11-30 17:07 EST (History)
2 users (show)

See Also:
Fixed In Version: RHBA-2007-0304
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-05-07 23:18:49 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
patch to update ipt_recent module to latest upstream code (45.49 KB, patch)
2006-09-01 13:30 EDT, Neil Horman
no flags Details | Diff

  None (edit)
Description Marcel Holtmann 2006-08-14 05:55:27 EDT
The proposed patch for CVE-2005-2872 was rejected by upstream. The Linux kernel
2.6.18-rc1 now contains a fully rewritten version of ipt_recent.c from Patrick
McHardy. Is this acceptable for a backport?
Comment 8 Neil Horman 2006-09-01 13:30:46 EDT
Created attachment 135397 [details]
patch to update ipt_recent module to latest upstream code

I spent some time last night to generate the patch that updates our current
ipt_recent code to the latest upstream version.  Its ABI compatibile as far as
I've been able to see, and it builds without warnings for me.  Can you please
give it a test and confirm its functionality for me?  Thanks
Comment 10 Jay Turner 2006-10-03 09:26:02 EDT
QE is concerned about testing this fix.  We need some guidance on testing before
we can ack this request.
Comment 11 Neil Horman 2006-10-03 10:10:36 EDT
I built a custom kernel to start jiffies > LONG_MAX, but I think on 32 bit
systems it should roll over anyway within the first 5 minutes after boot. 
Basically, all you need to do is set up an iptable rule to do an ipt_recent
module --check operation of a source ip on a given port and drop the packet if
its found, along with a --seconds 30 to narrow the search to the last 30
seconds. then a second subsequent rule to add the source ip to the table.  the
effect here should be that one can contact the specified port on the system (I
used the telnet daemon to test) once every 30 seconds.  Addition connect
attempts will be dropped.  When the bug is in place, once an entry is added to
the table it will (incorrectly) always be found, and the matching packets will
always be dropped.  with the fix, packets will be allowed through once every 30
Comment 12 RHEL Product and Program Management 2006-10-10 14:16:39 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
Comment 13 Jay Turner 2006-10-17 11:35:07 EDT
QE ack for RHEL4.5.
Comment 14 Jason Baron 2006-10-23 15:19:26 EDT
committed in stream U5 build 42.20. A test kernel with this patch is available
from http://people.redhat.com/~jbaron/rhel4/
Comment 16 Mike Gahagan 2007-04-04 13:40:43 EDT
I'm not able to reproduce the original problem but I did test the ipt_recent
functionality and it appears to be working as expected. I have also verified
that the patch to update ipt_recent is in the -52 kernel.

Comment 18 Red Hat Bugzilla 2007-05-07 23:18:49 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.


Note You need to log in before you can comment on or make changes to this bug.