Bug 232045 - CVE-2007-1865 ipv6_getsockopt_sticky copy_to_user leak
Summary: CVE-2007-1865 ipv6_getsockopt_sticky copy_to_user leak
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel
Version: 5.1
Hardware: All
OS: Linux
Target Milestone: ---
: ---
Assignee: Thomas Graf
QA Contact: Martin Jenner
Whiteboard: impact=important,source=redhat,report...
Depends On:
TreeView+ depends on / blocked
Reported: 2007-03-13 18:24 UTC by Marcel Holtmann
Modified: 2014-06-18 08:29 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2007-06-04 14:24:57 UTC
Target Upstream Version:

Attachments (Terms of Use)

Description Marcel Holtmann 2007-03-13 18:24:56 UTC
A user can supply len < 0 in ipv6_getsockopt_sticky and cause a leak of kernel

Comment 1 Marcel Holtmann 2007-03-13 18:27:00 UTC
Created attachment 149966 [details]
Upstream patch from Chris Wright

Comment 2 Don Howard 2007-04-13 00:17:36 UTC
Hi Marcel -

This patch doesn't appear to be needed - len is ignored when copying header info
to the user's buffer in ipv6_getsockopt_sticky() -- the length to hand back to
userspace is taken direclty from the header.  

I don't see this patch upstream.  Let me know if I've missed the vulnerablity

Comment 4 RHEL Program Management 2007-04-25 20:44:02 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update

Comment 5 RHEL Program Management 2007-05-03 12:22:07 UTC
This request was evaluated by Red Hat Kernel Team for inclusion in a Red
Hat Enterprise Linux maintenance release, and has moved to bugzilla 
status POST.

Note You need to log in before you can comment on or make changes to this bug.