Bug 232045 - CVE-2007-1865 ipv6_getsockopt_sticky copy_to_user leak
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel
Version: 5.1
Hardware: All, OS: Linux
Priority: medium, Severity: high
Assigned To: Thomas Graf
QA Contact: Martin Jenner
Whiteboard: impact=important,source=redhat,report...
Keywords: Security
Reported: 2007-03-13 14:24 EDT by Marcel Holtmann
Modified: 2014-06-18 04:29 EDT
Doc Type: Bug Fix
Last Closed: 2007-06-04 10:24:57 EDT

Description Marcel Holtmann 2007-03-13 14:24:56 EDT
A user can supply len < 0 in ipv6_getsockopt_sticky and cause a leak of kernel
memory.
Comment 1 Marcel Holtmann 2007-03-13 14:27:00 EDT
Created attachment 149966
Upstream patch from Chris Wright
Comment 2 Don Howard 2007-04-12 20:17:36 EDT
Hi Marcel -

This patch doesn't appear to be needed - len is ignored when copying header info
to the user's buffer in ipv6_getsockopt_sticky() -- the length to hand back to
userspace is taken directly from the header.

I don't see this patch upstream.  Let me know if I've missed the vulnerability
here.
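
The length handling at issue between the description and Comment 2, modeled in user space as an added example (not part of the bug thread and not the kernel's source). The function names and the sample header are constructed for illustration; only the (hdrlen + 1) * 8 size rule mirrors the kernel's ipv6_optlen().

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed 8-byte extension header: byte 0 = next header, byte 1 = hdrlen
 * (8-byte units beyond the first 8 bytes), then a PadN option. */
static const unsigned char sample_hdr[8] = { 0x3b, 0x00, 1, 4, 0, 0, 0, 0 };

/* Same arithmetic as ipv6_optlen(): (hdrlen + 1) * 8 bytes. */
static unsigned int opt_len(const unsigned char *hdr)
{
    return ((unsigned int)hdr[1] + 1) << 3;
}

/* Assumed failure mode behind the description: the clamp compares as signed
 * int, so a negative len wins and is widened to a huge copy size. */
static size_t copy_len_signed_clamp(const unsigned char *hdr, int len)
{
    int n = (int)opt_len(hdr);
    if (len < n)
        n = len;
    return (size_t)n;   /* the size a copy routine would receive */
}

/* Hardened clamp: compare as unsigned, so a negative len turns into a large
 * value and the header size always bounds the copy. */
static size_t copy_len_unsigned_clamp(const unsigned char *hdr, int len)
{
    unsigned int n = opt_len(hdr);
    if ((unsigned int)len < n)
        n = (unsigned int)len;
    return n;
}

/* Reading given in Comment 2: len is never consulted at all. */
static size_t copy_len_from_header(const unsigned char *hdr, int len)
{
    (void)len;
    return opt_len(hdr);
}

int main(void)
{
    int lens[] = { 64, 4, -1 };   /* constructed caller-supplied lengths */
    for (size_t i = 0; i < sizeof(lens) / sizeof(lens[0]); i++)
        printf("len=%3d signed=%zu unsigned=%zu header=%zu\n", lens[i],
               copy_len_signed_clamp(sample_hdr, lens[i]),
               copy_len_unsigned_clamp(sample_hdr, lens[i]),
               copy_len_from_header(sample_hdr, lens[i]));
    return 0;
}
```

Only the signed clamp lets a negative len reach the copy as an out-of-range size; the other two variants stay bounded by the header's own length.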
Comment 4 RHEL Product and Program Management 2007-04-25 16:44:02 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 5 RHEL Product and Program Management 2007-05-03 08:22:07 EDT
This request was evaluated by Red Hat Kernel Team for inclusion in a Red
Hat Enterprise Linux maintenance release, and has moved to bugzilla 
status POST.
