Bug 460093 – CVE-2008-3526 Linux kernel sctp_setsockopt_auth_key() integer overflow

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 460093 - (CVE-2008-3526) CVE-2008-3526 Linux kernel sctp_setsockopt_auth_key() integer overflow

Summary:	CVE-2008-3526 Linux kernel sctp_setsockopt_auth_key() integer overflow

Status:	CLOSED ERRATA

Aliases:	CVE-2008-3526

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	high Severity high
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=important,source=redhat,report...
Keywords:	Security

Depends On:	460094
Blocks:
	Show dependency tree / graph

Reported:	2008-08-26 01:57 EDT by Eugene Teo (Security Response)
Modified:	2016-03-04 07:28 EST (History)
CC List:	5 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2010-12-21 12:23:12 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Upstream patch for this issue (1.53 KB, patch) 2008-08-26 11:15 EDT, Eugene Teo (Security Response)	no flags	Details \| Diff
Proposed backported patch for MRG kernel (1.16 KB, patch) 2008-08-29 03:42 EDT, Eugene Teo (Security Response)	no flags	Details \| Diff
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2008:0857	normal	SHIPPED_LIVE	Important: kernel security and bug fix update	2008-10-07 15:18:59 EDT

Groups: None (edit)

Description Eugene Teo (Security Response) 2008-08-26 01:57:12 EDT

Description of problem:
Eugene Teo reported that an integer overflow flaw was found in the Linux kernel sctp_setsockopt_auth_key() function. The structure used for SCTP_AUTH_KEY option contains a length that needs to be verified to prevent integer overflow conditions.

Comment 1 Eugene Teo (Security Response) 2008-08-26 01:59:14 EDT

Proposed upstream patch:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=30c2235cbc477d4629983d440cdc4f496fec9246

Comment 2 Eugene Teo (Security Response) 2008-08-26 02:04:23 EDT

(In reply to comment #1)
> Proposed upstream patch:
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=30c2235cbc477d4629983d440cdc4f496fec9246

There are discussions to use UINT_MAX instead of INT_MAX in the if comparison, and to limit the upper bound to a smaller number. So don't backport the patch yet.

Comment 3 Eugene Teo (Security Response) 2008-08-26 02:08:53 EDT

SCTP-AUTH API was introduced in upstream commit 65b07e5d (20070916). This extension is disabled by default since upstream commit 5e739d17 (20080821).

Comment 5 Eugene Teo (Security Response) 2008-08-26 11:07:58 EDT

(In reply to comment #2)
> (In reply to comment #1)
> > Proposed upstream patch:
> > http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=30c2235cbc477d4629983d440cdc4f496fec9246
> 
> There are discussions to use UINT_MAX instead of INT_MAX in the if comparison,
> and to limit the upper bound to a smaller number. So don't backport the patch
> yet.

Vlad wrote that using INT_MAX is sufficient to catch possible overflows, and that restricting the size further is pointless and could end up being too restrictive. So, please backport the patch based on commit 30c2235cb. Thanks.

Comment 6 Eugene Teo (Security Response) 2008-08-26 11:15:47 EDT

Created attachment 315008 [details]
Upstream patch for this issue

Comment 7 Eugene Teo (Security Response) 2008-08-27 20:49:02 EDT

(In reply to comment #5)
> (In reply to comment #2)
> > (In reply to comment #1)
> > > Proposed upstream patch:
> > > http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=30c2235cbc477d4629983d440cdc4f496fec9246
> > 
> > There are discussions to use UINT_MAX instead of INT_MAX in the if comparison,
> > and to limit the upper bound to a smaller number. So don't backport the patch
> > yet.
> 
> Vlad wrote that using INT_MAX is sufficient to catch possible overflows, and
> that restricting the size further is pointless and could end up being too
> restrictive. So, please backport the patch based on commit 30c2235cb. Thanks.

Turns out that the upper bound needs to be fixed :) Will update the bug with the commit hash as soon as it is committed upstream.

Comment 8 Eugene Teo (Security Response) 2008-08-28 21:36:15 EDT

The backport patch needs this as well:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=328fc47ea0bcc27d9afa69c3ad6e52431cadd76c

Comment 9 Eugene Teo (Security Response) 2008-08-29 03:42:04 EDT

Created attachment 315341 [details]
Proposed backported patch for MRG kernel

Comment 10 Luis Claudio R. Goncalves 2008-09-05 08:36:58 EDT

Queued for -79

Comment 11 Vincent Danen 2010-12-21 12:23:12 EST

This was addressed via:

MRG Realtime for RHEL 5 Server (RHSA-2008:0857)

Note You need to log in before you can comment on or make changes to this bug.