Bug 522503 - Turn off AppleTalk protocol module in realtime kernel
Summary: Turn off AppleTalk protocol module in realtime kernel
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: realtime-kernel
Version: Development
Hardware: All
OS: Linux
high
medium
Target Milestone: 1.1.9
: ---
Assignee: Luis Claudio R. Goncalves
QA Contact: David Sommerseth
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2009-09-10 14:45 UTC by Clark Williams
Modified: 2016-05-22 23:28 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-11-03 18:22:02 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:1540 0 normal SHIPPED_LIVE Important: kernel-rt security, bug fix, and enhancement update 2009-11-03 18:21:07 UTC

Description Clark Williams 2009-09-10 14:45:17 UTC
Description of problem:

The realtime kernel has no need to support the AppleTalk protocol stack. Turn off CONFIG_DEV_APPLETALK in all rt kernel variants.

Comment 1 Luis Claudio R. Goncalves 2009-09-11 02:53:47 UTC
disabled CONFIG_DEV_APPLETALK and CONFIG_ATALK on kernel v1 (-134)

Comment 2 Eugene Teo (Security Response) 2009-09-14 01:26:47 UTC
How about the ipddp module? Since we are turning off AppleTalk in -rt, we might as well turn off AppleTalk-IP too. Related to CVE-2009-2903.

Comment 3 Luis Claudio R. Goncalves 2009-10-14 22:01:12 UTC
I understand that by disabling the module we also disabled the use of the code in net/appletalk/ddp.c. Please let me know if I'm wrong.

Comment 4 Eugene Teo (Security Response) 2009-10-15 01:11:51 UTC
(In reply to comment #3)
> I understand that by disabling the module we also disabled the use of the code in
> net/appletalk/ddp.c. Please let me know if I'm wrong.

I believe so too.

Comment 5 David Sommerseth 2009-10-27 15:46:44 UTC
Verified against kernel-rt-2.6.24.7-136

** 2.6.24.7-132
[root@ibm-e326m ~]# grep TALK /boot/config-2.6.24.7-132.el5rt 
CONFIG_ATALK=m
CONFIG_DEV_APPLETALK=m
[root@ibm-e326m ~]# modprobe -v appletalk
insmod /lib/modules/2.6.24.7-132.el5rt/kernel/net/appletalk/appletalk.ko 
[root@ibm-e326m ~]# lsmod | grep appletalk
appletalk              41872  0 
[root@ibm-e326m ~]# modprobe -rv appletalk
rmmod /lib/modules/2.6.24.7-132.el5rt/kernel/net/appletalk/appletalk.ko
[root@ibm-e326m ~]# 


** 2.6.24.7-136
[root@hp-dl585g2-01 ~]# grep TALK /boot/config-2.6.24.7-136.el5rt 
# CONFIG_ATALK is not set
[root@hp-dl585g2-01 ~]# modprobe -v appletalk
FATAL: Module appletalk not found.
[root@hp-dl585g2-01 ~]#
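
Added example, not part of the bug report or of any Red Hat tooling: a shell check of a kernel config file for the two AppleTalk options named in this bug plus CONFIG_IPDDP, the option behind the ipddp module raised in Comment 2, which a `grep TALK` pattern does not match. The function names and the sample config are made up for illustration.

```shell
#!/bin/sh
# Added example: audit a kernel config for AppleTalk-related options.
# CONFIG_ATALK and CONFIG_DEV_APPLETALK come from this report; CONFIG_IPDDP
# is included on the assumption that the ipddp module should be off as well.
ATALK_OPTS="CONFIG_ATALK CONFIG_DEV_APPLETALK CONFIG_IPDDP"

# opt_state FILE OPTION -> prints y, m, off ("is not set") or absent.
# "absent" is normal for an option whose parent option is disabled.
opt_state() {
    awk -v opt="$2" '
        $0 == ("# " opt " is not set") { s = "off" }
        index($0, opt "=") == 1        { s = substr($0, length(opt) + 2) }
        END { print (s == "" ? "absent" : s) }
    ' "$1"
}

# audit_atalk FILE -> one "OPTION: state" line per option.
# Returns 0 if none is built, 1 if any is y or m, 2 if FILE is unreadable.
audit_atalk() {
    cfg=$1
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    rc=0
    for opt in $ATALK_OPTS; do
        st=$(opt_state "$cfg" "$opt")
        echo "$opt: $st"
        case $st in
            y|m) rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample config (not copied from a real system) for a dry run:
#   sample_config > /tmp/cfg && audit_atalk /tmp/cfg
sample_config() {
    printf '%s\n' 'CONFIG_NET=y' 'CONFIG_ATALK=m' \
        'CONFIG_DEV_APPLETALK=m' '# CONFIG_IPDDP is not set'
}

# Stand-alone use: sh check.sh /boot/config-<kernel version>
if [ $# -gt 0 ]; then
    audit_atalk "$1"
fi
```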

Comment 7 errata-xmlrpc 2009-11-03 18:22:02 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2009-1540.html

