Description: 1) CVE-2011-1767 gre: fix netns vs proto registration ordering GRE protocol receive hook can be called right after protocol addition is done. If netns stuff is not yet initialized, we're going to oops in net_generic(). This is remotely oopsable if ip_gre is compiled as module and packet comes at unfortunate moment of module loading. Upstream commit: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=c2892f02 References: http://www.openwall.com/lists/oss-security/2010/02/18/3 http://patchwork.ozlabs.org/patch/45553/ 2) CVE-2011-1768 tunnels: fix netns vs proto registration ordering Same stuff as in ip_gre patch: receive hook can be called before netns setup is done, oopsing in net_generic(). Upstream commit: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=d5aa407f References: http://www.openwall.com/lists/oss-security/2010/02/18/3 http://patchwork.ozlabs.org/patch/45554/
Statement: The Linux kernel as shipped with Red Hat Enterprise Linux 4, and 5 did not provide support for Network Namespace, and therefore are not affected by this issue. This has been addressed in Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2011-0928.html, and https://rhn.redhat.com/errata/RHSA-2011-1253.html.
Note that for this issue to occur, packets have to come when the module is loading, the window for this to happen is small.
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2011:0928 https://rhn.redhat.com/errata/RHSA-2011-0928.html
> 2) CVE-2011-1768 > tunnels: fix netns vs proto registration ordering > > Same stuff as in ip_gre patch: receive hook can be called before netns > setup is done, oopsing in net_generic(). A regression was found that can result in a NULL pointer dereference when the ip6_tunnel module is loaded, http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=633738. Filed bugs: Bug 733985 - kernel: regression in CVE-2011-1768 fix [rhel-6.2] Bug 733986 - kernel: regression in CVE-2011-1768 fix [mrg-2.0]
This issue has been addressed in following products: MRG for RHEL-6 v.2 Via RHSA-2011:1253 https://rhn.redhat.com/errata/RHSA-2011-1253.html