Description of the problem:

Some occurrences in the netfilter tree use skb_header_pointer() in the following way

  ...
  struct dccp_hdr _dh, *dh;
  ...
  skb_header_pointer(skb, dataoff, sizeof(_dh), &dh);
  ...

where dh itself is a pointer that is being passed as the copy buffer. Instead, we need to use &_dh as the fourth argument so that we're copying the data into an actual buffer that sits on the stack.

A remote attacker could use this flaw to crash the system or, potentially, escalate their privileges on the system.

References:
http://www.openwall.com/lists/oss-security/2014/03/17/3

Introduced by:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=2bc780499aa3

Upstream fix:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b22f5126a24b
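As an added illustration (not code from the bug report or from the kernel): a user-space model of the copy-or-point contract of skb_header_pointer(), extended with a buffer_size check the real API does not have, so the &dh misuse described above fails instead of overrunning the stack. struct model_skb, struct dccp_hdr_model, model_header_pointer() and the sample packet are all constructed here.

```c
#include <stddef.h>
#include <stdint.h>
/* Added user-space model of the skb_header_pointer() contract; not kernel code. */
struct model_skb { const uint8_t *head, *frag; size_t head_len, frag_len; };
/* Simplified 12-byte stand-in for struct dccp_hdr (bitfields flattened). */
struct dccp_hdr_model {
    uint16_t dccph_sport, dccph_dport; uint8_t dccph_doff, dccph_cscov_ccval;
    uint16_t dccph_checksum; uint8_t dccph_type_x, dccph_seq2; uint16_t dccph_seq;
};
/* Like skb_header_pointer(): point into the linear area when the bytes are
 * contiguous there, else gather them into 'buffer'.  buffer_size is an added
 * argument the real API lacks; it makes the report's misuse fail cleanly. */
const void *model_header_pointer(const struct model_skb *skb, size_t offset,
                                 size_t len, void *buffer, size_t buffer_size)
{
    if (len > buffer_size || offset + len > skb->head_len + skb->frag_len)
        return NULL;                      /* buffer too small or packet too short */
    if (offset + len <= skb->head_len)
        return skb->head + offset;        /* fast path: no copy needed */
    uint8_t *dst = buffer;                /* slow path: copy across the pieces */
    for (size_t i = 0; i < len; i++) {
        size_t pos = offset + i;
        dst[i] = pos < skb->head_len ? skb->head[pos] : skb->frag[pos - skb->head_len];
    }
    return buffer;
}
/* Fixed pattern: &_dh, the struct on the stack, is the copy buffer. Returns dccph_doff or -1. */
int dccp_doff_fixed(const struct model_skb *skb, size_t dataoff)
{
    struct dccp_hdr_model _dh;
    const struct dccp_hdr_model *dh =
        model_header_pointer(skb, dataoff, sizeof(_dh), &_dh, sizeof(_dh));
    return dh ? dh->dccph_doff : -1;
}
/* Buggy pattern from the report: &dh, a pointer-sized slot, is passed as a
 * sizeof(_dh) buffer.  The size check rejects it here; in the kernel the copy
 * overran the pointer and the neighbouring stack. */
int dccp_doff_buggy(const struct model_skb *skb, size_t dataoff)
{
    struct dccp_hdr_model _dh, *dh;
    dh = (struct dccp_hdr_model *)
        model_header_pointer(skb, dataoff, sizeof(_dh), &dh, sizeof(dh));
    return dh ? dh->dccph_doff : -1;
}
/* Constructed sample: 16 bytes split 8/8, so a header at offset 2 straddles the
 * pieces and takes the copy path; head[6] is dccph_doff (= 5). */
static const uint8_t sample_head[8] = { 0x11, 0x22, 0x00, 0x01, 0x00, 0x02, 5, 0 };
static const uint8_t sample_frag[8] = { 0 };
static const struct model_skb sample_skb = { sample_head, sample_frag, 8, 8 };
```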
Statement: This issue does not affect the versions of the kernel package as shipped with Red Hat Enterprise Linux 5.
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1077350]
kernel-3.13.7-200.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
kernel-3.13.7-100.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
Question on alternatives:

Are there any workarounds/config changes that can be implemented to mitigate the risk such as the ones listed in the following link:

https://odesk.by/archives/2107#more-2107

My concern is with RHEL 6 where no patch exists yet.
(In reply to Ed Brand from comment #8)
> Are there any workarounds/config changes that can be implemented to mitigate
> the risk such as the ones listed in the following link:
>
> https://odesk.by/archives/2107#more-2107
>
> My concern is with RHEL 6 where no patch exists yet.

The link pretty much sums up the mitigation options. I'd recommend preventing the nf_conntrack_proto_dccp module from being loaded by adding "install nf_conntrack_proto_dccp /bin/true" to the file "/etc/modprobe.d/blacklist.conf".

Hope that helps.

--
Petr Matousek / Red Hat Security Response Team
This issue has been addressed in the following products:

  MRG for RHEL-6 v.2

Via RHSA-2014:0439 https://rhn.redhat.com/errata/RHSA-2014-0439.html

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:0475 https://rhn.redhat.com/errata/RHSA-2014-0475.html

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.2 AUS

Via RHSA-2014:0520 https://rhn.redhat.com/errata/RHSA-2014-0520.html

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.3 EUS - Server and Compute Node Only

Via RHSA-2014:0593 https://rhn.redhat.com/errata/RHSA-2014-0593.html

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.4 EUS - Server and Compute Node Only

Via RHSA-2014:0634 https://rhn.redhat.com/errata/RHSA-2014-0634.html