Bug 1426542 (CVE-2017-6214) - CVE-2017-6214 kernel: ipv4/tcp: Infinite loop in tcp_splice_read()
Status: NEW
Alias: CVE-2017-6214
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
Whiteboard: impact=moderate,public=20170207,repor...
Keywords: Security
Depends On: 1430577 1430578 1430579 1430580 1430581 1430582 1430583 1430584 1430585
Blocks: 1426543
Reported: 2017-02-24 09:00 UTC by Andrej Nemec
Modified: 2018-08-28 22:13 UTC

Doc Text:
A flaw was found in the Linux kernel's handling of packets with the URG flag. Applications using the splice() and tcp_splice_read() functionality could allow a remote attacker to force the kernel to enter a condition in which it could loop indefinitely.
External Trackers

| Tracker | ID | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|
| Red Hat Product Errata | RHSA-2017:1372 | normal | SHIPPED_LIVE | Moderate: kernel security and bug fix update | 2017-05-30 21:02:29 UTC |
| Red Hat Product Errata | RHSA-2017:1615 | normal | SHIPPED_LIVE | Important: kernel security and bug fix update | 2017-06-29 16:41:56 UTC |
| Red Hat Product Errata | RHSA-2017:1616 | normal | SHIPPED_LIVE | Important: kernel-rt security and bug fix update | 2017-06-28 20:57:58 UTC |
| Red Hat Product Errata | RHSA-2017:1647 | normal | SHIPPED_LIVE | Important: kernel-rt security and bug fix update | 2017-06-28 20:34:27 UTC |

Description Andrej Nemec 2017-02-24 09:00:20 UTC
A flaw was found in the Linux kernel's handling of packets with the URG flag. Applications using the splice() and tcp_splice_read() functionality can allow a remote attacker to force the kernel to enter a condition in which it can loop indefinitely.


Upstream patch:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ccf7abb93af09ad0868ae9033d1ca8108bdaec82

References:

https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.11
http://seclists.org/oss-sec/2017/q1/491

Comment 10 Wade Mealing 2017-03-09 01:41:38 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1430585]

Comment 11 Wade Mealing 2017-03-09 02:29:19 UTC
Statement:

This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5 as the code with the flaw is not present in the products listed.

This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 6, 7 and MRG-2. Future Linux kernel updates for the respective releases might address this issue.

Comment 12 Justin M. Forbes 2017-03-09 19:52:46 UTC
As mentioned in the original comment, this was fixed in upstream 4.9.11. This update was shipped to all stable Fedora updates on February 24, 2017.

Comment 14 errata-xmlrpc 2017-05-30 17:06:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:1372 https://access.redhat.com/errata/RHSA-2017:1372

Comment 15 errata-xmlrpc 2017-06-28 16:36:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise MRG 2

Via RHSA-2017:1647 https://access.redhat.com/errata/RHSA-2017:1647

Comment 16 errata-xmlrpc 2017-06-28 17:04:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:1615 https://access.redhat.com/errata/RHSA-2017:1615

Comment 17 errata-xmlrpc 2017-06-28 17:08:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:1616 https://access.redhat.com/errata/RHSA-2017:1616

