Bug 1426542 - (CVE-2017-6214) CVE-2017-6214 kernel: ipv4/tcp: Infinite loop in tcp_splice_read()
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
medium Severity medium
Assigned To: Red Hat Product Security
impact=moderate,public=20170207,repor...
: Security
Depends On: 1430577 1430578 1430579 1430580 1430581 1430582 1430583 1430584 1430585
Blocks: 1426543
Reported: 2017-02-24 04:00 EST by Andrej Nemec
Modified: 2018-08-28 18:13 EDT
Doc Text:
A flaw was found in the Linux kernel's handling of packets with the URG flag. Applications using the splice() and tcp_splice_read() functionality could allow a remote attacker to force the kernel to enter a condition in which it could loop indefinitely.

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:1372 normal SHIPPED_LIVE Moderate: kernel security and bug fix update 2017-05-30 17:02:29 EDT
Red Hat Product Errata RHSA-2017:1615 normal SHIPPED_LIVE Important: kernel security and bug fix update 2017-06-29 12:41:56 EDT
Red Hat Product Errata RHSA-2017:1616 normal SHIPPED_LIVE Important: kernel-rt security and bug fix update 2017-06-28 16:57:58 EDT
Red Hat Product Errata RHSA-2017:1647 normal SHIPPED_LIVE Important: kernel-rt security and bug fix update 2017-06-28 16:34:27 EDT

Description Andrej Nemec 2017-02-24 04:00:20 EST
A flaw was found in the Linux kernel's handling of packets with the URG flag. Applications using the splice() and tcp_splice_read() functionality can allow a remote attacker to force the kernel to enter a condition in which it can loop indefinitely.


Upstream patch:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ccf7abb93af09ad0868ae9033d1ca8108bdaec82

References:

https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.11
http://seclists.org/oss-sec/2017/q1/491
Comment 10 Wade Mealing 2017-03-08 20:41:38 EST
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1430585]
Comment 11 Wade Mealing 2017-03-08 21:29:19 EST
Statement:

This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5 as the code with the flaw is not present in the products listed.

This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 6, 7 and MRG-2. Future Linux kernel updates for the respective releases might address this issue.
Comment 12 Justin M. Forbes 2017-03-09 14:52:46 EST
As mentioned in the original comment, this was fixed in upstream 4.9.11. This update was shipped to all stable Fedora updates on February 24, 2017.
Comment 14 errata-xmlrpc 2017-05-30 13:06:43 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:1372 https://access.redhat.com/errata/RHSA-2017:1372
Comment 15 errata-xmlrpc 2017-06-28 12:36:03 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise MRG 2

Via RHSA-2017:1647 https://access.redhat.com/errata/RHSA-2017:1647
Comment 16 errata-xmlrpc 2017-06-28 13:04:52 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:1615 https://access.redhat.com/errata/RHSA-2017:1615
Comment 17 errata-xmlrpc 2017-06-28 13:08:15 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:1616 https://access.redhat.com/errata/RHSA-2017:1616
