Bugzilla – Bug 827565
VUL-1: CVE-2013-2224: kernel: 2.6.32+ IP_RETOPTS Buffer Poisoning DoS
Last modified: 2014-03-27 17:14:22 UTC
Via OSS-sec:

Date: Sun, 30 Jun 2013 00:33:47 -0700
From: Steven Ciaburri
To: oss-security

There is a local DoS exploit in CentOS 6, OpenVZ 6, CloudLinux 6 and others.
https://www.rack911.com/poc/hemlock.c
CVE-2013-2224
According to sources, the RH bz ID seems to be 979788
bugbot adjusting priority
Also via OSS-sec:

Just to make sure -- this triggers a Red Hat specific bug introduced via the CVE-2012-3552 fix [1, 2]. This issue does not affect upstream.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=979936#c2
[2] https://bugzilla.redhat.com/show_bug.cgi?id=979936#c3

Spender suggests there is an integer problem in the code [3], but there is not. The problem spender is trying to fix is avoided by the CMSG_OK check in the ip_cmsg_send() function and the msg_controllen check in __sys_sendmsg(). There is some slight room for error though, since CMSG_OK checks for "(cmsg)->cmsg_len >= sizeof(struct cmsghdr)" and the expression is "err = cmsg->cmsg_len - CMSG_ALIGN(sizeof(struct cmsghdr));", but with the current alignment and cmsghdr struct size we should be fine on both 32- and 64-bit.

[3] https://twitter.com/grsecurity/status/351664130031222784

-- Petr Matousek / Red Hat Security Response Team
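The two length checks Petr's comment relies on, modelled in user space as an added illustration (this is not kernel code and is not part of the bug report or of any patch discussed here). It reproduces the kernel's CMSG_ALIGN rounding and CMSG_OK condition as local helpers rather than taking them from headers, assumes glibc's struct cmsghdr has the same size and layout as the kernel's on 32- and 64-bit x86, and feeds constructed control buffers through a walk shaped like the IP_RETOPTS handling the thread describes, so that the "cmsg_len - CMSG_ALIGN(sizeof(struct cmsghdr))" subtraction can be watched at the boundary values:

```c
/* User-space model of the cmsg length checks discussed in the thread.
 * Added example, not kernel code. Assumes glibc's struct cmsghdr matches
 * the kernel's layout (true on 32- and 64-bit x86). */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define MAX_IPOPTLEN 40   /* longest IPv4 options block, as in the kernel */

/* Kernel CMSG_ALIGN: round up to a multiple of sizeof(long). */
static size_t kern_cmsg_align(size_t len)
{
    return (len + sizeof(long) - 1) & ~(sizeof(long) - 1);
}

/* The equality Petr's argument needs: if CMSG_ALIGN(sizeof(struct cmsghdr))
 * equals sizeof(struct cmsghdr), then cmsg_len >= sizeof(struct cmsghdr)
 * guarantees cmsg_len - CMSG_ALIGN(sizeof(struct cmsghdr)) cannot go
 * negative. Returns 1 if it holds on this build. */
int header_is_aligned(void)
{
    return kern_cmsg_align(sizeof(struct cmsghdr)) == sizeof(struct cmsghdr);
}

/* Kernel CMSG_OK(): header fits, and cmsg_len does not exceed what remains
 * of the control buffer from this header onward (the msg_controllen bound). */
static int kern_cmsg_ok(size_t ctl_len, size_t off, const struct cmsghdr *cmsg)
{
    return cmsg->cmsg_len >= sizeof(struct cmsghdr) &&
           cmsg->cmsg_len <= ctl_len - off;
}

/* Walk a control buffer the way ip_cmsg_send() does and, for the first
 * IPPROTO_IP/IP_RETOPTS message, return the options length that would be
 * handed on: cmsg_len minus the aligned header, capped at MAX_IPOPTLEN.
 * Returns -1 if a header fails CMSG_OK, -2 if no IP_RETOPTS cmsg is present. */
int retopts_len(const unsigned char *ctl, size_t ctl_len)
{
    size_t off = 0;
    while (off + sizeof(struct cmsghdr) <= ctl_len) {
        struct cmsghdr cmsg;
        memcpy(&cmsg, ctl + off, sizeof cmsg);   /* avoid alignment casts */
        if (!kern_cmsg_ok(ctl_len, off, &cmsg))
            return -1;
        if (cmsg.cmsg_level == IPPROTO_IP && cmsg.cmsg_type == IP_RETOPTS) {
            /* The expression quoted in the thread. With the CMSG_OK check
             * above it is >= 0; with the alignment equality it is exact. */
            size_t len = cmsg.cmsg_len - kern_cmsg_align(sizeof(struct cmsghdr));
            return len < MAX_IPOPTLEN ? (int)len : MAX_IPOPTLEN;
        }
        off += kern_cmsg_align(cmsg.cmsg_len);
    }
    return -2;
}

/* Constructed input: one IP_RETOPTS cmsg whose header claims `claimed_len`,
 * followed by `payload` zero bytes. Returns the buffer length written, or 0
 * if it does not fit. `claimed_len` may deliberately disagree with the real
 * size, which is what a hostile sender controls. */
size_t build_retopts(unsigned char *buf, size_t cap, size_t claimed_len, size_t payload)
{
    struct cmsghdr h;
    size_t total = sizeof h + payload;
    if (total > cap)
        return 0;
    memset(buf, 0, cap);
    memset(&h, 0, sizeof h);
    h.cmsg_len = claimed_len;
    h.cmsg_level = IPPROTO_IP;
    h.cmsg_type = IP_RETOPTS;
    memcpy(buf, &h, sizeof h);
    return total;
}

/* Build one case and run it through the modelled walk. */
int demo_case(size_t claimed_len, size_t payload)
{
    unsigned char buf[128];
    size_t n = build_retopts(buf, sizeof buf, claimed_len, payload);
    return retopts_len(buf, n);
}

int main(void)
{
    size_t hdr = sizeof(struct cmsghdr);
    printf("header aligned: %d\n", header_is_aligned());
    printf("hdr+8, 8 bytes payload  -> %d\n", demo_case(hdr + 8, 8));    /* 8 */
    printf("hdr-1 (too short)       -> %d\n", demo_case(hdr - 1, 0));    /* -1 */
    printf("hdr exactly (edge)      -> %d\n", demo_case(hdr, 0));        /* 0 */
    printf("hdr+100, 8 bytes buffer -> %d\n", demo_case(hdr + 100, 8));  /* -1 */
    printf("hdr+64, 64 bytes        -> %d\n", demo_case(hdr + 64, 64));  /* 40 */
    return 0;
}
```

The interesting rows are the second and third: a cmsg_len one byte short of the header is refused outright by the CMSG_OK condition rather than producing a huge unsigned length, and a cmsg_len equal to the header yields exactly 0 only because the aligned header size equals the raw one, which is the "slight room for error" Petr mentions. A cmsg_len larger than the buffer is caught by the msg_controllen side of the same check.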
So, this can be closed then, I guess?
We might get this backport for/via bug 778460 too, but that one is not fixed yet either, so I would say assign this to Jiri as well.
Jiri?
ping?
Yes, this is indeed RH specific. I still don't have a fix for bnc#778460 (SLE10 only), but I'll work on it ASAP. I won't be reusing the RH patch (I don't even have access to it; they don't have it in their bugzilla), so there is no chance of introducing this bug.