Horms
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: Bug#309308: kernel-image-2.6.8-2-686-smp: VLAN Oops fix for 2.6.8
On Fri, Aug 12, 2005 at 09:26:49AM +0200, Moritz Muehlenhoff wrote:
> Horms wrote:
> > > > There is no public CVE assignment for this issue. If it's easily reproducible
> > > > for non-root, it might account as a local DoS vulnerability.
> > >
> > > mii-tool's IOCTL is only allowed by root.
> > >
> > > The remote DoS comes from the fact that snmpd will call this IOCTL when it
> > > gets a request for the interface statistics.
> > >
> > > So it's exploitable via SNMP if the exploiter has access to the SNMP tree
> > > in question. (Which is not the default, if I recall correctly?)
> > >
> > > However, this means that cricket will bone the machine during the boot process,
> > > or soon after.
> >
> > I think that's a strong enough reason to tag it as a security fix,
> > and thus include it in a kernel security update.
>
> Hi Horms,
> this is now CAN-2005-2548. Can you please add it to the changelog?

Of course. It's in now.

-- Horms
Moritz Muehlenhoff
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: Bug#309308: kernel-image-2.6.8-2-686-smp: VLAN Oops fix for 2.6.8
Horms wrote:
> > below patch has been slurped into the Debian patches for 2.6.8, but the
> > error posted looks like the same error I suffered when hitting this bug.
> >
> > Patch from http://lists.osdl.org/pipermail/bridge/2004-September/000638.html
> >
> > Cut and paste from the web archive, so spacing etc. may be boned.
> > But it's a typo-only fix anyway, so easy enough to recreate.
>
> Thanks I have added this to SVN.
>
> Is this considered a security bug and if so does it have a CAN number?

There is no public CVE assignment for this issue. If it's easily reproducible
for non-root, it might account as a local DoS vulnerability.

Cheers,
Moritz
Horms
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: Bug#309308: kernel-image-2.6.8-2-686-smp: VLAN Oops fix for 2.6.8
tags +pending 309308
tags +patch 309308
thanks

On Thu, Aug 11, 2005 at 11:42:54AM +1000, Paul TBBle Hampson wrote:
> Package: kernel-image-2.6.8-2-686-smp
> Followup-For: Bug #309308
>
> Just noticed this bug in the testing-security list. I don't know if the
> below patch has been slurped into the Debian patches for 2.6.8, but the
> error posted looks like the same error I suffered when hitting this bug.
>
> Patch from http://lists.osdl.org/pipermail/bridge/2004-September/000638.html
>
> The patch was taken into 2.6.9-rc2, and the bug was in code introduced
> very late in the 2.6.8 cycle. (August 2004 I believe)
>
> diff -Nru a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c > --- a/net/8021q/vlan_dev.c 2004-09-10 06:12:16 -07:00 > +++ b/net/8021q/vlan_dev.c 2004-09-10 06:12:16 -07:00 > @@ -772,7 +772,7 @@ > case SIOCGMIIREG: > case SIOCSMIIREG: > if (real_dev->do_ioctl && netif_device_present(real_dev)) > - err = real_dev->do_ioctl(dev, &ifrr, cmd); > + err = real_dev->do_ioctl(real_dev, &ifrr, cmd); > break; > > case SIOCETHTOOL:
>
> Cut and paste from the web archive, so spacing etc. may be boned.
> But it's a typo-only fix anyway, so easy enough to recreate.

Thanks I have added this to SVN.

Is this considered a security bug and if so does it have a CAN number?

-- Horms
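Review bot: the trailing context stops at the `case SIOCETHTOOL:` label, so this hunk alone does not show whether the ethtool branch hands `real_dev` or `dev` to the real device's handler; check it, and any other call made through `real_dev` in this switch, for the same mix-up that the SIOCGMIIREG/SIOCSMIIREG branch had. The patch also carries no description: one line saying that `real_dev->do_ioctl` was being called with `dev` as its first argument instead of `real_dev` would make the changelog entry self-explanatory. Since the whitespace in the paste is damaged, re-create the one-line change by hand rather than applying the pasted text.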
Moritz Muehlenhoff
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: Bug#309308: kernel-image-2.6.8-2-686-smp: VLAN Oops fix for 2.6.8
Horms wrote:
> > > There is no public CVE assignment for this issue. If it's easily reproducible
> > > for non-root, it might account as a local DoS vulnerability.
> >
> > mii-tool's IOCTL is only allowed by root.
> >
> > The remote DoS comes from the fact that snmpd will call this IOCTL when it
> > gets a request for the interface statistics.
> >
> > So it's exploitable via SNMP if the exploiter has access to the SNMP tree
> > in question. (Which is not the default, if I recall correctly?)
> >
> > However, this means that cricket will bone the machine during the boot process,
> > or soon after.
>
> I think that's a strong enough reason to tag it as a security fix,
> and thus include it in a kernel security update.

Hi Horms,
this is now CAN-2005-2548. Can you please add it to the changelog?

Cheers,
Moritz