Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 232045 - CVE-2007-1865 ipv6_getsockopt_sticky copy_to_user leak
Summary: CVE-2007-1865 ipv6_getsockopt_sticky copy_to_user leak
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel
Version: 5.1
Hardware: All
OS: Linux
medium
high
Target Milestone: ---
: ---
Assignee: Thomas Graf
QA Contact: Martin Jenner
URL:
Whiteboard: impact=important,source=redhat,report...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-03-13 18:24 UTC by Marcel Holtmann
Modified: 2014-06-18 08:29 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-06-04 14:24:57 UTC
Target Upstream Version:


Attachments (Terms of Use)

Description Marcel Holtmann 2007-03-13 18:24:56 UTC
A user can supply len < 0 in ipv6_getsockopt_sticky and cause a leak of kernel
memory.

Comment 1 Marcel Holtmann 2007-03-13 18:27:00 UTC
Created attachment 149966 [details]
Upstream patch from Chris Wright

Comment 2 Don Howard 2007-04-13 00:17:36 UTC
Hi Marcel -

This patch doesn't appear to be needed - len is ignored when copying header info
to the user's buffer in ipv6_getsockopt_sticky() -- the length to hand back to
userspace is taken direclty from the header.  

I don't see this patch upstream.  Let me know if I've missed the vulnerablity
here.  

Comment 4 RHEL Product and Program Management 2007-04-25 20:44:02 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 5 RHEL Product and Program Management 2007-05-03 12:22:07 UTC
This request was evaluated by Red Hat Kernel Team for inclusion in a Red
Hat Enterprise Linux maintenance release, and has moved to bugzilla 
status POST.


Note You need to log in before you can comment on or make changes to this bug.