
Re: [coley@mitre.org: CAN-2005-2802 split into separate CANs]


Juergen Kreileder

Sep 12, 2005, 5:10:46 PM
ho...@verge.net.au writes:

> On Sat, Sep 10, 2005 at 01:14:49AM +0200, Moritz Muehlenhoff wrote:
>> Hi Horms,
>> can you please
>> a) correct the changelog in SVN
>
> Done.
>
>> b) check whether CAN-2005-2873 is fixed as well
>
> That bug does seem to be present in 2.4.27, 2.6.8, 2.6.12, 2.6.13
> and Linus' current git tree. The comment at
> http://blog.blackdown.de/2005/05/09/fixing-the-ipt_recent-netfilter-module/
> seems to imply that the fix has been held off until post 2.6.14, but
> I do not know why. I have CCed Juergen, hopefully he can comment.

Dave Miller didn't like the usage of xtime.tv_sec (via get_seconds()),
as it can be changed from the outside which may cause problems. So,
in short, I have to find a better fix (although I'm perfectly happy
with the old fix for my systems).


Juergen

Quoting the rest for the sake of clarity:

> Also, is there a reason this correspondence can't go to debian-kernel?
>
>>
>> Cheers,
>> Moritz
>>
>> ----- Forwarded message from "Steven M. Christey" <co...@mitre.org> -----
>>
>> Date: Fri, 9 Sep 2005 14:21:46 -0400 (EDT)
>> From: "Steven M. Christey" <co...@mitre.org>
>> Subject: CAN-2005-2802 split into separate CANs
>>
>>
>> Hello,
>>
>> Based on some clarifying information from Juergen Kreileder, it
>> became clear that CAN-2005-2802, as I wrote it, actually combined
>> two distinct issues, only one of which was initially fixed. As a
>> result, it needs to be REJECTed and split into two other separate
>> candidates, namely CAN-2005-2872 and CAN-2005-2873. See details
>> below.
>>
>> - Steve
>>
>>
>> ======================================================
>> Candidate: CAN-2005-2802
>> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2802
>>
>> ** REJECT **
>>
>> DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CAN-2005-2872,
>> CAN-2005-2873. Reason: this candidate's description originally
>> combined two separate issues. Notes: All CVE users should consult
>> CAN-2005-2872 and CAN-2005-2873 to determine the appropriate
>> identifier for the issue.
>>
>>
>> ======================================================
>> Candidate: CAN-2005-2872
>> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2872
>> Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=322237
>> Reference: CONFIRM:http://www.kernel.org/git/?p=linux/kernel/git/chrisw/lsm-2.6.git;a=commit;h=bcfff0b471a60df350338bcd727fc9b8a6aa54b2
>>
>> The ipt_recent kernel module (ipt_recent.c) in Linux kernel before
>> 2.6.12, when running on 64-bit processors such as AMD64, allows
>> remote attackers to cause a denial of service (kernel panic) via
>> certain attacks such as SSH brute force, which leads to memset
>> calls using a length based on the u_int32_t type, acting on an
>> array of unsigned long elements, a different vulnerability than
>> CAN-2005-2873.
>>
>>
>> ======================================================
>> Candidate: CAN-2005-2873
>> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2873
>> Reference: MISC:http://blog.blackdown.de/2005/05/09/fixing-the-ipt_recent-netfilter-module/
>>
>> The ipt_recent kernel module (ipt_recent.c) in Linux kernel 2.6.12
>> and earlier does not properly perform certain time tests when the
>> jiffies value is greater than LONG_MAX, which can cause ipt_recent
>> netfilter rules to block too early, a different vulnerability than
>> CAN-2005-2872.
>>
>>
>>
>>
>> ----- End forwarded message -----

--
Juergen Kreileder, Blackdown Java-Linux Team
http://blog.blackdown.de/
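
The CAN-2005-2873 description quoted above concerns time tests that misbehave once the tick counter exceeds LONG_MAX. The following is an added illustration, not part of the original thread and not the ipt_recent source: it assumes a 32-bit tick counter, a wrap-safe signed-difference comparison, and a zero-initialised history table whose empty slots are compared like real timestamps. All names (`before_eq`, `hits_weak`, `hits_hardened`, `sample_entry`) and the `HZ`/`SLOTS` values are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

#define HZ    1000u   /* assumed tick rate */
#define SLOTS 4       /* assumed per-address history size */

struct entry {
    uint32_t last_pkts[SLOTS]; /* tick stamps, zero-initialised */
    uint8_t  used[SLOTS];      /* explicit validity flag (hardened variant only) */
};

/* Wrap-safe "a is at or before b" via signed difference, modelled on a 32-bit long. */
static int before_eq(uint32_t a, uint32_t b) { return (int32_t)(a - b) <= 0; }

/* Weak: an empty (zero) slot is compared as if it were a real timestamp. */
int hits_weak(const struct entry *e, uint32_t now, uint32_t seconds)
{
    int hits = 0;
    for (int i = 0; i < SLOTS; i++)
        if (before_eq(now - seconds * HZ, e->last_pkts[i]))
            hits++;
    return hits;
}

/* Hardened: only slots that were actually written take part in the test. */
int hits_hardened(const struct entry *e, uint32_t now, uint32_t seconds)
{
    int hits = 0;
    for (int i = 0; i < SLOTS; i++)
        if (e->used[i] && before_eq(now - seconds * HZ, e->last_pkts[i]))
            hits++;
    return hits;
}

/* Constructed sample: one packet seen one second before `now`, other slots empty. */
struct entry sample_entry(uint32_t now)
{
    struct entry e = {{0}, {0}};
    e.last_pkts[0] = now - 1 * HZ;
    e.used[0] = 1;
    return e;
}

int main(void)
{
    uint32_t ticks[] = { 0x10000000u, 0x90000000u }; /* below / above the signed maximum */
    for (int i = 0; i < 2; i++) {
        struct entry e = sample_entry(ticks[i]);
        printf("now=0x%08x weak=%d hardened=%d\n", (unsigned)ticks[i],
               hits_weak(&e, ticks[i], 60), hits_hardened(&e, ticks[i], 60));
    }
    return 0;
}
```

Above the signed maximum the weak variant counts every empty slot as a recent hit, so a hit-count rule would trigger after a single packet; the hardened variant reports one hit in both cases.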



David S. Miller

Sep 12, 2005, 5:30:17 PM
From: Juergen Kreileder <j...@blackdown.de>
Date: Mon, 12 Sep 2005 22:43:28 +0200

> Dave Miller didn't like the usage of xtime.tv_sec (via get_seconds()),
> as it can be changed from the outside which may cause problems. So,
> in short, I have to find a better fix (although I'm perfectly happy
> with the old fix for my systems).

ipt_recent needs to be rewritten from scratch, and this is
long overdue

Horms

Sep 12, 2005, 11:40:05 PM
On Mon, Sep 12, 2005 at 02:07:51PM -0700, David S. Miller wrote:
> From: Juergen Kreileder <j...@blackdown.de>
> Date: Mon, 12 Sep 2005 22:43:28 +0200
>
> > Dave Miller didn't like the usage of xtime.tv_sec (via get_seconds()),
> > as it can be changed from the outside which may cause problems. So,
> > in short, I have to find a better fix (although I'm perfectly happy
> > with the old fix for my systems).
>
> ipt_recent needs to be rewritten from scratch, and this is
> long overdue

Hi Dave,

Is there any discussion of how that should be done floating around,
and how much work do you think would be involved?

--
Horms

David S. Miller

Sep 13, 2005, 12:40:07 AM
From: Horms <ho...@debian.org>
Date: Tue, 13 Sep 2005 11:41:28 +0900

> Is there any discussion of how that should be done floating around,
> and how much work do you think would be involved?

Not really, Patrick McHardy and myself simply decided that
is what is needed last time this got discussed.

Someone just needs to get in there and rewrite the whole
thing.
