> I'm not sure if it's known, but I haven't found anything about it. > No matter, there's something strange in net/ipv4/ip_fragment.h (it's > probably Alan's fault): Not sure whose, but yes its a bug. Putting NETDEBUG around it is correct. Its impact on my box was pretty minimal - slow down a bit and entries of the form Message repeated 500000 times in the syslog. Both of these are fixed in 2.0.34pre10 which should become 2.0.34 very soon I've also attached relevant release notes items. Not all of these will be known to bugtraq and I will not be answering queries about them until a while after 2.0.34 is out. If I've missed any others please let me know so I can have them nailed before 2.0.34. Thanks go out to all the folks bugtraq & otherwise who've contributed bug reports and fixes. Less thanks to the guys who didnt bother telling people first 8) If people can report bugs to the authors of software first before bugtraq it does help as with all vendors. Do put a time limit on your period of early notification it speeds every vendor up 8). I'm quite happy to organise having something fixed on the quiet so as not spoil your thunder of being first on bugtraq with the bug. Bug Fixes Fragment handling bug [Remote DoS] BUGTRAQ A bug in fragment handling that could cause a kernel crash has been fixed. MM Corruption [theoretical remote DoS] A bug in which 2.0.33 could suffer memory corruption and possible crashes under very high load has been fixed. LDT Leak [local DoS] A situation which DOSemu and Wine could leak memory used for LDT tables has been fixed. Floppy Driver [local DoS, needs root/setuid] A bug in which the floppy driver could crash when its interrupt or DMA resources were not available has been fixed. This was an extremely abnormal situation but a real bug. Inode count overrun [local giving root access] BUGTRAQ A bug in which a specifically malicious program could cause an inode count overrun has been fixed. Obscure serial race [local DoS needs setuid app] An obscure race in the serial driver has been removed. Quota crash [requires misconfigurations of setuid apps] BUGTRAQ A very obscure situation in which the quota subsystem performed an invalid seek on the quota database has been fixed. Memory corruption on clone [local DoS] A bug causing memory corruption when mmaping memory during a clone in specific situations has been fixed. Possible overflow on Alpha [local DoS] A possible integer overflow on group handling for the Alpha platform has been fixed. Socket crashes [local DoS] A possible socket layer crash with AX.25/NetROM/ROSE/X.25 has been fixed in 2.0.34 RAW socket handling [Crash only if root does something at the time] A small bug in raw socket handling which could cause a crash in very obscure situations has been fixed. Loading bogus modules [Crash, DoS] BUGTRAQ A situation existed in earlier kernels where a user process could cause a module to be loaded. It was possible to exploit this to load modules that the administrator had installed but did not wish loaded. Fixed in 2.0.34. Note that this means only superuser processes can load network interfaces. TCP listened to ICMP source quench [limited impairment of connections] This is no longer 'good practice' and we also backed off twice once from the error and once from the drop. This was primarily needed to handle 3COM office connect routers which appear to send source quench (its been obsolete for years so they should not) and without rate limiting (also not allowed). Window searching [possible connection attacks] An obscure quirk allowing a third party to discover the current window for a TCP connection has been fixed. Unsafe temporary file [local root breach requires timing with the make] BUGTRAQ The 'make config' script used an unsafe temporary file. It now uses a file in its working directory. Alan
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:49:56 PDT