blob: 6868c99761a4b5ac95fab75be3e77fcff5feef12 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
|
Candidate: CVE-2007-1497
References:
http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.20.y.git;a=commit;h=868f0120e0f93d070ea7f3e969c09dbab8ad7bc7
Description:
The individual fragments of a packet reassembled by conntrack have
the conntrack reference from the reassembled packet attached, but
nfctinfo is not copied. This leaves it initialized to 0, which
unfortunately is the value of IP_CT_ESTABLISHED.
The result is that all IPv6 fragments are tracked as ESTABLISHED,
allowing them to bypass a usual ruleset which accepts ESTABLISHED
packets early.
Ubuntu-Description:
The connection tracking module for IPv6 did not properly handle some
the status field when reassembling fragmented packets, so that the
final packet always had the 'established' state. A remote attacker
could exploit this to bypass intended firewall rules.
Notes:
dannf> code didn't exist in 2.4
jmm> code didn't exist in 2.6.8
Bugs:
upstream: released (2.6.20.3, 2.6.21)
linux-2.6: released (2.6.20-1)
2.6.18-etch-security: released (2.6.18.dfsg.1-12etch2) [bugfix/nf_conntrack-set-nfctinfo.patch]
2.6.8-sarge-security: N/A
2.4.27-sarge-security: N/A
2.6.15-dapper-security: released (2.6.15-28.54)
2.6.17-edgy-security: released (2.6.17.1-11.38)
2.6.20-feisty-security: N/A
|