oss-sec mailing list archives
Re: query on a pppol2tp_recvmsg() fix - security relevant?
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Thu, 19 Jun 2008 16:58:43 +0200
Hello guys,

the fix as mentioned at:

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=6b6707a50c7598a83820077393f8823ab791abf8;hp=2e761e0532a784816e7e822dbaaece8c5d4be14d

is reasonable. Have investigated this issue in a little deeper detail. Seems it could be a problem in the case when the targeted host would run / have created the L2TP tunnel, would support the Point to Point protocol with the L2TP plugin enabled, and then a local, unprivileged user could potentially issue a PPP command / request with a too long L2TP packet to force kernel heap corruption (DoS).

But as there is no testcase / exploit available till now that I am aware of, this all is only a presumption. If this would be a real problem, then hopefully only with low severity (due to the special conditions / requirements that need to be satisfied to trigger this issue).

Kind regards
Jan iankko Lieskovsky
RH kernel Security Response Team

On Wed, 2008-06-18 at 19:41 +0300, Eren Türkay wrote:
> On 18 Jun 2008 Wed 19:18:40 Marcus Meissner wrote:
>> A customer asks us if the following is a security problem:
>
> Secunia issued an advisory for that issue. It seems that it's a security problem, but I'm not sure :)
> http://secunia.com/advisories/30719/