oss-sec mailing list archives
Re: CVE-2021-20177 kernel: iptables string match rule could result in kernel panic
From: Greg KH <greg () kroah com>
Date: Tue, 12 Jan 2021 09:04:49 +0100
On Tue, Jan 12, 2021 at 04:58:07PM +1000, Wade Mealing wrote:
Gday, A flaw was found in the Linux kernels implementation of string matching within a packet. A privileged user (with root or CAP_NET_ADMIN ) when inserting iptables rules could insert a rule which can panic the system. Likely a user with these permissions could do worse, however it crashes the system (DOS) and the user is going to have a bad day especially if the rule is inserted and restored on every boot. At this time it doesn't affect RHEL releases, and there are fixes already in multiple upstream trees. Thanks, Wade Mealing Upstream patch: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ca58fbe06c54 Upstream bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=209823 Red Hat Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1914719
I still do not understand why you report issues that are fixed over a year ago (October 2019) and assign them a CVE like this. Who does this help out? And what about the thousands of other issues that are fixed in the kernel and not assigned a CVE like this, are they somehow not as important to your group? What determines what you want to give a CVE to and what you do not? thanks, greg k-h
Current thread:
- CVE-2021-20177 kernel: iptables string match rule could result in kernel panic Wade Mealing (Jan 11)
- Re: CVE-2021-20177 kernel: iptables string match rule could result in kernel panic Greg KH (Jan 12)
- Re: CVE-2021-20177 kernel: iptables string match rule could result in kernel panic John Haxby (Jan 12)
- Re: CVE-2021-20177 kernel: iptables string match rule could result in kernel panic David A. Wheeler (Jan 12)
- Re: CVE-2021-20177 kernel: iptables string match rule could result in kernel panic Sasha Levin (Jan 12)
- Re: CVE-2021-20177 kernel: iptables string match rule could result in kernel panic Philip Pettersson (Jan 12)
- Re: CVE-2021-20177 kernel: iptables string match rule could result in kernel panic Greg KH (Jan 12)
- Re: CVE-2021-20177 kernel: iptables string match rule could result in kernel panic John Haxby (Jan 12)
- Re: CVE-2021-20177 kernel: iptables string match rule could result in kernel panic Solar Designer (Jan 12)
- Re: CVE-2021-20177 kernel: iptables string match rule could result in kernel panic Greg KH (Jan 12)