[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] query on a pppol2tp_recvmsg() fix - security
From:       "Steven M. Christey" <coley () linus ! mitre ! org>
Date:       2008-06-23 19:22:38
Message-ID: Pine.GSO.4.51.0806231522310.1760 () faron ! mitre ! org
[Download RAW message or body]


======================================================
Name: CVE-2008-2750
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2750
Reference: CONFIRM:http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=6b6707a50c7598a83820077393f8823ab791abf8
                
Reference: CONFIRM:http://kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.26-rc6
Reference: BID:29747
Reference: URL:http://www.securityfocus.com/bid/29747
Reference: FRSIRT:ADV-2008-1854
Reference: URL:http://www.frsirt.com/english/advisories/2008/1854
Reference: SECTRACK:1020297
Reference: URL:http://securitytracker.com/id?1020297
Reference: SECUNIA:30719
Reference: URL:http://secunia.com/advisories/30719
Reference: XF:linux-kernel-pppol2tprecvmsg-dos(43111)
Reference: URL:http://xforce.iss.net/xforce/xfdb/43111

The pppol2tp_recvmsg function in drivers/net/pppol2tp.c in the Linux
kernel 2.6 before 2.6.26-rc6 allows remote attackers to cause a denial
of service (kernel heap memory corruption and system crash) and
possibly have unspecified other impact via a crafted PPPOL2TP packet
that results in a large value for a certain length variable.


[prev in list] [next in list] [prev in thread] [next in thread]