lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Sat, 18 Sep 2010 16:11:03 +0200
From:	Thomas Dreibholz <dreibh@....uni-due.de>
To:	Andrew Morton <akpm@...ux-foundation.org>
Cc:	Vlad Yasevich <vladislav.yasevich@...com>,
	bugzilla-daemon@...zilla.kernel.org, netdev@...r.kernel.org,
	Sridhar Samudrala <sri@...ibm.com>, linux-sctp@...r.kernel.org,
	stable@...nel.org, David Miller <davem@...emloft.net>,
	Martin Becke <martin.becke@...-due.de>
Subject: Re: [Bugme-new] [Bug 18592] New: Remote/local Denial of Service vulnerability in SCTP packet/chunk handling

On Donnerstag 16 September 2010, Vlad Yasevich wrote:
> On 09/15/2010 03:43 PM, Andrew Morton wrote:
> > Thanks, but please send patches via email, not via bugzilla.
> > Documentation/SubmittingPatches has some tips.  Suitable recipients for
> > this patch are, from the MAINTAINERS file:
> > 
> > M:      Vlad Yasevich <vladislav.yasevich@...com>
> > M:      Sridhar Samudrala <sri@...ibm.com>
> > L:      linux-sctp@...r.kernel.org
> > 
> > but please just send it as a reply-to-all to this email so that everyone
> > knows wht's happening.
> > 
> > I'd suggest that you also add the line
> > 
> > Cc: <stable@...nel.org>
> > 
> > to the end of the changelog so that we don't forget to consider the
> > patch for backporting.
> 
> Hi Andrew
> 
> There is a much simpler solution to this problem that I posted to netdev
> today.

Dear all,

Vlad's patch solves the problem. I hope this patch can go into the mailine 
kernel soon, in order to get distribution kernels fixed as soon as possible. It 
is relatively easy to trigger the denial of service problem, making all 
systems providing SCTP-based services vulnerable to a remote DoS attack.

I have also been able to reproduce the problem with kernel 2.6.32, i.e. at 
least all kernels from 2.6.32 to 2.6.36 are affected.


Best regards
-- 
=======================================================================
 Dr. Thomas Dreibholz

 University of Duisburg-Essen,                   Room ES210
 Inst. for Experimental Mathematics              Ellernstraße 29
 Computer Networking Technology Group            D-45326 Essen/Germany
-----------------------------------------------------------------------
 E-Mail:     dreibh@....uni-due.de
 Homepage:   http://www.iem.uni-due.de/~dreibh
=======================================================================
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ