Date: Thu, 19 Jun 2008 16:58:43 +0200
From: Jan Lieskovsky <jlieskov@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: query on a pppol2tp_recvmsg() fix - security
	relevant?

Hello guys,

  the fix as mentioned at:

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=6b6707a50c7598a83820077393f8823ab791abf8;hp=2e761e0532a784816e7e822dbaaece8c5d4be14d


is reasonable. I have investigated this issue in a little more
detail. It seems it could be a problem in the case where the targeted
host runs / has created the L2TP tunnel and supports
the Point-to-Point Protocol with the L2TP plugin enabled;
then a local, unprivileged user could potentially
issue a PPP command / request with a too-long L2TP packet
to force kernel heap corruption (DoS). But as there
is no testcase / exploit available so far that I am aware
of, this is all only a presumption. If this were
a real problem, then hopefully only with low severity
(due to the special conditions / requirements that need
to be satisfied to trigger this issue).

Kind regards
Jan iankko Lieskovsky
RH kernel Security Response Team


On Wed, 2008-06-18 at 19:41 +0300, Eren Türkay wrote:
> On 18 Jun 2008 Wed 19:18:40 Marcus Meissner wrote:
> > A customer asks us if the following is a security problem:
> 
> Secunia issued an advisory for that issue. It seems that it's a security 
> problem, but I'm not sure :)
> 
> http://secunia.com/advisories/30719/
