Date: Thu, 08 Jul 2010 12:52:27 +0200
From: arno@...isbad.org (Arnaud Ebalard)
To: oss-security@...ts.openwall.com
Subject: Re: patch for remote buffer overflows and local message spoofing in mipv6 daemon

Hi Sebastian,

Sebastian Krahmer <krahmer@...e.de> writes:

>> > I tried this 2 years ago on vendor-sec and with the maintainers at that
>> > time w/o success.

Romain Kuntz and I had the same problem for our bugfixes and additional
features against UMIP. We ended up maintaining a parallel git tree on
umip.org: it provides bug fixes, code simplifications, additional
features ... We also maintain Debian packages and additional trees.

USAGI people have been warned but - just like you - we got no feedback.

>> > I polished the patch to fit in the current commit. The
>> > bugs were not fixed during the two years. Can someone assign CVE(s)?

FWIW, the two bugs you report have been fixed (along with others if you
are interested) in our tree (http://www.umip.org/git/umip.git) for a
while:

commit 3fd3941434a0ee567f874e56c53a5d0855c945e3
Author: Romain Kuntz <kuntz@...it.u-strasbg.fr>
Date:   Sun Oct 25 01:34:32 2009 +0200

    Additional sanity checks for ND options length

commit 0e67a61ffd37cc4e3dfa8add137a5d6cd8963a8e
Author: Arnaud Ebalard <arno@...isbad.org>
Date:   Sat Oct 24 12:11:58 2009 +0200

    Security fix: Check origin of netlink messages in netlink helpers.

    Sending multicast Netlink messages requires some privileges. Sending
    unicast ones can be done by common users. Then, this is up to the
    receiver to filter incoming messages to verify the origin and prevent
    security issues. See http://lwn.net/Articles/329266/ for more
    information.

    As UMIP expects only kernel messages, this patch adds additional checks
    where needed to verify the kernel is the emitter of the message. Note
    that this check needs to be done early (before checking if recvmsg()
    return value is not 0) to prevent someone sending us an empty message
    and returning.

    This patch is based on an initial version by Romain.

If you find additional bugs on UMIP, don't hesitate to drop a mail on
the Mailing List: http://ml.nautilus6.org/mailman/listinfo/support. It
is also available via Gmane (gmane.network.ipv6.nautilus6.general).

Cheers,

a+
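
The origin check described in the second commit message, sketched as an added example (not code from this message or from the UMIP tree). The helper names nl_sender_is_kernel() and nl_recv_from_kernel() are hypothetical; the sketch relies on the kernel's netlink address being port id (nl_pid) 0.

```c
#include <errno.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <linux/netlink.h>

/* Returns 1 only if the sender address filled in by recvmsg() is the
 * kernel (AF_NETLINK, nl_pid 0). A missing or short address is rejected. */
int nl_sender_is_kernel(const struct msghdr *msg)
{
    const struct sockaddr_nl *src = msg->msg_name;

    if (src == NULL || msg->msg_namelen != sizeof(*src))
        return 0;
    if (src->nl_family != AF_NETLINK)
        return 0;
    return src->nl_pid == 0;
}

/* Hypothetical receive helper: returns bytes read (0 for an empty kernel
 * message), or -1 with errno set; EPERM means the message was dropped
 * because it did not come from the kernel. */
ssize_t nl_recv_from_kernel(int fd, void *buf, size_t len)
{
    struct sockaddr_nl src;
    struct iovec iov = { .iov_base = buf, .iov_len = len };
    struct msghdr msg;
    ssize_t n;

    memset(&src, 0xff, sizeof(src)); /* unfilled address must not read as pid 0 */
    memset(&msg, 0, sizeof(msg));
    msg.msg_name = &src;
    msg.msg_namelen = sizeof(src);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;

    n = recvmsg(fd, &msg, 0);
    if (n < 0)
        return -1;
    /* Origin is verified before any n == 0 handling, so an empty unicast
     * message from a local user cannot take the "nothing to do" path. */
    if (!nl_sender_is_kernel(&msg)) {
        errno = EPERM;
        return -1;
    }
    return n;
}
```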