Bug#354532: CAN-2005-2500: NFS ACL Protocol XDR remote DoS

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#354532: CAN-2005-2500: NFS ACL Protocol XDR remote DoS
From: Geoff Crompton <geoff.crompton@strategicdata.com.au>
Date: Mon, 27 Feb 2006 15:59:36 +1100
Message-id: <[🔎] 20060227045936.7D9814C4088@carthanach.mel.strategicdata.com.au>
Reply-to: Geoff Crompton <geoff.crompton@strategicdata.com.au>, 354532@bugs.debian.org

Package: kernel-image-2.6.8-i386
Severity: normal

Seen at http://www.securityfocus.com/bid/14470, where they say "Linux Kernel
is affected by a remote denial of service vulnerability when handling XDR data
for the nfsacl protocol."

I've tried to work out if sarge is vulnerable. They say that it was fixed in
2.6.13, and I _think_ a relevant commit is:

http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=23ec6965c20db96bc8ea7af0ec178f074dd31c40

I had a look at fs/nfs/nfs4xdr.c, and it certainly looks to my naive eye that
the 2.6.8 kernel has the same code, without the patch. So I think sarge is
affected. However I don't really know how severe the vulnerability is, or what
mitigating factors there might be.

Anyway, I didn't see CAN-2005-2500 listed at
http://svn.debian.org/wsvn/kernel/patch-tracking/, so I thought I'd add this
bug report.

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686-smp
Locale: LANG=en_AU, LC_CTYPE=en_AU (charmap=ISO-8859-1)

Reply to:

Prev by Date: Re: ncr5380/mac
Next by Date: Bug#354378: nforce2 ide controller doesn't work properly
Previous by thread: Bug#354493: kernel-source-2.6.8: can't install grub on cciss device
Next by thread: Bug#354378: nforce2 ide controller doesn't work properly
Index(es):
- Date
- Thread