Opened 5 years ago

Closed 5 years ago

#13139 closed defect (fixed)

CVE-2013-1763 security patch

Reported by: Elgo
Owned by: jogo
Priority: highest
Milestone: Attitude Adjustment 12.09.1
Component: kernel
Version: Attitude Adjustment 12.09
Keywords:
Cc:

Description

Hi,

I can't find any reference to this in wiki/tickets so far. As AA is using a 3.3.8 kernel, it is affected by this critical security issue.

Description: An unprivileged user can send a netlink message resulting in an out-of-bounds access of the sock_diag_handlers[] array which, in turn, allows userland to take over control while in kernel mode.
Reference: http://seclists.org/oss-sec/2013/q1/420
Upstream fix: http://thread.gmane.org/gmane.linux.network/260061
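
As an added illustration (not part of the ticket and not the kernel's code), here is a userspace C model of the bug class described above: a handler table indexed by a caller-supplied family value, with the range check applied before the lookup. `MODEL_AF_MAX`, the `model_*` names and the 8-bit family field are assumptions of this model.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MODEL_AF_MAX  40   /* constructed table size for this model */
#define MODEL_AF_INET 2    /* constructed family number with a handler */

struct model_req {
    uint8_t family;        /* caller-controlled; assumed 8-bit here */
};

struct model_handler {
    int (*dump)(const struct model_req *req);
};

static int inet_dump(const struct model_req *req) { return req->family; }
static const struct model_handler inet_handler = { inet_dump };

/* Stand-in for sock_diag_handlers[]: one slot per address family. */
static const struct model_handler *model_handlers[MODEL_AF_MAX] = {
    [MODEL_AF_INET] = &inet_handler,
};

/* How many of the 256 possible family values index past the table. */
int families_out_of_range(void)
{
    int n = 0;
    for (int f = 0; f <= UINT8_MAX; f++)
        if ((size_t)f >= sizeof(model_handlers) / sizeof(model_handlers[0]))
            n++;
    return n;
}

/* Hardened dispatch: reject the index before it touches the array. */
int model_dispatch(const struct model_req *req)
{
    if (req->family >= MODEL_AF_MAX)
        return -EINVAL;                 /* would be an out-of-bounds read */
    const struct model_handler *h = model_handlers[req->family];
    if (h == NULL)
        return -ENOENT;                 /* in range, nothing registered */
    return h->dump(req);
}

int main(void)
{
    struct model_req bad = { .family = 200 };
    printf("out-of-range values: %d\n", families_out_of_range());
    printf("family 200 -> %d\n", model_dispatch(&bad));
    return 0;
}
```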

Attachments (0)

Change History (5)

comment:1 Changed 5 years ago by jogo

  • Owner changed from developers to jogo
  • Status changed from new to accepted

Ugh, quite nasty. At least letting other users log in and run arbitrary code isn't the standard use case for OpenWrt, so it isn't exploitable for most installations.

I'll add it to trunk and AA.

comment:2 follow-up: Changed 5 years ago by nbd

It's not that urgent - INET_DIAG is disabled by default in OpenWrt in the kernel config.

comment:3 in reply to: ↑ 2 Changed 5 years ago by jogo

Replying to nbd:

> It's not that urgent - INET_DIAG is disabled by default in OpenWrt in the kernel config.

sock_diag.c != inet_diag.c - sock_diag.c is always compiled in and available, there is no config symbol for disabling it.

comment:4 Changed 5 years ago by anonymous

Hello,

just a short question: Will this problem be fixed in Attitude Adjustment, or is the AA release frozen?

comment:5 Changed 5 years ago by jogo

  • Milestone changed from Attitude Adjustment 12.09 to Attitude Adjustment 12.09.1
  • Resolution set to fixed
  • Status changed from accepted to closed
  • Version changed from Trunk to Attitude Adjustment 12.09

Fixed in r36607 and r36608.
