Debian Bug report logs - #564110
r8169: Fix for CVE-2009-1389 introduces denial of service issue

version graph

Package: linux-2.6; Maintainer for linux-2.6 is Debian Kernel Team <debian-kernel@lists.debian.org>;

Reported by: Ben Hutchings <ben@decadent.org.uk>

Date: Thu, 7 Jan 2010 19:06:01 UTC

Severity: serious

Tags: security

Found in versions 2.6.32-4, 2.6.26-19, 2.6.30-8, 2.6.30-8squeeze1, 2.6.26-21

Fixed in versions 2.6.26-22lenny1, 2.6.32-9

Done: Michael Gilbert <michael.s.gilbert@gmail.com>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#564110; Package linux-2.6. (Thu, 07 Jan 2010 19:06:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ben Hutchings <ben@decadent.org.uk>:
New Bug report received and forwarded. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>. (Thu, 07 Jan 2010 19:06:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Ben Hutchings <ben@decadent.org.uk>
To: submit@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>
Subject: r8169: Fix for CVE-2009-1389 introduces denial of service issue
Date: Thu, 07 Jan 2010 19:02:24 +0000
[Message part 1 (text/plain, inline)]
Package: linux-2.6
Version: 2.6.32-4
Severity: serious
Tags: security

Fabian Yamaguchi made a presentation at 26C3
<http://events.ccc.de/congress/2009/Fahrplan/events/3596.en.html> which
included a bug in r8169 reintroduced by:

commit fdd7b4c3302c93f6833e338903ea77245eb510b4
Author: Eric Dumazet <eric.dumazet@gmail.com>
Date:   Tue Jun 9 04:01:02 2009 -0700

    r8169: fix crash when large packets are received

On some older r8169 controllers this will enable scattering on receive,
and the first word of the second and subsequent RX buffers for a frame
will wrongly be treated as a status word.  This can be used for denial
of service at the very least.

There is ongoing discussion on netdev about how to fix this.  In the
mean time we should get a CVE number for this.

Ben.

-- System Information:
Debian Release: squeeze/sid
  APT prefers proposed-updates
  APT policy: (500, 'proposed-updates'), (500, 'unstable'), (500,
'stable'), (1, 'experimental')
Architecture: i386 (x86_64)

Kernel: Linux 2.6.32-trunk-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-- 
Ben Hutchings
To err is human; to really foul things up requires a computer.
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#564110; Package linux-2.6. (Thu, 07 Jan 2010 19:30:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ben Hutchings <ben@decadent.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>. (Thu, 07 Jan 2010 19:30:03 GMT) Full text and rfc822 format available.

Message #10 received at 564110@bugs.debian.org (full text, mbox):

From: Ben Hutchings <ben@decadent.org.uk>
To: 564110@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>
Subject: Re: r8169: Fix for CVE-2009-1389 introduces denial of service issue
Date: Thu, 07 Jan 2010 19:27:56 +0000
[Message part 1 (text/plain, inline)]
Julien Cristau pointed out the thread
<http://thread.gmane.org/gmane.comp.security.oss.general/2457> where it
appears that Red Hat has allocated CVE-2009-4537 for this.

Ben.

-- 
Ben Hutchings
To err is human; to really foul things up requires a computer.
[signature.asc (application/pgp-signature, inline)]

Bug Marked as found in versions 2.6.26-19. Request was from Ben Hutchings <ben@decadent.org.uk> to control@bugs.debian.org. (Thu, 07 Jan 2010 19:57:03 GMT) Full text and rfc822 format available.

Bug Marked as found in versions 2.6.26-21. Request was from Ben Hutchings <ben@decadent.org.uk> to control@bugs.debian.org. (Thu, 07 Jan 2010 19:57:04 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#564110; Package linux-2.6. (Fri, 08 Jan 2010 03:12:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>. (Fri, 08 Jan 2010 03:12:08 GMT) Full text and rfc822 format available.

Message #19 received at 564110@bugs.debian.org (full text, mbox):

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: 564114@bugs.debian.org, 564110@bugs.debian.org
Subject: Re: [Secure-testing-team] e1000: Potential packet filtering bypass
Date: Thu, 7 Jan 2010 22:11:35 -0500
On Thu, 07 Jan 2010 19:27:02 +0000 Ben Hutchings wrote:

> Julien Cristau pointed out the thread
> <http://thread.gmane.org/gmane.comp.security.oss.general/2457>.  It
> appears that Red Hat allocated CVE-2009-4536 for this and CVE-2009-4538
> for a similar bug in e1000e.

do you follow kernel-sec [0]?  i entered these CVEs when they were
first disclosed over a week ago.

mike

[0] http://svn.debian.org/wsvn/kernel-sec




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#564110; Package linux-2.6. (Wed, 13 Jan 2010 19:09:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ben Hutchings <ben@decadent.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>. (Wed, 13 Jan 2010 19:09:03 GMT) Full text and rfc822 format available.

Message #24 received at 564110@bugs.debian.org (full text, mbox):

From: Ben Hutchings <ben@decadent.org.uk>
To: control@bugs.debian.org
Cc: 564110@bugs.debian.org
Subject: found 564110 in 2.6.30-8, found 564110 in 2.6.30-8squeeze1
Date: Wed, 13 Jan 2010 19:08:19 +0000
# Automatically generated email from bts, devscripts version 2.10.35lenny7
# Also applies to these versions and should not block testing migration
found 564110 2.6.30-8
found 564110 2.6.30-8squeeze1





Bug Marked as found in versions 2.6.30-8. Request was from Ben Hutchings <ben@decadent.org.uk> to control@bugs.debian.org. (Wed, 13 Jan 2010 19:09:05 GMT) Full text and rfc822 format available.

Bug Marked as found in versions 2.6.30-8squeeze1. Request was from Ben Hutchings <ben@decadent.org.uk> to control@bugs.debian.org. (Wed, 13 Jan 2010 19:09:06 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#564110; Package linux-2.6. (Wed, 17 Mar 2010 17:12:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to maximilian attems <max@stro.at>:
Extra info received and forwarded to list. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>. (Wed, 17 Mar 2010 17:12:03 GMT) Full text and rfc822 format available.

Message #33 received at 564110@bugs.debian.org (full text, mbox):

From: maximilian attems <max@stro.at>
To: 564110@bugs.debian.org
Cc: dannf@debian.org, Ben Hutchings <ben@decadent.org.uk>
Subject: Re: r8169: Fix for CVE-2009-1389 introduces denial of service issue
Date: Wed, 17 Mar 2010 18:01:43 +0100
issue got fixed in 2.6.32.9.
is stable affected?

Ben wanted to review it before stable upload as rh/fedora fix went
throug several iterations. although they seem to have settled now.





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#564110; Package linux-2.6. (Wed, 17 Mar 2010 17:36:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ben Hutchings <ben@decadent.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>. (Wed, 17 Mar 2010 17:36:03 GMT) Full text and rfc822 format available.

Message #38 received at 564110@bugs.debian.org (full text, mbox):

From: Ben Hutchings <ben@decadent.org.uk>
To: maximilian attems <max@stro.at>
Cc: 564110@bugs.debian.org, dannf@debian.org
Subject: Re: r8169: Fix for CVE-2009-1389 introduces denial of service issue
Date: Wed, 17 Mar 2010 17:34:49 +0000
On Wed, Mar 17, 2010 at 06:01:43PM +0100, maximilian attems wrote:
> issue got fixed in 2.6.32.9.
> is stable affected?
 
It's not properly fixed - if you ever change MTU the vulnerability will
be reopened.  And the fix introduces a severe performance regression even
for hardware that doesn't have the issue.

Unfortunately there seems to be no intersection between the groups of
people with affected hardware and people who have a clue how to write
drivers.

Ben.

-- 
Ben Hutchings
We get into the habit of living before acquiring the habit of thinking.
                                                              - Albert Camus




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#564110; Package linux-2.6. (Sun, 01 Aug 2010 21:54:09 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>. (Sun, 01 Aug 2010 21:54:09 GMT) Full text and rfc822 format available.

Message #43 received at 564110@bugs.debian.org (full text, mbox):

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: 564110@bugs.debian.org
Subject: Re: r8169: Fix for CVE-2009-1389 introduces denial of service issue
Date: Sun, 1 Aug 2010 17:53:31 -0400
can we downgrade the severity of this issue since there is a fix
included (even though it isn't ideal)?  it's currently RC.

best wishes,
mike




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#564110; Package linux-2.6. (Sun, 01 Aug 2010 23:48:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ben Hutchings <ben@decadent.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>. (Sun, 01 Aug 2010 23:48:07 GMT) Full text and rfc822 format available.

Message #48 received at 564110@bugs.debian.org (full text, mbox):

From: Ben Hutchings <ben@decadent.org.uk>
To: Michael Gilbert <michael.s.gilbert@gmail.com>, 564110@bugs.debian.org
Subject: Re: Bug#564110: r8169: Fix for CVE-2009-1389 introduces denial of service issue
Date: Mon, 02 Aug 2010 00:44:50 +0100
[Message part 1 (text/plain, inline)]
On Sun, 2010-08-01 at 17:53 -0400, Michael Gilbert wrote:
> can we downgrade the severity of this issue since there is a fix
> included (even though it isn't ideal)?  it's currently RC.

Let's clone it, close this one and downgrade the clone.  That way we
will have proper version-tracking of the original big hole and the
remaining smaller hole.

Ben.

-- 
Ben Hutchings
Once a job is fouled up, anything done to improve it makes it worse.
[signature.asc (application/pgp-signature, inline)]

Bug 564110 cloned as bug 591581. Request was from Ben Hutchings <ben@decadent.org.uk> to control@bugs.debian.org. (Wed, 04 Aug 2010 02:15:05 GMT) Full text and rfc822 format available.

Bug marked as fixed in version 2.6.32-9, send any further explanations to Ben Hutchings <ben@decadent.org.uk> Request was from Ben Hutchings <ben@decadent.org.uk> to control@bugs.debian.org. (Wed, 04 Aug 2010 02:15:07 GMT) Full text and rfc822 format available.

Bug Marked as fixed in versions 2.6.26-22lenny1. Request was from Ben Hutchings <ben@decadent.org.uk> to control@bugs.debian.org. (Wed, 04 Aug 2010 02:15:08 GMT) Full text and rfc822 format available.

Bug 564110 cloned as bug 592184. Request was from Michael Gilbert <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Sun, 08 Aug 2010 01:21:03 GMT) Full text and rfc822 format available.

Bug marked as fixed in version 2.6.32-9, send any further explanations to Ben Hutchings <ben@decadent.org.uk> Request was from Michael Gilbert <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Sun, 08 Aug 2010 01:21:07 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 03 Oct 2010 07:32:27 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 23:29:45 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.