Comment 30 for bug 413656

In , Eugene (eugene-redhat-bugs) wrote :

(In reply to comment #32)
> I think that the point of #24 and probably #27 is that the suggested workaround
> for RHEL4/5 does _not_ close all the possible ways to exploit this exploit, ie
> adding just:
>
> install pppox /bin/true
> install bluetooth /bin/true
>
> will (for example) still allow code using PF_INET6, SOCK_STREAM, IPPROTO_SCTP
> to exploit the hole if ipv6 and sctp are available.

As I mentioned in comment #10, this is not an exhaustive list of modules to blacklist. On my test Red Hat Enterprise Linux 5 machine, the sctp module does not load automatically when the reproducer is executed. But yes, I will include your suggestion in the existing mitigation steps.

> BTW I'm puzzled that this bz is still marked as 'new' - surely it ought to have
> been confirmed and the proposed patches passed to engineering by now... Maybe
> that the bug is only regarded as 'important' (well in #10 it is), means that we
> will have to wait for the next regular kernel update for this to be fixed.

For every security bug, we have a top-level bug (this one) and several tracking bugs. The top-level bug is only used for tracking purposes, so the status for the top-level bug should not be taken as an indication of anything. Only the status of the tracking bugs matters.

Thanks, Eugene
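
Added example, not part of the comment above or of Red Hat's mitigation steps: a shell check that reports which modules from a list you supply have no `install <module> /bin/true` override in a modprobe configuration file, which is the gap the quoted reply describes. The function names and the sample file are constructed for illustration; the module names passed in are the four mentioned in this comment.

```shell
#!/bin/sh
# unblocked_modules CONF MODULE...
# Prints, one per line, each MODULE that has no "install MODULE /bin/true"
# line in CONF. modprobe treats '-' and '_' in module names as the same
# character, so both sides are normalised before comparing.
unblocked_modules() {
    conf=$1; shift
    for mod in "$@"; do
        if ! awk -v want="$mod" '
            BEGIN { gsub(/-/, "_", want) }
            { sub(/#.*/, "") }                     # drop trailing comments
            NF == 3 && $1 == "install" && $3 == "/bin/true" {
                name = $2; gsub(/-/, "_", name)
                if (name == want) found = 1
            }
            END { exit (found ? 0 : 1) }
        ' "$conf"; then
            printf '%s\n' "$mod"
        fi
    done
}

# Constructed sample: only the two workaround lines quoted in the comment.
sample_conf() {
    cat <<'EOF'
# partial workaround
install pppox /bin/true
install bluetooth /bin/true
EOF
}

# Check the sample against the modules named in the comment.
demo() {
    tmp=$(mktemp) || return 1
    sample_conf > "$tmp"
    unblocked_modules "$tmp" pppox bluetooth ipv6 sctp
    rm -f "$tmp"
}

demo
```

The check reads a single file and only recognises the `/bin/true` form shown above; it does not tell you whether a module is already loaded or built into the kernel.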