#591581 r8169: Changing MTU reopens DoS vulnerability (CVE-2009-4537)

Package:
src:linux
Source:
linux
Submitter:
Ben Hutchings
Date:
2021-05-08 15:12:04 UTC
Severity:
normal
Tags:
#591581#5
Date:
2010-01-07 19:02:24 UTC
From:
To:
Fabian Yamaguchi made a presentation at 26C3
<http://events.ccc.de/congress/2009/Fahrplan/events/3596.en.html> which
included a bug in r8169 reintroduced by:

commit fdd7b4c3302c93f6833e338903ea77245eb510b4
Author: Eric Dumazet <eric.dumazet@gmail.com>
Date:   Tue Jun 9 04:01:02 2009 -0700

    r8169: fix crash when large packets are received

On some older r8169 controllers this will enable scattering on receive,
and the first word of the second and subsequent RX buffers for a frame
will wrongly be treated as a status word.  This can be used for denial
of service at the very least.

There is ongoing discussion on netdev about how to fix this.  In the
meantime we should get a CVE number for this.

Ben.

#591581#10
Date:
2010-01-07 19:27:56 UTC
From:
To:
Julien Cristau pointed out the thread
<http://thread.gmane.org/gmane.comp.security.oss.general/2457> where it
appears that Red Hat has allocated CVE-2009-4537 for this.

Ben.

#591581#19
Date:
2010-01-08 03:11:35 UTC
From:
To:
do you follow kernel-sec [0]?  i entered these CVEs when they were
first disclosed over a week ago.

mike

[0] http://svn.debian.org/wsvn/kernel-sec

#591581#24
Date:
2010-01-13 19:08:19 UTC
From:
To:
# Automatically generated email from bts, devscripts version 2.10.35lenny7
# Also applies to these versions and should not block testing migration
found 564110 2.6.30-8
found 564110 2.6.30-8squeeze1

#591581#33
Date:
2010-03-17 17:01:43 UTC
From:
To:
issue got fixed in 2.6.32.9.
is stable affected?

Ben wanted to review it before stable upload as rh/fedora fix went
through several iterations, although they seem to have settled now.

#591581#38
Date:
2010-03-17 17:34:49 UTC
From:
To:
It's not properly fixed - if you ever change MTU the vulnerability will
be reopened.  And the fix introduces a severe performance regression even
for hardware that doesn't have the issue.

Unfortunately there seems to be no intersection between the groups of
people with affected hardware and people who have a clue how to write
drivers.

Ben.
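
An added example, not part of the original thread or of the r8169 driver: a host check that lists interfaces bound to r8169 and reports whether their MTU differs from the Ethernet default, since the message above says an MTU change reopens the issue. The function name `r8169_mtu_report`, the overridable sysfs path and the 1500-byte baseline are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: inventory r8169 interfaces and their MTU state.
# Output: one line per r8169 interface: "<ifname> <mtu> <default-mtu|mtu-changed>"
#
# $1 = directory laid out like /sys/class/net (overridable so the check can be
#      exercised against a constructed tree; assumption of this sketch)
# $2 = MTU treated as "unchanged" (assumed baseline: 1500)
r8169_mtu_report() {
    net_dir="${1:-/sys/class/net}"
    default_mtu="${2:-1500}"

    for ifdir in "$net_dir"/*; do
        # Virtual devices (lo, bridges, ...) have no device/driver symlink.
        [ -L "$ifdir/device/driver" ] || continue

        # The symlink target's last path component is the bound driver name.
        driver=$(basename "$(readlink "$ifdir/device/driver")")
        [ "$driver" = "r8169" ] || continue

        mtu=$(cat "$ifdir/mtu")
        if [ "$mtu" -eq "$default_mtu" ]; then
            state="default-mtu"
        else
            state="mtu-changed"
        fi
        printf '%s %s %s\n' "$(basename "$ifdir")" "$mtu" "$state"
    done
}

# Run against the live system when executed directly.
r8169_mtu_report "$@"
```

A `default-mtu` result only shows the current value; it does not prove the MTU was never changed and set back since the interface came up. Whether the running kernel is one of the versions discussed in this report has to be checked separately.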

#591581#43
Date:
2010-08-01 21:53:31 UTC
From:
To:
can we downgrade the severity of this issue since there is a fix
included (even though it isn't ideal)?  it's currently RC.

best wishes,
mike

#591581#48
Date:
2010-08-01 23:44:50 UTC
From:
To:
Let's clone it, close this one and downgrade the clone.  That way we
will have proper version-tracking of the original big hole and the
remaining smaller hole.

Ben.