[kernel-sec-discuss] r777 - active ignored

Moritz Muehlenhoff jmm at alioth.debian.org
Mon Apr 30 17:18:40 UTC 2007


Author: jmm
Date: 2007-04-30 17:18:40 +0000 (Mon, 30 Apr 2007)
New Revision: 777

Added:
   ignored/CVE-2005-4440
   ignored/CVE-2005-4441
Removed:
   active/CVE-2005-4440
   active/CVE-2005-4441
Log:
move VLAN protocol bug entries to ignored/


Deleted: active/CVE-2005-4440
===================================================================
--- active/CVE-2005-4440	2007-04-30 17:17:18 UTC (rev 776)
+++ active/CVE-2005-4440	2007-04-30 17:18:40 UTC (rev 777)
@@ -1,40 +0,0 @@
-Candidate: CVE-2005-4440
-References: 
- http://www.securityfocus.com/archive/1/archive/1/419831/100/0/threaded
- http://www.securityfocus.com/archive/1/archive/1/419834/100/0/threaded
- http://lists.grok.org.uk/pipermail/full-disclosure/2005-December/040333.html
-Description: 
- The 802.1q VLAN protocol allows remote attackers to bypass network segmentation and spoof VLAN traffic
- via a message with two 802.1q tags, which causes the second tag to be redirected from a downstream
- switch after the first tag has been stripped, as demonstrated by Yersinia, aka "double-tagging VLAN
- jumping attack."
-Notes:
- Quoting Horms:
- I've taken a quick look at this. I don't think that 1. (VLAN jumping) effects
- Linux because of the following line near the bottom of vlan_skb_recv().
- .
- skb->protocol = __constant_htons(ETH_P_802_2);
- .
- I'm looking at Linus' Git tree as of this morning,
- but I don't think there have been any relevnant changes
- since Git began at 2.6.12-rc2.
- .
- This seems to imply that further processing will treat the packet
- as an ethernet frame. Though I need to double check that it
- can't be passed back into the vlan code. I'm doing that now,
- but in about 15 minutes I have to leave, and I'll be on
- leave for 6 days. At home, and possibly looking into this problem,
- but not at my desk working sensible hours.
- .
- As for 2 (PVLAN jumping). I haven't looked into that yet but
- it seems quite plausible.
- .
- dannf> Horms believes these to be protocol bugs - they are legal
- dannf> things to do.  Therefore, we're gonna ignore them for the sarge2
- dannf> series of kernels & follow what upstream does.
-Bugs: 
-upstream: 
-linux-2.6:
-2.6.8-sarge-security: ignored (2.6.8-16sarge5)
-2.4.27-sarge-security: ignored (2.4.27-10sarge4)
-2.6.18-etch-security: 
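
Review bot: the Notes in this entry leave the double-tagging analysis unfinished. Horms writes "Though I need to double check that it can't be passed back into the vlan code", and no outcome of that check is recorded before the entry moves to ignored/. Suggest adding a Notes line with the result of that check, or stating that it was not completed. The dannf note scopes the decision to the sarge2 kernels only, while the upstream:, linux-2.6: and 2.6.18-etch-security: fields are blank, so it would help to fill those in or say why they are left empty.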

Deleted: active/CVE-2005-4441
===================================================================
--- active/CVE-2005-4441	2007-04-30 17:17:18 UTC (rev 776)
+++ active/CVE-2005-4441	2007-04-30 17:18:40 UTC (rev 777)
@@ -1,44 +0,0 @@
-Candidate: CVE-2005-4441
-References: 
- BUGTRAQ:20051219 Making unidirectional VLAN and PVLAN jumping bidirectional
- URL:http://www.securityfocus.com/archive/1/archive/1/419831/100/0/threaded
- BUGTRAQ:20051219 Re: Making unidirectional VLAN and PVLAN jumping bidirectional
- URL:http://www.securityfocus.com/archive/1/archive/1/419834/100/0/threaded
- FULLDISC:20051219 Making unidirectional VLAN and PVLAN jumping bidirectional
- URL:http://lists.grok.org.uk/pipermail/full-disclosure/2005-December/040333.html
-Description: 
- The PVLAN protocol allows remote attackers to bypass network segmentation and
- spoof PVLAN traffic via a PVLAN message with a target MAC address that is set
- to a gateway router, which causes the packet to be sent to the router, where
- the source MAC is modified, aka "Modification of the MAC spoofing PVLAN
- jumping attack," as demonstrated by pvlan.c.
-Notes: 
- Quoting Horms:
- I've taken a quick look at this. I don't think that 1. (VLAN jumping) effects
- Linux because of the following line near the bottom of vlan_skb_recv().
- .
- skb->protocol = __constant_htons(ETH_P_802_2);
- .
- I'm looking at Linus' Git tree as of this morning,
- but I don't think there have been any relevnant changes
- since Git began at 2.6.12-rc2.
- .
- This seems to imply that further processing will treat the packet
- as an ethernet frame. Though I need to double check that it
- can't be passed back into the vlan code. I'm doing that now,
- but in about 15 minutes I have to leave, and I'll be on
- leave for 6 days. At home, and possibly looking into this problem,
- but not at my desk working sensible hours.
- .
- As for 2 (PVLAN jumping). I haven't looked into that yet but
- it seems quite plausible.
- .
- dannf> Horms believes these to be protocol bugs - they are legal
- dannf> things to do.  Therefore, we're gonna ignore them for the sarge2
- dannf> series of kernels & follow what upstream does.
-Bugs: 
-upstream: 
-linux-2.6:
-2.6.8-sarge-security: ignored (2.6.8-16sarge5)
-2.4.27-sarge-security: ignored (2.4.27-10sarge4)
-2.6.18-etch-security: 
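
Review bot: the Notes block in this entry is the CVE-2005-4440 text carried over unchanged, and the only sentence about this entry's own subject is "As for 2 (PVLAN jumping). I haven't looked into that yet but it seems quite plausible." The ignored status for the PVLAN entry therefore rests on the dannf note alone. Suggest recording an assessment specific to PVLAN, or a line saying none was done, and filling in the blank upstream:, linux-2.6: and 2.6.18-etch-security: fields. The References here also use the BUGTRAQ:/URL: form while CVE-2005-4440 lists bare URLs; one style across both entries would be easier to maintain.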

Copied: ignored/CVE-2005-4440 (from rev 765, active/CVE-2005-4440)

Copied: ignored/CVE-2005-4441 (from rev 765, active/CVE-2005-4441)



