<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="200407-12">
  <title>Linux Kernel: Remote DoS vulnerability with IPTables TCP Handling</title>
  <synopsis>
    A flaw has been discovered in 2.6 series Linux kernels that allows an
    attacker to send a malformed TCP packet, causing the affected kernel to
    possibly enter an infinite loop and hang the vulnerable machine.
  </synopsis>
  <product type="ebuild">Kernel</product>
  <announced>2004-07-14</announced>
  <revised count="02">2004-10-10</revised>
  <bug>55694</bug>
  <access>remote</access>
  <affected>
    <package name="sys-kernel/aa-sources" auto="no" arch="*">
      <unaffected range="ge">2.6.5-r5</unaffected>
      <unaffected range="lt">2.6</unaffected>
      <vulnerable range="lt">2.6.5-r5</vulnerable>
    </package>
    <package name="sys-kernel/ck-sources" auto="no" arch="*">
      <unaffected range="ge">2.6.7-r2</unaffected>
      <unaffected range="lt">2.6</unaffected>
      <vulnerable range="lt">2.6.7-r2</vulnerable>
    </package>
    <package name="sys-kernel/development-sources" auto="yes" arch="*">
      <unaffected range="ge">2.6.8</unaffected>
      <vulnerable range="lt">2.6.8</vulnerable>
    </package>
    <package name="sys-kernel/gentoo-dev-sources" auto="yes" arch="*">
      <unaffected range="ge">2.6.7-r7</unaffected>
      <vulnerable range="lt">2.6.7-r7</vulnerable>
    </package>
    <package name="sys-kernel/hardened-dev-sources" auto="yes" arch="*">
      <unaffected range="ge">2.6.7-r1</unaffected>
      <vulnerable range="lt">2.6.7-r1</vulnerable>
    </package>
    <package name="sys-kernel/hppa-dev-sources" auto="yes" arch="*">
      <unaffected range="ge">2.6.7_p1-r1</unaffected>
      <vulnerable range="lt">2.6.7_p1-r1</vulnerable>
    </package>
    <package name="sys-kernel/mips-sources" auto="yes" arch="*">
      <unaffected range="ge">2.6.4-r4</unaffected>
      <unaffected range="lt">2.6</unaffected>
      <vulnerable range="lt">2.6.4-r4</vulnerable>
    </package>
    <package name="sys-kernel/mm-sources" auto="no" arch="*">
      <unaffected range="ge">2.6.7-r4</unaffected>
      <unaffected range="lt">2.6</unaffected>
      <vulnerable range="lt">2.6.7-r4</vulnerable>
    </package>
    <package name="sys-kernel/pegasos-dev-sources" auto="yes" arch="*">
      <unaffected range="ge">2.6.7-r1</unaffected>
      <vulnerable range="lt">2.6.7-r1</vulnerable>
    </package>
    <package name="sys-kernel/rsbac-dev-sources" auto="yes" arch="*">
      <unaffected range="ge">2.6.7-r1</unaffected>
      <vulnerable range="lt">2.6.7-r1</vulnerable>
    </package>
    <package name="sys-kernel/uclinux-sources" auto="yes" arch="*">
      <unaffected range="ge">2.6.7_p0-r1</unaffected>
      <unaffected range="lt">2.6</unaffected>
      <vulnerable range="lt">2.6.7_p0</vulnerable>
    </package>
    <package name="sys-kernel/usermode-sources" auto="yes" arch="*">
      <unaffected range="ge">2.6.6-r2</unaffected>
      <unaffected range="lt">2.6</unaffected>
      <vulnerable range="lt">2.6.6-r2</vulnerable>
    </package>
    <package name="sys-kernel/win4lin-sources" auto="yes" arch="*">
      <unaffected range="ge">2.6.7-r1</unaffected>
      <unaffected range="lt">2.6</unaffected>
      <vulnerable range="lt">2.6.7-r1</vulnerable>
    </package>
    <package name="sys-kernel/xbox-sources" auto="yes" arch="*">
      <unaffected range="ge">2.6.7-r1</unaffected>
      <unaffected range="lt">2.6</unaffected>
      <vulnerable range="lt">2.6.7-r1</vulnerable>
    </package>
  </affected>
  <background>
    <p>
    The Linux kernel is responsible for managing the core aspects of a
    GNU/Linux system, providing an interface for core system applications as
    well as providing the essential structure and capability to access hardware
    that is needed for a running system.
    </p>
  </background>
  <description>
    <p>
    An attacker can utilize an erroneous data type in the IPTables TCP option
    handling code, which lies in an iterator. By making a TCP packet with a
    header length larger than 127 bytes, a negative integer would be implied in
    the iterator.
    </p>
  </description>
  <impact type="high">
    <p>
    By sending one malformed packet, the kernel could get stuck in a loop,
    consuming all of the CPU resources and rendering the machine useless,
    causing a Denial of Service. This vulnerability requires no local access.
    </p>
  </impact>
  <workaround>
    <p>
    If users do not use the netfilter functionality or do not use any
    ``--tcp-option'' rules they are not vulnerable to this exploit. Users that
    are may remove netfilter support from their kernel or may remove any
    ``--tcp-option'' rules they might be using. However, all users are urged to
    upgrade their kernels to patched versions.
    </p>
  </workaround>
  <resolution>
    <p>
    Users are encouraged to upgrade to the latest available sources for their
    system:
    </p>
    <code>
    # emerge sync
    # emerge -pv your-favorite-sources
    # emerge your-favorite-sources

    # # Follow usual procedure for compiling and installing a kernel.
    # # If you use genkernel, run genkernel as you would do normally.</code>
  </resolution>
  <references>
    <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0626">CAN-2004-0626</uri>
  </references>
  <metadata tag="submitter">
    plasmaroo
  </metadata>
</glsa>