[CVE-2008-1673, CVE-2008-2358] Linux heap overflows potentially leading to remote arbitrary code execution

Bug #238524 reported by Till Ulen
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| linux (Ubuntu) | Fix Released | Undecided | Unassigned | |
| linux-source-2.6.15 (Ubuntu) | Fix Released | Undecided | Unassigned | |
| linux-source-2.6.20 (Ubuntu) | Fix Released | Undecided | Unassigned | |
| linux-source-2.6.22 (Ubuntu) | Fix Released | Undecided | Unassigned | |

Bug Description

CVE-2008-1673 description:

"Wei Wang from McAfee reported a potential heap overflow in the
ASN.1 decode code that is used by the SNMP NAT and CIFS
subsystem. Exploitation of this issue may lead to arbitrary code
execution."

CVE-2008-2358 description:

"Brandon Edwards of McAfee Avert labs discovered an issue in the
DCCP subsystem. Due to missing feature length checks it is possible
to cause an overflow that may result in remote arbitrary code
execution."

http://lists.debian.org/debian-security-announce/2008/msg00172.html
http://www.debian.org/security/2008/dsa-1592 (not yet available)

Till Ulen (tillulen) wrote :
Leann Ogasawara (leannogasawara) wrote :

Hi Alexander,

It looks like these were also resolved: http://www.ubuntu.com/usn/usn-625-1

Thanks.

Changed in linux:
status: New → Fix Released
Changed in linux-source-2.6.15:
status: New → Fix Released
Changed in linux-source-2.6.20:
status: New → Fix Released
Changed in linux-source-2.6.22:
status: New → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
