Please update USN-752-1's description

Bug #376039 reported by Fumihito YOSHIDA
This bug affects 1 person
Affects: Ubuntu
Status: Won't Fix
Importance: Undecided
Assigned to: Unassigned

Bug Description

Hi,

http://www.ubuntu.com/usn/usn-752-1
Please update the USN description, because CVE-2009-0065 has a published
remote exploit that can get root privileges.

USN-752-1's description said:
> The SCTP stack did not correctly validate FORWARD-TSN packets.
> A remote attacker could send specially crafted SCTP traffic causing
> a system crash, leading to a denial of service. (CVE-2009-0065)

This is old info. Today, CVE-2009-0065 has a remote root exploit.

But this vuln needs sctp.ko to be loaded (= a running SCTP application);
in general cases, this exploit does not work for Desktop envs.

See also:
http://kernelbof.blogspot.com/2009/04/kernel-memory-corruptions-are-not-just.html
http://www.securityfocus.com/bid/33113
http://downloads.securityfocus.com/vulnerabilities/exploits/33113.c

Regards,

Jamie Strandboge (jdstrand) wrote:

Thank you for using Ubuntu and taking the time to report a bug. While you are correct that this issue is more than a DoS, we normally do not update USN text based on new exploit information (it is way too time-consuming and would remain hopelessly out of date). Additionally, while incomplete, the USN currently describes a high impact vulnerability for users of SCTP (a remotely triggerable DoS) which would compel SCTP users to upgrade their kernels anyway.

Changed in ubuntu:
status: New → Won't Fix
visibility: private → public