Ubuntu
linux-source-2.6.20 package

IPv6 RH0 Vulnerability

Bug #114530 reported by Bernhard Schmidt
258
Affects Status Importance Assigned to Milestone
linux-source-2.6.20 (Ubuntu)
Fix Released
High
Ubuntu Kernel Team

Bug Description

Most IPv6 stacks (including the Linux kernel with forwarding enabled) accept IPv6 Routing Header Type 0 packets. Those packets work like IPv4 source routing and are an attack vector for DoS attacks and circumventing firewalls.

http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf

This bug is considered a security vulnerability and has been fixed in every other affected OS and also Linux upstream in Kernel 2.6.20.9
http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.20.y.git;a=commit;h=010831ab8436dfd9304b203467566fb6b135c24f

Please apply that patch to the Ubuntu kernel packages.

CVE References

Revision history for this message
Kees Cook (kees) wrote :

Thanks for the report. Note that this fix is also needed:

http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.20.y.git;a=commit;h=9d08f139275450f9366d85ba09b9a2e09bb33766

Revision history for this message
Chuck Short (zulcss) wrote :

Raising severity level

Changed in linux-meta:
assignee: nobody → ubuntu-kernel-team
importance: Medium → High
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Fixed in Feisty:
$ git show 2b302aefcbb63c95a47bdd17118214eddddedc6c
commit 2b302aefcbb63c95a47bdd17118214eddddedc6c
Author: YOSHIFUJI Hideaki <email address hidden>
Date: Fri Apr 27 02:13:02 2007 -0700

    (Bug fix to ipv6 security fix, from stable kernel 2.6.20.10)

    IPV6: Fix for RT0 header ipv6 change.

    [IPV6]: Fix thinko in ipv6_rthdr_rcv() changes.

    Signed-off-by: YOSHIFUJI Hideaki <email address hidden>
    Signed-off-by: David S. Miller <email address hidden>
    Signed-off-by: Greg Kroah-Hartman <email address hidden>

    (cherry picked from commit 9d08f139275450f9366d85ba09b9a2e09bb33766)
...

Changed in linux-source-2.6.20:
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.