Arch Linux

FS#41346 - [linux] CVE-2014-507: Kernel built with CONFIG_IP_SCTP is vulnerable to null pointer dereference

Attached to Project: Arch Linux
Opened by Mark E. Lee (bluerider) - Saturday, 26 July 2014, 03:01 GMT
Last edited by Doug Newgard (Scimmia) - Saturday, 26 July 2014, 04:13 GMT
Task Type: Bug Report
Category: Packages: Core
Status: Closed
Assigned To: No-one
Architecture: All
Severity: High
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No



I looked at the configuration file for Arch Linux kernel build and ip_sctp is built as a module. See message below from OSS-security mailing list for details:


Linux kernel built with the support for Stream Control Transmission Protocol (CONFIG_IP_SCTP) is vulnerable to a NULL pointer dereference flaw. It could occur when simultaneous new connections are initiated between the same pair of hosts.

A remote user/program could use this flaw to crash the system kernel resulting in DoS.

Upstream fix:
-------------

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
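
Added example (not part of the original report or the quoted advisory): a POSIX shell check for the situation the report describes, where CONFIG_IP_SCTP is built as a module. It reads a kernel config and a /proc/modules-format list and reports whether SCTP code is built in, loaded, or only available as a module. The function names and verdict strings are assumptions of this example, and the sample input is constructed.

```shell
#!/bin/sh
# Added example: classify how SCTP is present on a host.
# Function names and verdict strings are this example's own.

# Print builtin | module | disabled | unknown for a kernel config file
# (plain text, or gzip-compressed like /proc/config.gz).
sctp_config_state() {
    sc_reader=cat
    [ -r "$1" ] || { echo unknown; return; }
    case $1 in *.gz) sc_reader=zcat ;; esac
    if "$sc_reader" "$1" | grep -q '^CONFIG_IP_SCTP=y$'; then
        echo builtin
    elif "$sc_reader" "$1" | grep -q '^CONFIG_IP_SCTP=m$'; then
        echo module
    else
        echo disabled   # covers "# CONFIG_IP_SCTP is not set" and absence
    fi
}

# Succeed if a /proc/modules-format file has sctp as a module name.
# Only field 1 is compared, so "libcrc32c ... sctp," does not count by itself.
sctp_module_loaded() {
    awk '$1 == "sctp" { found = 1 } END { exit !found }' "$1"
}

# Combine both: sctp_exposure CONFIG_FILE MODULES_FILE
sctp_exposure() {
    sc_state=$(sctp_config_state "$1")
    case $sc_state in
        builtin) echo exposed-builtin ;;
        module)
            if sctp_module_loaded "$2"; then
                echo exposed-module-loaded
            else
                echo module-not-loaded   # SCTP code not in the running kernel yet
            fi ;;
        *) echo "$sc_state" ;;
    esac
}

# Constructed sample input, matching the report (SCTP built as a module).
demo=$(mktemp -d)
printf 'CONFIG_INET=y\nCONFIG_IP_SCTP=m\n' > "$demo/config"
printf 'ext4 700000 1 - Live 0x0000000000000000\n' > "$demo/modules"
sctp_exposure "$demo/config" "$demo/modules"
rm -rf "$demo"
```

On a live system, pass the running kernel's config (for example /proc/config.gz where the kernel provides it) and /proc/modules as the two arguments.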

Closed by Doug Newgard (Scimmia)
Saturday, 26 July 2014, 04:13 GMT
Reason for closing: Duplicate
Additional comments about closing: FS#41329
Comment by Doug Newgard (Scimmia) - Saturday, 26 July 2014, 03:13 GMT
I don't get it, you filed this report yesterday (FS#41329).