CVE-2008-1673

Publication date 10 June 2008

Last updated 24 July 2024

Ubuntu priority

The asn1 implementation in (a) the Linux kernel 2.4 before 2.4.36.6 and 2.6 before 2.6.25.5, as used in the cifs and ip_nat_snmp_basic modules; and (b) the gxsnmp package; does not properly validate length values during decoding of ASN.1 BER data, which allows remote attackers to cause a denial of service (crash) or execute arbitrary code via (1) a length greater than the working buffer, which can lead to an unspecified overflow; (2) an oid length of zero, which can lead to an off-by-one error; or (3) an indefinite length for a primitive encoding.

From the Ubuntu Security Team

Wei Wang discovered that the ASN.1 decoding routines in CIFS and SNMP NAT did not correctly handle certain length values. Remote attackers could exploit this to execute arbitrary code or crash the system.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
linux	8.04 LTS hardy	Fixed 2.6.24-19.36
	7.10 gutsy	Not in release
	7.04 feisty	Not in release
	6.06 LTS dapper	Not in release
linux-source-2.6.15	8.04 LTS hardy	Not in release
	7.10 gutsy	Not in release
	7.04 feisty	Not in release
	6.06 LTS dapper	Fixed 2.6.15-52.69
linux-source-2.6.20	8.04 LTS hardy	Not in release
	7.10 gutsy	Not in release
	7.04 feisty	Fixed 2.6.20-17.37
	6.06 LTS dapper	Not in release
linux-source-2.6.22	8.04 LTS hardy	Not in release
	7.10 gutsy	Fixed 2.6.22-15.56
	7.04 feisty	Not in release
	6.06 LTS dapper	Not in release

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
linux	Other: http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.25.y.git;a=commit;h=33afb8403f361919aa5c8fe1d0a4f5ddbfbbea3c Other: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=ddb2c43594f22843e9f3153da151deaba1a834c5

CVE-2008-1673

From the Ubuntu Security Team

Status

Patch details

References

Related Ubuntu Security Notices (USN)

Other references