
CVE-2008-4618

Published: 21 October 2008

The Stream Control Transmission Protocol (sctp) implementation in the Linux kernel before 2.6.27 does not properly handle a protocol violation in which a parameter has an invalid length, which allows attackers to cause a denial of service (panic) via unspecified vectors, related to sctp_sf_violation_paramlen, sctp_sf_abort_violation, sctp_make_abort_violation, and incorrect data types in function calls.

From the Ubuntu security team

It was discovered that the SCTP stack did not correctly handle bad packet lengths. A remote user could exploit this by sending specially crafted SCTP traffic which would trigger a crash in the system, leading to a denial of service. This issue did not affect Ubuntu 8.10.

Priority

Low

Status

Package: linux (Launchpad, Ubuntu, Debian)

Release     Status
dapper      Does not exist
gutsy       Does not exist
hardy       Released (2.6.24-22.45)
intrepid    Not vulnerable
upstream    Released (2.6.27~rc9)

Patches:
upstream: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=ba0166708ef4da7eeb61dd92bbba4d5a749d6561

Package: linux-source-2.6.15 (Launchpad, Ubuntu, Debian)

Release     Status
dapper      Released (2.6.15-53.74)
gutsy       Does not exist
hardy       Does not exist
intrepid    Does not exist
upstream    Released (2.6.27~rc9)

Package: linux-source-2.6.22 (Launchpad, Ubuntu, Debian)

Release     Status
dapper      Does not exist
gutsy       Released (2.6.22-16.60)
hardy       Does not exist
intrepid    Does not exist
upstream    Released (2.6.27~rc9)