On Mon, 22 Nov 1999 Notedite Nada wrote:
Hi-
I heard about a bug in ipchains, could you please tell me what to do? Thanks
Hi, on the bugtraq archives (bugtraq id: 543) one can find: # BEGIN BUGTRAQ Linux IPChains Fragment Overlap Vulnerability: This patch was provided with the DataProtect advisory posted to BugTraq on July 27, 1999. The solution was incorporated into the 2.2.11 kernel, released in August 1999. *** linux.old/net/ipv4/ip_fw.c Wed Jun 9 05:33:07 1999 --- linux/net/ipv4/ip_fw.c Fri Jul 23 19:20:45 1999 *************** *** 37,42 **** --- 37,45 ---- * 19-May-1999: Star Wars: The Phantom Menace opened. Rule num * printed in log (modified from Michael Hasenstein's patch). * Added SYN in log message. --RR + * 23-Jul-1999: Fixed small fragment security exposure opened on 15-May-1998. + * John McDonald <jm@dataprotect.com> + * Thomas Lopatic <tl@dataprotect.com> */ /* *************** *** 644,650 **** default: size_req = 0; } ! offset = (ntohs(ip->tot_len) < (ip->ihl<<2)+size_req); } src = ip->saddr; --- 647,666 ---- default: size_req = 0; } ! ! /* If it is a truncated first fragment then it can be ! * used to rewrite port information, and thus should ! * be blocked. ! */ ! ! if (ntohs(ip->tot_len) < (ip->ihl<<2)+size_req) ! { ! if (!testing && net_ratelimit()) { ! printk("Suspect short first fragment.\n"); ! dump_packet(ip,rif,NULL,NULL,0,0,0,0); ! } ! return FW_BLOCK; ! } } src = ip->saddr; # END BUGTRAQ So, if you have a kernel >= 2.2.11 you are not vulnerable to the "Linux IPChains Fragment Overlap Vulnerability". If your kernel is <2.2.11, update or patch your sources and build a new one. I hope that helps. Regards, Martin -- ---------------------------------------------------- Martin Peikert EN 636 Fachgebiet Theoretische Elektrotechnik TU Berlin Sekretariat EN 2 fon 314-23881 fax 314-22284 http://www-tet.ee.tu-berlin.de/peikert/index.html ----------------------------------------------------
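Review bot: In the second ip_fw.c hunk (new lines 647-666), the bare `return FW_BLOCK;` leaves the function before the code that follows (`src = ip->saddr;` onward) ever runs, so the drop is not tied to any rule and cannot be counted or overridden by the administrator. The new comment should say this explicitly. It should also name the condition that restricts the check to first fragments, because that condition lies outside the visible context and the test shown only compares `ntohs(ip->tot_len)` with `(ip->ihl<<2)+size_req`. The `!testing` guard suppresses only the log output, so a test call still gets FW_BLOCK from this path rather than a rule verdict, which is worth documenting. The `printk("Suspect short first fragment.\n")` call has no KERN_ level prefix; adding one such as KERN_WARNING would let the message be filtered by priority.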
Hi,
I heard about a bug in ipchains, could you please tell me what to do? Thanks
Hi,
on the bugtraq archives (bugtraq id: 543) one can find:
# BEGIN BUGTRAQ Linux IPChains Fragment Overlap Vulnerability:
This patch was provided with the DataProtect advisory posted to BugTraq on July 27, 1999. The solution was incorporated into the 2.2.11 kernel, released in August 1999.
AFAIK this patch has some unwanted side effects, and a better patch had been posted on the linux-kernel mailing list.

Bye,
Thomas
--
Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: thomas@suse.de Function: Security Support & Auditing
"lynx -source http://www.suse.de/~thomas/thomas.pgp | pgp -fka"
Key fingerprint = 09 48 F2 FD 81 F7 E7 98 6D C7 36 F1 96 6A 12 47