CVE-2014-2523 nf_conntrack_proto_dccp.ko Kernel Security Fix - severe I think

Hello.

Perhaps I am being paranoid, but I noticed that CVE-2014-2523 (severity rating 10.0) has been fixed in the Linux kernel patch 3.10.36 / 2014.04.03 but not in the openSUSE 12.3 kernel upgrade. I would like to fix this myself asap - is there any way that I could apply this patch myself? How do I do this? Do I download the kernel source, build it then apply the patch? Or simply fix this bit in the source and create a patch and install it?

I have developed two commercial windows packages but the linux stuff throws me for a loop at times. However, I really need to install this patch. Please point me in the right direction if possible. Last resort I can install 13.1 I guess but it is pretty new and I don’t think this fix has been applied to it either.

Thanks for your help.

Dean Makowecky

Hi
Already fixed last month (Comment #9), guess it’s not pushed yet…
https://bugzilla.novell.com/show_bug.cgi?id=868653

Hi. Thanks for the quick response.

My file listing is: 15188 Feb 3 17:21 nf_conntrack_proto_dccp.ko in directory /lib/modules/3.7.10-1.28-desktop/kernel/net/netfilter.

Note my file date is Feb. 3, and I noticed the bugzilla date was March, so I guess not pushed through yet - How do I tell? I searched for CVE-2014-2523 on openSUSE site and forums (I thought) and didn’t find anything. But I did NOT search bugzilla. I didn’t know it existed - now I do. Thanks.

I have noticed that updates are sometimes not being applied properly on my system. Can I just compile that file and replace the existing one to fix the problem? Where do I find the dependencies? (As you can tell, I am not so familiar with linux. Is there any info on this or building particular modules?)

Thanks for any help.

Dean

Hi
This is the fixed kernel here;
http://download.opensuse.org/repositories/Kernel:/openSUSE-12.3/standard/

From the changes file;
https://build.opensuse.org/source/Kernel:openSUSE-12.3/kernel-desktop/kernel-default.changes?rev=992993e793db0c47b70e11e13838a157


-------------------------------------------------------------------
Mon Mar 24 14:14:23 CET 2014 - jeffm@suse.com

- netfilter: nf_conntrack_dccp: fix skb_header_pointer API usages
  (bnc#868653 CVE-2014-2523).
- commit 956ad17

Hi.

I use the desktop kernel configuration - I’ll switch back to the default configuration for greater security and submit a bug report to bugzilla.

Thanks for your help.

Dean

Why?

That repo malcomlewis pointed to contains kernel-desktop as well with the same fixes (they are built from the exact same sources including the same patches anyway).

And this is the 12.3 kernel repo, AIUI this is used for preparing official updates for 12.3, so the fixes in there will be released as update sooner or later I think.

I applied the fixed kernel pointed to by Malcolm - THANKS!

I also downloaded, compiled and installed the latest openssl and gnuTLS packages. Now MUCH safer I hope. I really have to find out why the patches didn’t show up in my apper/zypper repositories and others weren’t installed properly when I applied them.

Thanks very much for your help.

Dean Makowecky

On openSUSE such fixes are normally backported to the shipped version, there are no version updates released as official online updates.
Maybe that just confused you and you actually DID have the patches installed?

F.e. openssl is still at version 1.0.1e, but the openSUSE package does contain the fix for the heartbleed bug and is not vulnerable any more.

You can see that in the package’s changelog:

# rpm -q openssl
openssl-1.0.1e-11.32.1.x86_64
# rpm -q --changelog openssl
* Tue Apr 08 2014 shchang@suse.com
- Fixed bug bnc#872299] CVE-2014-0160: openssl: missing bounds checks for heartbeat messages
  Add file: CVE-2014-0160.patch
...

In this specific case (openssl), a version update to 1.0.1g will be released as well though, to avoid misunderstandings.
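
The changelog check from the post above, generalised to any package and CVE id, as an added example that is not part of the original thread. The function names are hypothetical and the second sample entry is constructed; the first entry is the one quoted above.

```shell
#!/bin/sh
# Added example: decide from a package changelog whether a CVE fix was
# backported, instead of comparing upstream version numbers.

# Print the header line (date, packager) of every changelog entry that
# mentions the CVE id given as $1. Changelog text is read from stdin.
cve_entries() {
    awk -v cve="$1" '
        # True if id occurs in line and is not a prefix of a longer id.
        function mentions(line, id,    p, rest) {
            rest = line
            while ((p = index(rest, id)) > 0) {
                rest = substr(rest, p + length(id))
                if (rest !~ /^[0-9]/) return 1
            }
            return 0
        }
        /^\* / { header = $0; printed = 0; next }   # "* <date> <packager>" opens an entry
        !printed && mentions($0, cve) { print header; printed = 1 }
    '
}

# Exit status 0 if the changelog on stdin mentions the CVE id in $1.
cve_fixed_in_changelog() {
    [ -n "$(cve_entries "$1")" ]
}

# Sample input: first entry as quoted in the thread, second entry constructed
# to show that a longer id sharing the same prefix is not counted.
SAMPLE_CHANGELOG='* Tue Apr 08 2014 shchang@suse.com
- Fixed bug bnc#872299] CVE-2014-0160: openssl: missing bounds checks for heartbeat messages
  Add file: CVE-2014-0160.patch
* Mon Jan 06 2014 packager@example.com
- constructed entry mentioning CVE-2014-01601 only'

printf '%s\n' "$SAMPLE_CHANGELOG" | cve_entries CVE-2014-0160
```

On an installed system, pipe the output of rpm -q --changelog for the package (openssl, or the installed kernel package) into cve_entries in place of the sample text.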

Yep. Oops.

At least I erred on the safe side (salvage some dignity anyhow).

Dean