Public Date:
512284: CVE-2009-1897 kernel: tun/tap: Fix crashes if open() /dev/net/tun and then poll() it

The MITRE CVE dictionary describes this issue as:

The tun_chr_poll function in drivers/net/tun.c in the tun subsystem in the Linux kernel 2.6.30 and, when the -fno-delete-null-pointer-checks gcc option is omitted, allows local users to gain privileges via vectors involving a NULL pointer dereference and an mmap of /dev/net/tun, a different vulnerability than CVE-2009-1894.

Find out more about CVE-2009-1897 from the MITRE CVE dictionary dictionary and NIST NVD.


Red Hat is aware of this issue and is tracking it via the following bug: The flaw only affects the Red Hat Enterprise Linux 5.4 beta kernel, which includes a backport of the upstream bug fix introducing this flaw (git commit 33dccbb0). This issue did not affect the final released Red Hat Enterprise Linux 5.4 kernel. It is also possible to mitigate this flaw by ensuring that the permissions for /dev/net/tun is restricted to root only. This issue does not affect any other released kernel in any Red Hat product.

CVSS v2 metrics

NOTE: The following CVSS v2 metrics and score provided are preliminary and subject to review.

Base Score 6.9
Base Metrics AV:L/AC:M/Au:N/C:C/I:C/A:C
Access Vector Local
Access Complexity Medium
Authentication None
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).