- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200408-24
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Linux Kernel: Multiple information leaks
Date: August 25, 2004
Bugs: #59378, #59905, #59769
ID: 200408-24

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple information leaks have been found in the Linux kernel,
allowing an attacker to obtain sensitive data which may be used for
further exploitation of the system.

Background
==========

The Linux kernel is responsible for managing the core aspects of a
GNU/Linux system, providing an interface for core system applications
as well as providing the essential structure and capability to access
hardware that is needed for a running system.

Affected packages
=================

    -------------------------------------------------------------------
     Kernel                      /  Unaffected                / Remerge
    -------------------------------------------------------------------
  1  aa-sources ................. *>= 2.4.23-r2 .................. YES
     ............................. >= 2.6.5-r5 ................... YES
  2  alpha-sources .............. >= 2.4.21-r12 ......................
  3  ck-sources ................. *>= 2.4.26-r1 .................. YES
     ............................. >= 2.6.7-r5 ................... YES
  4  development-sources .......... >= 2.6.8 .........................
  5  gentoo-dev-sources ......... >= 2.6.7-r12 .......................
  6  gentoo-sources ............ *>= 2.4.19-r22 ......................
     ........................... *>= 2.4.20-r25 ......................
     ........................... *>= 2.4.22-r16 ......................
     ............................ *>= 2.4.25-r9 ......................
     ............................ >= 2.4.26-r9 .......................
  7  grsec-sources ........... >= 2.4.27.2.0.1-r1 ....................
  8  gs-sources .............. >= 2.4.25_pre7-r11 ....................
  9  hardened-dev-sources ........ >= 2.6.7-r7 .......................
 10  hardened-sources ........... >= 2.4.27-r1 .......................
 11  hppa-dev-sources .......... >= 2.6.7_p14-r1 .....................
 12  hppa-sources .............. >= 2.4.26_p7-r1 ................. YES
 13  ia64-sources ............... >= 2.4.24-r10 ......................
 14  mips-sources ............... *>= 2.4.25-r8 ......................
     ............................ *>= 2.4.26-r8 ......................
     ............................ *>= 2.6.4-r8 .......................
     ............................ *>= 2.6.6-r8 .......................
     ............................. >= 2.6.7-r5 .......................
 15  mm-sources ................ >= 2.6.8_rc4-r1 .....................
 16  openmosix-sources .......... >= 2.4.24-r4 .......................
 17  pac-sources ................ >= 2.4.23-r12 ......................
 18  pegasos-dev-sources .......... >= 2.6.8 .........................
 19  rsbac-sources .............. >= 2.4.26-r5 .......................
 20  rsbac-dev-sources ........... >= 2.6.7-r5 .......................
 21  selinux-sources ............ >= 2.4.26-r3 .......................
 22  sparc-sources .............. >= 2.4.27-r1 .......................
 23  uclinux-sources .......... *>= 2.4.26_p0-r6 .....................
     ........................... >= 2.6.7_p0-r5 ......................
 24  usermode-sources ........... *>= 2.4.24-r9 ......................
     ............................ *>= 2.4.26-r6 ......................
     ............................. >= 2.6.6-r6 .......................
 25  vanilla-sources .............. >= 2.4.27 ........................
 26  vserver-sources .......... >= 2.4.26.1.28-r4 ....................
 27  win4lin-sources ............ *>= 2.4.26-r6 ......................
     ............................. >= 2.6.7-r2 .......................
 28  wolk-sources ................ *>= 4.9-r14 .......................
     ............................ *>= 4.11-r10 .......................
     ............................. >= 4.14-r7 ........................
 29  xbox-sources ............... *>= 2.4.27-r1 ......................
     ............................. >= 2.6.7-r5 .......................
    -------------------------------------------------------------------
     NOTE: Packages marked with "Remerge" as "YES" require a re-merge
           even though Portage does not indicate a newer version!
    -------------------------------------------------------------------
     29 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Description
===========

The Linux kernel allows a local attacker to obtain sensitive kernel
information by gaining access to kernel memory via several leaks in the
/proc interfaces. These vulnerabilities exist in various drivers which
make up a working Linux kernel, some of which are present across all
architectures and configurations.

CAN-2004-0415 covers invalid 32-bit to 64-bit conversions in the
kernel, as well as insecure direct access to file offset pointers in
kernel code, which an attacker can modify through open(...),
lseek(...) and other core system I/O functions.

CAN-2004-0685 covers certain USB drivers that use uninitialized
structures and then pass these structures to the copy_to_user(...)
kernel call. This may leak uninitialized kernel memory, which can
contain sensitive information from user applications.

Finally, a race condition with the /proc/.../cmdline node was found,
allowing environment variables to be read while the process was still
spawning. If the race is won, environment variables of the process,
which might not be owned by the attacker, can be read.

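The CAN-2004-0685 paragraph describes the classic partial-initialisation leak. The following is an added user-space model of that pattern, not code from the advisory or from any kernel driver: a hypothetical reply structure is only partly filled before being copied out, so padding and a never-written field carry stale memory, while the fixed variant zeroes the object first. The stale-memory slot is constructed and pre-filled with a marker byte so the result is deterministic.

```c
/* Added example, not from the advisory: a user-space model of the
 * CAN-2004-0685 pattern. A driver fills only some fields of a struct and
 * hands the whole struct to user space, so untouched bytes (padding, a
 * never-written field) carry whatever memory held before. Names are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct dev_info {          /* reply structure returned to user space */
    uint8_t  version;      /* followed by alignment padding */
    uint32_t serial;
    uint32_t reserved;     /* never written by the driver */
};

/* Constructed stand-in for a kernel stack slot, pre-filled with a marker
 * byte so the leak is deterministic; real stale data would be arbitrary. */
#define STALE 0xA5
static union { unsigned char raw[sizeof(struct dev_info)]; struct dev_info s; } kslot;

/* Vulnerable pattern: partial initialisation, then copy the whole object. */
static void leaky_ioctl(unsigned char *user_buf) {
    memset(kslot.raw, STALE, sizeof kslot.raw);  /* leftovers from earlier use */
    kslot.s.version = 1;
    kslot.s.serial  = 0x12345678;
    memcpy(user_buf, &kslot.s, sizeof kslot.s);  /* stands in for copy_to_user */
}

/* Fixed pattern: zero the object before filling it. */
static void fixed_ioctl(unsigned char *user_buf) {
    memset(kslot.raw, STALE, sizeof kslot.raw);
    memset(&kslot.s, 0, sizeof kslot.s);
    kslot.s.version = 1;
    kslot.s.serial  = 0x12345678;
    memcpy(user_buf, &kslot.s, sizeof kslot.s);
}

/* Runs one handler and returns how many returned bytes still hold STALE. */
static int stale_bytes(void (*handler)(unsigned char *)) {
    unsigned char user_buf[sizeof(struct dev_info)];
    int n = 0;
    handler(user_buf);
    for (size_t i = 0; i < sizeof user_buf; i++)
        if (user_buf[i] == STALE) n++;
    return n;
}

int main(void) {
    printf("leaky: %d stale bytes, fixed: %d\n",
           stale_bytes(leaky_ioctl), stale_bytes(fixed_ioctl));
    return 0;
}
```

The leaky handler returns at least the four bytes of the never-written field unchanged; zeroing before filling is the fix applied throughout the kernel for this bug class.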
Impact
======

These vulnerabilities allow a local unprivileged attacker to access
segments of kernel memory or environment variables which may contain
sensitive information. Kernel memory may contain passwords, data
transferred between processes, any memory which applications did not
clear upon exiting as well as the kernel cache and kernel buffers.

This information may be used to read sensitive data, open other attack
vectors for further exploitation or cause a Denial of Service if the
attacker can gain superuser access via the leaked information.

Workaround
==========

There is no temporary workaround for any of these information leaks
other than totally disabling /proc support; otherwise, a kernel
upgrade is required. A list of unaffected kernels is provided along
with this announcement.

Resolution
==========

Users are encouraged to upgrade to the latest available sources for
their system:

    # emerge sync
    # emerge -pv your-favorite-sources
    # emerge your-favorite-sources

    # # Follow usual procedure for compiling and installing a kernel.
    # # If you use genkernel, run genkernel as you would normally.

References
==========

  [ 1 ] CAN-2004-0415
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0415
  [ 2 ] CAN-2004-0685
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0685

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200408-24.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0