- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200407-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: Linux Kernel: Multiple vulnerabilities
      Date: July 03, 2004
      Bugs: #47881, #49637, #53804, #54976, #55698
        ID: 200407-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in the Linux kernel used by
GNU/Linux systems. Patched or updated versions of these kernels have
been released; details are included in this advisory.

Background
==========

The Linux kernel is responsible for managing the core aspects of a
GNU/Linux system: it provides an interface for core system applications
and the essential structure and capability to access the hardware that
a running system needs.

Affected packages
=================

  -------------------------------------------------------------------
      Kernel                   /   Unaffected    /             Remerge
  -------------------------------------------------------------------
   1  aa-sources ............... == 2.4.23-r2 ..................... YES
   2  alpha-sources ............ >= 2.4.21-r8 .........................
   3  ck-sources ............... == 2.4.26-r1 ..................... YES
      ........................... >= 2.6.7-r1 ..................... YES
   4  compaq-sources ......... >= 2.4.9.32.7-r7 .......................
   5  development-sources ........ >= 2.6.7 ...........................
   6  gaming-sources ........... >= 2.4.20-r14 ........................
   7  gentoo-dev-sources ......... >= 2.6.7 ...........................
   8  gentoo-sources .......... *>= 2.4.19-r17 ........................
      ......................... *>= 2.4.20-r20 ........................
      ......................... *>= 2.4.22-r12 ........................
      .......................... *>= 2.4.25-r5 ........................
      .......................... >= 2.4.26-r3 .........................
   9  grsec-sources .......... >= 2.4.26.2.0-r5 .......................
  10  gs-sources ............. >= 2.4.25_pre7-r7 ......................
  11  hardened-dev-sources ....... >= 2.6.7 ...........................
  12  hardened-sources ......... >= 2.4.26-r2 .........................
  13  hppa-dev-sources ........... >= 2.6.7 ...........................
  14  hppa-sources ............. >= 2.4.26_p6 .........................
  15  ia64-sources ............. >= 2.4.24-r5 .........................
  16  mips-sources ............. >= 2.4.26-r3 .........................
  17  mm-sources ................ >= 2.6.7-r1 .........................
  18  openmosix-sources ........ >= 2.4.22-r10 ........................
  19  pac-sources .............. >= 2.4.23-r8 .........................
  20  pegasos-dev-sources ........ >= 2.6.7 ...........................
  21  pegasos-sources .......... >= 2.4.26-r2 .........................
  22  planet-ccrma-sources ..... >= 2.4.21-r10 ........................
  23  ppc-sources .............. >= 2.4.26-r2 .........................
  24  ppc64-sources .............. >= 2.6.7 ...........................
  25  rsbac-sources ............ >= 2.4.26-r2 .........................
  26  rsbac-dev-sources ......... >= 2.6.7-r1 .........................
  27  selinux-sources .......... >= 2.4.26-r2 .........................
  28  sparc-sources ............ >= 2.4.26-r2 .........................
  29  uclinux-sources ......... >= 2.4.26_p0-r2 .......................
  30  usermode-sources ......... *>= 2.4.24-r5 ........................
      .......................... >= 2.4.26-r2 .........................
  31  vanilla-sources ........... Vulnerable! .........................
  32  vserver-sources ....... >= 2.4.26.1.3.9-r2 ......................
  33  win4lin-sources .......... >= 2.4.26-r2 .........................
  34  wolk-sources .............. *>= 4.9-r9 ..........................
      ........................... *>= 4.11-r6 .........................
      ........................... >= 4.14-r3 ..........................
  35  xbox-sources ............... >= 2.6.7 ...........................
  36  xfs-sources .............. >= 2.4.24-r8 .........................
  -------------------------------------------------------------------
  NOTE: Some kernels are still vulnerable. Users should migrate to
        another kernel if one is available or seek another
        solution such as patching their existing kernel.
  -------------------------------------------------------------------
  NOTE: Packages marked with "Remerge" as "YES" require a re-merge
        even though Portage does not indicate a newer version!
  -------------------------------------------------------------------
       36 affected packages on all of their supported architectures.
  -------------------------------------------------------------------
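The table above can be read mechanically: an "==" row means that exact version is fixed but must be re-merged, a ">=" row means any version at or above it is fixed, and "Vulnerable!" means no fixed version exists. The script below is an added example, not part of this advisory or of Gentoo's own tooling: it embeds a constructed excerpt of the table, implements Gentoo-style version ordering (_pre < none < _p, then -rN revision), and assumes that the asterisk-marked rows cover only their own x.y.z branch, a reading the advisory itself does not define.

```python
import re

# Constructed excerpt of the advisory's "Affected packages" table, one
# entry per row: (operator, fixed version, remerge needed, branch-only).
# Rows the advisory marks with "*" are ASSUMED to cover only their own
# x.y.z branch, e.g. "*>= 2.4.19-r17" applies only to 2.4.19 builds.
TABLE = {
    "aa-sources":      [("==", "2.4.23-r2", True, False)],
    "ck-sources":      [("==", "2.4.26-r1", True, False),
                        (">=", "2.6.7-r1", True, False)],
    "gentoo-sources":  [(">=", "2.4.19-r17", False, True),
                        (">=", "2.4.20-r20", False, True),
                        (">=", "2.4.22-r12", False, True),
                        (">=", "2.4.25-r5", False, True),
                        (">=", "2.4.26-r3", False, False)],
    "gs-sources":      [(">=", "2.4.25_pre7-r7", False, False)],
    "vanilla-sources": [],           # "Vulnerable!": no fixed version
}

# Gentoo suffix ordering: _alpha < _beta < _pre < _rc < (none) < _p
SUFFIX_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, "": 4, "p": 5}

def parse_version(v):
    """Turn e.g. '2.4.25_pre7-r7' into a tuple that sorts the Gentoo way."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:_([a-z]+)(\d*))?(?:-r(\d+))?", v)
    if not m or (m.group(2) or "") not in SUFFIX_RANK:
        raise ValueError("unsupported version string: " + v)
    nums = tuple(int(x) for x in m.group(1).split("."))
    return (nums, SUFFIX_RANK[m.group(2) or ""],
            int(m.group(3) or 0), int(m.group(4) or 0))

def check(package, installed):
    """Classify an installed version: 'unaffected', 'remerge' (fixed
    version installed but must be re-merged), 'upgrade' or 'vulnerable'."""
    rows = TABLE.get(package)
    if rows is None:
        return "unknown"                 # package not in this excerpt
    if not rows:
        return "vulnerable"              # nothing to upgrade to
    inst = parse_version(installed)
    for op, fixed, remerge, branch_only in rows:
        fv = parse_version(fixed)
        if branch_only and inst[0] != fv[0]:
            continue                     # row covers another branch
        if inst == fv:
            return "remerge" if remerge else "unaffected"
        if op == ">=" and inst > fv:
            return "unaffected"
    return "upgrade"
```

A result of "remerge" corresponds to the second NOTE above: Portage will not offer a newer version, so the package must be re-emerged explicitly.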

Description
===========

Multiple flaws have been discovered in the Linux kernel. This advisory
corrects the following issues:

* CAN-2004-0109: A buffer overflow in ISO9660 file system handling,
  triggered by a malformed file system containing a long symbolic link
  entry, allows privilege escalation and arbitrary code execution at
  kernel level.

* CAN-2004-0133: The XFS file system in 2.4 series kernels has an
  information leak by which data in memory can be written to the
  device hosting the file system, allowing users to obtain portions of
  kernel memory by reading the raw block device.

* CAN-2004-0177: The ext3 file system in 2.4 series kernels does not
  properly initialize journal descriptor blocks, causing an information
  leak by which data in memory can be written to the device hosting
  the file system, allowing users to obtain portions of kernel memory
  by reading the raw device.

* CAN-2004-0181: The JFS file system in 2.4 series kernels has an
  information leak by which data in memory can be written to the
  device hosting the file system, allowing users to obtain portions of
  kernel memory by reading the raw device.

* CAN-2004-0178: The OSS Sound Blaster [R] driver has a Denial of
  Service vulnerability because it does not handle certain sample sizes
  properly. This allows local users to hang the kernel.

* CAN-2004-0228: Due to an integer signedness error in the CPUFreq
  /proc handler code in 2.6 series Linux kernels, local users can
  escalate their privileges.

* CAN-2004-0229: The framebuffer driver in 2.6 series kernels does not
  use the fb_copy_cmap method when copying structures. The impact of
  this issue is unknown, however.

* CAN-2004-0394: A buffer overflow exists in the panic() function of
  2.4 series Linux kernels, but it may not be exploitable under normal
  circumstances because of what that function does.

* CAN-2004-0427: The do_fork() function in both 2.4 and 2.6 series
  Linux kernels does not properly decrement the mm_count counter when
  an error occurs, triggering a memory leak that allows local users to
  cause a Denial of Service by starving other applications of memory,
  causing the kernel to panic or to kill services.

* CAN-2004-0495: Multiple vulnerabilities found by the Sparse source
  checker in the kernel allow local users to escalate their privileges
  or gain access to kernel memory.

* CAN-2004-0535: The e1000 NIC driver does not properly initialize
  memory structures before using them, allowing users to read kernel
  memory.

* CAN-2004-0554: 2.4 and 2.6 series kernels running on an x86 or an
  AMD64 architecture allow local users to cause a Denial of Service
  (a total system hang) due to an infinite loop, triggered through a
  signal handler by a certain sequence of fsave and frstor
  instructions.

* Local DoS in PaX: If ASLR is enabled as a GRSecurity PaX feature, a
  Denial of Service can be achieved by putting the kernel into an
  infinite loop. Only 2.6 series GRSecurity kernels are affected by
  this issue.

* RSBAC 1.2.3 JAIL issues: A flaw in the RSBAC JAIL implementation
  allows suid/sgid files to be created inside the jail, since the
  relevant module does not check the corresponding mode values. This
  can allow privilege escalation inside the jail. Only
  rsbac-(dev-)sources are affected by this issue.

Impact
======

Code running with normal, non-superuser privileges may be able to
exploit any of these vulnerabilities, gaining kernel-level access to
memory structures and hardware devices. This may be used for further
exploitation of the system, to leak sensitive data, or to cause a
Denial of Service on the affected kernel.

Workaround
==========

Although users may not be affected by certain vulnerabilities, all
kernels are affected by the CAN-2004-0394, CAN-2004-0427 and
CAN-2004-0554 issues, which have no workaround. As a result, all users
are urged to upgrade their kernels to patched versions.

Resolution
==========

Users are encouraged to upgrade to the latest available sources for
their system:

    # emerge sync
    # emerge -pv your-favorite-sources
    # emerge your-favorite-sources

    # # Follow usual procedure for compiling and installing a kernel.
    # # If you use genkernel, run genkernel as you would do normally.

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200407-02.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Technologies, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0