Gentoo Archives: gentoo-announce

From: Tim Yamin <plasmaroo@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××.com, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200407-02 ] Linux Kernel: Multiple vulnerabilities
Date: Sat, 03 Jul 2004 22:55:01
Message-Id: 40E738DE.6040105@gentoo.org
1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 Gentoo Linux Security Advisory GLSA 200407-02
3 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4 http://security.gentoo.org/
5 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7 Severity: High
8 Title: Linux Kernel: Multiple vulnerabilities
9 Date: July 03, 2004
10 Bugs: #47881, #49637, #53804, #54976, #55698
11 ID: 200407-02
12
13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15 Synopsis
16 ========
17
18 Multiple vulnerabilities have been found in the Linux kernel used by
19 GNU/Linux systems. Patched, or updated versions of these kernels have
20 been released and details are included in this advisory.
21
22 Background
23 ==========
24
25 The Linux kernel is responsible for managing the core aspects of a
26 GNU/Linux system, providing an interface for core system applications
27 as well as providing the essential structure and capability to access
28 hardware that is needed for a running system.
29
30 Affected packages
31 =================
32
33 -------------------------------------------------------------------
34 Kernel / Unaffected / Remerge
35 -------------------------------------------------------------------
36 1 aa-sources ............... == 2.4.23-r2 ..................... YES
37 2 alpha-sources ............ >= 2.4.21-r8 .........................
38 3 ck-sources ............... == 2.4.26-r1 ..................... YES
39 ........................... >= 2.6.7-r1 ..................... YES
40 4 compaq-sources ......... >= 2.4.9.32.7-r7 .......................
41 5 development-sources ........ >= 2.6.7 ...........................
42 6 gaming-sources ........... >= 2.4.20-r14 ........................
43 7 gentoo-dev-sources ......... >= 2.6.7 ...........................
44 8 gentoo-sources .......... *>= 2.4.19-r17 ........................
45 ......................... *>= 2.4.20-r20 ........................
46 ......................... *>= 2.4.22-r12 ........................
47 .......................... *>= 2.4.25-r5 ........................
48 .......................... >= 2.4.26-r3 .........................
49 9 grsec-sources .......... >= 2.4.26.2.0-r5 .......................
50 10 gs-sources ............. >= 2.4.25_pre7-r7 ......................
51 11 hardened-dev-sources ....... >= 2.6.7 ...........................
52 12 hardened-sources ......... >= 2.4.26-r2 .........................
53 13 hppa-dev-sources ........... >= 2.6.7 ...........................
54 14 hppa-sources ............. >= 2.4.26_p6 .........................
55 15 ia64-sources ............. >= 2.4.24-r5 .........................
56 16 mips-sources ............. >= 2.4.26-r3 .........................
57 17 mm-sources ................ >= 2.6.7-r1 .........................
58 18 openmosix-sources ........ >= 2.4.22-r10 ........................
59 19 pac-sources .............. >= 2.4.23-r8 .........................
60 20 pegasos-dev-sources ........ >= 2.6.7 ...........................
61 21 pegasos-sources .......... >= 2.4.26-r2 .........................
62 22 planet-ccrma-sources ..... >= 2.4.21-r10 ........................
63 23 ppc-sources .............. >= 2.4.26-r2 .........................
64 24 ppc64-sources .............. >= 2.6.7 ...........................
65 25 rsbac-sources ............ >= 2.4.26-r2 .........................
66 26 rsbac-dev-sources ......... >= 2.6.7-r1 .........................
67 27 selinux-sources .......... >= 2.4.26-r2 .........................
68 28 sparc-sources ............ >= 2.4.26-r2 .........................
69 29 uclinux-sources ......... >= 2.4.26_p0-r2 .......................
70 30 usermode-sources ......... *>= 2.4.24-r5 ........................
71 .......................... >= 2.4.26-r2 .........................
72 31 vanilla-sources ........... Vulnerable! .........................
73 32 vserver-sources ....... >= 2.4.26.1.3.9-r2 ......................
74 33 win4lin-sources .......... >= 2.4.26-r2 .........................
75 34 wolk-sources .............. *>= 4.9-r9 ..........................
76 ........................... *>= 4.11-r6 .........................
77 ........................... >= 4.14-r3 ..........................
78 35 xbox-sources ............... >= 2.6.7 ...........................
79 36 xfs-sources .............. >= 2.4.24-r8 .........................
80 -------------------------------------------------------------------
81 NOTE: Some kernels are still vulnerable. Users should migrate to
82 another kernel if one is available or seek another
83 solution such as patching their existing kernel.
84 -------------------------------------------------------------------
85 NOTE: Packages marked with "Remerge" as "YES" require a re-merge
86 even though Portage does not indicate a newer version!
87 -------------------------------------------------------------------
88 36 affected packages on all of their supported architectures.
89 -------------------------------------------------------------------
90
91 Description
92 ===========
93
94 Multiple flaws have been discovered in the Linux kernel. This advisory
95 corrects the following issues:
96
97 * CAN-2004-0109: This vulnerability allows privilege escalation using
98 ISO9660 file systems through a buffer overflow via a malformed file
99 system containing a long symbolic link entry. This can allow
100 arbitrary code execution at kernel level.
101
102 * CAN-2004-0133: The XFS file system in 2.4 series kernels has an
103 information leak by which data in the memory can be written to the
104 device hosting the file system, allowing users to obtain portions of
105 kernel memory by reading the raw block device.
106
107 * CAN-2004-0177: The ext3 file system in 2.4 series kernels does not
108 properly initialize journal descriptor blocks, causing an information
109 leak by which data in the memory can be written to the device hosting
110 the file system, allowing users to obtain portions of kernel memory
111 by reading the raw device.
112
113 * CAN-2004-0181: The JFS file system in 2.4 series kernels has an
114 information leak by which data in the memory can be written to the
115 device hosting the file system, allowing users to obtain portions of
116 kernel memory by reading the raw device.
117
118 * CAN-2004-0178: The OSS Sound Blaster [R] Driver has a Denial of
119 Service vulnerability since it does not handle certain sample sizes
120 properly. This allows local users to hang the kernel.
121
122 * CAN-2004-0228: Due to an integer signedness error in the CPUFreq
123 /proc handler code in 2.6 series Linux kernels, local users can
124 escalate their privileges.
125
126 * CAN-2004-0229: The framebuffer driver in 2.6 series kernel drivers
127 does not use the fb_copy_cmap method of copying structures. The
128 impact of this issue is unknown, however.
129
130 * CAN-2004-0394: A buffer overflow in the panic() function of 2.4
131 series Linux kernels exists, but it may not be exploitable under
132 normal circumstances due to its functionality.
133
134 * CAN-2004-0427: The do_fork() function in both 2.4 and 2.6 series
135 Linux kernels does not properly decrement the mm_count counter when
136 an error occurs, triggering a memory leak that allows local users to
137 cause a Denial of Service by exhausting other applications of memory;
138 causing the kernel to panic or to kill services.
139
140 * CAN-2004-0495: Multiple vulnerabilities found by the Sparse source
141 checker in the kernel allow local users to escalate their privileges
142 or gain access to kernel memory.
143
144 * CAN-2004-0535: The e1000 NIC driver does not properly initialize
145 memory structures before using them, allowing users to read kernel
146 memory.
147
148 * CAN-2004-0554: 2.4 and 2.6 series kernels running on an x86 or an
149 AMD64 architecture allow local users to cause a Denial of Service by
150 a total system hang, due to an infinite loop that triggers a signal
151 handler with a certain sequence of fsave and frstor instructions.
152
153 * Local DoS in PaX: If ASLR is enabled as a GRSecurity PaX feature, a
154 Denial of Service can be achieved by putting the kernel into an
155 infinite loop. Only 2.6 series GRSecurity kernels are affected by
156 this issue.
157
158 * RSBAC 1.2.3 JAIL issues: A flaw in the RSBAC JAIL implementation
159 allows suid/sgid files to be created inside the jail since the
160 relevant module does not check the corresponding mode values. This
161 can allow privilege escalation inside the jail. Only
162 rsbac-(dev-)sources are affected by this issue.
163
164 Impact
165 ======
166
167 Arbitrary code with normal non-super-user privileges may be able to
168 exploit any of these vulnerabilities; gaining kernel level access to
169 memory structures and hardware devices. This may be used for further
170 exploitation of the system, to leak sensitive data or to cause a Denial
171 of Service on the affected kernel.
172
173 Workaround
174 ==========
175
176 Although users may not be affected by certain vulnerabilities, all
177 kernels are affected by the CAN-2004-0394, CAN-2004-0427 and
178 CAN-2004-0554 issues which have no workaround. As a result, all users
179 are urged to upgrade their kernels to patched versions.
180
181 Resolution
182 ==========
183
184 Users are encouraged to upgrade to the latest available sources for
185 their system:
186
187 # emerge sync
188 # emerge -pv your-favorite-sources
189 # emerge your-favorite-sources
190
191 # # Follow usual procedure for compiling and installing a kernel.
192 # # If you use genkernel, run genkernel as you would do normally.
193
194 Availability
195 ============
196
197 This GLSA and any updates to it are available for viewing at
198 the Gentoo Security Website:
199
200 http://security.gentoo.org/glsa/glsa-200407-02.xml
201
202 Concerns?
203 =========
204
205 Security is a primary focus of Gentoo Linux and ensuring the
206 confidentiality and security of our users machines is of utmost
207 importance to us. Any security concerns should be addressed to
208 security@g.o or alternatively, you may file a bug at
209 http://bugs.gentoo.org.
210
211 License
212 =======
213
214 Copyright 2004 Gentoo Technologies, Inc; referenced text
215 belongs to its owner(s).
216
217 The contents of this document are licensed under the
218 Creative Commons - Attribution / Share Alike license.
219
220 http://creativecommons.org/licenses/by-sa/1.0

Attachments

File name MIME type
signature.asc application/pgp-signature