[gentoo-announce] GLSA: kernel (200312-02) - gentoo-announce

From:	Rajiv Aaron Manglani <rajiv@g.o>
To:	gentoo-announce@g.o
Subject:	[gentoo-announce] GLSA: kernel (200312-02)
Date:	Thu, 04 Dec 2003 14:24:23
Message-Id:	`a05210606bbf5464f25aa@[10.96.0.12]`

1

-----BEGIN PGP SIGNED MESSAGE-----

2

Hash: SHA1

3

4

5

- --------------------------------------------------------------------------

6

GENTOO LINUX SECURITY ANNOUNCEMENT 200312-02

7

- --------------------------------------------------------------------------

8

9

GLSA:        200312-02

10

package:     kernel

11

summary:     A flaw in the do_brk() function of Linux kernel 2.4.22

12

                and earlier can be exploited by local users or malicious

13

                services to gain root privileges.

14

severity:    high

15

Gentoo bug:  34844

16

date:        2003-12-04

17

CVE:         CAN-2003-0961

18

exploit:     local

19

affected:    <2.4.22

20

fixed:       >=2.4.23

21

fixed:       >=2.4.22+patches

22

23

24

DESCRIPTION:

25

26

Lack of proper bounds checking exists in the do_brk() kernel function in

27

Linux kernels prior to 2.4.23. This bug can be used to give a userland

28

program or malicious service access to the full kernel address space and

29

gain root privileges. This issue is known to be exploitable.

30

31

All kernel ebuilds in Portage have been bumped or patched and do not contain

32

this vulnerability. The following is a list of recommended kernels.

33

34

        aa-sources-2.4.23_pre6-r3

35

        ck-sources-2.4.22-r3

36

        gentoo-sources-2.4.20-r9

37

        gentoo-sources-2.4.22-r1

38

        grsec-sources-2.4.22.1.9.12-r1

39

        grsec-sources-2.4.22.2.0_rc3-r1

40

        gs-sources-2.4.23_pre8-r1

41

        hardened-sources-2.4.22-r1

42

        hardened-sources-2.4.22-r1

43

        ia64-sources-2.4.22-r1

44

        mips-sources-2.4.22-r4

45

        mips-sources-2.4.22-r5

46

        openmosix-sources-2.4.22-r1

47

        ppc-sources-2.4.22-r3

48

        ppc-sources-benh-2.4.20-r9

49

        ppc-sources-benh-2.4.21-r2

50

        ppc-sources-benh-2.4.22-r3

51

        ppc-sources-crypto-2.4.20-r1

52

        selinux-sources-2.4.21-r5

53

        sparc-sources-2.4.23

54

        usermode-sources-2.4.22-r1

55

        wolk-sources-4.10_pre7-r1

56

        wolk-sources-4.9-r2

57

        xfs-sources-2.4.20-r4

58

59

60

SOLUTION:

61

62

It is recommended that all Gentoo Linux users upgrade their machines to use

63

a kernel from the list above.

64

65

        emerge sync

66

        emerge -pv [your preferred kernel sources]

67

        emerge [your preferred kernel sources]

68

        [update the /usr/src/linux symlink]

69

        [compile and install your new kernel]

70

        [emerge any necessary kernel module ebuilds]

71

        [reboot]

72

73

74

// end

75

76

-----BEGIN PGP SIGNATURE-----

77

Version: GnuPG v1.2.3 (Darwin)

78

79

iD8DBQE/z5Wynt0v0zAqOHYRAujmAKCsOXthCcWiGvTWThjozzsjlW4q3gCdGqLI

80

FWseBXkoN6qBg6u30yPVCLw=

81

=V/8J

82

-----END PGP SIGNATURE-----

1	-----BEGIN PGP SIGNED MESSAGE-----
2	Hash: SHA1
3
4
5	- --------------------------------------------------------------------------
6	GENTOO LINUX SECURITY ANNOUNCEMENT 200312-02
7	- --------------------------------------------------------------------------
8
9	GLSA: 200312-02
10	package: kernel
11	summary: A flaw in the do_brk() function of Linux kernel 2.4.22
12	and earlier can be exploited by local users or malicious
13	services to gain root privileges.
14	severity: high
15	Gentoo bug: 34844
16	date: 2003-12-04
17	CVE: CAN-2003-0961
18	exploit: local
19	affected: <2.4.22
20	fixed: >=2.4.23
21	fixed: >=2.4.22+patches
22
23
24	DESCRIPTION:
25
26	Lack of proper bounds checking exists in the do_brk() kernel function in
27	Linux kernels prior to 2.4.23. This bug can be used to give a userland
28	program or malicious service access to the full kernel address space and
29	gain root privileges. This issue is known to be exploitable.
30
31	All kernel ebuilds in Portage have been bumped or patched and do not contain
32	this vulnerability. The following is a list of recommended kernels.
33
34	aa-sources-2.4.23_pre6-r3
35	ck-sources-2.4.22-r3
36	gentoo-sources-2.4.20-r9
37	gentoo-sources-2.4.22-r1
38	grsec-sources-2.4.22.1.9.12-r1
39	grsec-sources-2.4.22.2.0_rc3-r1
40	gs-sources-2.4.23_pre8-r1
41	hardened-sources-2.4.22-r1
42	hardened-sources-2.4.22-r1
43	ia64-sources-2.4.22-r1
44	mips-sources-2.4.22-r4
45	mips-sources-2.4.22-r5
46	openmosix-sources-2.4.22-r1
47	ppc-sources-2.4.22-r3
48	ppc-sources-benh-2.4.20-r9
49	ppc-sources-benh-2.4.21-r2
50	ppc-sources-benh-2.4.22-r3
51	ppc-sources-crypto-2.4.20-r1
52	selinux-sources-2.4.21-r5
53	sparc-sources-2.4.23
54	usermode-sources-2.4.22-r1
55	wolk-sources-4.10_pre7-r1
56	wolk-sources-4.9-r2
57	xfs-sources-2.4.20-r4
58
59
60	SOLUTION:
61
62	It is recommended that all Gentoo Linux users upgrade their machines to use
63	a kernel from the list above.
64
65	emerge sync
66	emerge -pv [your preferred kernel sources]
67	emerge [your preferred kernel sources]
68	[update the /usr/src/linux symlink]
69	[compile and install your new kernel]
70	[emerge any necessary kernel module ebuilds]
71	[reboot]
72
73
74	// end
75
76	-----BEGIN PGP SIGNATURE-----
77	Version: GnuPG v1.2.3 (Darwin)
78
79	iD8DBQE/z5Wynt0v0zAqOHYRAujmAKCsOXthCcWiGvTWThjozzsjlW4q3gCdGqLI
80	FWseBXkoN6qBg6u30yPVCLw=
81	=V/8J
82	-----END PGP SIGNATURE-----

Gentoo Archives: gentoo-announce