
[linux-security] Several vulnerabilities in Linux kernel



Topic
=====
local root exploits in Linux kernel

Problem Description
===================
There exist several vulnerabilities in the Linux kernel, some of
which can be exploited by local users to obtain root privileges.
In detail:
CAN-2004-0814: Multiple race conditions in the terminal layer in Linux 2.4.x,
and 2.6.x before 2.6.9, allow (1) local users to obtain portions of kernel
data, or (2) remote attackers to cause a denial of service (panic).
CAN-2004-1056: Direct Rendering Manager (DRM) driver in Linux kernel 2.6 does
not properly check the DMA lock, which could allow remote attackers or local
users to cause a denial of service (X Server crash) and possibly modify the
video output.
CAN-2004-0883 and CAN-2004-0949: Multiple vulnerabilities in the samba
filesystem (smbfs) in Linux kernel 2.4 and 2.6 allow remote samba servers to
cause a denial of service (crash) or gain sensitive information from kernel
memory. Furthermore, the smb_recv_trans2 function in the samba filesystem
(smbfs) in Linux kernel 2.4 and 2.6 does not correctly handle the re-assembly
of fragmented packets, which could allow remote samba servers to (1) read
arbitrary kernel information or (2) raise a counter value to an arbitrary
number by sending the first part of the fragmented packet multiple times.
CAN-2004-1070, 1071, 1072, 1073: The binfmt_elf loader (binfmt_elf.c) in
Linux kernel 2.4.x up to 2.4.27, and 2.6.x up to 2.6.8, does not properly
check return values from calls to the kernel_read function, which may allow
local users to modify sensitive memory in a setuid program. Furthermore,
the loader does not properly handle a failed call to the mmap function,
which results in an incorrectly mapped image. It may also create an
interpreter name string that is not NULL terminated, which could cause
strings longer than PATH_MAX to be used, leading to buffer overflows.
Finally, the open_exec function in the execve functionality allows local
users to read non-readable ELF binaries by using the interpreter (PT_INTERP)
functionality. Any of these vulnerabilities can allow the execution of
arbitrary code.
CAN-2004-1074: The binfmt functionality in the Linux kernel, when "memory
overcommit" is enabled, allows local users to cause a denial of service
(kernel oops) via a malformed a.out binary.
CAN-2004-1016: The scm_send function in the scm layer for Linux kernel 2.4.x
up to 2.4.28, and 2.6.x up to 2.6.9, allows local users to cause a denial of
service (system hang) via crafted auxiliary messages that are passed to the
sendmsg function, which causes a deadlock condition.
CAN-2004-1068: A "missing serialization" error in the unix_dgram_recvmsg
function in Linux 2.4.27 and earlier, and 2.6.x up to 2.6.9, allows local
users to gain privileges via a race condition.
CAN-2004-1234: load_elf_binary in Linux before 2.4.26 allows local users to
cause a denial of service (system crash) via an ELF binary in which the
interpreter is NULL.
CAN-2004-1235: Race condition in the (1) load_elf_library and (2) binfmt_aout
function calls for uselib in Linux kernel 2.4 through 2.4.29-rc2 and 2.6
through 2.6.10 allows local users to execute arbitrary code by manipulating
the VMA descriptor.
CAN-2005-0001: Race condition in the page fault handler (fault.c) for Linux
kernel 2.2.x to 2.2.7, 2.4 to 2.4.29-rc1, and 2.6 to 2.6.10, when running on
multiprocessor machines, allows local users to execute arbitrary code via
concurrent threads that share the same virtual memory space and simultaneously
request stack expansion.

Affected Systems
================
All Linux kernel versions 2.4.x with x <= 28 and 2.6.y with y <= 10.

Solution
========
Upgrade to linux-2.4.29 or linux-2.6.11, or to a patched kernel package
for your distribution (see below).
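Before applying the packages listed below, it helps to know whether a host's running kernel is inside the affected range stated above. The following check is an added example, not part of the advisory; it assumes the range given under Affected Systems (2.4.x with x <= 28, 2.6.y with y <= 10) and compares only the upstream major.minor.patch triple, so a distribution kernel that backports the fixes is still reported as affected by version alone.

```sh
#!/bin/sh
# Added example, not part of the advisory: classify a kernel version string
# against the range stated under "Affected Systems" above
# (2.4.x with x <= 28, 2.6.y with y <= 10).
# Only the upstream major.minor.patch triple is compared; distribution suffixes
# such as "-273-default" are dropped, so a vendor kernel that backports the
# fixes (e.g. the 2.4.21-273 SuSE packages below) still reads as "affected"
# by version alone. Use the package versions in the Solution section for those.

# kernel_affected VERSION -> 0 affected, 1 not affected, 2 unparsable
kernel_affected() {
    ver=$1
    # Keep only the leading run of digits and dots ("2.6.8-24.11-smp" -> "2.6.8")
    triple=${ver%%[!0-9.]*}
    case "$triple" in
        [0-9]*.[0-9]*.[0-9]*) ;;          # need major.minor.patch
        *) return 2 ;;
    esac
    major=${triple%%.*}
    rest=${triple#*.}
    minor=${rest%%.*}
    rest=${rest#*.}
    patch=${rest%%.*}
    [ -n "$patch" ] || return 2           # "2.4." style input
    case "$major.$minor" in
        2.4) [ "$patch" -le 28 ] && return 0 ;;
        2.6) [ "$patch" -le 10 ] && return 0 ;;
    esac
    return 1                              # other series, or newer than the range
}

# check_kernel [VERSION]: report on VERSION (default: the running kernel).
# Always returns 0; scripts wanting a status should call kernel_affected.
check_kernel() {
    ver=${1:-$(uname -r)}
    rc=0
    kernel_affected "$ver" || rc=$?
    case $rc in
        0) echo "$ver: inside the affected range, apply the updates below" ;;
        1) echo "$ver: outside the affected range by version number" ;;
        *) echo "$ver: unrecognised kernel version string" ;;
    esac
    return 0
}

check_kernel "$@"
```

Run it without arguments on the host in question, or pass a version string (for example one taken from a package name) to classify it.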

SuSE-8.1
--------
rpm -ivh k_<type>-2.4.21-273.i586.rpm
where <type> is one of deflt, smp, athlon, psmp.

rpm -Fvh kernel-source-2.4.21-273.i586.rpm

SuSE-8.2
--------
rpm -ivh k_<type>-2.4.20.SuSE-129.i586.rpm
where <type> is one of deflt, smp, athlon, psmp.

rpm -Fvh kernel-source-2.4.20.SuSE-129.i586.rpm

SuSE-9.0
--------
rpm -ivh k_<type>-2.4.21-273.i586.rpm
where <type> is one of deflt, smp, athlon.

rpm -Uvh kernel-source-2.4.21-273.i586.rpm

SuSE-9.1
--------
rpm -ivh kernel-<type>-2.6.5-7.145.i586.rpm
where <type> is one of default, smp, bigsmp.

rpm -Fvh kernel-source-2.6.5-7.145.i586.rpm

SuSE-9.2
--------
rpm -ivh kernel-<type>-2.6.8-24.11.i586.rpm
where <type> is one of default, smp, bigsmp, um.

rpm -Fvh kernel-source-2.6.8-24.11.i586.rpm

Fedora 2
--------
rpm -ivh kernel<type>-2.6.10-1.9_FC2.<arch>.rpm
where <type> is either empty or smp and <arch> is either i586 or i686.

rpm -Fvh kernel-sourcecode-2.6.10-1.9_FC2.noarch.rpm \
         kernel-doc-2.6.10-1.9_FC2.noarch.rpm

Fedora 3
--------
rpm -ivh kernel<type>-2.6.10-1.741_FC3.<arch>.rpm
where <type> is either empty or smp and <arch> is either i586 or i686.

rpm -Fvh kernel-doc-2.6.10-1.741_FC3.noarch.rpm

RedHat 7.3
----------
(updates available from ftp.sfu.ca/pub/linux/7.3/RPMS)
rpm -ivh kernel<type>-2.4.20-43.7.<arch>.rpm
where <type> is either empty or one of smp, bigmem and <arch> is one
of i386, i586, i686, or athlon.

rpm -Fvh kernel-source-2.4.20-43.7.i386.rpm \
         kernel-doc-2.4.20-43.7.i386.rpm

Mandrake 9.2
------------
rpm -ivh kernel<type>-2.4.22.41mdk-1-1mdk.i586.rpm
where <type> is either empty or one of enterprise, i686-up-4GB, p3-smp-64GB,
secure or smp.

rpm -Fvh kernel-source-2.4.22-41mdk.i586.rpm

Mandrake 10.0
-------------
There are both 2.4 and 2.6 kernels available.

2.4 kernel:
rpm -ivh kernel<type>-2.4.25.13mdk-1-1mdk.i586.rpm
where <type> is either empty or one of enterprise, i686-up-4GB, p3-smp-64GB,
or smp.

rpm -Fvh kernel-source-2.4.25-13mdk.i586.rpm

2.6 kernel:
rpm -ivh kernel<type>-2.6.3.25mdk-1-1mdk.i586.rpm
where <type> is either empty or one of enterprise, i686-up-4GB, p3-smp-64GB,
secure or smp.

rpm -Fvh module-init-tools-3.0-1.2.1.100mdk.i586.rpm \
         kernel-source-2.4.25-13mdk.i586.rpm \
         kernel-source-stripped-2.6.3-25mdk.i586.rpm

Mandrake 10.1
-------------
There are both 2.4 and 2.6 kernels available.

2.4 kernel:
rpm -ivh kernel<type>-2.4.28.0.rc1.5mdk-1-1mdk.i586.rpm
where <type> is either empty or one of enterprise, i586-up-1GB or smp.

rpm -Fvh kernel-source-2.4-2.4.28-0.rc1.5mdk.i586.rpm

2.6 kernel:
rpm -ivh kernel<type>-2.6.8.1.24mdk-1-1mdk.i586.rpm
where <type> is either empty or one of enterprise, i586-up-1GB, i686-up-64GB,
secure or smp.

rpm -Fvh kernel-source-2.6-2.6.8.1-24mdk.i586.rpm \
         kernel-source-stripped-2.6-2.6.8.1-24mdk.i586.rpm

Debian
------
Updated kernel packages do not seem to be available yet.