The open_exec function in the execve functionality (exec.c) in Linux kernel 2.4.x up to 2.4.27, and 2.6.x up to 2.6.8, allows local users to read non-readable ELF binaries by using the interpreter (PT_INTERP) functionality.

Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2004-0427     A local denial of service vulnerability in do_fork() has     been found.

  - CVE-2005-0489     A local denial of service vulnerability in proc memory     handling has been found.

  - CVE-2004-0394     A buffer overflow in the panic handling code has been     found.

  - CVE-2004-0447     A local denial of service vulnerability through a NULL     pointer dereference in the IA64 process handling code     has been found.

  - CVE-2004-0554     A local denial of service vulnerability through an     infinite loop in the signal handler code has been found.

  - CVE-2004-0565     An information leak in the context switch code has been     found on the IA64 architecture.

  - CVE-2004-0685     Unsafe use of copy_to_user in USB drivers may disclose     sensitive information.

  - CVE-2005-0001     A race condition in the i386 page fault handler may     allow privilege escalation.

  - CVE-2004-0883     Multiple vulnerabilities in the SMB filesystem code may     allow denial of service or information disclosure.

  - CVE-2004-0949     An information leak discovered in the SMB filesystem     code.

  - CVE-2004-1016     A local denial of service vulnerability has been found     in the SCM layer.

  - CVE-2004-1333     An integer overflow in the terminal code may allow a     local denial of service vulnerability.

  - CVE-2004-0997     A local privilege escalation in the MIPS assembly code     has been found.

  - CVE-2004-1335     A memory leak in the ip_options_get() function may lead     to denial of service.

  - CVE-2004-1017     Multiple overflows exist in the io_edgeport driver which     might be usable as a denial of service attack vector.

  - CVE-2005-0124     Bryan Fulton reported a bounds checking bug in the     coda_pioctl function which may allow local users to     execute arbitrary code or trigger a denial of service     attack.

  - CVE-2003-0984     Inproper initialization of the RTC may disclose     information.

  - CVE-2004-1070     Insufficient input sanitising in the load_elf_binary()     function may lead to privilege escalation.

  - CVE-2004-1071     Incorrect error handling in the binfmt_elf loader may     lead to privilege escalation.

  - CVE-2004-1072     A buffer overflow in the binfmt_elf loader may lead to     privilege escalation or denial of service.

  - CVE-2004-1073     The open_exec function may disclose information.

  - CVE-2004-1074     The binfmt code is vulnerable to denial of service     through malformed a.out binaries.

  - CVE-2004-0138     A denial of service vulnerability in the ELF loader has     been found.

  - CVE-2004-1068     A programming error in the unix_dgram_recvmsg() function     may lead to privilege escalation.

  - CVE-2004-1234     The ELF loader is vulnerable to denial of service     through malformed binaries.

  - CVE-2005-0003     Crafted ELF binaries may lead to privilege escalation,     due to insufficient checking of overlapping memory     regions.

  - CVE-2004-1235     A race condition in the load_elf_library() and     binfmt_aout() functions may allow privilege escalation.

  - CVE-2005-0504     An integer overflow in the Moxa driver may lead to     privilege escalation.

  - CVE-2005-0384     A remote denial of service vulnerability has been found     in the PPP driver.

  - CVE-2005-0135     An IA64 specific local denial of service vulnerability     has been found in the unw_unwind_to_user() function.

The following matrix explains which kernel version for which architecture fixes the problems mentioned above :

                                Debian 3.1 (sarge)              Source                        2.4.17-1woody4                  HP Precision architecture     32.5                            Intel IA-64 architecture      011226.18                       IBM S/390 architecture/image  2.4.17-2.woody.5                IBM S/390 architecture/patch  0.0.20020816-0.woody.4          PowerPC architecture (apus)   2.4.17-6                        MIPS architecture             2.4.17-0.020226.2.woody7

Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2004-0427     A local denial of service vulnerability in do_fork() has     been found.

  - CVE-2005-0489     A local denial of service vulnerability in proc memory     handling has been found.

  - CVE-2004-0394     A buffer overflow in the panic handling code has been     found.

  - CVE-2004-0447     A local denial of service vulnerability through a NULL     pointer dereference in the IA64 process handling code     has been found.

  - CVE-2004-0554     A local denial of service vulnerability through an     infinite loop in the signal handler code has been found.

  - CVE-2004-0565     An information leak in the context switch code has been     found on the IA64 architecture.

  - CVE-2004-0685     Unsafe use of copy_to_user in USB drivers may disclose     sensitive information.

  - CVE-2005-0001     A race condition in the i386 page fault handler may     allow privilege escalation.

  - CVE-2004-0883     Multiple vulnerabilities in the SMB filesystem code may     allow denial of service or information disclosure.

  - CVE-2004-0949     An information leak discovered in the SMB filesystem     code.

  - CVE-2004-1016     A local denial of service vulnerability has been found     in the SCM layer.

  - CVE-2004-1333     An integer overflow in the terminal code may allow a     local denial of service vulnerability.

  - CVE-2004-0997     A local privilege escalation in the MIPS assembly code     has been found.

  - CVE-2004-1335     A memory leak in the ip_options_get() function may lead     to denial of service.

  - CVE-2004-1017     Multiple overflows exist in the io_edgeport driver which     might be usable as a denial of service attack vector.

  - CVE-2005-0124     Bryan Fulton reported a bounds checking bug in the     coda_pioctl function which may allow local users to     execute arbitrary code or trigger a denial of service     attack.

  - CVE-2003-0984     Inproper initialization of the RTC may disclose     information.

  - CVE-2004-1070     Insufficient input sanitising in the load_elf_binary()     function may lead to privilege escalation.

  - CVE-2004-1071     Incorrect error handling in the binfmt_elf loader may     lead to privilege escalation.

  - CVE-2004-1072     A buffer overflow in the binfmt_elf loader may lead to     privilege escalation or denial of service.

  - CVE-2004-1073     The open_exec function may disclose information.

  - CVE-2004-1074     The binfmt code is vulnerable to denial of service     through malformed a.out binaries.

  - CVE-2004-0138     A denial of service vulnerability in the ELF loader has     been found.

  - CVE-2004-1068     A programming error in the unix_dgram_recvmsg() function     may lead to privilege escalation.

  - CVE-2004-1234     The ELF loader is vulnerable to denial of service     through malformed binaries.

  - CVE-2005-0003     Crafted ELF binaries may lead to privilege escalation,     due to insufficient checking of overlapping memory     regions.

  - CVE-2004-1235     A race condition in the load_elf_library() and     binfmt_aout() functions may allow privilege escalation.

  - CVE-2005-0504     An integer overflow in the Moxa driver may lead to     privilege escalation.

  - CVE-2005-0384     A remote denial of service vulnerability has been found     in the PPP driver.

  - CVE-2005-0135     An IA64 specific local denial of service vulnerability     has been found in the unw_unwind_to_user() function.

The following matrix explains which kernel version for which architecture fixes the problems mentioned above :

                                   Debian 3.0 (woody)                 Source                           2.4.19-4                           Sun Sparc architecture           26woody1                           Little endian MIPS architecture  0.020911.1.woody5

Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2004-0427     A local denial of service vulnerability in do_fork() has     been found.

  - CVE-2005-0489     A local denial of service vulnerability in proc memory     handling has been found.

  - CVE-2004-0394     A buffer overflow in the panic handling code has been     found.

  - CVE-2004-0447     A local denial of service vulnerability through a NULL     pointer dereference in the IA64 process handling code     has been found.

  - CVE-2004-0554     A local denial of service vulnerability through an     infinite loop in the signal handler code has been found.

  - CVE-2004-0565     An information leak in the context switch code has been     found on the IA64 architecture.

  - CVE-2004-0685     Unsafe use of copy_to_user in USB drivers may disclose     sensitive information.

  - CVE-2005-0001     A race condition in the i386 page fault handler may     allow privilege escalation.

  - CVE-2004-0883     Multiple vulnerabilities in the SMB filesystem code may     allow denial of service or information disclosure.

  - CVE-2004-0949     An information leak discovered in the SMB filesystem     code.

  - CVE-2004-1016     A local denial of service vulnerability has been found     in the SCM layer.

  - CVE-2004-1333     An integer overflow in the terminal code may allow a     local denial of service vulnerability.

  - CVE-2004-0997     A local privilege escalation in the MIPS assembly code     has been found.

  - CVE-2004-1335     A memory leak in the ip_options_get() function may lead     to denial of service.

  - CVE-2004-1017     Multiple overflows exist in the io_edgeport driver which     might be usable as a denial of service attack vector.

  - CVE-2005-0124     Bryan Fulton reported a bounds checking bug in the     coda_pioctl function which may allow local users to     execute arbitrary code or trigger a denial of service     attack.

  - CVE-2003-0984     Inproper initialization of the RTC may disclose     information.

  - CVE-2004-1070     Insufficient input sanitising in the load_elf_binary()     function may lead to privilege escalation.

  - CVE-2004-1071     Incorrect error handling in the binfmt_elf loader may     lead to privilege escalation.

  - CVE-2004-1072     A buffer overflow in the binfmt_elf loader may lead to     privilege escalation or denial of service.

  - CVE-2004-1073     The open_exec function may disclose information.

  - CVE-2004-1074     The binfmt code is vulnerable to denial of service     through malformed a.out binaries.

  - CVE-2004-0138     A denial of service vulnerability in the ELF loader has     been found.

  - CVE-2004-1068     A programming error in the unix_dgram_recvmsg() function     may lead to privilege escalation.

  - CVE-2004-1234     The ELF loader is vulnerable to denial of service     through malformed binaries.

  - CVE-2005-0003     Crafted ELF binaries may lead to privilege escalation,     due to insufficient checking of overlapping memory     regions.

  - CVE-2004-1235     A race condition in the load_elf_library() and     binfmt_aout() functions may allow privilege escalation.

  - CVE-2005-0504     An integer overflow in the Moxa driver may lead to     privilege escalation.

  - CVE-2005-0384     A remote denial of service vulnerability has been found     in the PPP driver.

  - CVE-2005-0135     An IA64 specific local denial of service vulnerability     has been found in the unw_unwind_to_user() function.

The following matrix explains which kernel version for which architecture fixes the problems mentioned above :

                                   Debian 3.0 (woody)                 Source                           2.4.18-14.4                        Alpha architecture               2.4.18-15woody1                    Intel IA-32 architecture         2.4.18-13.2                        HP Precision architecture        62.4                               PowerPC architecture             2.4.18-1woody6                     PowerPC architecture/XFS         20020329woody1                     PowerPC architecture/benh        20020304woody1                     Sun Sparc architecture           22woody1

Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2004-0427     A local denial of service vulnerability in do_fork() has     been found.

  - CVE-2005-0489     A local denial of service vulnerability in proc memory     handling has been found.

  - CVE-2004-0394     A buffer overflow in the panic handling code has been     found.

  - CVE-2004-0447     A local denial of service vulnerability through a NULL     pointer dereference in the IA64 process handling code     has been found.

  - CVE-2004-0554     A local denial of service vulnerability through an     infinite loop in the signal handler code has been found.

  - CVE-2004-0565     An information leak in the context switch code has been     found on the IA64 architecture.

  - CVE-2004-0685     Unsafe use of copy_to_user in USB drivers may disclose     sensitive information.

  - CVE-2005-0001     A race condition in the i386 page fault handler may     allow privilege escalation.

  - CVE-2004-0883     Multiple vulnerabilities in the SMB filesystem code may     allow denial of service or information disclosure.

  - CVE-2004-0949     An information leak discovered in the SMB filesystem     code.

  - CVE-2004-1016     A local denial of service vulnerability has been found     in the SCM layer.

  - CVE-2004-1333     An integer overflow in the terminal code may allow a     local denial of service vulnerability.

  - CVE-2004-0997     A local privilege escalation in the MIPS assembly code     has been found.

  - CVE-2004-1335     A memory leak in the ip_options_get() function may lead     to denial of service.

  - CVE-2004-1017     Multiple overflows exist in the io_edgeport driver which     might be usable as a denial of service attack vector.

  - CVE-2005-0124     Bryan Fulton reported a bounds checking bug in the     coda_pioctl function which may allow local users to     execute arbitrary code or trigger a denial of service     attack.

  - CVE-2003-0984     Inproper initialization of the RTC may disclose     information.

  - CVE-2004-1070     Insufficient input sanitising in the load_elf_binary()     function may lead to privilege escalation.

  - CVE-2004-1071     Incorrect error handling in the binfmt_elf loader may     lead to privilege escalation.

  - CVE-2004-1072     A buffer overflow in the binfmt_elf loader may lead to     privilege escalation or denial of service.

  - CVE-2004-1073     The open_exec function may disclose information.

  - CVE-2004-1074     The binfmt code is vulnerable to denial of service     through malformed a.out binaries.

  - CVE-2004-0138     A denial of service vulnerability in the ELF loader has     been found.

  - CVE-2004-1068     A programming error in the unix_dgram_recvmsg() function     may lead to privilege escalation.

  - CVE-2004-1234     The ELF loader is vulnerable to denial of service     through malformed binaries.

  - CVE-2005-0003     Crafted ELF binaries may lead to privilege escalation,     due to insufficient checking of overlapping memory     regions.

  - CVE-2004-1235     A race condition in the load_elf_library() and     binfmt_aout() functions may allow privilege escalation.

  - CVE-2005-0504     An integer overflow in the Moxa driver may lead to     privilege escalation.

  - CVE-2005-0384     A remote denial of service vulnerability has been found     in the PPP driver.

  - CVE-2005-0135     An IA64 specific local denial of service vulnerability     has been found in the unw_unwind_to_user() function.

The following matrix explains which kernel version for which architecture fixes the problems mentioned above :

                               Debian 3.0 (woody)             Source                       2.4.16-1woody2                 arm/lart                     20040419woody1                 arm/netwinder                20040419woody1                 arm/riscpc                   20040419woody1

Updated kernel packages that fix several security issues in the Red Hat Enterprise Linux 3 kernel are now available.

This security advisory has been rated as having important security impact by the Red Hat Security Response Team.

The Linux kernel handles the basic functions of the operating system.

The following security issues were fixed :

The Vicam USB driver did not use the copy_from_user function to access userspace, crossing security boundaries. (CVE-2004-0075)

The ext3 and jfs code did not properly initialize journal descriptor blocks. A privileged local user could read portions of kernel memory.
(CVE-2004-0177)

The terminal layer did not properly lock line discipline changes or pending IO. An unprivileged local user could read portions of kernel memory, or cause a denial of service (system crash). (CVE-2004-0814)

A race condition was discovered. Local users could use this flaw to read the environment variables of another process that is still spawning via /proc/.../cmdline. (CVE-2004-1058)

A flaw in the execve() syscall handling was discovered, allowing a local user to read setuid ELF binaries that should otherwise be protected by standard permissions. (CVE-2004-1073). Red Hat originally reported this as being fixed by RHSA-2004:549, but the associated fix was missing from that update.

Keith Owens reported a flaw in the Itanium unw_unwind_to_user() function. A local user could use this flaw to cause a denial of service (system crash) on the Itanium architecture. (CVE-2005-0135)

A missing Itanium syscall table entry could allow an unprivileged local user to cause a denial of service (system crash) on the Itanium architecture. (CVE-2005-0137)

A flaw affecting the OUTS instruction on the AMD64 and Intel EM64T architectures was discovered. A local user could use this flaw to access privileged IO ports. (CVE-2005-0204)

A flaw was discovered in the Linux PPP driver. On systems allowing remote users to connect to a server using ppp, a remote client could cause a denial of service (system crash). (CVE-2005-0384)

A flaw in the Red Hat backport of NPTL to Red Hat Enterprise Linux 3 was discovered that left a pointer to a freed tty structure. A local user could potentially use this flaw to cause a denial of service (system crash) or possibly gain read or write access to ttys that should normally be prevented. (CVE-2005-0403)

A flaw in fragment queuing was discovered affecting the netfilter subsystem. On systems configured to filter or process network packets (for example those configured to do firewalling), a remote attacker could send a carefully crafted set of fragmented packets to a machine and cause a denial of service (system crash). In order to sucessfully exploit this flaw, the attacker would need to know (or guess) some aspects of the firewall ruleset in place on the target system to be able to craft the right fragmented packets. (CVE-2005-0449)

Missing validation of an epoll_wait() system call parameter could allow a local user to cause a denial of service (system crash) on the IBM S/390 and zSeries architectures. (CVE-2005-0736)

A flaw when freeing a pointer in load_elf_library was discovered. A local user could potentially use this flaw to cause a denial of service (system crash). (CVE-2005-0749)

A flaw was discovered in the bluetooth driver system. On system where the bluetooth modules are loaded, a local user could use this flaw to gain elevated (root) privileges. (CVE-2005-0750)

In addition to the security issues listed above, there was an important fix made to the handling of the msync() system call for a particular case in which the call could return without queuing modified mmap()'ed data for file system update. (BZ 147969)

Note: The kernel-unsupported package contains various drivers and modules that are unsupported and therefore might contain security problems that have not been addressed.

Red Hat Enterprise Linux 3 users are advised to upgrade their kernels to the packages associated with their machine architectures/configurations

Please note that the fix for CVE-2005-0449 required changing the external symbol linkages (kernel module ABI) for the ip_defrag() and ip_ct_gather_frags() functions. Any third-party module using either of these would also need to be fixed.

Updated kernel packages that fix a number of security issues as well as other bugs are now available for Red Hat Enterprise Linux 2.1 (32 bit architectures)

This security advisory has been rated as having important security impact by the Red Hat Security Response Team.

The Linux kernel handles the basic functions of the operating system.

These new kernel packages contain fixes for the security issues described below :

  - a flaw in network IGMP processing that a allowed a     remote user on the local network to cause a denial of     service (disabling of multicast reports) if the system     is running multicast applications (CVE-2002-2185,     moderate)

  - a race condition that allowed local users to read the     environment variables of another process (CVE-2004-1058,     low)

  - a flaw in the open_exec function of execve that allowed     a local user to read setuid ELF binaries that should     otherwise be protected by standard permissions.
    (CVE-2004-1073, moderate). Red Hat originally reported     this flaw as being fixed by RHSA-2004:504, but a patch     for this issue was missing from that update.

  - a flaw in the coda module that allowed a local user to     cause a denial of service (crash) or possibly gain     privileges (CVE-2005-0124, moderate)

  - a potential leak of kernel data from ext2 file system     handling (CVE-2005-0400, low)

  - flaws in ISO-9660 file system handling that allowed the     mounting of an invalid image on a CD-ROM to cause a     denial of service (crash) or potentially execute     arbitrary code (CVE-2005-0815, moderate)

  - a flaw in gzip/zlib handling internal to the kernel that     may allow a local user to cause a denial of service     (crash) (CVE-2005-2458, low)

  - a flaw in procfs handling during unloading of modules     that allowed a local user to cause a denial of service     or potentially gain privileges (CVE-2005-2709, moderate)

  - a flaw in IPv6 network UDP port hash table lookups that     allowed a local user to cause a denial of service (hang)     (CVE-2005-2973, important)

  - a network buffer info leak using the orinoco driver that     allowed a remote user to possibly view uninitialized     data (CVE-2005-3180, important)

  - a flaw in IPv4 network TCP and UDP netfilter handling     that allowed a local user to cause a denial of service     (crash) (CVE-2005-3275, important)

  - a flaw in the IPv6 flowlabel code that allowed a local     user to cause a denial of service (crash)     (CVE-2005-3806, important)

The following bugs were also addressed :

  - Handle set_brk() errors in binfmt_elf/aout

  - Correct error handling in shmem_ioctl

  - Correct scsi error return

  - Fix netdump time keeping bug

  - Fix netdump link-down freeze

  - Fix FAT fs deadlock

All Red Hat Enterprise Linux 2.1 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum.

A number of vulnerabilities are fixed in the 2.4 and 2.6 kernels with this advisory :

  - Multiple race conditions in the terminal layer of 2.4     and 2.6 kernels (prior to 2.6.9) can allow a local     attacker to obtain portions of kernel data or allow     remote attackers to cause a kernel panic by switching     from console to PPP line discipline, then quickly     sending data that is received during the switch     (CVE-2004-0814)

  - Richard Hart found an integer underflow problem in the     iptables firewall logging rules that can allow a remote     attacker to crash the machine by using a specially     crafted IP packet. This is only possible, however, if     firewalling is enabled. The problem only affects 2.6     kernels and was fixed upstream in 2.6.8 (CVE-2004-0816)

  - Stefan Esser found several remote DoS confitions in the     smbfs file system. This could be exploited by a hostile     SMB server (or an attacker injecting packets into the     network) to crash the client systems (CVE-2004-0883 and     CVE-2004-0949)

  - Paul Starzetz and Georgi Guninski reported,     independently, that bad argument handling and bad     integer arithmetics in the IPv4 sendmsg handling of     control messages could lead to a local attacker crashing     the machine. The fixes were done by Herbert Xu     (CVE-2004-1016)

  - Rob Landley discovered a race condition in the handling     of /proc/.../cmdline where, under rare circumstances, a     user could read the environment variables of another     process that was still spawning leading to the potential     disclosure of sensitive information such as passwords     (CVE-2004-1058)

  - Paul Starzetz reported that the missing serialization in     unix_dgram_recvmsg() which was added to kernel 2.4.28     can be used by a local attacker to gain elevated (root)     privileges (CVE-2004-1068)

  - Ross Kendall Axe discovered a possible kernel panic     (DoS) while sending AF_UNIX network packets if certain     SELinux-related kernel options were enabled. By default     the CONFIG_SECURITY_NETWORK and CONFIG_SECURITY_SELINUX     options are not enabled (CVE-2004-1069)

  - Paul Starzetz of isec.pl discovered several issues with     the error handling of the ELF loader routines in the     kernel. The fixes were provided by Chris Wright     (CVE-2004-1070, CVE-2004-1071, CVE-2004-1072,     CVE-2004-1073)

  - It was discovered that hand-crafted a.out binaries could     be used to trigger a local DoS condition in both the 2.4     and 2.6 kernels. The fixes were done by Chris Wright     (CVE-2004-1074)

  - Paul Starzetz found bad handling in the IGMP code which     could lead to a local attacker being able to crash the     machine. The fix was done by Chris Wright     (CVE-2004-1137)

  - Jeremy Fitzhardinge discovered two buffer overflows in     the sys32_ni_syscall() and sys32_vm86_warning()     functions that could be used to overwrite kernel memory     with attacker-supplied code resulting in privilege     escalation (CVE-2004-1151)

  - Paul Starzetz found locally exploitable flaws in the     binary format loader's uselib() function that could be     abused to allow a local user to obtain root privileges     (CVE-2004-1235)

  - Paul Starzetz found an exploitable flaw in the page     fault handler when running on SMP machines     (CVE-2005-0001)

  - A vulnerability in insert_vm_struct could allow a locla     user to trigger BUG() when the user created a large vma     that overlapped with arg pages during exec     (CVE-2005-0003)

  - Paul Starzetz also found a number of vulnerabilities in     the kernel binfmt_elf loader that could lead a local     user to obtain elevated (root) privileges     (isec-0017-binfmt_elf)

The provided packages are patched to fix these vulnerabilities. All users are encouraged to upgrade to these updated kernels.

To update your kernel, please follow the directions located at :

http://www.mandrakesoft.com/security/kernelupdate

PLEASE NOTE: Mandrakelinux 10.0 users will need to upgrade to the latest module-init-tools package prior to upgrading their kernel.
Likewise, MNF8.2 users will need to upgrade to the latest modutils package prior to upgrading their kernel.

Updated kernel packages are now available as part of ongoing support and maintenance of Red Hat Enterprise Linux version 2.1. This is the sixth regular update.

The Linux kernel handles the basic functions of the operating system.

This is the sixth regular kernel update to Red Hat Enterprise Linux version 2.1. It updates a number of device drivers, and adds much improved SATA support.

This update includes fixes for several security issues :

Paul Starzetz of iSEC discovered various flaws in the ELF binary loader affecting kernels prior to 2.4.28. A local user could use these flaws to gain read access to executable-only binaries or possibly gain privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2004-1070, CVE-2004-1071, CVE-2004-1072, and CVE-2004-1073 to these issues.

A missing serialization flaw in unix_dgram_recvmsg was discovered that affects kernels prior to 2.4.28. A local user could potentially make use of a race condition in order to gain privileges. (CVE-2004-1068)

Stefan Esser discovered various flaws including buffer overflows in the smbfs driver affecting kernels before 2.4.28. A local user may be able to cause a denial of service (crash) or possibly gain privileges.
In order to exploit these flaws the user would need to have control of a connected smb server. (CVE-2004-0883, CVE-2004-0949)

Conectiva discovered flaws in certain USB drivers affecting kernels before 2.4.27 which used the copy_to_user function on uninitialized structures. These flaws could allow local users to read small amounts of kernel memory. (CVE-2004-0685)

The ext3 code in kernels before 2.4.26 did not properly initialize journal descriptor blocks. A privileged local user could read portions of kernel memory. (CVE-2004-0177)

The following drivers have also been updated :

* tg3 v3.10 * e1000 v5.3.19-k2 * e100 v3.0.27-k2 * megaraid * megaraid2 v2.10.8.2

All Red Hat Enterprise Linux 2.1 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum.

Updated kernel packages that fix several security issues in Red Hat Enterprise Linux 3 are now available.

The Linux kernel handles the basic functions of the operating system.

This update includes fixes for several security issues :

A missing serialization flaw in unix_dgram_recvmsg was discovered that affects kernels prior to 2.4.28. A local user could potentially make use of a race condition in order to gain privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-1068 to this issue.

Paul Starzetz of iSEC discovered various flaws in the ELF binary loader affecting kernels prior to 2.4.28. A local user could use thse flaws to gain read access to executable-only binaries or possibly gain privileges. (CVE-2004-1070, CVE-2004-1071, CVE-2004-1072, CVE-2004-1073)

A flaw when setting up TSS limits was discovered that affects AMD AMD64 and Intel EM64T architecture kernels prior to 2.4.23. A local user could use this flaw to cause a denial of service (crash) or possibly gain privileges. (CVE-2004-0812)

An integer overflow flaw was discovered in the ubsec_keysetup function in the Broadcom 5820 cryptonet driver. On systems using this driver, a local user could cause a denial of service (crash) or possibly gain elevated privileges. (CVE-2004-0619)

Stefan Esser discovered various flaws including buffer overflows in the smbfs driver affecting kernels prior to 2.4.28. A local user may be able to cause a denial of service (crash) or possibly gain privileges. In order to exploit these flaws the user would require control of a connected Samba server. (CVE-2004-0883, CVE-2004-0949)

SGI discovered a bug in the elf loader that affects kernels prior to 2.4.25 which could be triggered by a malformed binary. On architectures other than x86, a local user could create a malicious binary which could cause a denial of service (crash). (CVE-2004-0136)

Conectiva discovered flaws in certain USB drivers affecting kernels prior to 2.4.27 which used the copy_to_user function on uninitialized structures. These flaws could allow local users to read small amounts of kernel memory. (CVE-2004-0685)

All Red Hat Enterprise Linux 3 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum.

Updated kernel packages that fix several security issues in the Red
Hat Enterprise Linux 3 kernel are now available.

This security advisory has been rated as having important security
impact by the Red Hat Security Response Team.

The Linux kernel handles the basic functions of the operating system.

The following security issues were fixed :

The Vicam USB driver did not use the copy_from_user function to access
userspace, crossing security boundaries. (CVE-2004-0075)

The ext3 and jfs code did not properly initialize journal descriptor
blocks. A privileged local user could read portions of kernel memory.
(CVE-2004-0177)

The terminal layer did not properly lock line discipline changes or
pending IO. An unprivileged local user could read portions of kernel
memory, or cause a denial of service (system crash). (CVE-2004-0814)

A race condition was discovered. Local users could use this flaw to
read the environment variables of another process that is still
spawning via /proc/.../cmdline. (CVE-2004-1058)

A flaw in the execve() syscall handling was discovered, allowing a
local user to read setuid ELF binaries that should otherwise be
protected by standard permissions. (CVE-2004-1073). Red Hat originally
reported this as being fixed by RHSA-2004:549, but the associated fix
was missing from that update.

Keith Owens reported a flaw in the Itanium unw_unwind_to_user()
function. A local user could use this flaw to cause a denial of
service (system crash) on the Itanium architecture. (CVE-2005-0135)

A missing Itanium syscall table entry could allow an unprivileged
local user to cause a denial of service (system crash) on the Itanium
architecture. (CVE-2005-0137)

A flaw affecting the OUTS instruction on the AMD64 and Intel EM64T
architectures was discovered. A local user could use this flaw to
access privileged IO ports. (CVE-2005-0204)

A flaw was discovered in the Linux PPP driver. On systems allowing
remote users to connect to a server using ppp, a remote client could
cause a denial of service (system crash). (CVE-2005-0384)

A flaw in the Red Hat backport of NPTL to Red Hat Enterprise Linux 3
was discovered that left a pointer to a freed tty structure. A local
user could potentially use this flaw to cause a denial of service
(system crash) or possibly gain read or write access to ttys that
should normally be prevented. (CVE-2005-0403)

A flaw in fragment queuing was discovered affecting the netfilter
subsystem. On systems configured to filter or process network packets
(for example those configured to do firewalling), a remote attacker
could send a carefully crafted set of fragmented packets to a machine
and cause a denial of service (system crash). In order to sucessfully
exploit this flaw, the attacker would need to know (or guess) some
aspects of the firewall ruleset in place on the target system to be
able to craft the right fragmented packets. (CVE-2005-0449)

Missing validation of an epoll_wait() system call parameter could
allow a local user to cause a denial of service (system crash) on the
IBM S/390 and zSeries architectures. (CVE-2005-0736)

A flaw when freeing a pointer in load_elf_library was discovered. A
local user could potentially use this flaw to cause a denial of
service (system crash). (CVE-2005-0749)

A flaw was discovered in the bluetooth driver system. On system where
the bluetooth modules are loaded, a local user could use this flaw to
gain elevated (root) privileges. (CVE-2005-0750)

In addition to the security issues listed above, there was an
important fix made to the handling of the msync() system call for a
particular case in which the call could return without queuing
modified mmap()'ed data for file system update. (BZ 147969)

Note: The kernel-unsupported package contains various drivers and
modules that are unsupported and therefore might contain security
problems that have not been addressed.

Red Hat Enterprise Linux 3 users are advised to upgrade their kernels
to the packages associated with their machine
architectures/configurations

Please note that the fix for CVE-2005-0449 required changing the
external symbol linkages (kernel module ABI) for the ip_defrag() and
ip_ct_gather_frags() functions. Any third-party module using either of
these would also need to be fixed.

Updated kernel packages that fix several security issues in Red Hat
Enterprise Linux 3 are now available.

The Linux kernel handles the basic functions of the operating system.

This update includes fixes for several security issues :

A missing serialization flaw in unix_dgram_recvmsg was discovered that
affects kernels prior to 2.4.28. A local user could potentially make
use of a race condition in order to gain privileges. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CVE-2004-1068 to this issue.

Paul Starzetz of iSEC discovered various flaws in the ELF binary
loader affecting kernels prior to 2.4.28. A local user could use thse
flaws to gain read access to executable-only binaries or possibly gain
privileges. (CVE-2004-1070, CVE-2004-1071, CVE-2004-1072,
CVE-2004-1073)

A flaw when setting up TSS limits was discovered that affects AMD
AMD64 and Intel EM64T architecture kernels prior to 2.4.23. A local
user could use this flaw to cause a denial of service (crash) or
possibly gain privileges. (CVE-2004-0812)

An integer overflow flaw was discovered in the ubsec_keysetup function
in the Broadcom 5820 cryptonet driver. On systems using this driver, a
local user could cause a denial of service (crash) or possibly gain
elevated privileges. (CVE-2004-0619)

Stefan Esser discovered various flaws including buffer overflows in
the smbfs driver affecting kernels prior to 2.4.28. A local user may
be able to cause a denial of service (crash) or possibly gain
privileges. In order to exploit these flaws the user would require
control of a connected Samba server. (CVE-2004-0883, CVE-2004-0949)

SGI discovered a bug in the elf loader that affects kernels prior to
2.4.25 which could be triggered by a malformed binary. On
architectures other than x86, a local user could create a malicious
binary which could cause a denial of service (crash). (CVE-2004-0136)

Conectiva discovered flaws in certain USB drivers affecting kernels
prior to 2.4.27 which used the copy_to_user function on uninitialized
structures. These flaws could allow local users to read small amounts
of kernel memory. (CVE-2004-0685)

All Red Hat Enterprise Linux 3 users are advised to upgrade their
kernels to the packages associated with their machine architectures
and configurations as listed in this erratum.

Updated kernel packages are now available as part of ongoing support
and maintenance of Red Hat Enterprise Linux version 2.1. This is the
sixth regular update.

The Linux kernel handles the basic functions of the operating system.

This is the sixth regular kernel update to Red Hat Enterprise Linux
version 2.1. It updates a number of device drivers, and adds much
improved SATA support.

This update includes fixes for several security issues :

Paul Starzetz of iSEC discovered various flaws in the ELF binary
loader affecting kernels prior to 2.4.28. A local user could use these
flaws to gain read access to executable-only binaries or possibly gain
privileges. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the names CVE-2004-1070, CVE-2004-1071,
CVE-2004-1072, and CVE-2004-1073 to these issues.

A missing serialization flaw in unix_dgram_recvmsg was discovered that
affects kernels prior to 2.4.28. A local user could potentially make
use of a race condition in order to gain privileges. (CVE-2004-1068)

Stefan Esser discovered various flaws including buffer overflows in
the smbfs driver affecting kernels before 2.4.28. A local user may be
able to cause a denial of service (crash) or possibly gain privileges.
In order to exploit these flaws the user would need to have control of
a connected smb server. (CVE-2004-0883, CVE-2004-0949)

Conectiva discovered flaws in certain USB drivers affecting kernels
before 2.4.27 which used the copy_to_user function on uninitialized
structures. These flaws could allow local users to read small amounts
of kernel memory. (CVE-2004-0685)

The ext3 code in kernels before 2.4.26 did not properly initialize
journal descriptor blocks. A privileged local user could read portions
of kernel memory. (CVE-2004-0177)

The following drivers have also been updated :

* tg3 v3.10 * e1000 v5.3.19-k2 * e100 v3.0.27-k2 * megaraid *
megaraid2 v2.10.8.2

All Red Hat Enterprise Linux 2.1 users are advised to upgrade their
kernels to the packages associated with their machine architectures
and configurations as listed in this erratum.

The remote CentOS system is missing a security update which has been documented in Red Hat advisory RHSA-2005-293.

ID	Name	Product	Family	Severity
22624	Debian DSA-1082-1 : kernel-source-2.4.17 - several vulnerabilities	Nessus	Debian Local Security Checks	critical
22612	Debian DSA-1070-1 : kernel-source-2.4.19 - several vulnerabilities	Nessus	Debian Local Security Checks	critical
22611	Debian DSA-1069-1 : kernel-source-2.4.18 - several vulnerabilities	Nessus	Debian Local Security Checks	critical
22609	Debian DSA-1067-1 : kernel-source-2.4.16 - several vulnerabilities	Nessus	Debian Local Security Checks	critical
21923	CentOS 3 : kernel (CESA-2005:293)	Nessus	CentOS Local Security Checks	high
20855	RHEL 2.1 : kernel (RHSA-2006:0191)	Nessus	Red Hat Local Security Checks	medium
18128	RHEL 3 : kernel (RHSA-2005:293)	Nessus	Red Hat Local Security Checks	high
16259	Mandrake Linux Security Advisory : kernel (MDKSA-2005:022)	Nessus	Mandriva Local Security Checks	critical
15958	RHEL 2.1 : kernel (RHSA-2004:505)	Nessus	Red Hat Local Security Checks	high
15944	RHEL 3 : kernel (RHSA-2004:549)	Nessus	Red Hat Local Security Checks	high
801608	Red Hat 2005-293 Security Check	Log Correlation Engine	Generic	high
801601	Red Hat 2004-549 Security Check	Log Correlation Engine	Generic	high
801600	Red Hat 2004-505 Security Check	Log Correlation Engine	Generic	high
801398	CentOS RHSA-2005-293 Security Check	Log Correlation Engine	Generic	high

Detections

Analytics

CVE-2004-1073

medium

Tenable Plugins

critical

critical

critical

critical

high

medium

high

critical

high

high

high

high

high

high