http://kernel.org/git/?p=linux/kernel/git/marcelo/linux-2.4.git;a=commit;h=51e31546a2fc46cb978da2ee0330a6a68f07541e

17002

18056

18059

18977

DSA-921

DSA-922

SUSE-SA:2005:044

RHSA-2005:663

14467

USN-187-1

ADV-2005-1878

MDKSA-2006:044

oval:org.mitre.oval:def:11101

Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2004-2302     A race condition in the sysfs filesystem allows local     users to read kernel memory and cause a denial of     service (crash).

  - CVE-2005-0756     Alexander Nyberg discovered that the ptrace() system     call does not properly verify addresses on the amd64     architecture which can be exploited by a local attacker     to crash the kernel.

  - CVE-2005-0757     A problem in the offset handling in the xattr file     system code for ext3 has been discovered that may allow     users on 64-bit systems that have access to an ext3     filesystem with extended attributes to cause the kernel     to crash.

  - CVE-2005-1265     Chris Wright discovered that the mmap() function could     create illegal memory maps that could be exploited by a     local user to crash the kernel or potentially execute     arbitrary code.

  - CVE-2005-1761     A vulnerability on the IA-64 architecture can lead local     attackers to overwrite kernel memory and crash the     kernel.

  - CVE-2005-1762     A vulnerability has been discovered in the ptrace()     system call on the amd64 architecture that allows a     local attacker to cause the kernel to crash.

  - CVE-2005-1763     A buffer overflow in the ptrace system call for 64-bit     architectures allows local users to write bytes into     arbitrary kernel memory.

  - CVE-2005-1765     Zou Nan Hai has discovered that a local user could cause     the kernel to hang on the amd64 architecture after     invoking syscall() with specially crafted arguments.

  - CVE-2005-1767     A vulnerability has been discovered in the stack segment     fault handler that could allow a local attacker to cause     a stack exception that will lead the kernel to crash     under certain circumstances.

  - CVE-2005-2456     Balazs Scheidler discovered that a local attacker could     call setsockopt() with an invalid xfrm_user policy     message which would cause the kernel to write beyond the     boundaries of an array and crash.

  - CVE-2005-2458     Vladimir Volovich discovered a bug in the zlib routines     which are also present in the Linux kernel and allows     remote attackers to crash the kernel.

  - CVE-2005-2459     Another vulnerability has been discovered in the zlib     routines which are also present in the Linux kernel and     allows remote attackers to crash the kernel.

  - CVE-2005-2548     Peter Sandstrom noticed that snmpwalk from a remote host     could cause a denial of service (kernel oops from null     dereference) via certain UDP packets that lead to a     function call with the wrong argument.

  - CVE-2005-2801     Andreas Gruenbacher discovered a bug in the ext2 and     ext3 file systems. When data areas are to be shared     among two inodes not all information were compared for     equality, which could expose wrong ACLs for files.

  - CVE-2005-2872     Chad Walstrom discovered that the ipt_recent kernel     module on 64-bit processors such as AMD64 allows remote     attackers to cause a denial of service (kernel panic)     via certain attacks such as SSH brute force.

  - CVE-2005-3105     The mprotect code on Itanium IA-64 Montecito processors     does not properly maintain cache coherency as required     by the architecture, which allows local users to cause a     denial of service and possibly corrupt data by modifying     PTE protections.

  - CVE-2005-3106     A race condition in the thread management may allow     local users to cause a denial of service (deadlock) when     threads are sharing memory and waiting for a thread that     has just performed an exec.

  - CVE-2005-3107     When one thread is tracing another thread that shares     the same memory map a local user could cause a denial of     service (deadlock) by forcing a core dump when the     traced thread is in the TASK_TRACED state.

  - CVE-2005-3108     A bug in the ioremap() system call has been discovered     on the amd64 architecture that could allow local users     to cause a denial of service or an information leak when     performing a lookup of a non-existent memory page.

  - CVE-2005-3109     The HFS and HFS+ (hfsplus) modules allow local attackers     to cause a denial of service (oops) by using hfsplus to     mount a filesystem that is not hfsplus.

  - CVE-2005-3110     A race condition in the ebtables netfilter module on an     SMP system running under high load may allow remote     attackers to cause a denial of service (crash).

  - CVE-2005-3271     Roland McGrath discovered that exec() does not properly     clear posix-timers in multi-threaded environments, which     results in a resource leak and could allow a large     number of multiple local users to cause a denial of     service by using more posix-timers than specified by the     quota for a single user.

  - CVE-2005-3272     The kernel allows remote attackers to poison the bridge     forwarding table using frames that have already been     dropped by filtering, which can cause the bridge to     forward spoofed packets.

  - CVE-2005-3273     The ioctl for the packet radio ROSE protocol does not     properly verify the arguments when setting a new router,     which allows attackers to trigger out-of-bounds errors.

  - CVE-2005-3274     A race condition on SMP systems allows local users to     cause a denial of service (null dereference) by causing     a connection timer to expire while the connection table     is being flushed before the appropriate lock is     acquired.

  - CVE-2005-3275     An error in the NAT code allows remote attackers to     cause a denial of service (memory corruption) by causing     two packets for the same protocol to be NATed at the     same time, which leads to memory corruption.

  - CVE-2005-3276     A missing memory cleanup in the thread handling routines     before copying data into userspace allows a user process     to obtain sensitive information.

This update also contains a number of corrections for issues that turned out to have no security implication afterwards.

Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2005-0756     Alexander Nyberg discovered that the ptrace() system     call does not properly verify addresses on the amd64     architecture which can be exploited by a local attacker     to crash the kernel.

  - CVE-2005-0757     A problem in the offset handling in the xattr file     system code for ext3 has been discovered that may allow     users on 64-bit systems that have access to an ext3     filesystem with extended attributes to cause the kernel     to crash.

  - CVE-2005-1762     A vulnerability has been discovered in the ptrace()     system call on the amd64 architecture that allows a     local attacker to cause the kernel to crash.

  - CVE-2005-1767     A vulnerability has been discovered in the stack segment     fault handler that could allow a local attacker to cause     a stack exception that will lead the kernel to crash     under certain circumstances.

  - CVE-2005-1768     Ilja van Sprundel discovered a race condition in the     IA32 (x86) compatibility execve() systemcall for amd64     and IA64 that allows local attackers to cause the kernel     to panic and possibly execute arbitrary code.

  - CVE-2005-2456     Balazs Scheidler discovered that a local attacker could     call setsockopt() with an invalid xfrm_user policy     message which would cause the kernel to write beyond the     boundaries of an array and crash.

  - CVE-2005-2458     Vladimir Volovich discovered a bug in the zlib routines     which are also present in the Linux kernel and allows     remote attackers to crash the kernel.

  - CVE-2005-2459     Another vulnerability has been discovered in the zlib     routines which are also present in the Linux kernel and     allows remote attackers to crash the kernel.

  - CVE-2005-2553     A NULL pointer dereference in ptrace when tracing a     64-bit executable can cause the kernel to crash.

  - CVE-2005-2801     Andreas Gruenbacher discovered a bug in the ext2 and     ext3 file systems. When data areas are to be shared     among two inodes not all information were compared for     equality, which could expose wrong ACLs for files.

  - CVE-2005-2872     Chad Walstrom discovered that the ipt_recent kernel     module to stop SSH bruteforce attacks could cause the     kernel to crash on 64-bit architectures.

  - CVE-2005-3275     An error in the NAT code allows remote attackers to     cause a denial of service (memory corruption) by causing     two packets for the same protocol to be NATed at the     same time, which leads to memory corruption.

Updated kernel packages are now available as part of ongoing support and maintenance of Red Hat Enterprise Linux version 3. This is the sixth regular update.

This security advisory has been rated as having important security impact by the Red Hat Security Response Team.

The Linux kernel handles the basic functions of the operating system.

This is the sixth regular kernel update to Red Hat Enterprise Linux 3.

New features introduced by this update include :

  - diskdump support on HP Smart Array devices -     netconsole/netdump support over bonded interfaces - new     chipset and device support via PCI table updates -     support for new 'oom-kill' and 'kscand_work_percent'     sysctls - support for dual core processors and ACPI     Power Management timers on AMD64 and Intel EM64T systems

There were many bug fixes in various parts of the kernel. The ongoing effort to resolve these problems has resulted in a marked improvement in the reliability and scalability of Red Hat Enterprise Linux 3.

There were numerous driver updates and security fixes (elaborated below). Other key areas affected by fixes in this update include kswapd, inode handling, the SATA subsystem, diskdump handling, ptrace() syscall support, and signal handling.

The following device drivers have been upgraded to new versions :

3w-9xxx ---- 2.24.03.008RH cciss ------ 2.4.58.RH1 e100 ------- 3.4.8-k2 e1000 ------ 6.0.54-k2 emulex ----- 7.3.2 fusion ----- 2.06.16i.01 iscsi ------ 3.6.2.1 ipmi ------- 35.4 lpfcdfc ---- 1.2.1 qlogic ----- 7.05.00-RH1 tg3 -------- 3.27RH

The following security bugs were fixed in this update :

  - a flaw in syscall argument checking on Itanium systems     that allowed a local user to cause a denial of service     (crash) (CVE-2005-0136)

  - a flaw in stack expansion that allowed a local user of     mlockall() to cause a denial of service (memory     exhaustion) (CVE-2005-0179)

  - a small memory leak in network packet defragmenting that     allowed a remote user to cause a denial of service     (memory exhaustion) on systems using netfilter     (CVE-2005-0210)

  - flaws in ptrace() syscall handling on AMD64 and Intel     EM64T systems that allowed a local user to cause a     denial of service (crash) (CVE-2005-0756, CVE-2005-1762,     CVE-2005-2553)

  - flaws in ISO-9660 file system handling that allowed the     mounting of an invalid image on a CD-ROM to cause a     denial of service (crash) or potentially execute     arbitrary code (CVE-2005-0815)

  - a flaw in ptrace() syscall handling on Itanium systems     that allowed a local user to cause a denial of service     (crash) (CVE-2005-1761)

  - a flaw in the alternate stack switching on AMD64 and     Intel EM64T systems that allowed a local user to cause a     denial of service (crash) (CVE-2005-1767)

  - race conditions in the ia32-compat support for exec()     syscalls on AMD64, Intel EM64T, and Itanium systems that     could allow a local user to cause a denial of service     (crash) (CVE-2005-1768)

  - flaws in IPSEC network handling that allowed a local     user to cause a denial of service or potentially gain     privileges (CVE-2005-2456, CVE-2005-2555)

  - a flaw in sendmsg() syscall handling on 64-bit systems     that allowed a local user to cause a denial of service     or potentially gain privileges (CVE-2005-2490)

  - flaws in unsupported modules that allowed     denial-of-service attacks (crashes) or local privilege     escalations on systems using the drm, coda, or moxa     modules (CVE-2004-1056, CVE-2005-0124, CVE-2005-0504)

  - potential leaks of kernel data from jfs and ext2 file     system handling (CVE-2004-0181, CVE-2005-0400)

Note: The kernel-unsupported package contains various drivers and modules that are unsupported and therefore might contain security problems that have not been addressed.

All Red Hat Enterprise Linux 3 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum.

A Denial of Service vulnerability was detected in the stack segment fault handler. A local attacker could exploit this by causing stack fault exceptions under special circumstances (scheduling), which lead to a kernel crash. (CAN-2005-1767)

Vasiliy Averin discovered a Denial of Service vulnerability in the 'tiocgdev' ioctl call and in the 'routing_ioctl' function. By calling fget() and fput() in special ways, a local attacker could exploit this to destroy file descriptor structures and crash the kernel.
(CAN-2005-3044).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote CentOS system is missing a security update which has been documented in Red Hat advisory RHSA-2005-663.

ID	Name	Product	Family	Severity
22788	Debian DSA-922-1 : kernel-source-2.6.8 - several vulnerabilities	Nessus	Debian Local Security Checks	high
22787	Debian DSA-921-1 : kernel-source-2.4.27 - several vulnerabilities	Nessus	Debian Local Security Checks	medium
21849	CentOS 3 : kernel (CESA-2005:663)	Nessus	CentOS Local Security Checks	medium
20599	Ubuntu 4.10 / 5.04 : linux-source-2.6.10, linux-source-2.6.8.1 vulnerabilities (USN-187-1)	Nessus	Ubuntu Local Security Checks	low
19832	RHEL 3 : kernel (RHSA-2005:663)	Nessus	Red Hat Local Security Checks	medium
801410	CentOS RHSA-2005-663 Security Check	Log Correlation Engine	Generic	high

CVE-2005-1767

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins