26994

27322

28170

28971

29058

http://tree.celinuxforum.org/gitstat/commit-detail.php?commit=856fc29505556cf263f3dcda2533cf3766c14ab6

DSA-1381

DSA-1504

http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.19-rc4

MDKSA-2007:216

MDVSA-2008:008

MDVSA-2008:105

RHSA-2007:0940

25904

USN-558-1

USN-578-1

kernel-hugetlbfs-dos(36925)

oval:org.mitre.oval:def:10451

From Red Hat Security Advisory 2007:0940 :

Updated kernel packages that fix various security issues in the Red Hat Enterprise Linux 5 kernel are now available.

This update has been rated as having important security impact by the Red Hat Security Response Team.

The Linux kernel handles the basic functions of the operating system.

These new kernel packages contain fixes for the following security issues :

* A flaw was found in the backported stack unwinder fixes in Red Hat Enterprise Linux 5. On AMD64 and Intel 64 platforms, a local user could trigger this flaw and cause a denial of service. (CVE-2007-4574, Important)

* A flaw was found in the handling of process death signals. This allowed a local user to send arbitrary signals to the suid-process executed by that user. A successful exploitation of this flaw depends on the structure of the suid-program and its signal handling.
(CVE-2007-3848, Important)

* A flaw was found in the Distributed Lock Manager (DLM) in the cluster manager. This allowed a remote user who is able to connect to the DLM port to cause a denial of service. (CVE-2007-3380, Important)

* A flaw was found in the aacraid SCSI driver. This allowed a local user to make ioctl calls to the driver which should otherwise be restricted to privileged users. (CVE-2007-4308, Moderate)

* A flaw was found in the prio_tree handling of the hugetlb support that allowed a local user to cause a denial of service. This only affected kernels with hugetlb support. (CVE-2007-4133, Moderate)

* A flaw was found in the eHCA driver on PowerPC architectures that allowed a local user to access 60k of physical address space. This address space could contain sensitive information. (CVE-2007-3850, Moderate)

* A flaw was found in ptrace support that allowed a local user to cause a denial of service via a NULL pointer dereference.
(CVE-2007-3731, Moderate)

* A flaw was found in the usblcd driver that allowed a local user to cause a denial of service by writing data to the device node. To exploit this issue, write access to the device node was needed.
(CVE-2007-3513, Moderate)

* A flaw was found in the random number generator implementation that allowed a local user to cause a denial of service or possibly gain privileges. If the root user raised the default wakeup threshold over the size of the output pool, this flaw could be exploited.
(CVE-2007-3105, Low)

In addition to the security issues described above, several bug fixes preventing possible system crashes and data corruption were also included.

Red Hat Enterprise Linux 5 users are advised to upgrade to these packages, which contain backported patches to resolve these issues.

These new kernel packages contain fixes for the following security issues :

  - A flaw was found in the backported stack unwinder fixes     in Red Hat Enterprise Linux 5. On AMD64 and Intel 64     platforms, a local user could trigger this flaw and     cause a denial of service. (CVE-2007-4574, Important)

  - A flaw was found in the handling of process death     signals. This allowed a local user to send arbitrary     signals to the suid-process executed by that user. A     successful exploitation of this flaw depends on the     structure of the suid-program and its signal handling.
    (CVE-2007-3848, Important)

  - A flaw was found in the Distributed Lock Manager (DLM)     in the cluster manager. This allowed a remote user who     is able to connect to the DLM port to cause a denial of     service. (CVE-2007-3380, Important)

  - A flaw was found in the aacraid SCSI driver. This     allowed a local user to make ioctl calls to the driver     which should otherwise be restricted to privileged     users. (CVE-2007-4308, Moderate)

  - A flaw was found in the prio_tree handling of the     hugetlb support that allowed a local user to cause a     denial of service. This only affected kernels with     hugetlb support. (CVE-2007-4133, Moderate)

  - A flaw was found in the eHCA driver on PowerPC     architectures that allowed a local user to access 60k of     physical address space. This address space could contain     sensitive information. (CVE-2007-3850, Moderate)

  - A flaw was found in ptrace support that allowed a local     user to cause a denial of service via a NULL pointer     dereference. (CVE-2007-3731, Moderate)

  - A flaw was found in the usblcd driver that allowed a     local user to cause a denial of service by writing data     to the device node. To exploit this issue, write access     to the device node was needed. (CVE-2007-3513, Moderate)

  - A flaw was found in the random number generator     implementation that allowed a local user to cause a     denial of service or possibly gain privileges. If the     root user raised the default wakeup threshold over the     size of the output pool, this flaw could be exploited.
    (CVE-2007-3105, Low)

In addition to the security issues described above, several bug fixes preventing possible system crashes and data corruption were also included.

Updated kernel packages that fix various security issues in the Red Hat Enterprise Linux 5 kernel are now available.

This update has been rated as having important security impact by the Red Hat Security Response Team.

The Linux kernel handles the basic functions of the operating system.

These new kernel packages contain fixes for the following security issues :

* A flaw was found in the backported stack unwinder fixes in Red Hat Enterprise Linux 5. On AMD64 and Intel 64 platforms, a local user could trigger this flaw and cause a denial of service. (CVE-2007-4574, Important)

* A flaw was found in the handling of process death signals. This allowed a local user to send arbitrary signals to the suid-process executed by that user. A successful exploitation of this flaw depends on the structure of the suid-program and its signal handling.
(CVE-2007-3848, Important)

* A flaw was found in the Distributed Lock Manager (DLM) in the cluster manager. This allowed a remote user who is able to connect to the DLM port to cause a denial of service. (CVE-2007-3380, Important)

* A flaw was found in the aacraid SCSI driver. This allowed a local user to make ioctl calls to the driver which should otherwise be restricted to privileged users. (CVE-2007-4308, Moderate)

* A flaw was found in the prio_tree handling of the hugetlb support that allowed a local user to cause a denial of service. This only affected kernels with hugetlb support. (CVE-2007-4133, Moderate)

* A flaw was found in the eHCA driver on PowerPC architectures that allowed a local user to access 60k of physical address space. This address space could contain sensitive information. (CVE-2007-3850, Moderate)

* A flaw was found in ptrace support that allowed a local user to cause a denial of service via a NULL pointer dereference.
(CVE-2007-3731, Moderate)

* A flaw was found in the usblcd driver that allowed a local user to cause a denial of service by writing data to the device node. To exploit this issue, write access to the device node was needed.
(CVE-2007-3513, Moderate)

* A flaw was found in the random number generator implementation that allowed a local user to cause a denial of service or possibly gain privileges. If the root user raised the default wakeup threshold over the size of the output pool, this flaw could be exploited.
(CVE-2007-3105, Low)

In addition to the security issues described above, several bug fixes preventing possible system crashes and data corruption were also included.

Red Hat Enterprise Linux 5 users are advised to upgrade to these packages, which contain backported patches to resolve these issues.

The CIFS filesystem in the Linux kernel before 2.6.22, when Unix extension support is enabled, does not honor the umask of a process, which allows local users to gain privileges. (CVE-2007-3740)

The drm/i915 component in the Linux kernel before 2.6.22.2, when used with i965G and later chipsets, allows local users with access to an X11 session and Direct Rendering Manager (DRM) to write to arbitrary memory locations and gain privileges via a crafted batchbuffer.
(CVE-2007-3851)

The (1) hugetlb_vmtruncate_list and (2) hugetlb_vmtruncate functions in fs/hugetlbfs/inode.c in the Linux kernel before 2.6.19-rc4 perform certain prio_tree calculations using HPAGE_SIZE instead of PAGE_SIZE units, which allows local users to cause a denial of service (panic) via unspecified vectors. (CVE-2007-4133)

The IA32 system call emulation functionality in Linux kernel 2.4.x and 2.6.x before 2.6.22.7, when running on the x86_64 architecture, does not zero extend the eax register after the 32bit entry path to ptrace is used, which might allow local users to gain privileges by triggering an out-of-bounds access to the system call table using the %RAX register. This vulnerability is now being fixed in the Xen kernel too. (CVE-2007-4573)

Integer underflow in the ieee80211_rx function in net/ieee80211/ieee80211_rx.c in the Linux kernel 2.6.x before 2.6.23 allows remote attackers to cause a denial of service (crash) via a crafted SKB length value in a runt IEEE 802.11 frame when the IEEE80211_STYPE_QOS_DATA flag is set, aka an off-by-two error.
(CVE-2007-4997)

The disconnect method in the Philips USB Webcam (pwc) driver in Linux kernel 2.6.x before 2.6.22.6 relies on user space to close the device, which allows user-assisted local attackers to cause a denial of service (USB subsystem hang and CPU consumption in khubd) by not closing the device after the disconnect is invoked. NOTE: this rarely crosses privilege boundaries, unless the attacker can convince the victim to unplug the affected device. (CVE-2007-5093)

A race condition in the directory notification subsystem (dnotify) in Linux kernel 2.6.x before 2.6.24.6, and 2.6.25 before 2.6.25.1, allows local users to cause a denial of service (OOPS) and possibly gain privileges via unspecified vectors. (CVE-2008-1375)

The Linux kernel before 2.6.25.2 does not apply a certain protection mechanism for fcntl functionality, which allows local users to (1) execute code in parallel or (2) exploit a race condition to obtain re-ordered access to the descriptor table. (CVE-2008-1669)

To update your kernel, please follow the directions located at :

http://www.mandriva.com/en/security/kernelupdate

Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2006-5823     LMH reported a potential local DoS which could be     exploited by a malicious user with the privileges to     mount and read a corrupted cramfs filesystem.

  - CVE-2006-6054     LMH reported a potential local DoS which could be     exploited by a malicious user with the privileges to     mount and read a corrupted ext2 filesystem.

  - CVE-2006-6058     LMH reported an issue in the minix filesystem that     allows local users with mount privileges to create a DoS     (printk flood) by mounting a specially crafted corrupt     filesystem.

  - CVE-2006-7203     OpenVZ Linux kernel team reported an issue in the smbfs     filesystem which can be exploited by local users to     cause a DoS (oops) during mount.

  - CVE-2007-1353     Ilja van Sprundel discovered that kernel memory could be     leaked via the Bluetooth setsockopt call due to an     uninitialized stack buffer. This could be used by local     attackers to read the contents of sensitive kernel     memory.

  - CVE-2007-2172     Thomas Graf reported a typo in the DECnet protocol     handler that could be used by a local attacker to     overrun an array via crafted packets, potentially     resulting in a Denial of Service (system crash). A     similar issue exists in the IPV4 protocol handler and     will be fixed in a subsequent update.

  - CVE-2007-2525     Florian Zumbiehl discovered a memory leak in the PPPOE     subsystem caused by releasing a socket before     PPPIOCGCHAN is called upon it. This could be used by a     local user to DoS a system by consuming all available     memory.

  - CVE-2007-3105     The PaX Team discovered a potential buffer overflow in     the random number generator which may permit local users     to cause a denial of service or gain additional     privileges. This issue is not believed to effect default     Debian installations where only root has sufficient     privileges to exploit it.

  - CVE-2007-3739     Adam Litke reported a potential local denial of service     (oops) on powerpc platforms resulting from unchecked VMA     expansion into address space reserved for hugetlb pages.

  - CVE-2007-3740     Steve French reported that CIFS filesystems with     CAP_UNIX enabled were not honoring a process' umask     which may lead to unintentionally relaxed permissions.

  - CVE-2007-3848     Wojciech Purczynski discovered that pdeath_signal was     not being reset properly under certain conditions which     may allow local users to gain privileges by sending     arbitrary signals to suid binaries.

  - CVE-2007-4133     Hugh Dickins discovered a potential local DoS (panic) in     hugetlbfs. A misconversion of hugetlb_vmtruncate_list to     prio_tree may allow local users to trigger a BUG_ON()     call in exit_mmap.

  - CVE-2007-4308     Alan Cox reported an issue in the aacraid driver that     allows unprivileged local users to make ioctl calls     which should be restricted to admin privileges.

  - CVE-2007-4573     Wojciech Purczynski discovered a vulnerability that can     be exploited by a local user to obtain superuser     privileges on x86_64 systems. This resulted from     improper clearing of the high bits of registers during     ia32 system call emulation. This vulnerability is     relevant to the Debian amd64 port as well as users of     the i386 port who run the amd64 linux-image flavour.

  - CVE-2007-5093     Alex Smith discovered an issue with the pwc driver for     certain webcam devices. If the device is removed while a     userspace application has it open, the driver will wait     for userspace to close the device, resulting in a     blocked USB subsystem. This issue is of low security     impact as it requires the attacker to either have     physical access to the system or to convince a user with     local access to remove the device on their behalf.

  - CVE-2007-6063     Venustech AD-LAB discovered a a buffer overflow in the     isdn ioctl handling, exploitable by a local user.

  - CVE-2007-6151     ADLAB discovered a possible memory overrun in the ISDN     subsystem that may permit a local user to overwrite     kernel memory by issuing ioctls with unterminated data.

  - CVE-2007-6206     Blake Frantz discovered that when a core file owned by a     non-root user exists, and a root-owned process dumps     core over it, the core file retains its original     ownership. This could be used by a local user to gain     access to sensitive information.

  - CVE-2007-6694     Cyrill Gorcunov reported a NULL pointer dereference in     code specific to the CHRP PowerPC platforms. Local users     could exploit this issue to achieve a Denial of Service     (DoS).

  - CVE-2008-0007     Nick Piggin of SuSE discovered a number of issues in     subsystems which register a fault handler for memory     mapped areas. This issue can be exploited by local users     to achieve a Denial of Service (DoS) and possibly     execute arbitrary code.

The following matrix lists additional packages that were rebuilt for compatibility with or to take advantage of this update :

                             Debian 3.1 (sarge)            kernel-image-2.6.8-alpha    2.6.8-17sarge1                kernel-image-2.6.8-amd64    2.6.8-17sarge1                kernel-image-2.6.8-hppa     2.6.8-7sarge1                 kernel-image-2.6.8-i386     2.6.8-17sarge1                kernel-image-2.6.8-ia64     2.6.8-15sarge1                kernel-image-2.6.8-m68k     2.6.8-5sarge1                 kernel-image-2.6.8-s390     2.6.8-6sarge1                 kernel-image-2.6.8-sparc    2.6.8-16sarge1                kernel-patch-powerpc-2.6.8  2.6.8-13sarge1                fai-kernels                 1.9.1sarge8

The minix filesystem did not properly validate certain filesystem values. If a local attacker could trick the system into attempting to mount a corrupted minix filesystem, the kernel could be made to hang for long periods of time, resulting in a denial of service.
(CVE-2006-6058)

Alexander Schulze discovered that the skge driver does not properly use the spin_lock and spin_unlock functions. Remote attackers could exploit this by sending a flood of network traffic and cause a denial of service (crash). (CVE-2006-7229)

Hugh Dickins discovered that hugetlbfs performed certain prio_tree calculations using HPAGE_SIZE instead of PAGE_SIZE. A local user could exploit this and cause a denial of service via kernel panic.
(CVE-2007-4133)

Chris Evans discovered an issue with certain drivers that use the ieee80211_rx function. Remote attackers could send a crafted 802.11 frame and cause a denial of service via crash. (CVE-2007-4997)

Alex Smith discovered an issue with the pwc driver for certain webcam devices. A local user with physical access to the system could remove the device while a userspace application had it open and cause the USB subsystem to block. (CVE-2007-5093)

Scott James Remnant discovered a coding error in ptrace. Local users could exploit this and cause the kernel to enter an infinite loop.
(CVE-2007-5500)

Venustech AD-LAB discovered a buffer overflow in the isdn net subsystem. This issue is exploitable by local users via crafted input to the isdn_ioctl function. (CVE-2007-6063)

It was discovered that the isdn subsystem did not properly check for NULL termination when performing ioctl handling. A local user could exploit this to cause a denial of service. (CVE-2007-6151)

Blake Frantz discovered that when a root process overwrote an existing core file, the resulting core file retained the previous core file's ownership. Local users could exploit this to gain access to sensitive information. (CVE-2007-6206)

Hugh Dickins discovered the when using the tmpfs filesystem, under rare circumstances, a kernel page may be improperly cleared. A local user may be able to exploit this and read sensitive kernel data or cause a denial of service via crash. (CVE-2007-6417)

Bill Roman discovered that the VFS subsystem did not properly check access modes. A local user may be able to gain removal privileges on directories. (CVE-2008-0001).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The minix filesystem did not properly validate certain filesystem values. If a local attacker could trick the system into attempting to mount a corrupted minix filesystem, the kernel could be made to hang for long periods of time, resulting in a denial of service.
(CVE-2006-6058)

Certain calculations in the hugetlb code were not correct. A local attacker could exploit this to cause a kernel panic, leading to a denial of service. (CVE-2007-4133)

Eric Sesterhenn and Victor Julien discovered that the hop-by-hop IPv6 extended header was not correctly validated. If a system was configured for IPv6, a remote attacker could send a specially crafted IPv6 packet and cause the kernel to panic, leading to a denial of service. This was only vulnerable in Ubuntu 7.04. (CVE-2007-4567)

Permissions were not correctly stored on JFFS2 ACLs. For systems using ACLs on JFFS2, a local attacker may gain access to private files.
(CVE-2007-4849)

Chris Evans discovered that the 802.11 network stack did not correctly handle certain QOS frames. A remote attacker on the local wireless network could send specially crafted packets that would panic the kernel, resulting in a denial of service. (CVE-2007-4997)

The Philips USB Webcam driver did not correctly handle disconnects. If a local attacker tricked another user into disconnecting a webcam unsafely, the kernel could hang or consume CPU resources, leading to a denial of service. (CVE-2007-5093)

Scott James Remnant discovered that the waitid function could be made to hang the system. A local attacker could execute a specially crafted program which would leave the system unresponsive, resulting in a denial of service. (CVE-2007-5500)

Ilpo Jarvinen discovered that it might be possible for the TCP stack to panic the kernel when receiving a crafted ACK response. Only Ubuntu 7.10 contained the vulnerable code, and it is believed not to have been exploitable. (CVE-2007-5501)

When mounting the same remote NFS share to separate local locations, the first location's mount options would apply to all subsequent mounts of the same NFS share. In some configurations, this could lead to incorrectly configured permissions, allowing local users to gain additional access to the mounted share.
(https://launchpad.net/bugs/164231)

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several local vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2006-5755     The NT bit maybe leaked into the next task which can     make it possible for local attackers to cause a Denial     of Service (crash) on systems which run the amd64     flavour kernel. The stable distribution ('etch') was not     believed to be vulnerable to this issue at the time of     release, however Bastian Blank discovered that this     issue still applied to the xen-amd64 and     xen-vserver-amd64 flavours, and is resolved by this DSA.

  - CVE-2007-4133     Hugh Dickins discovered a potential local DoS (panic) in     hugetlbfs. A misconversion of hugetlb_vmtruncate_list to     prio_tree may allow local users to trigger a BUG_ON()     call in exit_mmap.

  - CVE-2007-4573     Wojciech Purczynski discovered a vulnerability that can     be exploited by a local user to obtain superuser     privileges on x86_64 systems. This resulted from     improper clearing of the high bits of registers during     ia32 system call emulation. This vulnerability is     relevant to the Debian amd64 port as well as users of     the i386 port who run the amd64 linux-image flavour.

      DSA-1378 resolved this problem for the amd64 flavour kernels,       but Tim Wickberg and Ralf Hemmenstadt reported an outstanding       issue with the xen-amd64 and xen-vserver-amd64 flavours that is       resolved by this DSA.

  - CVE-2007-5093     Alex Smith discovered an issue with the pwc driver for     certain webcam devices. If the device is removed while a     userspace application has it open, the driver will wait     for userspace to close the device, resulting in a     blocked USB subsystem. This issue is of low security     impact as it requires the attacker to either have     physical access to the system or to convince users with     local access to remove the device on their behalf.

These problems have been fixed in the stable distribution in version 2.6.18.dfsg.1-13etch4.

This is an update to DSA-1381-1 which included only amd64 binaries for linux-2.6. Builds for all other architectures are now available, as well as rebuilds of ancillary packages that make use of the included linux source.

The following matrix lists additional packages that were rebuilt for compatibility with or to take advantage of this update :

                           Debian 4.0 (etch)           fai-kernels               1.17+etch.13etch4           kernel-patch-openvz       028.18.1etch5               user-mode-linux           2.6.18-1um-2etch.13etch4

The remote CentOS system is missing a security update which has been documented in Red Hat advisory RHSA-2007-0940.

ID	Name	Product	Family	Severity
67581	Oracle Linux 5 : kernel (ELSA-2007-0940)	Nessus	Oracle Linux Local Security Checks	medium
60272	Scientific Linux Security Update : kernel on SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	medium
43654	CentOS 5 : kernel (CESA-2007:0940)	Nessus	CentOS Local Security Checks	medium
37772	Mandriva Linux Security Advisory : kernel (MDVSA-2008:105)	Nessus	Mandriva Local Security Checks	high
31148	Debian DSA-1504-1 : kernel-source-2.6.8 - several vulnerabilities	Nessus	Debian Local Security Checks	high
31093	Ubuntu 6.06 LTS : linux-source-2.6.15 vulnerabilities (USN-578-1)	Nessus	Ubuntu Local Security Checks	high
29740	Ubuntu 6.10 / 7.04 / 7.10 : linux-source-2.6.17/20/22 vulnerabilities (USN-558-1)	Nessus	Ubuntu Local Security Checks	high
27565	RHEL 5 : kernel (RHSA-2007:0940)	Nessus	Red Hat Local Security Checks	medium
26211	Debian DSA-1381-2 : linux-2.6 - several vulnerabilities	Nessus	Debian Local Security Checks	high
801440	CentOS RHSA-2007-0940 Security Check	Log Correlation Engine	Generic	high

CVE-2007-4133

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Tenable Plugins