[FLSA-2005:2336] Updated kernel packages fix security issues

From: Marc Deslauriers (marcdeslauriers_at_videotron.ca)
Date: 02/25/05

    Date: Thu, 24 Feb 2005 22:39:58 -0500
    To: bugtraq@securityfocus.com, full-disclosure@lists.netsys.com
    
    
    

    ---------------------------------------------------------------------
                    Fedora Legacy Update Advisory

    Synopsis: Updated kernel packages fix security issues
    Advisory ID: FLSA:2336
    Issue date: 2005-02-24
    Product: Red Hat Linux, Fedora Core
    Keywords: Bugfix
    Cross references: https://bugzilla.fedora.us/show_bug.cgi?id=2336
    CVE Names: CAN-2004-0177 CAN-2004-0685 CAN-2004-0814
                        CAN-2004-0883 CAN-2004-0949 CAN-2004-1016
                        CAN-2004-1017 CAN-2004-1056 CAN-2004-1068
                        CAN-2004-1070 CAN-2004-1071 CAN-2004-1072
                        CAN-2004-1073 CAN-2004-1074 CAN-2004-1137
                        CAN-2004-1234 CAN-2004-1235 CAN-2005-0001
    ---------------------------------------------------------------------

    ---------------------------------------------------------------------
    1. Topic:

    Updated kernel packages that fix several security issues are now
    available.

    The Linux kernel handles the basic functions of the operating system.

    2. Relevant releases/architectures:

    Red Hat Linux 7.3 - i386
    Red Hat Linux 9 - i386
    Fedora Core 1 - i386

    3. Problem description:

    This update includes fixes for several security issues:

    The ext3 code in kernels before 2.4.26 did not properly initialize
    journal descriptor blocks. A privileged local user could read portions
    of kernel memory. The Common Vulnerabilities and Exposures project
    (cve.mitre.org) has assigned the name CAN-2004-0177 to this issue.

    Conectiva discovered flaws in certain USB drivers affecting kernels
    prior to 2.4.27 which used the copy_to_user function on uninitialized
    structures. These flaws could allow local users to read small amounts
    of kernel memory. (CAN-2004-0685)
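
The bug class behind CAN-2004-0685, shown as an added user-space illustration (not part of the advisory and not code from any affected driver): a reply structure is filled field by field and then copied out whole, so every byte the handler never wrote carries old memory contents to the caller. `struct dev_info`, `copy_out()`, `get_info()` and the `STALE` marker are hypothetical names; `copy_out()` stands in for copy_to_user and the marker stands in for leftover kernel stack data.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define STALE 0xAA  /* constructed marker standing in for old kernel stack data */

/* Hypothetical ioctl reply; not the layout of any real USB driver. */
struct dev_info {
    unsigned int dev_num;
    unsigned int speed;
    unsigned int reserved;   /* never assigned by the handler */
    char         name[16];   /* short names leave the tail untouched */
};

/* User-space stand-in for copy_to_user(): copies the whole object out. */
static void copy_out(void *user_buf, const void *kernel_obj, size_t len)
{
    memcpy(user_buf, kernel_obj, len);
}

/* Handler body shared by both variants; zero_first selects the fix. */
static void get_info(struct dev_info *user_buf, int zero_first)
{
    struct dev_info info;

    /* Simulate a stack slot still holding data from an earlier call.
       Real code would simply leave `info` uninitialized at this point. */
    memset(&info, STALE, sizeof info);
    if (zero_first)
        memset(&info, 0, sizeof info);   /* the fix: clear before filling */

    info.dev_num = 7;
    info.speed = 2;
    strcpy(info.name, "usb0");           /* writes 5 of the 16 bytes */
    copy_out(user_buf, &info, sizeof info);
}

/* Number of reply bytes that still carry stale memory contents. */
size_t leaked_bytes(int zero_first)
{
    struct dev_info reply;
    const unsigned char *p = (const unsigned char *)&reply;
    size_t i, n = 0;

    get_info(&reply, zero_first);
    for (i = 0; i < sizeof reply; i++)
        n += (p[i] == STALE);
    return n;
}

int main(void)
{
    printf("unpatched: %zu stale bytes, zeroed first: %zu\n",
           leaked_bytes(0), leaked_bytes(1));
    return 0;
}
```

Compiler-inserted padding bytes leak the same way as the unset field and the string tail, which is why clearing the whole object is preferred over assigning every named member.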

    Multiple race conditions in the terminal layer could allow local users
    to obtain portions of kernel data via a TIOCSETD ioctl call to a
    terminal interface that is being accessed by another thread. This could
    also allow remote attackers to cause a denial of service (panic) by
    switching from console to PPP line discipline, then quickly sending data
    that is received during the switch. (CAN-2004-0814)

    Stefan Esser discovered various flaws including buffer overflows in
    the smbfs driver affecting kernels prior to 2.4.28. A local user may be
    able to cause a denial of service (crash) or possibly gain privileges.
    In order to exploit these flaws the user would require control of
    a connected Samba server. (CAN-2004-0883, CAN-2004-0949)

    ISEC security research and Georgi Guninski independently discovered a
    flaw in the scm_send function in the auxiliary message layer. A local
    user could create a carefully crafted auxiliary message which could
    cause a denial of service (system hang). (CAN-2004-1016)

    Multiple overflows were discovered and corrected in the io_edgeport
    driver. (CAN-2004-1017)

    The Direct Rendering Manager (DRM) driver does not properly check the
    DMA lock, which could allow remote attackers or local users to cause a
    denial of service (X Server crash) and possibly modify the video output.
    (CAN-2004-1056)

    A missing serialization flaw in unix_dgram_recvmsg was discovered that
    affects kernels prior to 2.4.28. A local user could potentially make
    use of a race condition in order to gain privileges. (CAN-2004-1068)

    Paul Starzetz of iSEC discovered various flaws in the ELF binary loader
    affecting kernels prior to 2.4.28. A local user could use these flaws to
    gain read access to executable-only binaries or possibly gain
    privileges. (CAN-2004-1070, CAN-2004-1071, CAN-2004-1072, CAN-2004-1073,
    CAN-2004-1074)

    ISEC security research discovered multiple vulnerabilities in the IGMP
    functionality of the kernels. These flaws could allow a local user to
    cause a denial of service (crash) or potentially gain privileges. Where
    multicast applications are being used on a system, these flaws may also
    allow remote users to cause a denial of service. (CAN-2004-1137)

    Kirill Korotaev found a flaw in load_elf_binary affecting kernels prior
    to 2.4.26. A local user could create a carefully crafted binary in such
    a way that it would cause a denial of service (system crash).
    (CAN-2004-1234)

    iSEC Security Research discovered a VMA handling flaw in the uselib(2)
    system call of the Linux kernel. A local user could make use of this
    flaw to gain elevated (root) privileges. (CAN-2004-1235)

    iSEC Security Research discovered a flaw in the page fault handler code
    that could lead to local users gaining elevated (root) privileges on
    multiprocessor machines. (CAN-2005-0001)

    All users are advised to upgrade their kernels to the packages
    associated with their machine architectures and configurations as listed
    in this erratum.

    4. Solution:

    Before applying this update, make sure all previously released errata
    relevant to your system have been applied.

    To install kernel packages manually, use "rpm -ivh <package>" and modify
    system settings to boot the kernel you have installed. To do this, edit
    /boot/grub/grub.conf and change the default entry to "default=0" (or, if
    you have chosen to use LILO as your boot loader, edit /etc/lilo.conf and
    run lilo).

    Please note that this update is also available via yum and apt. Many
    people find this an easier way to apply updates. To use yum issue:

    yum update

    or to use apt:

    apt-get update; apt-get upgrade

    This will start an interactive process that will result in the
    appropriate RPMs being upgraded on your system. This assumes that you
    have yum or apt-get configured for obtaining Fedora Legacy content.
    Please visit http://www.fedoralegacy.org/docs for directions on how to
    configure yum and apt-get.

    Note that this may not automatically pull the new kernel in if you have
    configured apt/yum to ignore kernels. If so, follow the manual
    instructions above.

    5. Bug IDs fixed:

    http://bugzilla.fedora.us - bug #2336 - Kernel bugs

    6. RPMs required:

    Red Hat Linux 7.3:

    SRPM:
    http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/kernel-2.4.20-42.7.legacy.src.rpm

    i386:
    http://download.fedoralegacy.org/redhat/7.3/updates/i386/kernel-2.4.20-42.7.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/7.3/updates/i386/kernel-BOOT-2.4.20-42.7.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/7.3/updates/i386/kernel-doc-2.4.20-42.7.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/7.3/updates/i386/kernel-source-2.4.20-42.7.legacy.i386.rpm

    i586:
    http://download.fedoralegacy.org/redhat/7.3/updates/i386/kernel-2.4.20-42.7.legacy.i586.rpm
    http://download.fedoralegacy.org/redhat/7.3/updates/i386/kernel-smp-2.4.20-42.7.legacy.i586.rpm

    i686:
    http://download.fedoralegacy.org/redhat/7.3/updates/i386/kernel-2.4.20-42.7.legacy.i686.rpm
    http://download.fedoralegacy.org/redhat/7.3/updates/i386/kernel-bigmem-2.4.20-42.7.legacy.i686.rpm
    http://download.fedoralegacy.org/redhat/7.3/updates/i386/kernel-smp-2.4.20-42.7.legacy.i686.rpm

    athlon:
    http://download.fedoralegacy.org/redhat/7.3/updates/i386/kernel-2.4.20-42.7.legacy.athlon.rpm
    http://download.fedoralegacy.org/redhat/7.3/updates/i386/kernel-smp-2.4.20-42.7.legacy.athlon.rpm

    Red Hat Linux 9:

    SRPM:
    http://download.fedoralegacy.org/redhat/9/updates/SRPMS/kernel-2.4.20-42.9.legacy.src.rpm

    i386:
    http://download.fedoralegacy.org/redhat/9/updates/i386/kernel-2.4.20-42.9.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/9/updates/i386/kernel-BOOT-2.4.20-42.9.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/9/updates/i386/kernel-doc-2.4.20-42.9.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/9/updates/i386/kernel-source-2.4.20-42.9.legacy.i386.rpm

    i586:
    http://download.fedoralegacy.org/redhat/9/updates/i386/kernel-2.4.20-42.9.legacy.i586.rpm
    http://download.fedoralegacy.org/redhat/9/updates/i386/kernel-smp-2.4.20-42.9.legacy.i586.rpm

    i686:
    http://download.fedoralegacy.org/redhat/9/updates/i386/kernel-2.4.20-42.9.legacy.i686.rpm
    http://download.fedoralegacy.org/redhat/9/updates/i386/kernel-bigmem-2.4.20-42.9.legacy.i686.rpm
    http://download.fedoralegacy.org/redhat/9/updates/i386/kernel-smp-2.4.20-42.9.legacy.i686.rpm

    athlon:
    http://download.fedoralegacy.org/redhat/9/updates/i386/kernel-2.4.20-42.9.legacy.athlon.rpm
    http://download.fedoralegacy.org/redhat/9/updates/i386/kernel-smp-2.4.20-42.9.legacy.athlon.rpm

    Fedora Core 1:

    SRPM:
    http://download.fedoralegacy.org/fedora/1/updates/SRPMS/kernel-2.4.22-1.2199.4.legacy.nptl.src.rpm

    i386:
    http://download.fedoralegacy.org/fedora/1/updates/i386/kernel-BOOT-2.4.22-1.2199.4.legacy.nptl.i386.rpm
    http://download.fedoralegacy.org/fedora/1/updates/i386/kernel-doc-2.4.22-1.2199.4.legacy.nptl.i386.rpm
    http://download.fedoralegacy.org/fedora/1/updates/i386/kernel-source-2.4.22-1.2199.4.legacy.nptl.i386.rpm

    i586:
    http://download.fedoralegacy.org/fedora/1/updates/i386/kernel-2.4.22-1.2199.4.legacy.nptl.i586.rpm
    http://download.fedoralegacy.org/fedora/1/updates/i386/kernel-smp-2.4.22-1.2199.4.legacy.nptl.i586.rpm

    i686:
    http://download.fedoralegacy.org/fedora/1/updates/i386/kernel-2.4.22-1.2199.4.legacy.nptl.i686.rpm
    http://download.fedoralegacy.org/fedora/1/updates/i386/kernel-smp-2.4.22-1.2199.4.legacy.nptl.i686.rpm

    athlon:
    http://download.fedoralegacy.org/fedora/1/updates/i386/kernel-2.4.22-1.2199.4.legacy.nptl.athlon.rpm
    http://download.fedoralegacy.org/fedora/1/updates/i386/kernel-smp-2.4.22-1.2199.4.legacy.nptl.athlon.rpm

    7. Verification:

    These packages are GPG signed by Fedora Legacy for security. Our key is
    available from http://www.fedoralegacy.org/about/security.php

    You can verify each package with the following command:

         rpm --checksig -v <filename>

    If you only wish to verify that each package has not been corrupted or
    tampered with, examine only the sha1sum with the following command:

         sha1sum <filename>

    8. References:

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0177
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0685
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0814
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0883
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0949
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1016
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1017
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1056
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1068
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1070
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1071
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1072
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1073
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1074
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1137
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1234
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1235
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0001

    9. Contact:

    The Fedora Legacy security contact is <secnotice@fedoralegacy.org>. More
    project details at http://www.fedoralegacy.org

    ---------------------------------------------------------------------

    
    


