LinuxQuestions.org

Linux - Security: Kernel Vulns (https://www.linuxquestions.org/questions/linux-security-4/kernel-vulns-399624/)

win32sux 10-07-2006 12:51 AM

Linux Kernel Denial of Service Vulnerabilities (Moderately Critical)
 
Quote:

Description:
Some vulnerabilities have been reported in the Linux Kernel, which can be exploited by malicious, local users and malicious people to cause a DoS (Denial of Service).

1) The "sys_perfmon()" function on Itanium (IA64) systems does not correctly handle file descriptor reference counts, which can be exploited to cause a DoS by consuming all available file descriptors.

2) The "clip_mkip()" function in net/atm/clip.c may dereference a previously freed pointer when processing received data, which can be exploited to cause a kernel panic.

Solution:
Update to version 2.6.18.
Secunia Advisory | CVE-2006-3741 | CVE-2006-4997

win32sux 10-11-2006 07:21 AM

Linux Kernel "clip_mkip()" Denial of Service Vulnerability (Moderately Critical)
 
Quote:

Description:
A vulnerability has been reported in Linux Kernel, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an error in the "clip_mkip()" function in the ATM (Asynchronous Transfer Mode) subsystem and can be exploited to cause a kernel panic.

Successful exploitation requires installed ATM hardware and configured ATM support.

Solution:
The vulnerability has been fixed in version 2.4.34-pre4.
Secunia Advisory | CVE-2006-4997

win32sux 10-13-2006 08:21 PM

Linux 2.6.17.14 has been released
 
It's a maintenance release, but it addresses a security vulnerability:
Quote:

dvb-core: Proper handling ULE SNDU length of 0

ULE (Unidirectional Lightweight Encapsulation RFC 4326) decapsulation
code has a bug that allows an attacker to send a malformed ULE packet
with SNDU length of 0 and bring down the receiving machine. This patch
fixes the bug and has been tested on version 2.6.17.11. This bug is 100%
reproducible and the modified source code (GPL) used to produce this bug
will be posted on http://nrg.cs.usm.my/downloads.htm shortly. The
kernel will produce a dump during CRC32 checking on faulty ULE packet.
ChangeLog | CVE-2006-4623

win32sux 10-14-2006 01:46 AM

Linux 2.6.18.1 has been released
 
It includes a patch for an s390 architecture vulnerability:
Quote:

[S390] user readable uninitialised kernel memory.

A user space program can read uninitialised kernel memory
by appending to a file from a bad address and then reading
the result back. The cause is the copy_from_user function
that does not clear the remaining bytes of the kernel
buffer after it got a fault on the user space address.
ChangeLog | CVE-2006-5174

win32sux 11-01-2006 08:43 AM

Linux Kernel IPv6 Flow Label Denial of Service (Not Critical)
 
Quote:

Description:
A vulnerability has been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

The vulnerability is caused due to an error within the handling of seqfiles for "/proc/net/ip6_flowlabel", which can be exploited to cause kernel lockups and crashes via specially crafted flow labels.

Solution:
Fixed in the GIT repository.
Secunia Advisory | CVE-2006-5619

win32sux 11-03-2006 09:41 PM

Linux 2.6.18.2 has been released
 
It includes many bugfixes, one of which addresses the ip6_flowlabel vulnerability above:
Quote:

IPV6: fix lockup via /proc/net/ip6_flowlabel [CVE-2006-5619]
ChangeLog

win32sux 11-03-2006 09:53 PM

Linux 2.6.16.30 has been released
 
It includes many bugfixes, three of which address security vulnerabilities:
Quote:

[IA64] correct file descriptor reference counting in perfmon (CVE-2006-3741)

[ATM] CLIP: Do not refer freed skbuff in clip_mkip() (CVE-2006-4997)

dvb-core: Proper handling ULE SNDU length of 0 (CVE-2006-4623)
ChangeLog

win32sux 11-06-2006 11:06 AM

Linux Kernel ISO9660 Local Denial of Service (Not Critical)
 
Quote:

Description:
LMH has reported a vulnerability in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

The vulnerability is caused due to race conditions within the implementation of the ISO9660 file system. This can be exploited to cause an infinite loop in the "isofs_get_blocks()" function by mounting a specially crafted ISO9660 image and performing a read operation on the mounted file system.

Solution:
Allow only trusted users to mount ISO9660 images.
Secunia Advisory

win32sux 11-07-2006 12:37 PM

Linux Kernel Fragmented IPv6 Packet Filtering Bypass (Moderately Critical)
 
Quote:

Description:
Some vulnerabilities have been reported in the Linux Kernel, which can be exploited by malicious people to bypass certain security restrictions.

The vulnerabilities are caused due to the incorrect processing of certain fragmented IPv6 packets. This can be exploited to bypass filtering rules by sending specially crafted packets.

Solution:
Fixed in the GIT repository.
Secunia Advisory

win32sux 11-19-2006 04:49 AM

Linux 2.6.16.31/32 (Late Notification)
 
I missed the last two releases for the 2.6.16.y branch. =/

2.6.16.31 was released the 7th, while 2.6.16.32 was released the 15th.

Both releases addressed security vulnerabilities.

For 2.6.16.31:
Quote:

[NETFILTER]: Fix ip6_tables extension header bypass bug (CVE-2006-4572)

As reported by Mark Dowd <Mark_Dowd@McAfee.com>, ip6_tables is susceptible
to a fragmentation attack causing false negatives on extension header
matches.

When extension headers occur in the non-first fragment after the fragment
header (possibly with an incorrect nexthdr value in the fragment header)
a rule looking for this extension header will never match.

Drop fragments that are at offset 0 and don't contain the final protocol
header regardless of the ruleset, since this should not happen normally.
Since all extension headers are before the protocol header this makes sure
an extension header is either not present or in the first fragment, where
we can properly parse it.
Quote:

[NETFILTER]: Fix ip6_tables protocol bypass bug (CVE-2006-4572)

As reported by Mark Dowd <Mark_Dowd@McAfee.com>, ip6_tables is susceptible
to a fragmentation attack causing false negatives on protocol matches.

When the protocol header doesn't follow the fragment header immediately,
the fragment header contains the protocol number of the next extension
header. When the extension header and the protocol header are sent in
a second fragment a rule like "ip6tables .. -p udp -j DROP" will never
match.

Drop fragments that are at offset 0 and don't contain the final protocol
header regardless of the ruleset, since this should not happen normally.
Quote:

[IPV6]: fix lockup via /proc/net/ip6_flowlabel (CVE-2006-5619)

There's a bug in the seqfile handling for /proc/net/ip6_flowlabel, where,
after finding a flowlabel, the code will loop forever not finding any
further flowlabels, first traversing the rest of the hash bucket then just
looping.

This patch fixes the problem by breaking after the hash bucket has been
traversed.

Note that this bug can cause lockups and oopses, and is trivially invoked
by an unprivileged user.
Quote:

[S390] fix user readable uninitialised kernel memory (CVE-2006-5174)

A user space program can read uninitialised kernel memory
by appending to a file from a bad address and then reading
the result back. The cause is the copy_from_user function
that does not clear the remaining bytes of the kernel
buffer after it got a fault on the user space address.
ChangeLog | CVE-2006-4572 | CVE-2006-5619 | CVE-2006-5174

For 2.6.16.32:
Quote:

ia64/sparc: fix local DoS with corrupted ELFs (CVE-2006-4538)

This patch prevents cross-region mappings
on IA64 and SPARC which could lead to system crash.
ChangeLog | CVE-2006-4538
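Added example (not the kernel's code and not part of the changelog) modelling the copy_from_user() contract behind the s390 fix quoted above for 2.6.16.31 and earlier for 2.6.18.1: a copy that faults part-way must still zero the remainder of the kernel buffer, otherwise the write path appends stale kernel memory to the file. The simulated user mapping, the 0xAA "uninitialised" marker and the KBUF_SIZE buffer are constructed for the demonstration.

```c
/* Constructed model of the copy_from_user() contract behind CVE-2006-5174;
 * not kernel code. User memory is simulated by a buffer of which only the
 * first `valid` bytes are readable, so a copy that runs past them "faults". */
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define KBUF_SIZE 16

struct user_mapping {
    const unsigned char *base;   /* start of the simulated user buffer */
    size_t valid;                /* bytes readable before the simulated fault */
};

typedef size_t (*copy_fn)(unsigned char *dst, const struct user_mapping *um, size_t n);

/* Faulting variant: copies what it can and reports the bytes NOT copied,
 * as the real copy_from_user() does, but leaves dst[copied..n) untouched.
 * Whatever the kernel buffer held before now reaches the caller. */
static size_t copy_from_user_buggy(unsigned char *dst, const struct user_mapping *um, size_t n)
{
    size_t copied = n < um->valid ? n : um->valid;
    memcpy(dst, um->base, copied);
    return n - copied;
}

/* Fixed variant: same return value, but the tail of the kernel buffer is
 * zeroed, so a partial fault can never expose stale kernel memory. */
static size_t copy_from_user_fixed(unsigned char *dst, const struct user_mapping *um, size_t n)
{
    size_t copied = n < um->valid ? n : um->valid;
    memcpy(dst, um->base, copied);
    memset(dst + copied, 0, n - copied);
    return n - copied;
}

/* Models the write path in the changelog: the kernel buffer is pre-filled
 * with a marker standing in for leftover kernel data, the copy runs against
 * a user buffer that faults after `user_valid` bytes, and the buffer is
 * appended to the "file" regardless. Returns how many marker bytes the
 * file would receive. */
static size_t leaked_bytes(copy_fn copy, size_t user_valid, size_t request)
{
    unsigned char user_data[KBUF_SIZE], kbuf[KBUF_SIZE];
    struct user_mapping um = { user_data, user_valid < KBUF_SIZE ? user_valid : KBUF_SIZE };
    size_t i, leaked = 0;

    if (request > KBUF_SIZE)
        request = KBUF_SIZE;
    memset(user_data, 'U', sizeof user_data);   /* user bytes never equal the marker */
    memset(kbuf, 0xAA, sizeof kbuf);            /* 0xAA = "uninitialised" kernel bytes */
    (void)copy(kbuf, &um, request);
    for (i = 0; i < request; i++)
        if (kbuf[i] == 0xAA)
            leaked++;
    return leaked;
}

/* Number of bytes the copy reports as not copied (identical for both variants). */
static size_t not_copied(copy_fn copy, size_t user_valid, size_t request)
{
    unsigned char user_data[KBUF_SIZE], kbuf[KBUF_SIZE];
    struct user_mapping um = { user_data, user_valid < KBUF_SIZE ? user_valid : KBUF_SIZE };

    if (request > KBUF_SIZE)
        request = KBUF_SIZE;
    memset(user_data, 'U', sizeof user_data);
    return copy(kbuf, &um, request);
}

int main(void)
{
    printf("buggy: %zu stale bytes written, %zu reported uncopied\n",
           leaked_bytes(copy_from_user_buggy, 4, 16), not_copied(copy_from_user_buggy, 4, 16));
    printf("fixed: %zu stale bytes written, %zu reported uncopied\n",
           leaked_bytes(copy_from_user_fixed, 4, 16), not_copied(copy_from_user_fixed, 4, 16));
    return 0;
}
```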
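Added example (not the kernel's code) of the rule the two ip6_tables commits above describe for CVE-2006-4572: walk the IPv6 header chain and drop any packet at fragment offset 0 whose chain does not reach the final protocol header, so a filter rule cannot be dodged by pushing that header into a later fragment. The packet layouts, the `run` helper and the IP6_DROP/IP6_LATER_FRAGMENT results are constructed for this model; AH and routing headers are left out.

```c
/* Constructed model of the ip6_tables fix quoted above (CVE-2006-4572); not kernel code. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IPV6_HDR_LEN     40
#define NEXTHDR_HOP       0
#define NEXTHDR_UDP      17
#define NEXTHDR_FRAGMENT 44
#define NEXTHDR_DEST     60
enum { IP6_DROP = -1, IP6_LATER_FRAGMENT = -2 };   /* results other than a protocol number */

/* Extension headers with the "Next Header, Hdr Ext Len" layout plus the fixed-size fragment header. */
static int is_ext_hdr(uint8_t nh)
{
    return nh == NEXTHDR_HOP || nh == NEXTHDR_FRAGMENT || nh == NEXTHDR_DEST;
}

/* Walk the chain. Returns the upper-layer protocol when its header is in this packet, IP6_LATER_FRAGMENT
 * for a non-first fragment, or IP6_DROP when a packet at offset 0 ends before the final protocol header. */
static int check_ipv6_chain(const uint8_t *pkt, size_t len)
{
    size_t off = IPV6_HDR_LEN;
    uint8_t nh;

    if (len < IPV6_HDR_LEN)
        return IP6_DROP;                          /* truncated base header */
    nh = pkt[6];                                  /* base header Next Header */
    while (is_ext_hdr(nh)) {
        size_t hdrlen = 8;                        /* fragment header is always 8 octets */
        if (off + 8 > len)                        /* chain points past this packet: header is elsewhere */
            return IP6_DROP;                      /* ...and we are still at offset 0, so drop */
        if (nh == NEXTHDR_FRAGMENT) {
            unsigned frag_off = ((pkt[off + 2] << 8) | pkt[off + 3]) & 0xfff8u;
            if (frag_off != 0)
                return IP6_LATER_FRAGMENT;        /* not at offset 0: the check does not apply */
        } else {
            hdrlen = ((size_t)pkt[off + 1] + 1) * 8;   /* Hdr Ext Len: 8-octet units, minus one */
        }
        nh = pkt[off];
        off += hdrlen;
    }
    return nh;                                    /* final protocol header reached in this packet */
}

/* Build a minimal IPv6 packet around `chain` (zero addresses) and check it. */
static int run(uint8_t first_nh, const uint8_t *chain, size_t n)
{
    uint8_t pkt[128] = { 0x60, 0, 0, 0, 0, 0, 0, 64 };   /* version 6, hop limit 64 */
    pkt[4] = (uint8_t)(n >> 8);                           /* payload length */
    pkt[5] = (uint8_t)n;
    pkt[6] = first_nh;
    memcpy(pkt + IPV6_HDR_LEN, chain, n);
    return check_ipv6_chain(pkt, IPV6_HDR_LEN + n);
}

/* Constructed UDP header: ports 53/53, length 8, checksum 0. */
static const uint8_t UDP_HDR[8] = { 0x00, 0x35, 0x00, 0x35, 0x00, 0x08, 0x00, 0x00 };

/* Unfragmented UDP datagram: chain resolves to 17. */
int case_plain_udp(void)
{
    return run(NEXTHDR_UDP, UDP_HDR, sizeof UDP_HDR);
}

/* First fragment (offset 0, M=1) that still carries the UDP header: resolves to 17. */
int case_first_frag_with_udp(void)
{
    static const uint8_t chain[16] = { NEXTHDR_UDP, 0, 0x00, 0x01, 0xde, 0xad, 0xbe, 0xef,
                                       0x00, 0x35, 0x00, 0x35, 0x00, 0x08, 0x00, 0x00 };
    return run(NEXTHDR_FRAGMENT, chain, sizeof chain);
}

/* The bypass shape from the commit message: the fragment header names a destination-options
 * header that only arrives in the next fragment, so "-p udp" would never match. Dropped. */
int case_first_frag_header_deferred(void)
{
    static const uint8_t chain[8] = { NEXTHDR_DEST, 0, 0x00, 0x01, 0xde, 0xad, 0xbe, 0xef };
    return run(NEXTHDR_FRAGMENT, chain, sizeof chain);
}

/* Non-first fragment (offset field 8 = 8 octets in): the check does not apply. */
int case_later_fragment(void)
{
    static const uint8_t chain[12] = { NEXTHDR_UDP, 0, 0x00, 0x08, 0xde, 0xad, 0xbe, 0xef, 1, 2, 3, 4 };
    return run(NEXTHDR_FRAGMENT, chain, sizeof chain);
}
```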

win32sux 11-19-2006 05:06 AM

Linux 2.6.18.3 has been released.
 
It includes many bugfixes, one of which addresses a security vulnerability:
Quote:

[PATCH] security/seclvl.c: fix time wrap (CVE-2005-4352)

initlvl=2 in seclvl gives the guarantee
"Cannot decrement the system time".

But it was possible to set the time to the maximum unixtime value
(19 Jan 2038) resulting in a wrap to the minimum value.

This patch fixes this by disallowing setting the time to any date
after 2030 with initlvl=2.

This patch does not apply to kernel 2.6.19 since the seclvl module was
already removed in this kernel.
ChangeLog | CVE-2005-4352

win32sux 11-20-2006 02:48 PM

Linux 2.4.33.4 has been released
 
It includes several bugfixes, at least one of which addresses a security vulnerability:
Quote:

Backport fix for CVE-2006-4997 to 2.4 tree
ChangeLog | CVE-2006-4997

win32sux 11-30-2006 12:39 AM

Linux 2.6.18.4 has been released.
 
It consists of a single patch addressing a security vulnerability:
Quote:

[PATCH] bridge: fix possible overflow in get_fdb_entries (CVE-2006-5751)

Make sure to properly clamp maxnum to avoid overflow (CVE-2006-5751).
ChangeLog | CVE-2006-5751


BTW: Seems I once again missed a 2.6.16.y security fix release. 2.6.16.33 was released November 22 and included a patch for CVE-2005-4352.

win32sux 12-09-2006 07:03 AM

Linux Kernel "ip_summed" Memory Corruption Vulnerability (Less Critical)
 
Quote:

Description:
A vulnerability has been reported in the Linux Kernel, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to a memory corruption in drivers/net/tokenring/ibmtr.c, which can be exploited to cause a DoS by sending specially crafted packet to a vulnerable system.

The vulnerability is reported in Linux Kernel 2.6.19.

Solution:
A patch is available in the GIT repository.
Secunia Advisory

win32sux 12-09-2006 07:11 AM

Linux 2.6.16.35 has been released.
 
It includes many bugfixes, one of which addresses a security vulnerability:
Quote:

bridge: fix possible overflow in get_fdb_entries (CVE-2006-5751)

Make sure to properly clamp maxnum to avoid overflow (CVE-2006-5751).
ChangeLog | CVE-2006-5751

win32sux 12-12-2006 05:53 AM

Linux 2.6.19.1 has been released.
 
It includes several bugfixes, one of which addresses a security vulnerability:
Quote:

[PATCH] do_coredump() and not stopping rewrite attacks? (CVE-2006-6304)
Changelog | CVE-2006-6304

win32sux 12-16-2006 05:53 PM

Linux 2.4.33.5 has been released.
 
It consists of a few bugfixes, one of which addresses a security vulnerability:
Quote:

[Bluetooth] Add packet size checks for CAPI messages (CVE-2006-6106)
ChangeLog | CVE-2006-6106

win32sux 12-18-2006 09:52 PM

Linux 2.6.18.6 has been released.
 
It consists of a few bugfixes, one of which addresses a security vulnerability:
Quote:

Bluetooth: Add packet size checks for CAPI messages (CVE-2006-6106)
Changelog | CVE-2006-6106

win32sux 12-19-2006 09:45 PM

Linux 2.4.33.6 has been released.
 
It consists of two bugfixes, one of which addresses a security vulnerability:
Quote:

Fix incorrect user space access locking in mincore() (CVE-2006-4814)
ChangeLog | CVE-2006-4814

win32sux 12-23-2006 04:59 PM

Linux 2.4.33.7 has been released.
 
It consists of a single patch addressing a security vulnerability:
Quote:

Call init_timer() for ISDN PPP CCP reset state timer (CVE-2006-5749)
ChangeLog | CVE-2006-5749

win32sux 01-10-2007 06:16 PM

Linux 2.6.19.2 has been released.
 
It includes many bugfixes, including Linus Torvalds' much anticipated data corruption fix.

Of course, several security issues are also addressed:
Quote:

Bluetooth: Add packet size checks for CAPI messages (CVE-2006-6106)

handle ext3 directory corruption better (CVE-2006-6053)

corrupted cramfs filesystems cause kernel oops (CVE-2006-5823)

ext2: skip pages past number of blocks in ext2_find_entry (CVE-2006-6054)

Fix incorrect user space access locking in mincore() (CVE-2006-4814)
ChangeLog | Tarball | Patch

win32sux 01-27-2007 09:21 PM

Linux 2.6.16.38 has been released (01/20/2007).
 
It includes several bugfixes, at least ten of which address security vulnerabilities:
Quote:

corrupted cramfs filesystems cause kernel oops (CVE-2006-5823)

handle ext3 directory corruption better (CVE-2006-6053)

ext2: skip pages past number of blocks in ext2_find_entry (CVE-2006-6054)

hfs_fill_super returns success even if no root inode (CVE-2006-6056)

x86_64: Don't leak NT bit into next task (CVE-2006-5755)

Bluetooth: Add packet size checks for CAPI messages (CVE-2006-6106)

grow_buffers() infinite loop fix (CVE-2006-5757/CVE-2006-6060)

i386: save/restore eflags in context switch (CVE-2006-5173)

Call init_timer() for ISDN PPP CCP reset state timer (CVE-2006-5749)

Fix incorrect user space access locking in mincore() (CVE-2006-4814)

win32sux 01-31-2007 04:28 PM

Linux Kernel "listxattr" Memory Corruption Vulnerability (Less Critical)
 
Quote:

Description:
A vulnerability has been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service) or potentially gain escalated privileges.

The vulnerability is caused due to an error within the "listxattr" system call when interpreting "bad_inode_ops" return values, which can be exploited to cause a memory corruption.

Successful exploitation requires a bad inode.

Solution:
The vulnerability is fixed in version 2.6.20-rc4.
Secunia Advisory | CVE-2006-5753

win32sux 02-13-2007 10:25 PM

Linux Kernel "key_alloc_serial()" Denial of Service (Not Critical)
 
Quote:

A vulnerability has been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

The vulnerability is caused due to a NULL pointer dereference within the "key_alloc_serial()" function, which can be exploited to crash the Kernel.
Secunia Advisory | CVE-2007-0006

win32sux 02-20-2007 04:54 AM

Linux 2.6.20.1 has been released.
 
It consists of a single patch over 2.6.20, addressing a security issue.
Quote:

[PATCH] Fix a free-wrong-pointer bug in nfs/acl server (CVE-2007-0772)

Due to type confusion, when an nfsacl version 2 'ACCESS' request
finishes and tries to clean up, it calls fh_put on entirely the
wrong thing and this can cause an oops.
ChangeLog | CVE-2007-0772 | Secunia Advisory


NOTE: The 2.6.18.y and 2.6.19.y branches also patched for this issue:

ChangeLog for 2.6.18.7 | ChangeLog for 2.6.19.4

win32sux 02-24-2007 07:45 PM

Linux 2.6.18.8 has been released.
 
It addresses several security vulnerabilities, and it's likely to be the last patch to hit 2.6.18.y unless something extremely serious comes up.

Quote:

grow_buffers() infinite loop fix (CVE-2006-5757, CVE-2006-6060)

hfs_fill_super returns success even if no root inode (CVE-2006-6056)

Fix incorrect user space access locking in mincore() (CVE-2006-4814)
ChangeLog was not available at the time of this post, but should be here when it is.

win32sux 03-02-2007 05:06 PM

Linux 2.6.16.42 has been released.
 
It happened last week, but it slipped by me. =/

It includes several bugfixes, including three for security vulnerabilities.
Quote:

fix bad_inode_ops memory corruption (CVE-2006-5753)

Fix a free-wrong-pointer bug in nfs/acl server (CVE-2007-0772)

Keys: Fix key serial number collision handling (CVE-2007-0006)
ChangeLog | Patch

win32sux 03-05-2007 04:08 PM

Linux 2.6.19.6 has been released.
 
It includes several bugfixes, one of which addresses a security vulnerability. This is quite likely the last 2.6.19.y release, unless something extremely serious is found.
Quote:

fix memory corruption from misinterpreted bad_inode_ops return values (CVE-2006-5753)
ChangeLog | Patch

NOTE: A few hours after, 2.6.19.7 was released, addressing a few issues which slipped past the -stable team. It does not appear to address any vulnerabilities. The ChangeLog for it is here.

win32sux 03-08-2007 08:12 PM

Linux Kernel Omnikey CardMan 4040 Driver Buffer Overflow (Not Critical)
 
Quote:

Description:
A vulnerability has been reported in the Linux Kernel, which potentially can be exploited by malicious, local users to cause a DoS (Denial of Service) or gain escalated privileges.

The vulnerability is caused due to boundary errors within the "read()" and "write()" functions of the Omnikey CardMan 4040 driver. This can be exploited to cause a buffer overflow and may allow the execution of arbitrary code with kernel privileges.

The vulnerability is reported in versions prior to 2.6.21-rc3.
Secunia Advisory

win32sux 03-09-2007 04:10 PM

Linux 2.6.20.2 has been released.
 
It includes a ton of bugfixes, two of which address security vulnerabilities.
Quote:

IPV6: Handle np->opt being NULL in ipv6_getsockopt_sticky() [CVE-2007-1000]

Fix buffer overflow in Omnikey CardMan 4040 driver (CVE-2007-0005)
ChangeLog | Patch

win32sux 03-14-2007 03:05 PM

Linux Kernel NULL Pointer Dereferences and Security Bypass
 
Quote:

Description:
Some vulnerabilities have been reported in the Linux Kernel, which potentially can be exploited by malicious people to bypass certain security restrictions or cause a DoS (Denial of Service).

1) NULL pointer dereferences within net/netfilter/nfnetlink_log.c can potentially be exploited to cause a kernel panic by sending specially crafted packets to a vulnerable system.

2) An error exists within conntrack when assembling fragmented IPv6 packets. This can potentially be exploited to bypass certain rulesets that accept ESTABLISHED packets early.

Solution:
Update to version 2.6.20.3.
Secunia Advisory

win32sux 03-23-2007 01:53 PM

Linux Kernel "ipv6_fl_socklist" Denial of Service (Less Critical)
 
Quote:

Description:
A vulnerability has been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

The vulnerability is caused due to listening IPv6 TCP sockets incorrectly sharing the "ipv6_fl_socklist" IPv6 flowlist with child sockets. This can be exploited to e.g. cause a kernel crash by performing certain actions on IPv6 TCP sockets.
Secunia Advisory | CVE-2007-1592

win32sux 04-10-2007 11:40 AM

Linux Kernel "atalk_sum_skb()" AppleTalk Denial of Service (Less Critical)
 
Quote:

Description:
A vulnerability has been reported in the Linux Kernel, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an error within the "atalk_sum_skb()" function when creating the checksum of an AppleTalk frame that is shorter than specified in the header. This can be exploited to trigger a "BUG_ON" condition by sending a specially crafted AppleTalk frame to a vulnerable system.

Successful exploitation requires that the AppleTalk kernel module is loaded.

Solution:
Update to version 2.6.20.5.
Secunia Advisory

win32sux 04-25-2007 11:16 PM

Linux Kernel "L2CAP" and "HCI" Information Disclosure (Not Critical)
 
Quote:

Description:
Two weaknesses have been reported in the Linux Kernel, which can be exploited by malicious, local users to disclose potential sensitive information.

The weaknesses are caused due to uninitialised variables within the "hci_sock_setsockopt()" function in net/bluetooth/hci_sock.c and the "l2cap_sock_setsockopt()" function in net/bluetooth/l2cap.c and can potentially be exploited to disclose uninitialised bytes of the kernel stack.

The weaknesses are reported in versions prior to 2.4.34.3.

Solution:
Update to version 2.4.34.3.
Secunia Advisory | CVE-2007-1353

win32sux 04-30-2007 11:34 AM

Linux Kernel IPv6 Type 0 Route Headers Denial of Service (Moderately Critical)
 
Quote:

Description:
A security issue has been reported in the Linux Kernel, which can be exploited by malicious people to cause a DoS (Denial of Service).

The security issue is caused due to an error within the processing of packets with IPv6 type 0 route headers. This can be exploited to cause a DoS due to high network traffic by sending specially crafted IPv6 packets to vulnerable systems.

Solution:
Update to version 2.6.20.9 or 2.6.21.
Secunia Advisory | CVE-2007-2242

win32sux 05-01-2007 01:01 PM

Linux Kernel netlink NETLINK_FIB_LOOKUP Denial of Service (Not Critical)
 
Quote:

Description:
A vulnerability has been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

The vulnerability is caused due to an error within the handling of NETLINK_FIB_LOOKUP reply messages. This can be exploited to cause an infinite recursion, which could result in a stack overflow.

The vulnerability is reported in versions prior to 2.6.20.8. Other versions may also be affected.

Solution:
Update to version 2.6.20.8.
Secunia Advisory

win32sux 05-08-2007 08:30 AM

Linux Kernel PPPoE Socket "PPPIOCGCHAN" Denial of Service (Not Critical)
 
Quote:

Description:
A vulnerability has been reported in the Linux Kernel, which potentially can be exploited by malicious, local users to cause a DoS (Denial of Service).

The vulnerability is caused due to a memory leak when releasing PPPoE sockets after they are connected, but before the "PPPIOCGCHAN" ioctl is called. This can be exploited to cause a DoS due to memory exhaustion.

The vulnerability is reported in versions prior to 2.6.21-git8. Other versions may also be affected.

Solution:
Update to version 2.6.21-git8.
Secunia Advisory

win32sux 05-24-2007 05:17 PM

Linux 2.6.21.3 has been released.
 
It addresses a GEODE-AES security vulnerability.
Quote:

[PATCH] GEODE-AES: Allow in-place operations [CVE-2007-2451]

Allow in-place crypto operations. Also remove the coherent user flag
(we use it automagically now), and by default use the user written
key rather than the HW hidden key - this makes crypto just work without
any special considerations, and that's OK, since it's our only usage
model.
ChangeLog is here.

win32sux 06-01-2007 10:45 AM

Linux Kernel VFAT IOCTLs Denial of Service (Not Critical)
 
Quote:

Description:
A security issue has been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

The security issue is caused due to an error within the handling of certain VFAT IOCTLs on 64bit systems, which can be exploited to crash the kernel by calling certain IOCTLs with malicious parameters.

Successful exploitation requires a 64bit-system and vfat and msdos file systems.

Solution:
Update to version 2.6.21.2.
Secunia Advisory | CVE-2007-2878

win32sux 06-08-2007 05:10 AM

Linux 2.6.21.4 has been released.
 
It is purely a security-fix update, addressing a few vulnerabilities.

Quote:

[PATCH] NETFILTER: {ip, nf}_conntrack_sctp: fix remotely triggerable NULL ptr dereference (CVE-2007-2876)

[PATCH] cpuset: prevent information leak in cpuset_tasks_read (CVE-2007-2875)

[PATCH] random: fix error in entropy extraction (CVE-2007-2453 1 of 2)

[PATCH] random: fix seeding with zero entropy (CVE-2007-2453 2 of 2)
ChangeLog | Secunia Advisory

win32sux 07-02-2007 07:43 AM

Linux Kernel USBLCD Driver Out of Memory Denial of Service (Not Critical)
 
Quote:

Description:
A security issue has been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

The USBLCD driver does not limit the memory consumption during writes to the device. This can be exploited to cause an out-of-memory condition by writing a large amount of data to an affected device.

Successful exploitation requires write access to a device using the driver.

Solution:
The vulnerability is fixed in version 2.6.22-rc7.
Secunia Advisory

win32sux 07-09-2007 11:29 AM

Linux Kernel "decode_choices()" Denial of Service (Moderately Critical)
 
Quote:

Description:
Zhongling Wen has reported a vulnerability in the Linux Kernel, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an error within the "decode_choice()" function in net/netfilter/bf_conntrack_h323_asn1.c when handling choices that are still encoded in the fixed-size bitfield. This can be exploited to cause an access to undefined types, resulting in a crash.

Solution:
Update to version 2.6.21.6, 2.6.20.15, or 2.6.22.
Secunia Advisory

win32sux 07-10-2007 01:57 PM

Linux Kernel Multiple Denial of Service Vulnerabilities (Moderately Critical)
 
The above advisory has been updated by Secunia.
Quote:

Description:
Some vulnerabilities have been reported in the Linux Kernel, which can be exploited by malicious, local users and malicious people to cause a DoS (Denial of Service).

1) A vulnerability is caused due to an error within the "decode_choice()" function in net/netfilter/bf_conntrack_h323_asn1.c when handling choices that are still encoded in the fixed-size bitfield. This can be exploited to cause access to undefined types, resulting in a crash.

2) A vulnerability is caused due to the Kernel clearing the MSR bits after copying the state into the thread_struct. This can be exploited to cause corruption of the floating point state after returning from signal handlers, resulting in a DoS.

Successful exploitation requires a PowerPC based architecture.

Solution:
Vulnerability #1: Update to version 2.6.21.6, 2.6.20.15, or 2.6.22.
Vulnerability #2: Update to version 2.6.22.
Secunia Advisory | CVE-2007-3107

win32sux 07-10-2007 04:11 PM

Linux 2.6.22.1 has been released.
 
Two days after the release of 2.6.22, a security update is available.
Quote:

NETFILTER: {ip, nf}_conntrack_sctp: fix remotely triggerable NULL ptr dereference (CVE-2007-2876)

When creating a new connection by sending an unknown chunk type, we
don't transition to a valid state, causing a NULL pointer dereference in
sctp_packet when accessing sctp_timeouts[SCTP_CONNTRACK_NONE].

Fix by not creating a new conntrack entry if the initial state is invalid.
ChangeLog | Patch

win32sux 08-07-2007 01:17 PM

Linux Kernel AACRAID Driver IOCTL Security Bypass (Less Critical)
 
Quote:

Description:
A security issue has been reported in the Linux Kernel, which can be exploited by malicious, local users to bypass certain security restrictions.

The security issue is caused due to the AACRAID driver not correctly checking the privileges for IOCTLs. This can be exploited to perform potentially dangerous operations by sending certain IOCTLs to the driver.

The security issue is reported in versions prior to 2.6.23-rc2. Other versions may also be affected.

Solution:
Update to version 2.6.23-rc2.
Secunia Advisory

win32sux 08-09-2007 07:07 PM

Linux 2.6.22.2 has been released.
 
It includes a patch for a security vulnerability.
Quote:

drm/i915: Fix i965 secured batchbuffer usage (CVE-2007-3851)

The 965G and above chipsets moved the batch buffer non-secure bits to
another place. This means that previous drm's allowed insecure batchbuffers
to be submitted to the hardware from non-privileged users who are logged
into X and have access to direct rendering.
ChangeLog | CVE-2007-3851

win32sux 08-09-2007 07:09 PM

Linux Kernel CIFS Signing Options Weakness (Not Critical)
 
Quote:

Description:
A weakness has been reported in the Linux Kernel, which potentially can be exploited by malicious people to bypass certain security restrictions.

The weakness is caused due to the Linux Kernel not correctly enforcing the defined signing options when mounting a CIFS file system. This may weaken the security and can be leveraged to perform further attacks.

Solution:
The weakness is fixed in version 2.6.23-rc1.
Secunia Advisory | CVE-2007-3843

win32sux 08-15-2007 01:30 PM

Linux 2.6.22.3 has been released.
 
It includes several bugfixes, one of which addresses a security vulnerability.
Quote:

random: fix bound check ordering (CVE-2007-3105)

If root raised the default wakeup threshold over the size of the
output pool, the pool transfer function could overflow the stack with
RNG bytes, causing a DoS or potential privilege escalation.
ChangeLog | CVE-2007-3105

win32sux 08-21-2007 06:13 PM

Linux 2.6.22.4 has been released.
 
It solely consists of a patch for a security vulnerability:
Quote:

Reset current->pdeath_signal on SUID binary execution (CVE-2007-3848)

This fixes a vulnerability in the "parent process death signal"
implementation discovered by Wojciech Purczynski of COSEINC PTE Ltd.
and iSEC Security Research.
ChangeLog | CVE-2007-3848

win32sux 09-21-2007 07:26 PM

Linux 2.6.22.7 has been released.
 
It solely consists of a patch for an x86_64 security vulnerability.
Quote:

[PATCH] x86_64: Zero extend all registers after ptrace in 32bit entry path.

Strictly it's only needed for eax.

It actually does a little more than strictly needed -- the other registers
are already zero extended.

Also remove the now unnecessary and non functional compat task check
in ptrace.
ChangeLog | CVE-2007-4573
