Kernel Vulns (LinuxQuestions.org, Linux - Security forum: https://www.linuxquestions.org/questions/linux-security-4/kernel-vulns-399624/)

win32sux 05-31-2006 12:43 PM

Linux Kernel SMP "/proc" Race Condition Denial of Service (Not Critical)
 
Quote:

Description:
Tony Griffiths has reported a vulnerability in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

The vulnerability is caused due to a memory corruption error in the "dentry_unused" list within the "prune_dcache()" function. This can be exploited to crash the kernel when running on SMP hardware by causing a race condition such that one or more tasks exit while another task is reading their /proc entries.

The vulnerability has been reported in versions 2.6.15 through 2.6.17. Other versions may also be affected.

Solution:
Grant only trusted users access to affected systems.

Secunia is currently not aware of an official version addressing this.
Secunia Advisory

This is CVE-2006-2629.

win32sux 06-20-2006 12:17 PM

Linux 2.6.16.21 and 2.6.17.1 have been released. Both releases address security issues.

Regarding 2.6.16.21:

The ChangeLog shows it consists of 4 patches, 3 of which have CVE IDs:

Quote:

[PATCH] xt_sctp: fix endless loop caused by 0 chunk length
This is CVE-2006-3085.

Quote:

[PATCH] run_posix_cpu_timers: remove a bogus BUG_ON()
This is CVE-2006-2445.

Quote:

[PATCH] powerpc: Fix machine check problem on 32-bit kernels
This is CVE-2006-2448.



Regarding 2.6.17.1:

The ChangeLog shows it consists of a patch for CVE-2006-3085:

Quote:

[PATCH] xt_sctp: fix endless loop caused by 0 chunk length
Secunia Advisory

win32sux 06-30-2006 05:58 PM

Linux 2.6.16.23 and 2.6.17.3 have been released.

Both releases address a Netfilter vulnerability:
Quote:

NETFILTER: SCTP conntrack: fix crash triggered by packet without chunks

When a packet without any chunks is received, the newconntrack variable
in sctp_packet contains an out of bounds value that is used to look up a
pointer from the array of timeouts, which is then dereferenced, resulting
in a crash.
This is CVE-2006-2934.

ChangeLogs: 2.6.16.23, 2.6.17.3.
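The conntrack crash above comes from indexing a timeout table with a value that was never validated. As an added illustration (not the kernel's SCTP conntrack code and not something the poster provided), the following C program uses a constructed state enum, a constructed timeout table and hypothetical function names to show the defensive pattern: a packet with no chunks yields a sentinel state, and the lookup rejects anything outside the table's bounds instead of dereferencing garbage.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical connection-tracking states for an SCTP-like association
 * (constructed for this example; not the kernel's enum). */
enum sctp_ct_state {
    SCTP_CT_NONE = 0,
    SCTP_CT_COOKIE_WAIT,
    SCTP_CT_COOKIE_ECHOED,
    SCTP_CT_ESTABLISHED,
    SCTP_CT_SHUTDOWN_SENT,
    SCTP_CT_SHUTDOWN_RECD,
    SCTP_CT_SHUTDOWN_ACK_SENT,
    SCTP_CT_MAX                 /* one past the last valid state */
};

/* Constructed per-state timeouts in seconds; exactly one slot per state. */
static const unsigned int sctp_ct_timeouts[SCTP_CT_MAX] = {
    [SCTP_CT_NONE]              = 0,
    [SCTP_CT_COOKIE_WAIT]       = 3,
    [SCTP_CT_COOKIE_ECHOED]     = 3,
    [SCTP_CT_ESTABLISHED]       = 432000,
    [SCTP_CT_SHUTDOWN_SENT]     = 1,
    [SCTP_CT_SHUTDOWN_RECD]     = 1,
    [SCTP_CT_SHUTDOWN_ACK_SENT] = 3,
};

/* Value the chunk walker hands back when a packet carries no chunks:
 * there is nothing to derive a state transition from. */
#define SCTP_CT_INVALID (-1)

/* Hypothetical chunk walk: real code consults a state table per chunk;
 * here the association simply keeps its current state when chunks exist. */
int sctp_ct_new_state(size_t nchunks, int current_state)
{
    if (nchunks == 0)
        return SCTP_CT_INVALID;
    return current_state;
}

/* Bounds-checked lookup: returns the timeout, or -1 for any index outside
 * [0, SCTP_CT_MAX), so an invalid state never reaches the table. */
long sctp_ct_timeout(int state)
{
    if (state < 0 || state >= SCTP_CT_MAX)
        return -1;
    return (long)sctp_ct_timeouts[state];
}

/* One packet through the tracker: returns the timeout to arm, or -1 meaning
 * "drop the packet". An unchecked version would index the table with -1. */
long sctp_ct_process(size_t nchunks, int current_state)
{
    return sctp_ct_timeout(sctp_ct_new_state(nchunks, current_state));
}

int main(void)
{
    printf("packet with 2 chunks: timeout %ld s\n",
           sctp_ct_process(2, SCTP_CT_ESTABLISHED));
    printf("packet with 0 chunks: result %ld (dropped)\n",
           sctp_ct_process(0, SCTP_CT_ESTABLISHED));
    return 0;
}
```

The check lives in the lookup itself rather than at each call site, so every path that derives an index from packet contents gets the same protection.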

win32sux 07-07-2006 05:30 AM

Linux 2.6.16.24 and 2.6.17.4 have been released.

Both releases address a core dump handling vulnerability:
Quote:

fix prctl privilege escalation and suid_dumpable

During security research, Red Hat discovered a behavioral flaw in core
dump handling. A local user could create a program that would cause a
core file to be dumped into a directory they would not normally have
permissions to write to. This could lead to a denial of service (disk
consumption), or allow the local user to gain root privileges.
This is CVE-2006-2451.

ChangeLogs: 2.6.16.24, 2.6.17.4.

win32sux 07-14-2006 11:43 PM

Linux 2.6.16.25 and 2.6.17.5 have been released.

Both releases address a /proc vulnerability:
Quote:

Fix nasty /proc vulnerability

We have a bad interaction with both the kernel and user space being able
to change some of the /proc file status. This fixes the most obvious
part of it, but I expect we'll also make it harder for users to modify
even their "own" files in /proc.
This is CVE-2006-3626.

ChangeLogs: 2.6.16.25, 2.6.17.5.


UPDATE: Linux 2.6.16.26 and 2.6.17.6 were released shortly after, to relax the /proc fix a bit. Because this patch isn't in and of itself a vulnerability fix, I will not be making a new post for it (this thread is only for vulnerabilities, not just any bugfixes).
Quote:

Clearing all of i_mode was a bit draconian. We only really care about
S_ISUID/ISGID, after all.
ChangeLogs: 2.6.16.26, 2.6.17.6.

win32sux 07-19-2006 07:07 AM

Linux 2.6.16.27 has been released.

It's three patches, one of which addresses a security vulnerability:
Quote:

USB serial ftdi_sio: Prevent userspace DoS

This patch limits the amount of outstanding 'write' data that can be
queued up for the ftdi_sio driver, to prevent userspace DoS attacks (or
simple accidents) that use up all the system memory by writing lots of
data to the serial port.
This is CVE-2006-2936.

ChangeLog: 2.6.16.27.

win32sux 07-24-2006 11:00 PM

Linux 2.6.17.7 has been released.

It consists of many patches, one of which addresses a security vulnerability:
Quote:

USB serial ftdi_sio: Prevent userspace DoS

This patch limits the amount of outstanding 'write' data that can be
queued up for the ftdi_sio driver, to prevent userspace DoS attacks (or
simple accidents) that use up all the system memory by writing lots of
data to the serial port.
This is CVE-2006-2936 (this was patched in 2.6.16.y over a week ago).

ChangeLog: 2.6.17.7.
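The ftdi_sio fix quoted in this post and the previous one is a resource quota: cap the bytes a writer may have in flight so a process writing endlessly to the port cannot exhaust kernel memory. As an added example that is not the driver's code, this C program models that accounting with hypothetical names and a constructed limit, including the completion path that frees quota once the hardware drains data.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical cap on bytes a single port may have queued but not yet
 * transmitted (constructed for this example). */
#define WRITE_QUEUE_LIMIT 8192

struct write_queue {
    size_t outstanding;   /* bytes accepted from user space, not yet drained */
    size_t limit;         /* hard ceiling on outstanding */
};

void write_queue_init(struct write_queue *q, size_t limit)
{
    q->outstanding = 0;
    q->limit = limit;
}

/* Accept as much of a len-byte write as the quota allows. Returns the bytes
 * accepted: a short count when only part fits, 0 when nothing fits (a driver
 * would block or return -EAGAIN here instead of allocating more memory). */
size_t write_queue_submit(struct write_queue *q, size_t len)
{
    size_t room = q->limit - q->outstanding;
    if (len > room)
        len = room;
    q->outstanding += len;
    return len;
}

/* Completion path: the hardware (or its URB callback) drained len bytes.
 * The clamp keeps a buggy double-completion from underflowing the counter. */
void write_queue_complete(struct write_queue *q, size_t len)
{
    if (len > q->outstanding)
        len = q->outstanding;
    q->outstanding -= len;
}

/* Simulate a writer that floods the port with chunk-byte writes and never
 * waits for completions; returns the total the queue accepted. */
size_t simulate_flood(size_t chunk, size_t attempts)
{
    struct write_queue q;
    size_t accepted = 0;
    write_queue_init(&q, WRITE_QUEUE_LIMIT);
    for (size_t i = 0; i < attempts; i++) {
        size_t n = write_queue_submit(&q, chunk);
        if (n == 0)
            break;        /* quota exhausted: writer waits, memory stays bounded */
        accepted += n;
    }
    return accepted;
}

int main(void)
{
    printf("flood of 1000 x 4096 bytes: queue holds %zu bytes\n",
           simulate_flood(4096, 1000));
    return 0;
}
```

Whatever the writer does, `outstanding` never exceeds `limit`, which is the property the patch adds; the unbounded version would grow the queue with every write.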

win32sux 08-07-2006 12:46 PM

Linux Kernel Ext3 Invalid Inode Number Denial of Service
 
Quote:

James McKenzie has reported a vulnerability in Linux Kernel, which can be exploited by malicious users to cause a DoS (Denial of Service).

The vulnerability is caused due to an error in ext3 when handling an invalid inode number. This can be exploited by sending a specially crafted NFS request with a V2 procedure (e.g. V2_LOOKUP) that specifies an invalid inode number.

Successful exploitation causes the exported directory to be remounted read-only.

The vulnerability has been reported in versions 2.6.14.4, 2.6.17.6, and 2.6.17.7. Other versions may also be affected.
Secunia Advisory | CVE-2006-3468

NOTE: It seems like 2.6.17.8 addresses this, but it's not entirely clear whether the patch is a temporary workaround or a permanent fix.

win32sux 08-11-2006 01:56 PM

Linux 2.4.33 has been released.

It consists of a great deal of maintenance patches over 2.4.32, several of which address security vulnerabilities. Here's the essence, as far as patches with CVE IDs are concerned:

Quote:

[NETFILTER]: Fix do_add_counters race, possible oops or info leak (CVE-2006-0039)
Quote:

[SCTP]: Validate the parameter length in HB-ACK chunk. (CVE-2006-1857)
Quote:

[SCTP]: Respect the real chunk length when walking parameters. (CVE-2006-1858)
Quote:

smbfs chroot issue (CVE-2006-1864)
Quote:

[SCTP]: Fix state table entries for chunks received in CLOSED state. (CVE-2006-2271)
Quote:

[SCTP]: Fix panics when receiving fragmented SCTP control chunks. (CVE-2006-2272)
Quote:

[IPV4]: ip_route_input panic fix (CVE-2006-1525)
Quote:

[SCTP]: Prevent possible infinite recursion with multiple bundled DATA. (CVE-2006-2274)
Quote:

fix shm mprotect (CVE-2006-1524)
Quote:

orinoco: CVE-2005-3180: Information leakage due to incorrect padding
Quote:

Backport of CVE-2005-2709 fix
Quote:

x86-64: user code panics kernel in exec.c (CVE-2005-2708)
Quote:

Fix sendmsg overflow (CVE-2005-2490)
The complete ChangeLog is here.

NOTE: I realize it might be a little odd to see the 2.4.x kernel make it into this thread. But considering that 2.4.x is still in such wide use, I feel it's important we post vulnerability reports for it also. Furthermore, the release of 2.4.33 seems like the perfect time to start doing so IMHO.

win32sux 08-17-2006 07:39 PM

Linux Kernel UDF Truncation Denial of Service (Not Critical)
 
Quote:

Description:
Colin reported a vulnerability in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

The vulnerability is caused due to an error in UDF and can be exploited to cause the system to stop responding by truncating certain files.

Solution:
Restrict access to UDF partitions to trusted users only.
Secunia Advisory | CVE-2006-4145

win32sux 08-18-2006 12:38 PM

Linux 2.6.17.9 has been released.

It consists of a single patch for a PowerPC vulnerability:
Quote:

Clear HID0[en_attn] at CPU init time on PPC970.
CVE-2006-4093 | ChangeLog

win32sux 08-19-2006 09:28 PM

Linux 2.4.33.1 has been released.

It includes a patch for the PowerPC vulnerability, as well as one for CVE-2006-1528.

The ChangeLog is here.

win32sux 08-22-2006 06:15 PM

Linux 2.4.33.2 has been released.

It includes a patch for CVE-2006-3745 (SCTP local privilege elevation).

The ChangeLog is here.

win32sux 08-22-2006 06:20 PM

Linux 2.6.17.10 has been released.

It consists of three patches, two of which have CVE IDs:
Quote:

Fix possible UDF deadlock and memory corruption

UDF code is not really ready to handle extents larger than 1GB. This is
the easy way to forbid creating those.

Also truncation code did not account for the case when there are no
extents in the file and we are extending the file.
This is CVE-2006-4145.

Quote:

Fix sctp privilege elevation

sctp_make_abort_user() now takes the msg_len along with the msg
so that we don't have to recalculate the bytes in iovec.
It also uses memcpy_fromiovec() so that we don't go beyond the
length allocated.

It is good to have this fix even if verify_iovec() is fixed to
return error on overflow.
This is CVE-2006-3745.

The 2.6.17.10 ChangeLog is here.


UPDATE: Linux 2.6.17.11 has been released, but because it doesn't seem to include any fixes for security vulnerabilities, a new post here isn't warranted.
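The sctp_make_abort_user() fix quoted above rests on two ideas: decide the payload length once instead of recomputing it from the iovec, and copy with a routine that stops at the allocated length. As an added example that is not the kernel's code, this C program implements both with a hypothetical iovec type and hypothetical function names, plus an overflow-checked length sum standing in for what verify_iovec() is meant to guarantee.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for struct iovec (constructed for this example). */
struct iovec_like {
    const unsigned char *base;
    size_t len;
};

/* Sum the segment lengths, refusing any total that would wrap size_t.
 * Returns 0 on success, -1 on overflow. */
int iov_total_len(const struct iovec_like *iov, size_t cnt, size_t *total)
{
    size_t sum = 0;
    for (size_t i = 0; i < cnt; i++) {
        if (iov[i].len > SIZE_MAX - sum)
            return -1;            /* a wrapped sum would under-allocate */
        sum += iov[i].len;
    }
    *total = sum;
    return 0;
}

/* Gather at most dst_len bytes from the segments into dst. Returns bytes
 * copied; never more than dst_len no matter what the iovec claims. */
size_t copy_from_iov_bounded(unsigned char *dst, size_t dst_len,
                             const struct iovec_like *iov, size_t cnt)
{
    size_t copied = 0;
    for (size_t i = 0; i < cnt && copied < dst_len; i++) {
        size_t n = iov[i].len;
        if (n > dst_len - copied)
            n = dst_len - copied; /* clamp the last segment to what is left */
        memcpy(dst + copied, iov[i].base, n);
        copied += n;
    }
    return copied;
}

/* Build an abort-style payload: msg_len was fixed by the caller, out was
 * allocated to out_len, and the copy is bounded by the smaller of the two. */
size_t build_abort_payload(unsigned char *out, size_t out_len,
                           const struct iovec_like *iov, size_t cnt,
                           size_t msg_len)
{
    if (msg_len > out_len)
        msg_len = out_len;        /* never trust a length larger than the allocation */
    return copy_from_iov_bounded(out, msg_len, iov, cnt);
}

int main(void)
{
    /* Constructed input: two segments totalling 10 bytes, an 8-byte buffer. */
    unsigned char a[] = "hello", b[] = "world";
    struct iovec_like iov[2] = { { a, 5 }, { b, 5 } };
    unsigned char out[8] = { 0 };
    size_t n = build_abort_payload(out, sizeof out, iov, 2, 10);
    printf("copied %zu of 10 requested bytes: %.8s\n", n, out);
    return 0;
}
```

The copy helper takes the destination size as a parameter, so the bound travels with the buffer rather than being recomputed from caller-controlled segment lengths.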

win32sux 08-26-2006 07:10 PM

Linux 2.6.16.28 has been released.

It consists of several bugfixes, four of which address security vulnerabilities.

From the ChangeLog:
Quote:

Security fixes since 2.6.16.27:
- CVE-2006-2935: cdrom: fix bad cgc.buflen assignment
- CVE-2006-3745: Fix sctp privilege elevation
- CVE-2006-4093: powerpc: Clear HID0 attention enable on PPC970 at boot time
- CVE-2006-4145: Fix possible UDF deadlock and memory corruption

