LinuxQuestions.org - Linux - Security - Kernel Vulns
https://www.linuxquestions.org/questions/linux-security-4/kernel-vulns-399624/

win32sux 09-25-2007 01:19 PM

Linux 2.6.22.8 has been released.
 
It consists of one patch for a security vulnerability.
Quote:

Convert snd-page-alloc proc file to use seq_file (CVE-2007-4571)

changeset ccec6e2c4a74adf76ed4e2478091a311b1806212 in mainline.

Use seq_file for the proc file read/write of snd-page-alloc module.
This automatically fixes bugs in the old proc code.
ChangeLog | CVE-2007-4571

win32sux 09-25-2007 01:24 PM

Linux Kernel ptrace Single Step "CS" Null Pointer Dereference (Not Critical)
 
Quote:

Description:
Evan Teran has reported a security issue in the Linux kernel, which potentially can be exploited by malicious, local users to cause a DoS (Denial of Service).

The vulnerability is caused due to an error in ptrace when single-stepping a debugged child process with invalid values in the "CS" register, which can be exploited to cause a kernel oops.

Solution:
Fixed in the GIT repository.
Secunia Advisory | CVE-2007-3731

win32sux 11-08-2007 02:02 PM

Linux Kernel "ieee80211_rx()" Denial of Service Vulnerability (Less Critical)
 
Quote:

Description:
A vulnerability has been reported in the Linux Kernel, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an off-by-two error within the function "ieee80211_rx()" in net/ieee80211/ieee80211_rx.c. This can be exploited to cause a kernel panic by sending a specially crafted ieee80211 frame with the IEEE80211_STYPE_QOS_DATA flag set to an affected system.

The vulnerability is reported in versions prior to 2.6.23.

Solution:
Update to version 2.6.23.
Secunia Advisory | CVE-2007-4997

win32sux 11-15-2007 08:08 PM

Linux Kernel CIFS "SendReceive()" Buffer Overflow (Less Critical)
 
Quote:

Description:
A vulnerability has been reported in the Linux Kernel, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.

The vulnerability is caused due to the "SendReceive()" function in fs/cifs/transport.c assuming wrong buffer sizes. This can be exploited to cause a buffer overflow by sending specially crafted responses to a vulnerable system.

Successful exploitation may require that a malicious server is used to mount a CIFS share.

The vulnerability is reported in version 2.6.23. Other versions may also be affected.

Solution:
Fixed in the GIT repository.
http://git.kernel.org/?p=linux/kerne...5e1822ea93bcf3
Secunia Advisory | CVE-2007-5904

win32sux 11-18-2007 09:39 PM

Linux 2.6.23.8 has been released.
 
It consists of fixes for two security vulnerabilities:
Quote:

wait_task_stopped: Check p->exit_state instead of TASK_TRACED (CVE-2007-5500)

patch a3474224e6a01924be40a8255636ea5522c1023a in mainline

The original meaning of the old test (p->state > TASK_STOPPED) was
"not dead", since it was before TASK_TRACED existed and before the
state/exit_state split. It was a wrong correction in commit
14bf01bb0599c89fc7f426d20353b76e12555308 to make this test for
TASK_TRACED instead. It should have been changed when TASK_TRACED
was introduced and again when exit_state was introduced.
Quote:

TCP: Make sure write_queue_from does not begin with NULL ptr (CVE-2007-5501)

patch 96a2d41a3e495734b63bff4e5dd0112741b93b38 in mainline.

NULL ptr can be returned from tcp_write_queue_head to cached_skb
and then assigned to skb if packets_out was zero. Without this,
system is vulnerable to carefully crafted ACKs, which obviously
are remotely triggerable.

Besides, there's very little that needs to be done in sacktag
if there weren't any packets outstanding, just skipping the rest
doesn't hurt.
ChangeLog | CVE-2007-5500 | CVE-2007-5501

win32sux 11-30-2007 08:35 AM

Linux Kernel "isdn_net_setcfg()" Buffer Overflow Vulnerability
 
Quote:

Description:
A vulnerability with unknown impact has been reported in the Linux Kernel.

The vulnerability is caused due to a boundary error within the "isdn_net_setcfg()" function in drivers/isdn/i4l/isdn_net.c when processing IOCTL configuration requests sent to the ISDN pseudo device (/dev/isdnctrl). This can be exploited to cause a buffer overflow via a specially crafted IIOCNETSCF IOCTL request.

Successful exploitation requires write access to /dev/isdnctrl.

The vulnerability is reported in version 2.6.23. Other versions may also be affected.

Solution:
Fixed in the GIT repository.
http://git.kernel.org/?p=linux/kerne...bfa4b726a82e40

Restrict write access to /dev/isdnctrl to trusted users only.
Secunia Advisory | CVE-2007-6063

win32sux 12-05-2007 10:39 AM

Linux Kernel "do_coredump()" Information Disclosure
 
Quote:

Description:
A security issue has been reported in the Linux Kernel, which can be exploited by malicious, local users to disclose potentially sensitive information.

The security issue is caused due to the "do_coredump()" function in fs/exec.c not correctly verifying the user ID of a core dump file when dumping the core into an existing file. This can be exploited to e.g. gain access to sensitive information by tricking an application with another user ID into dumping the core into a preexisting file.

The security issue is reported in 2.4.x and 2.6.x prior to 2.6.24-rc4.

Solution:
Fixed in the stable prepatch version 2.6.24-rc4.
Secunia Advisory | CVE-2007-6206
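A userland C model of the decision the advisory above describes, added here as an example; it is not the kernel's fs/exec.c and not part of the post. The policy it applies before writing into an existing dump target (regular file, not a symlink, a single hard link, owned by the dumping uid) and the temporary-file fixtures it builds under /tmp are assumptions of the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example: a userland model of the "dump into an existing file"
 * check. Not fs/exec.c. The policy (regular file, no symlink, single hard
 * link, owned by the dumping uid) is what a dumper can safely insist on. */

/* Open path for writing as a core target. Returns an fd, or -errno. */
static int open_core_target(const char *path, uid_t dumper_uid)
{
    int fd = open(path, O_WRONLY | O_NOFOLLOW);
    if (fd < 0)
        return -errno;            /* -ELOOP for a symlink, -EISDIR for a dir */

    struct stat st;
    if (fstat(fd, &st) < 0) {
        int e = errno;
        close(fd);
        return -e;
    }
    /* Refuse anything another user could have planted: non-regular files,
     * multiply linked files, and files not owned by the dumping uid. */
    if (!S_ISREG(st.st_mode) || st.st_nlink > 1 || st.st_uid != dumper_uid) {
        close(fd);
        return -EPERM;
    }
    return fd;
}

/* Self-check with constructed fixtures under /tmp. Returns 0 when every
 * case behaves as intended, otherwise a bitmask naming the failed cases. */
static int core_target_selfcheck(void)
{
    char path[] = "/tmp/coredemoXXXXXX";
    char other[64];
    int bad = 0, fd;
    uid_t me = getuid();

    fd = mkstemp(path);
    if (fd < 0)
        return 1;
    close(fd);

    fd = open_core_target(path, me);               /* own regular file: allowed */
    if (fd < 0) bad |= 2; else close(fd);

    if (open_core_target(path, me + 1) != -EPERM)  /* owned by someone else */
        bad |= 4;
    if (open_core_target("/tmp", me) != -EISDIR)   /* a directory */
        bad |= 8;

    snprintf(other, sizeof other, "%s.sym", path);
    if (symlink(path, other) == 0) {               /* symlink: O_NOFOLLOW rejects */
        if (open_core_target(other, me) != -ELOOP)
            bad |= 16;
        unlink(other);
    }
    snprintf(other, sizeof other, "%s.lnk", path);
    if (link(path, other) == 0) {                  /* second hard link */
        if (open_core_target(path, me) != -EPERM)
            bad |= 32;
        unlink(other);
    }
    unlink(path);
    return bad;
}

int main(void)
{
    int r = core_target_selfcheck();
    printf("core target self-check: %s (0x%x)\n", r ? "FAILED" : "ok", r);
    return r != 0;
}
```

The fstat-after-open ordering matters: checking the path with stat() first and opening afterwards leaves a window in which the target can be swapped, so the decision is made on the descriptor actually being written to.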

win32sux 12-12-2007 09:33 PM

Linux Kernel "mmap_min_addr" Security Bypass
 
Quote:

Description:
A security issue has been reported in the Linux Kernel, which can be exploited by malicious, local users to bypass certain security restrictions.

The security issue is caused due to the improper enforcing of the "mmap_min_addr" limit. This can be exploited to allocate pages lower than "mmap_min_addr" by expanding the stack or via "do_brk()" in specially crafted binaries.

The security issue affects all 2.6.23 versions.

Solution:
Fixed in version 2.6.24-rc5.
Secunia Advisory

win32sux 12-14-2007 09:21 PM

Linux 2.6.23.10 has been released.
 
It addresses several bugs, at least one of which is a security vulnerability:
Code:

    hrtimers: avoid overflow for large relative timeouts (CVE-2007-5966)
   
    patch 62f0f61e6673e67151a7c8c0f9a09c7ea43fe2b5 in mainline
   
    Relative hrtimers with a large timeout value might end up as negative
    timer values, when the current time is added in hrtimer_start().
   
    This in turn is causing the clockevents_set_next() function to set an
    huge timeout and sleep for quite a long time when we have a clock
    source which is capable of long sleeps like HPET. With PIT this almost
    goes unnoticed as the maximum delta is ~27ms. The non-hrt/nohz code
    sorts this out in the next timer interrupt, so we never noticed that
    problem which has been there since the first day of hrtimers.
   
    This bug became more apparent in 2.6.24 which activates HPET on more
    hardware.

ChangeLog | CVE-2007-5966

EDIT: Please note that 2.6.23.11 was released less than 10 hours later.

win32sux 01-14-2008 04:46 PM

Linux 2.6.23.14 has been released.
 
It solely consists of a patch for a security vulnerability.
Quote:

Use access mode instead of open flags to determine needed permissions (CVE-2008-0001)

patch 974a9f0b47da74e28f68b9c8645c3786aa5ace1a in mainline

Way back when (in commit 834f2a4a1554dc5b2598038b3fe8703defcbe467, aka
"VFS: Allow the filesystem to return a full file pointer on open intent"
to be exact), Trond changed the open logic to keep track of the original
flags to a file open, in order to pass down the intent of a dentry
lookup to the low-level filesystem.

However, when doing that reorganization, it changed the meaning of
namei_flags, and thus inadvertently changed the test of access mode for
directories (and RO filesystem) to use the wrong flag. So fix those
tests back to use access mode ("acc_mode") rather than the open flag
("flag").

Issue noticed by Bill Roman at Datalight.
ChangeLog | CVE-2008-0001

win32sux 01-28-2008 09:27 PM

Linux Kernel minix File System Denial of Service Vulnerability
 
Quote:

Description:
A vulnerability has been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

The vulnerability is caused due to improper handling of corrupted data structures in the minix file system. This can be exploited to crash a system by mounting a specially crafted image.

This is related to:
SA23034

The vulnerability is reported in versions prior to 2.6.24.

Note: Several other issues, of which some may be security relevant, were also reported in the change log of version 2.6.24.

Solution:
Update to version 2.6.24.
Secunia Advisory | CVE-2006-6058

win32sux 02-01-2008 11:19 AM

Linux Kernel CHRP Denial of Service Security Issue
 
Quote:

Description:
A security issue has been reported in the Linux Kernel, which potentially can be exploited by malicious, local users to cause a DoS (Denial of Service).

The security issue is caused due to a NULL pointer dereference in arch/powerpc/platforms/chrp/setup.c, which can be exploited to crash a vulnerable system.

Successful exploitation requires certain PowerPC hardware.

Solution:
Restrict access to trusted users only.
Secunia Advisory | CVE-2007-6694

win32sux 02-08-2008 03:12 PM

Linux 2.6.24.1 has been released.
 
It includes several bugfixes, including two which address security vulnerabilities.
Quote:

splice: missing user pointer access verification (CVE-2008-0009/10)

patch 8811930dc74a503415b35c4a79d14fb0b408a361 in mainline.

vmsplice_to_user() must always check the user pointer and length
with access_ok() before copying. Likewise, for the slow path of
copy_from_user_mmap_sem() we need to check that we may read from
the user region.
Quote:

vm audit: add VM_DONTEXPAND to mmap for drivers that need it (CVE-2008-0007)

Drivers that register a ->fault handler, but do not range-check the
offset argument, must set VM_DONTEXPAND in the vm_flags in order to
prevent an expanding mremap from overflowing the resource.

I've audited the tree and attempted to fix these problems (usually by
adding VM_DONTEXPAND where it is not obvious).
ChangeLog | CVE-2008-0009 | CVE-2008-0010 | CVE-2008-0007

EDIT #1: For whatever reason, the 2.6.24.2 update which was released shortly after did not include a CVE ID in the ChangeLog.

EDIT #2: Here's the Secunia Advisory, which also includes CVE-2008-0600.

win32sux 05-01-2008 05:51 PM

Linux 2.6.25.1 has been released.
 
It includes fixes for a couple of security vulnerabilities.
Quote:

Fix dnotify/close race (CVE-2008-1375)

commit 214b7049a7929f03bbd2786aaef04b8b79db34e2 upstream.

We have a race between fcntl() and close() that can lead to
dnotify_struct inserted into inode's list *after* the last descriptor
had been gone from current->files.

Since that's the only point where dnotify_struct gets evicted, we are
screwed - it will stick around indefinitely. Even after struct file in
question is gone and freed. Worse, we can trigger send_sigio() on it at
any later point, which allows to send an arbitrary signal to arbitrary
process if we manage to apply enough memory pressure to get the page
that used to host that struct file and fill it with the right pattern...
Quote:

tehuti: move ioctl perm check closer to function start (CVE-2008-1675)

Commit f946dffed6334f08da065a89ed65026ebf8b33b4 upstream

Noticed by davem.
Quote:

tehuti: check register size (CVE-2008-1675)

commit 6131a2601f42cd7fdbac0e960713396fe68af59f upstream
ChangeLog | CVE-2008-1375 | CVE-2008-1675

win32sux 05-07-2008 04:16 PM

Linux 2.6.25.2 has been released.
 
It consists solely of a patch for an SMP security issue.
Quote:

fix SMP ordering hole in fcntl_setlk() (CVE-2008-1669)

commit 0b2bac2f1ea0d33a3621b27ca68b9ae760fca2e9 upstream.

fcntl_setlk()/close() race prevention has a subtle hole - we need to
make sure that if we *do* have an fcntl/close race on SMP box, the
access to descriptor table and inode->i_flock won't get reordered.

As it is, we get STORE inode->i_flock, LOAD descriptor table entry vs.
STORE descriptor table entry, LOAD inode->i_flock with not a single
lock in common on both sides. We do have BKL around the first STORE,
but check in locks_remove_posix() is outside of BKL and for a good
reason - we don't want BKL on common path of close(2).

Solution is to hold ->file_lock around fcheck() in there; that orders
us wrt removal from descriptor table that preceded locks_remove_posix()
on close path and we either come first (in which case eviction will be
handled by the close side) or we'll see the effect of close and do
eviction ourselves. Note that even though it's read-only access,
we do need ->file_lock here - rcu_read_lock() won't be enough to
order the things.
ChangeLog | CVE-2008-1669 | Secunia Advisory

win32sux 05-15-2008 12:24 PM

Linux Kernel Multiple Vulnerabilities
 
Quote:

Description:
Some vulnerabilities have been reported in the Linux kernel, which can be exploited by malicious, local users to bypass certain security restrictions and by malicious people to potentially cause a DoS (Denial of Service).

1) An error exists in the implementation of the "sys_utimensat()" system call. This can be exploited to update the access or modification time of arbitrary files via specially crafted arguments passed to the affected system call.

2) A memory leak exists in the "ipip6_rcv()" function included in the IPv6 over IPv4 (SIP) tunneling driver. This can be exploited to potentially exhaust all available memory via specially crafted network packets.

The vulnerabilities are reported in version 2.6.25.2. Prior versions may also be affected.

Solution:
Update to version 2.6.25.3.
Secunia Advisory | CVE-2008-2136 | CVE-2008-2148

win32sux 05-27-2008 12:17 PM

Linux Kernel Unspecified Vulnerability
 
Quote:

Description:
A vulnerability with an unknown impact has been reported in the Linux Kernel.

The vulnerability is caused due to an unspecified error. No further information is currently available.

The vulnerability affects versions prior to 2.6.25.4.

Solution:
Update to version 2.6.25.4.
Secunia Advisory

win32sux 06-07-2008 12:22 AM

Linux 2.6.25.5 has been released.
 
It consists of a single patch for a security vulnerability.
Quote:

asn1: additional sanity checking during BER decoding (CVE-2008-1673)

upstream commit: ddb2c43594f22843e9f3153da151deaba1a834c5

- Don't trust a length which is greater than the working buffer.
An invalid length could cause overflow when calculating buffer size
for decoding oid.

- An oid length of zero is invalid and allows for an off-by-one error when
decoding oid because the first subid actually encodes first 2 subids.

- A primitive encoding may not have an indefinite length.

Thanks to Wei Wang from McAfee for report.
ChangeLog | CVE-2008-1673
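Added example, not code from the post or from the kernel's SNMP ASN.1 decoder: a minimal userland BER length and OBJECT IDENTIFIER decoder in C that implements the three checks the commit message lists (a length must not exceed the working buffer, a zero-length OID is invalid because the first octet encodes two sub-ids, and a primitive may not use the indefinite length form). The error codes, function names and sample encodings are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example: a BER length + OID decoder applying the sanity checks
 * from the CVE-2008-1673 commit message. Userland model, not kernel code. */

enum {
    BER_OK        = 0,
    BER_ERR_TRUNC = 1,   /* length claims more bytes than the buffer holds */
    BER_ERR_INDEF = 2,   /* indefinite length on a primitive encoding */
    BER_ERR_OID   = 3    /* zero-length or malformed OID contents */
};

#define BER_TAG_OID 0x06

/* Decode a BER length starting at buf[*pos]; on success advances *pos past
 * the length octets and stores the content length in *out. */
static int ber_decode_length(const uint8_t *buf, size_t len, size_t *pos, size_t *out)
{
    if (*pos >= len)
        return BER_ERR_TRUNC;
    uint8_t first = buf[(*pos)++];
    size_t l = 0;

    if (first == 0x80)                 /* indefinite form: not valid for a primitive */
        return BER_ERR_INDEF;
    if (first < 0x80) {
        l = first;                     /* short form */
    } else {
        unsigned n = first & 0x7f;     /* long form: n length octets follow */
        if (n > sizeof(size_t) || n > len - *pos)
            return BER_ERR_TRUNC;
        for (unsigned i = 0; i < n; i++)
            l = (l << 8) | buf[(*pos)++];
    }
    /* Never trust a length greater than the working buffer. */
    if (l > len - *pos)
        return BER_ERR_TRUNC;
    *out = l;
    return BER_OK;
}

/* Decode OID contents into sub-identifiers. The first octet encodes the
 * first TWO sub-ids, so a zero-length OID is invalid: accepting it would
 * leave the output one entry short of what callers expect (the off-by-one
 * the commit message describes). Returns the sub-id count or -BER_ERR_*. */
static int ber_decode_oid(const uint8_t *p, size_t len, uint32_t *out, size_t max)
{
    if (len == 0 || max < 2)
        return -BER_ERR_OID;
    size_t n = 0;
    if (p[0] >= 80) { out[n++] = 2;         out[n++] = p[0] - 80; }
    else            { out[n++] = p[0] / 40; out[n++] = p[0] % 40; }

    uint32_t sub = 0;
    int more = 0;
    for (size_t i = 1; i < len; i++) {
        if (sub > (UINT32_MAX >> 7))
            return -BER_ERR_OID;       /* sub-id would overflow 32 bits */
        sub = (sub << 7) | (p[i] & 0x7f);
        more = p[i] & 0x80;
        if (!more) {
            if (n >= max)
                return -BER_ERR_OID;
            out[n++] = sub;
            sub = 0;
        }
    }
    if (more)
        return -BER_ERR_TRUNC;         /* last sub-id has no terminating octet */
    return (int)n;
}

/* Decode one OID TLV (tag, length, contents). */
static int ber_decode_oid_tlv(const uint8_t *buf, size_t len, uint32_t *out, size_t max)
{
    if (len < 1 || buf[0] != BER_TAG_OID)
        return -BER_ERR_OID;
    size_t pos = 1, clen;
    int rc = ber_decode_length(buf, len, &pos, &clen);
    if (rc != BER_OK)
        return -rc;
    return ber_decode_oid(buf + pos, clen, out, max);
}

/* Constructed inputs, one per check. */
static const uint8_t oid_good[]  = { 0x06, 0x03, 0x2b, 0x06, 0x01 };   /* 1.3.6.1 */
static const uint8_t oid_trunc[] = { 0x06, 0x10, 0x2b, 0x06 };         /* claims 16 bytes, has 2 */
static const uint8_t oid_empty[] = { 0x06, 0x00 };                     /* zero-length OID */
static const uint8_t oid_indef[] = { 0x06, 0x80, 0x2b, 0x06, 0x01, 0x00, 0x00 };

int main(void)
{
    uint32_t sub[8];
    int n = ber_decode_oid_tlv(oid_good, sizeof oid_good, sub, 8);
    printf("good: %d sub-ids, first %u.%u.%u.%u\n", n, sub[0], sub[1], sub[2], sub[3]);
    printf("trunc=%d empty=%d indef=%d\n",
           ber_decode_oid_tlv(oid_trunc, sizeof oid_trunc, sub, 8),
           ber_decode_oid_tlv(oid_empty, sizeof oid_empty, sub, 8),
           ber_decode_oid_tlv(oid_indef, sizeof oid_indef, sub, 8));
    return 0;
}
```

Every bounds comparison is written as `x > len - pos` rather than `pos + x > len` so that a hostile length cannot wrap the addition before the check.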

win32sux 06-16-2008 02:43 PM

Linux Kernel "pppol2tp_recvmsg()" Memory Corruption Vulnerability
 
Quote:

Description:
A vulnerability has been reported in the Linux Kernel, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to a boundary error in the "pppol2tp_recvmsg()" function and can potentially be exploited to corrupt kernel memory via a specially crafted PPP over L2TP packet.

The vulnerability is reported in 2.6.x versions prior to 2.6.26-rc6.

Solution:
Use PPP over L2TP in trusted networks only.

Fixed in version 2.6.26-rc6.
Secunia Advisory

win32sux 07-05-2008 07:59 AM

Linux Kernel x86_64 ptrace Local Memory Corruption Vulnerability
 
No CVE ID appears in the 2.6.25.10 ChangeLog.
Quote:

The Linux Kernel is prone to a memory-corruption vulnerability because it fails to properly bounds-check user-supplied input. The issue affects x86_64 ptrace and causes an overflow that subsequently results in the insecure freeing of a structure.

An attacker may exploit this issue to execute arbitrary code with superuser privileges. Successfully exploiting this issue will result in the complete compromise of affected computers. Failed exploit attempts will cause a denial of service.

Versions prior to Linux Kernel 2.6.25.10 are vulnerable.
CVE-2008-3077 | Bugtraq ID: 30077

win32sux 07-09-2008 01:09 PM

TTY Operations NULL Pointer Dereference Denial of Service Vulnerabilities
 
Another one without a CVE mentioned in the 2.6.25.10 ChangeLog.
Quote:

The Linux kernel before 2.6.25.10 does not properly perform tty operations, which allows local users to cause a denial of service (system crash) or possibly gain privileges via vectors involving NULL pointer dereference of function pointers in (1) hamradio/6pack.c, (2) hamradio/mkiss.c, (3) irda/irtty-sir.c, (4) ppp_async.c, (5) ppp_synctty.c, (6) slip.c, (7) wan/x25_asy.c, and (8) wireless/strip.c in drivers/net/.
CVE-2008-2812 | Bugtraq ID: 30076

win32sux 08-06-2008 10:31 AM

Linux Kernel "snd_seq_oss_synth_make_info()" Information Disclosure
 
Quote:

Description:
A vulnerability has been reported in the Linux Kernel, which can be exploited by malicious, local users to disclose potentially sensitive information.

The vulnerability is caused due to an error within the "snd_seq_oss_synth_make_info()" function in sound/core/seq/oss/seq_oss_synth.c. This can be exploited to disclose potentially sensitive memory by passing an invalid device number to the vulnerable function.

The vulnerability is reported in versions prior to 2.6.27-rc2.

Solution:
Fixed in version 2.6.27-rc2.
Secunia Advisory | CVE-2008-3272

EDIT: Note that stable version 2.6.26.2 was released today, and it includes a patch for this.

win32sux 08-07-2008 05:38 PM

Linux Kernel 'uvc_driver.c ' Format Descriptor Parsing Buffer Overflow Vulnerability
 
Seems 2.6.26.1 did include at least one security patch, which I missed (partly for reasons discussed here).

So I'm posting this late notice only for completeness' sake. =/

Quote:

The Linux kernel is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.

Local attackers can exploit this issue to execute arbitrary code with superuser privileges. Successfully exploiting this issue will result in the complete compromise of affected computers. Failed exploit attempts will result in a denial-of-service condition.

Versions prior to Linux kernel 2.6.26.1 are vulnerable.
Bugtraq ID: 30514

win32sux 08-22-2008 03:25 PM

Linux Kernel "rt6_fill_node()" Denial of Service Vulnerability
 
Quote:

Description:
A vulnerability has been reported in the Linux kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

The vulnerability is caused due to a NULL-pointer dereference error within the "rt6_fill_node()" function in net/ipv6/route.c. This can be exploited to trigger a kernel panic via an "ip route get" command.

Successful exploitation requires that the IPv6 default route is not set.

The vulnerability is reported in version 2.6.26.2. Other versions may also be affected.

Solution:
Fixed in the GIT repository.
http://git.kernel.org/?p=linux/kerne...b9123204f1327a

Restrict local access to trusted users only.
Secunia Advisory | CVE-2008-3686

win32sux 08-30-2008 03:00 AM

Linux Kernel 'sctp_setsockopt_auth_key()' Remote Denial of Service Vulnerability
 
Quote:

The Linux kernel is prone to a remote denial-of-service vulnerability because it fails to properly handle user-supplied input.

Attackers can exploit this issue to cause a kernel panic, denying service to legitimate users.

Versions since Linux kernel 2.6.24-rc1 are vulnerable.
Bugtraq ID: 30847

Quote:

Integer overflow in the sctp_setsockopt_auth_key function in net/sctp/socket.c in the Stream Control Transmission Protocol (sctp) implementation in the Linux kernel 2.6.24-rc1 through 2.6.26.3 allows remote attackers to cause a denial of service (panic) or possibly have unspecified other impact via a crafted sca_keylength field associated with the SCTP_AUTH_KEY option.
CVE-2008-3526
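A userland C model of the bug class the CVE text describes, added here as an example; it is not the kernel's net/sctp/socket.c and not part of the post. It puts the weak form of the length check (the caller-supplied key length compared only with the whole option length) beside the hardened form (compared with the bytes that actually follow the header) and an overflow-safe allocation-size computation. The struct layout, field names, helper names and the constructed option buffers are assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added example modelling the SCTP_AUTH_KEY option shape: a small header
 * carrying a 16-bit key length followed by the key bytes. Field names and
 * layout are assumptions, not the kernel's struct sctp_authkey. */
struct authkey_hdr {
    uint16_t assoc_id;
    uint16_t keynumber;
    uint16_t keylength;      /* number of key bytes following the header */
};

/* Kernel-side key object the option gets copied into (modelled). */
struct auth_bytes {
    size_t len;
    uint8_t data[];
};

/* Build an option buffer: header with the given keylength, then keybytes
 * of key. Returns the option length. Used to construct the test inputs. */
static size_t build_opt(uint8_t *buf, uint16_t keylength, const char *key, size_t keybytes)
{
    struct authkey_hdr h = { .assoc_id = 1, .keynumber = 1, .keylength = keylength };
    memcpy(buf, &h, sizeof h);
    memcpy(buf + sizeof h, key, keybytes);
    return sizeof h + keybytes;
}

static uint16_t read_keylength(const uint8_t *opt)
{
    uint16_t kl;
    memcpy(&kl, opt + offsetof(struct authkey_hdr, keylength), sizeof kl);
    return kl;
}

/* Weak check: keylength is compared with the whole option length, so a
 * keylength larger than the bytes after the header still passes and a
 * later memcpy of keylength bytes reads past the end of the option.
 * Returns the accepted key length, or -1 if rejected. */
static int keylen_check_weak(const uint8_t *opt, size_t optlen)
{
    if (optlen <= sizeof(struct authkey_hdr))
        return -1;
    uint16_t kl = read_keylength(opt);
    if (kl > optlen)
        return -1;
    return kl;
}

/* Hardened check: the key must fit in the bytes actually supplied after
 * the header. */
static int keylen_check_strict(const uint8_t *opt, size_t optlen)
{
    if (optlen <= sizeof(struct authkey_hdr))
        return -1;
    uint16_t kl = read_keylength(opt);
    if (kl > optlen - sizeof(struct authkey_hdr))
        return -1;
    return kl;
}

/* Allocation size for a key object, refusing to wrap. Returns 0 when
 * hdr + len would overflow size_t; zero is never a valid size here. */
static size_t key_alloc_size(size_t hdr, size_t len)
{
    size_t total;
    if (__builtin_add_overflow(hdr, len, &total))
        return 0;
    return total;
}

/* Copy the key out of a validated option. Returns NULL on any check
 * failure; the caller frees the result. */
static struct auth_bytes *make_key(const uint8_t *opt, size_t optlen)
{
    int kl = keylen_check_strict(opt, optlen);
    if (kl < 0)
        return NULL;
    size_t sz = key_alloc_size(sizeof(struct auth_bytes), (size_t)kl);
    if (sz == 0)
        return NULL;
    struct auth_bytes *k = malloc(sz);
    if (!k)
        return NULL;
    k->len = (size_t)kl;
    memcpy(k->data, opt + sizeof(struct authkey_hdr), k->len);
    return k;
}
```

With a 6-byte header and 4 key bytes (optlen 10), a claimed keylength of 8 is accepted by the weak check because 8 <= 10, although only 4 key bytes exist; the strict check rejects it because 8 > 10 - 6.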

win32sux 09-15-2008 02:35 PM

Linux Kernel s390 ptrace Local Denial of Service
 
Quote:

Description:
A vulnerability has been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

The vulnerability is caused due to an error when running a 31-bit ptrace, which can be exploited to cause a kernel panic.

The vulnerability is reported in versions prior to 2.6.27-rc6 for the s390 architecture.

Solution:
Fixed in 2.6.27-rc6.
Secunia Advisory | CVE-2008-1514

win32sux 09-17-2008 08:33 PM

Linux kernel NFSv4 ACL Buffer Overflow Vulnerability
 
Quote:

The Linux kernel is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.

Attackers can exploit this issue to execute arbitrary code or cause a denial-of-service condition.

Versions prior to Linux kernel 2.6.26.4 are vulnerable.
Bugtraq ID: 31133 | CVE-2008-3915

win32sux 10-04-2008 09:09 AM

Linux Kernel "vmi_write_ldt_entry()" Privilege Escalation
 
Quote:

Description:
Eugene Teo has reported a vulnerability in the Linux Kernel, which can be exploited by malicious, local users in a VMI guest to cause a DoS (Denial of Service) and potentially gain escalated privileges.

The vulnerability is caused due to an error within the "vmi_write_ldt_entry()" function in arch/x86/kernel/vmi_32.c. This can be exploited to write values into the IDT by e.g. calling "sys_modify_ldt()".

Successful exploitation requires that the kernel is running as VMI guest on a x86 system.

Solution:
Fixed in the GIT repository.
http://git.kernel.org/?p=linux/kerne...7398ca0606ab1c
Secunia Advisory

win32sux 10-08-2008 10:53 PM

Linux 2.6.26.6 has been released. AFAICT, it includes at least two security fixes. One for the previously mentioned CVE-2008-1514, and one for a SCTP INIT-ACK AUTH Extension Remote Denial of Service Vulnerability.

win32sux 10-20-2008 07:29 AM

Linux Kernel DRM_I915_HWS_ADDR IOCTL Privilege Escalation
 
Quote:

Description:
Olaf Kirch has reported a vulnerability in the Linux kernel, which can be exploited by malicious, local users to potentially gain escalated privileges.

The vulnerability is caused due to the DRM_I915_HWS_ADDR IOCTL being available to non-root users, which can be exploited to e.g. zero and remap memory locations by sending a specially crafted IOCTL to the driver.

Successful exploitation may allow to execute arbitrary code with escalated privileges, but requires an Intel G33 series or newer chipset.

Solution:
Fixed in version 2.6.27-git8.
http://git.kernel.org/?p=linux/kerne...6c2a19c072e9bd
Secunia Advisory | CVE-2008-3831

win32sux 10-22-2008 05:24 PM

Linux 2.6.27.3 has been released.
 
It includes the fix for CVE-2008-3831 (mentioned above), and at least one more security-related fix:
Code:

    security: avoid calling a NULL function pointer in drivers/video/tvaudio.c
   
    commit 5ba2f67afb02c5302b2898949ed6fc3b3d37dcf1 upstream
   
    NULL function pointers are very bad security wise. This one got caught by
    kerneloops.org quite a few times, so it's happening in the field....
   
    Fix is simple, check the function pointer for NULL, like 6 other places
    in the same function are already doing.

2.6.27.3 ChangeLog

win32sux 10-26-2008 12:13 AM

Linux 2.6.27.4 has been released.
 
It includes at least one security vulnerability fix:
Code:

    ext[234]: Avoid printk floods in the face of directory corruption
   
    Note: some people thinks this represents a security bug, since it
    might make the system go away while it is printing a large number of
    console messages, especially if a serial console is involved.  Hence,
    it has been assigned CVE-2008-3528, but it requires that the attacker
    either has physical access to your machine to insert a USB disk with a
    corrupted filesystem image (at which point why not just hit the power
    button), or is otherwise able to convince the system administrator to
    mount an arbitrary filesystem image (at which point why not just
    include a setuid shell or world-writable hard disk device file or some
    such).  Me, I think they're just being silly. --tytso

2.6.27.4 ChangeLog | CVE-2008-3528

win32sux 11-13-2008 01:46 PM

Linux 2.6.27.6 has been released.
 
It addresses at least one security vulnerability:
Quote:

hfs: fix namelength memory corruption (CVE-2008-5025)
ChangeLog | CVE-2008-5025

win32sux 11-20-2008 08:11 PM

Linux 2.6.27.7 has been released.
 
It addresses at least one security vulnerability:
Quote:

V4L/DVB (9624): CVE-2008-5033: fix OOPS on tvaudio when controlling bass/treble
ChangeLog | CVE-2008-5033

win32sux 11-28-2008 12:10 PM

Linux Kernel "sendmsg()" Garbage Collector Denial of Service
 
Quote:

Description:
A vulnerability has been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

The vulnerability is caused due to "sendmsg()" not correctly blocking while the UNIX garbage collector is running. This can be exploited to e.g. cause soft lockups or trigger out of memory conditions in other applications via certain UNIX socket operations.

Solution:
Fixed in the GIT repository.
Secunia Advisory

win32sux 12-05-2008 02:01 AM

Linux Kernel PARISC "parisc_show_stack()" Denial of Service
 
Quote:

Description:
A vulnerability has been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

The vulnerability is caused due to an error within the "parisc_show_stack()" function when trying to unwind a stack containing userspace addresses, which can be exploited to crash a vulnerable system.

Successful exploitation requires that the kernel is running on a PARISC 32bit or 64bit machine.

Solution:
Fixed in version 2.6.28-rc7.
Secunia Advisory | Bugtraq

win32sux 12-05-2008 05:26 PM

Linux 2.6.27.8 has been released.
 
It includes at least one security fix (CVE-2008-5300).

The full changelog is here.

win32sux 12-13-2008 06:20 PM

Linux 2.6.27.9 has been released.
 
It includes at least one security fix.
Quote:

ATM: CVE-2008-5079: duplicate listen() on socket corrupts the vcc table

commit 17b24b3c97498935a2ef9777370b1151dfed3f6f upstream.

As reported by Hugo Dias that it is possible to cause a local denial
of service attack by calling the svc_listen function twice on the same
socket and reading /proc/net/atm/*vc
ChangeLog | CVE-2008-5079

win32sux 01-15-2009 01:00 PM

Linux Kernel 64bit ABI System Call Parameter Sign Extension Security Issue
 
Quote:

A security issue has been reported in the Linux Kernel, which can be exploited by malicious, local users to potentially cause a DoS (Denial of Service) or gain escalated privileges.

The security issue is caused due to the kernel accepting certain 32bit parameters passed in a 64bit register from userspace without ensuring that the value is correctly sign extended. This may be exploited to crash a system or potentially gain escalated privileges by passing specially crafted parameters to affected system calls.

Reportedly, the following architectures use a vulnerable ABI system when running a 64bit kernel and a 64bit userspace:
* S390
* PowerPC
* SPARC64
* MIPS
Secunia Advisory | CVE-2009-0029

win32sux 01-19-2009 04:24 PM

Linux Kernel "keyctl_join_session_keyring()" Denial of Service
 
Quote:

A vulnerability has been reported in the Linux Kernel, which potentially can be exploited by malicious, local users to cause a DoS (Denial of Service).

The vulnerability is caused due to a memory leak within the "keyctl_join_session_keyring()" function in security/keys/keyctl.c and can be exploited to exhaust all available memory.
Secunia Advisory | CVE-2009-0031

win32sux 01-26-2009 05:06 PM

Linux Kernel dell_rbu Denial of Service Security Issues
 
Quote:

Description:
Two security issues have been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

The security issues are caused due to errors within the "read_rbu_image_type()" and "read_rbu_packet_size()" functions in drivers/firmware/dell_rbu.c and can be exploited to crash a vulnerable system by e.g. reading zero bytes from /sys/devices/platform/dell_rbu/image_type or /sys/devices/platform/dell_rbu/packet_size.

Solution:
Update to version 2.6.27.13 or 2.6.28.2.
Secunia Advisory

win32sux 02-04-2009 12:10 PM

Linux Kernel Denial of Service Vulnerabilities
 
Quote:

Description:
Some vulnerabilities have been reported in the Linux Kernel, which potentially can be exploited by malicious, local users to cause a DoS (Denial of Service).

1) A vulnerability is caused due to an error within the "make_indexed_dir()" function in fs/ext3/namei.c, which can be exploited to e.g. crash a system via a specially crafted Ext3 system.

2) A vulnerability is caused due to an error within the "inotify_read()" function in fs/notify/inotify/inotify_user.c, which can result in the device's list mutex being unlocked twice. This can be exploited to e.g. cause a system crash by passing an invalid pointer to the "read()" function of an inotify instance while simultaneously accessing it from different tasks.

The vulnerabilities are reported in versions prior to 2.6.27.14 and 2.6.28.3. Other versions may also be affected.

Solution:
Update to version 2.6.27.14 and 2.6.28.3.
Secunia Advisory

win32sux 02-11-2009 04:58 PM

Linux Kernel Console Selection Local Privilege Escalation Vulnerability
 
Quote:

The Linux kernel is prone to a local privilege-escalation vulnerability.

A local attacker can exploit this issue to execute arbitrary code with elevated privileges or crash the affected kernel, denying service to legitimate users.

Versions prior to Linux kernel 2.6.28.4 are vulnerable.
Bugtraq

GazL 02-12-2009 08:40 AM

Quote:

Originally Posted by win32sux (Post 3440238)

If this is:
Quote:

Fix memory corruption in console selection
commit 878b8619f711280fd05845e21956434b5e588cc4 upstream.
... then for those sticking with the 27.x branch, it looks like it's also fixed in 2.6.27.15.


PS. Thanks for posting these win32sux. As my distro of choice doesn't tend to update the kernel except in the most severe cases, I find your announcements here invaluable.

unSpawn 02-12-2009 03:45 PM

Yeah, you have my gratitude as well. Keep up the good work win32sux!

win32sux 02-12-2009 05:39 PM

Linux Kernel Kprobe Memory Corruption Vulnerability
 
Glad to be of service, guys! :)

Quote:

The Linux kernel is prone to a memory-corruption vulnerability because of a design flaw in the Kprobe system.

Local attackers could exploit this issue to cause denial-of-service conditions and possibly to execute arbitrary code with kernel-level privileges, but this has not been confirmed.

Versions prior to Linux kernel 2.6.28.5 are vulnerable.
Bugtraq

win32sux 02-17-2009 06:07 PM

Linux Kernel 64 Bit ABI System Call Parameter Privilege Escalation Vulnerability
 
Quote:

The Linux Kernel is prone to a local privilege-escalation vulnerability.

A local attacker may be able to exploit this issue to read or write to unintended address spaces. This may result in denial-of-service conditions, the disclosure of sensitive information, or privilege escalation.

This issue affects versions prior to Linux 2.6.28.6 on some 64-bit architectures, including s390, PowerPC, SPARC64, and MIPS. Additional architectures may also be affected.
Bugtraq | CVE-2009-0029
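A userland C model of the ABI issue described in this post and in the 01-15-2009 post above (CVE-2009-0029), added here as an example and not part of either post. On the affected 64-bit ABIs an int argument arrives in a 64-bit register and nothing guarantees that its upper 32 bits are the sign extension of the lower 32. The two "syscall" handlers below are hypothetical, the register value is simulated, and the fix shape (normalising the argument before any check) is the example's own rendering of "ensuring that the value is correctly sign extended".

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Added example: simulated 64-bit syscall argument register. */
typedef uint64_t reg_t;

/* Sign-extend the low 32 bits of a register without relying on
 * implementation-defined casts or right shifts of negative values. */
static int64_t sign_extend32(reg_t reg)
{
    uint32_t lo = (uint32_t)(reg & 0xffffffffu);
    if (lo & 0x80000000u)
        return (int64_t)lo - 0x100000000LL;
    return (int64_t)lo;
}

/* Unsafe shape: the handler reasons about the whole register. A caller
 * who loaded int -1 as 0x00000000ffffffff (upper half not extended) is
 * seen as a large positive length and sails past the negative-length
 * check; the returned value then flows into a size computation. */
static int64_t sys_demo_raw(reg_t len_reg)
{
    int64_t len = (int64_t)len_reg;
    if (len < 0)
        return -EINVAL;
    return len;
}

/* Fixed shape: normalise the 32-bit parameter before any comparison, as
 * an entry wrapper that sign-extends int arguments would. */
static int64_t sys_demo_wrapped(reg_t len_reg)
{
    int64_t len = sign_extend32(len_reg);
    if (len < 0)
        return -EINVAL;
    return len;
}

int main(void)
{
    reg_t bad = 0x00000000ffffffffULL;   /* int -1 with a zero upper half */
    printf("raw:     %lld\n", (long long)sys_demo_raw(bad));
    printf("wrapped: %lld\n", (long long)sys_demo_wrapped(bad));
    return 0;
}
```

The register 0xffffffffffffffff (a properly extended -1) is rejected by both handlers; only the half-extended form distinguishes them, which is why the bug is invisible as long as userspace obeys the ABI and only appears when a local user deliberately does not.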

win32sux 02-20-2009 11:42 AM

Linux Kernel SysKonnect FDDI Driver Statistics Reset Security Bypass
 
Quote:

A weakness has been reported in the Linux Kernel, which can be exploited by malicious, local users to bypass certain security restrictions.

The weakness is caused due to a logic error within the "skfp_ioctl()" function in drivers/net/skfp/skfddi.c, which can be exploited to reset the driver statistics without having CAP_NET_ADMIN capabilities.

The weakness is reported in versions prior to 2.6.27.18 and 2.6.28.6.
Secunia Advisory

win32sux 02-20-2009 05:36 PM

Linux Kernel 'sock.c' SO_BSDCOMPAT Option Information Disclosure Vulnerability
 
Quote:

The Linux Kernel is prone to an information-disclosure vulnerability because it fails to properly initialize certain memory before using it in a user-accessible operation.

Successful exploits will allow attackers to view portions of kernel memory. Information harvested may be used in further attacks.

Versions prior to Linux Kernel 2.6.28.6 are vulnerable.
Bugtraq

craigevil 02-20-2009 08:42 PM

Gotta love sidux, slh keeps the kernel updated.

2.6.28-7.slh.1-sidux-686

