Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
This post is just a bump, so that all thread subscribers are made aware of the two updates which were made to the previous post yesterday (UPDATE #1) and today (UPDATE #2).
Linux 2.6.16.6 was released about 13 hours ago. As can be seen in the ChangeLog, it included a fair number of bugfix patches (23 commits since 2.6.16.5 was released). One of these patches was indeed assigned a CVE ID. In Hugh Dickins' (patch author) own words:
Quote:
I found that all of 2.4 and 2.6 have been letting mprotect give write permission to a readonly attachment of shared memory, whether or not IPC would give the caller that permission.
Linux 2.6.16.8 has been released. From the ChangeLog:
Quote:
This fixes http://bugzilla.kernel.org/show_bug.cgi?id=6388
The bug is caused by ip_route_input dereferencing skb->nh.protocol of the dummy skb passed down from inet_rtm_getroute (Thanks Thomas for seeing it). It only happens if the route requested is for a multicast IP address.
Linux 2.6.16.9 has been released. From the ChangeLog:
Quote:
AMD K7/K8 CPUs only save/restore the FOP/FIP/FDP x87 registers in FXSAVE when an exception is pending. This means the values leak through context switches and allow processes to observe some x87 instruction state of other processes.
Linux Kernel perfmon Local Denial of Service Vulnerability (Not Critical)
Quote:
Description:
A vulnerability has been reported in Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service).
The vulnerability is caused due to an error in perfmon (perfmon.c) during exit processing and may cause a crash when a task is interrupted while another process is accessing the "mm_struct" structure.
Solution:
Secunia is currently not aware of an official version addressing this.
Linux Kernel CIFS chroot Directory Traversal Vulnerability (Not Critical)
Quote:
Description:
Marcel Holtmann has reported a vulnerability in the Linux Kernel, which can be exploited by malicious, local users to bypass certain security restrictions.
The vulnerability is caused due to an input validation error in the CIFS mounted filesystem. This can be exploited to bypass chroot restrictions via the "..\\" directory traversal sequences.
The vulnerability has been reported in versions prior to 2.6.16.11.
Linux Kernel SMBFS chroot Directory Traversal Vulnerability (Not Critical)
Quote:
Description:
Marcel Holtmann has reported a vulnerability in the Linux Kernel, which can be exploited by malicious, local users to bypass certain security restrictions.
The vulnerability is caused due to an input validation error in the SMBFS mounted filesystem. This can be exploited to bypass chroot restrictions via the "..\\" directory traversal sequences.
Solution:
Restrict access to affected systems.
Secunia is currently not aware of an official version addressing this.
fix infinite loop in the SCTP-netfilter code: check SCTP chunk size to
guarantee progress of for_each_sctp_chunk(). (all other uses of
for_each_sctp_chunk() are preceded by do_basic_checks(), so this fix
should be complete.)
Mark Moseley reported that a chroot environment on a SMB share can be left via "cd ..\\". Similar to CVE-2006-1863 issue with cifs, this fix is for smbfs.
SCTP Denial of Service Vulnerabilities (Moderately Critical)
Quote:
Description:
Mu Security research team has reported two vulnerabilities in Linux Kernel, which can be exploited by malicious people to cause a DoS (Denial of Service).
1) An incorrect use of state table entries in the SCTP code when certain ECNE chunks are received in CLOSED state can be exploited to cause kernel panic via a specially crafted packet.
2) An error in the handling of incoming IP-fragmented SCTP control chunks can be exploited to cause kernel panic via specially crafted packets.
The vulnerabilities have been reported in version 2.6.16. Other versions may also be affected.
Solution:
The vulnerabilities have been fixed in the CVS repositories, and will reportedly be fixed in version 2.6.17.
It is insane to be giving lease_init() the task of freeing the lock it is
supposed to initialise, given that the lock is not guaranteed to be
allocated on the stack. This causes lockups in fcntl_setlease().
The ChangeLog shows three CVE issues (among other things) are addressed:
Quote:
SCTP: Validate the parameter length in HB-ACK chunk
If SCTP receives a badly formatted HB-ACK chunk, it is possible
that we may access invalid memory and potentially have a buffer
overflow. We should really make sure that the chunk format is
what we expect, before attempting to touch the data.
SCTP: Respect the real chunk length when walking parameters
When performing bound checks during the parameter processing, we
want to use the real chunk and parameter lengths for bounds instead
of the rounded ones. This prevents us from potentially walking off
the end if the chunk length was miscalculated. We still use rounded
lengths when advancing the pointer. This was found during a
conformance test that changed the chunk length without modifying
parameters.
Netfilter: do_add_counters race, possible oops or info leak
Solar Designer found a race condition in do_add_counters(). The beginning
of paddc is supposed to be the same as tmp which was sanity-checked
above, but it might not be the same in reality. In case the integer
overflow and/or the race condition are triggered, paddc->num_counters
might not match the allocation size for paddc. If the check below
(t->private->number != paddc->num_counters) nevertheless passes (perhaps
this requires the race condition to be triggered), IPT_ENTRY_ITERATE()
would read kernel memory beyond the allocation size, potentially causing
an oops or leaking sensitive data (e.g., passwords from host system or
from another VPS) via counter increments. This requires CAP_NET_ADMIN.
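The two SCTP entries above (bounds against the real chunk length, advance by the rounded length) and the earlier SCTP-netfilter note (check the chunk size so for_each_sctp_chunk() always makes progress) describe the same defensive pattern. The C below is an added illustration written for this thread; it is not the kernel's code and does not mirror its structures. It assumes only the on-the-wire layout of an SCTP chunk (type, flags, 16-bit length) and its TLV parameters (16-bit type, 16-bit length), and the sample byte strings are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define SCTP_CHUNK_HDR 4u   /* type(1) flags(1) length(2), length is big-endian */
#define SCTP_PARAM_HDR 4u   /* type(2) length(2), length is big-endian */
#define PAD4(x) (((x) + 3u) & ~3u)   /* round up to the 4-byte boundary */

/* Read a big-endian 16-bit field. */
static unsigned rd16be(const uint8_t *p)
{
    return ((unsigned)p[0] << 8) | p[1];
}

/*
 * Walk the parameters of one chunk held in buf[0..buflen).
 * Returns the number of well-formed parameters, or -1 if the chunk
 * is malformed.  The bound used for every check is the chunk's *real*
 * length; only the pointer advance uses the padded (rounded) length.
 */
int sctp_walk_params(const uint8_t *buf, size_t buflen)
{
    if (buflen < SCTP_CHUNK_HDR)
        return -1;
    size_t chunk_len = rd16be(buf + 2);
    /* The advertised chunk length must fit the header and the buffer we hold. */
    if (chunk_len < SCTP_CHUNK_HDR || chunk_len > buflen)
        return -1;

    size_t off = SCTP_CHUNK_HDR;
    int count = 0;
    /* A parameter header must fit inside the real chunk length. */
    while (off + SCTP_PARAM_HDR <= chunk_len) {
        size_t plen = rd16be(buf + off + 2);
        /* A length below the header size would never advance: infinite loop. */
        if (plen < SCTP_PARAM_HDR)
            return -1;
        /* The parameter body must end inside the real chunk length. */
        if (off + plen > chunk_len)
            return -1;
        count++;
        off += PAD4(plen);   /* advance by the rounded length */
    }
    return count;
}

/* Constructed samples (not captured traffic). */

/* HB-ACK: chunk len 16, one parameter of length 12. */
static const uint8_t hb_ack_ok[] = {
    0x05, 0x00, 0x00, 0x10,
    0x00, 0x01, 0x00, 0x0c, 1, 2, 3, 4, 5, 6, 7, 8 };

/* Chunk len 18: two parameters of real length 6, each padded to 8 bytes. */
static const uint8_t two_odd_params[] = {
    0x05, 0x00, 0x00, 0x12,
    0x00, 0x01, 0x00, 0x06, 0xaa, 0xbb, 0x00, 0x00,
    0x00, 0x02, 0x00, 0x06, 0xcc, 0xdd, 0x00, 0x00 };

/* Chunk length changed to 8 while the parameter still claims 16 bytes. */
static const uint8_t len_mismatch[] = {
    0x05, 0x00, 0x00, 0x08,
    0x00, 0x01, 0x00, 0x10, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };

/* Parameter length 0: would never make progress. */
static const uint8_t zero_len_param[] = {
    0x05, 0x00, 0x00, 0x08,
    0x00, 0x01, 0x00, 0x00 };

/* Chunk claims 32 bytes but only 8 were received. */
static const uint8_t chunk_too_long[] = {
    0x05, 0x00, 0x00, 0x20,
    0x00, 0x01, 0x00, 0x04 };

int main(void)
{
    printf("hb_ack_ok      -> %d\n", sctp_walk_params(hb_ack_ok, sizeof hb_ack_ok));
    printf("two_odd_params -> %d\n", sctp_walk_params(two_odd_params, sizeof two_odd_params));
    printf("len_mismatch   -> %d\n", sctp_walk_params(len_mismatch, sizeof len_mismatch));
    printf("zero_len_param -> %d\n", sctp_walk_params(zero_len_param, sizeof zero_len_param));
    printf("chunk_too_long -> %d\n", sctp_walk_params(chunk_too_long, sizeof chunk_too_long));
    return 0;
}
```

The len_mismatch sample is the case the changelog's conformance test describes: with a rounded bound the walker would still read the parameter body past the end of what the chunk actually covers; with the real bound it is rejected before any data is touched. The zero-length sample is the progress guarantee the netfilter fix talks about.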
The ChangeLog shows it consists of a single patch for a Netfilter SNMP NAT issue:
Quote:
Fix memory corruption caused by snmp_trap_decode:
- When snmp_trap_decode fails before the id and address are allocated,
the pointers contain random memory, but are freed by the caller
(snmp_parse_mangle).
- When snmp_trap_decode fails after allocating just the ID, it tries
to free both address and ID, but the address pointer still contains
random memory. The caller frees both ID and random memory again.
- When snmp_trap_decode fails after allocating both, it frees both,
and the caller frees both again.
The corruption can be triggered remotely when the ip_nat_snmp_basic
module is loaded and traffic on port 161 or 162 is NATed.