Old 05-31-2006, 12:43 PM   #31
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Linux Kernel SMP "/proc" Race Condition Denial of Service (Not Critical)


Quote:
Description:
Tony Griffiths has reported a vulnerability in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

The vulnerability is caused due to a memory corruption error in the "dentry_unused" list within the "prune_dcache()" function. This can be exploited to crash the kernel when running on SMP hardware by causing a race condition such that one or more tasks exit while another task is reading their /proc entries.

The vulnerability has been reported in versions 2.6.15 through 2.6.17. Other versions may also be affected.

Solution:
Grant only trusted users access to affected systems.

Secunia is currently not aware of an official version addressing this.
Secunia Advisory

This is CVE-2006-2629.
 
Old 06-20-2006, 12:17 PM   #32
win32sux
Linux 2.6.16.21 and 2.6.17.1 have been released. Both releases address security issues.

Regarding 2.6.16.21:

The ChangeLog shows it consists of 4 patches, 3 of which have CVE IDs:

Quote:
[PATCH] xt_sctp: fix endless loop caused by 0 chunk length
This is CVE-2006-3085.

Quote:
[PATCH] run_posix_cpu_timers: remove a bogus BUG_ON()
This is CVE-2006-2445.

Quote:
[PATCH] powerpc: Fix machine check problem on 32-bit kernels
This is CVE-2006-2448.



Regarding 2.6.17.1:

The ChangeLog shows it consists of a patch for CVE-2006-3085:

Quote:
[PATCH] xt_sctp: fix endless loop caused by 0 chunk length
Secunia Advisory

Last edited by win32sux; 06-20-2006 at 06:27 PM.
 
Old 06-30-2006, 05:58 PM   #33
win32sux
Linux 2.6.16.23 and 2.6.17.3 have been released.

Both releases address a Netfilter vulnerability:
Quote:
NETFILTER: SCTP conntrack: fix crash triggered by packet without chunks

When a packet without any chunks is received, the newconntrack variable
in sctp_packet contains an out of bounds value that is used to look up a
pointer from the array of timeouts, which is then dereferenced, resulting
in a crash.
This is CVE-2006-2934.

ChangeLogs: 2.6.16.23, 2.6.17.3.
 
Old 07-07-2006, 05:30 AM   #34
win32sux
Linux 2.6.16.24 and 2.6.17.4 have been released.

Both releases address a core dump handling vulnerability:
Quote:
fix prctl privilege escalation and suid_dumpable

During security research, Red Hat discovered a behavioral flaw in core
dump handling. A local user could create a program that would cause a
core file to be dumped into a directory they would not normally have
permissions to write to. This could lead to a denial of service (disk
consumption), or allow the local user to gain root privileges.
This is CVE-2006-2451.

ChangeLogs: 2.6.16.24, 2.6.17.4.
 
Old 07-14-2006, 11:43 PM   #35
win32sux
Linux 2.6.16.25 and 2.6.17.5 have been released.

Both releases address a /proc vulnerability:
Quote:
Fix nasty /proc vulnerability

We have a bad interaction with both the kernel and user space being able
to change some of the /proc file status. This fixes the most obvious
part of it, but I expect we'll also make it harder for users to modify
even their "own" files in /proc.
This is CVE-2006-3626.

ChangeLogs: 2.6.16.25, 2.6.17.5.


UPDATE: Linux 2.6.16.26 and 2.6.17.6 were released shortly after, to relax the /proc fix a bit. Because this patch isn't in and of itself a vulnerability fix, I will not be making a new post for it (this thread is only for vulnerabilities, not just any bugfixes).
Quote:
Clearing all of i_mode was a bit draconian. We only really care about
S_ISUID/ISGID, after all.
ChangeLogs: 2.6.16.26, 2.6.17.6.

Last edited by win32sux; 07-15-2006 at 04:38 PM.
 
Old 07-19-2006, 07:07 AM   #36
win32sux
Linux 2.6.16.27 has been released.

It's three patches, one of which addresses a security vulnerability:
Quote:
USB serial ftdi_sio: Prevent userspace DoS

This patch limits the amount of outstanding 'write' data that can be
queued up for the ftdi_sio driver, to prevent userspace DoS attacks (or
simple accidents) that use up all the system memory by writing lots of
data to the serial port.
This is CVE-2006-2936.

ChangeLog: 2.6.16.27.
 
Old 07-24-2006, 11:00 PM   #37
win32sux
Linux 2.6.17.7 has been released.

It consists of many patches, one of which addresses a security vulnerability:
Quote:
USB serial ftdi_sio: Prevent userspace DoS

This patch limits the amount of outstanding 'write' data that can be
queued up for the ftdi_sio driver, to prevent userspace DoS attacks (or
simple accidents) that use up all the system memory by writing lots of
data to the serial port.
This is CVE-2006-2936 (this was patched in 2.6.16.y over a week ago).

ChangeLog: 2.6.17.7.

Last edited by win32sux; 07-24-2006 at 11:03 PM.
 
Old 08-07-2006, 12:46 PM   #38
win32sux
Linux Kernel Ext3 Invalid Inode Number Denial of Service

Quote:
James McKenzie has reported a vulnerability in Linux Kernel, which can be exploited by malicious users to cause a DoS (Denial of Service).

The vulnerability is caused due to an error in ext3 when handling an invalid inode number. This can be exploited by sending a specially crafted NFS request with a V2 procedure (e.g. V2_LOOKUP) that specifies an invalid inode number.

Successful exploitation causes the exported directory to be remounted read-only.

The vulnerability has been reported in versions 2.6.14.4, 2.6.17.6, and 2.6.17.7. Other versions may also be affected.
Secunia Advisory | CVE-2006-3468

NOTE: It seems like 2.6.17.8 addresses this, but it's not entirely clear whether the patch is a temporary workaround or a permanent fix.

Last edited by win32sux; 08-08-2006 at 12:43 PM.
 
Old 08-11-2006, 01:56 PM   #39
win32sux
Linux 2.4.33 has been released.

It consists of a great deal of maintenance patches over 2.4.32, several of which address security vulnerabilities. Here's the essence, as far as patches with CVE IDs are concerned:

Quote:
[NETFILTER]: Fix do_add_counters race, possible oops or info leak (CVE-2006-0039)
Quote:
[SCTP]: Validate the parameter length in HB-ACK chunk. (CVE-2006-1857)
Quote:
[SCTP]: Respect the real chunk length when walking parameters. (CVE-2006-1858)
Quote:
smbfs chroot issue (CVE-2006-1864)
Quote:
[SCTP]: Fix state table entries for chunks received in CLOSED state. (CVE-2006-2271)
Quote:
[SCTP]: Fix panic's when receiving fragmented SCTP control chunks. (CVE-2006-2272)
Quote:
[IPV4]: ip_route_input panic fix (CVE-2006-1525)
Quote:
[SCTP]: Prevent possible infinite recursion with multiple bundled DATA. (CVE-2006-2274)
Quote:
fix shm mprotect (CVE-2006-1524)
Quote:
orinoco: CVE-2005-3180: Information leakage due to incorrect padding
Quote:
Backport of CVE-2005-2709 fix
Quote:
x86-64: user code panics kernel in exec.c (CVE-2005-2708)
Quote:
Fix sendmsg overflow (CVE-2005-2490)
The complete ChangeLog is here.

NOTE: I realize it might be a little odd to see the 2.4.x kernel make it into this thread. But considering that 2.4.x is still in such wide use, I feel it's important we post vulnerability reports for it also. Furthermore, the release of 2.4.33 seems like the perfect time to start doing so IMHO.
 
Old 08-17-2006, 07:39 PM   #40
win32sux
Linux Kernel UDF Truncation Denial of Service (Not Critical)

Quote:
Description:
Colin reported a vulnerability in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

The vulnerability is caused due to an error in UDF and can be exploited to cause the system to stop responding by truncating certain files.

Solution:
Restrict access to UDF partitions to trusted users only.
Secunia Advisory | CVE-2006-4145
 
Old 08-18-2006, 12:38 PM   #41
win32sux
Linux 2.6.17.9 has been released.

It consists of a single patch for a PowerPC vulnerability:
Quote:
Clear HID0[en_attn] at CPU init time on PPC970.
CVE-2006-4093 | ChangeLog
 
Old 08-19-2006, 09:28 PM   #42
win32sux
Linux 2.4.33.1 has been released.

It includes a patch for the PowerPC vulnerability, as well as one for CVE-2006-1528.

The ChangeLog is here.

Last edited by win32sux; 08-19-2006 at 09:38 PM.
 
Old 08-22-2006, 06:15 PM   #43
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Linux 2.4.33.2 has been released.

It includes a patch for CVE-2006-3745 (SCTP local privilege elevation).

The ChangeLog is here.
 
Old 08-22-2006, 06:20 PM   #44
win32sux
Linux 2.6.17.10 has been released.

It consists of three patches, two of which have CVE IDs:
Quote:
Fix possible UDF deadlock and memory corruption

UDF code is not really ready to handle extents larger than 1GB. This is
the easy way to forbid creating those.

Also truncation code did not count with the case when there are no
extents in the file and we are extending the file.
This is CVE-2006-4145.

Quote:
Fix sctp privilege elevation

sctp_make_abort_user() now takes the msg_len along with the msg
so that we don't have to recalculate the bytes in iovec.
It also uses memcpy_fromiovec() so that we don't go beyond the
length allocated.

It is good to have this fix even if verify_iovec() is fixed to
return error on overflow.
This is CVE-2006-3745.

The 2.6.17.10 ChangeLog is here.


UPDATE: Linux 2.6.17.11 has been released, but because it doesn't seem to include any fixes for security vulnerabilities, a new post here isn't warranted.

Last edited by win32sux; 08-23-2006 at 09:43 PM.
 
Old 08-26-2006, 07:10 PM   #45
win32sux
Linux 2.6.16.28 has been released.

It consists of several bugfixes, four of which address security vulnerabilities.

From the ChangeLog:
Quote:
Security fixes since 2.6.16.27:
- CVE-2006-2935: cdrom: fix bad cgc.buflen assignment
- CVE-2006-3745: Fix sctp privilege elevation
- CVE-2006-4093: powerpc: Clear HID0 attention enable on PPC970 at boot time
- CVE-2006-4145: Fix possible UDF deadlock and memory corruption
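To make the version lists in this thread actionable, here is an added Python checker (not from the forum posts or the kernel project) that maps each CVE above to the first 2.6.16.y / 2.6.17.y stable release the thread says carries its fix, and reports which fixes a given `uname -r` string still lacks. It assumes vanilla stable kernels; distribution kernels backport fixes, so a version string alone is not proof of exposure there.

```python
import re

# First stable patch level of each branch that ships the fix, exactly as the
# posts in this thread state it (constructed from the thread, not from the
# kernel project).  A branch absent from an entry means the thread says
# nothing about it, not that the branch is unaffected.
THREAD_FIXES = {
    "CVE-2006-3085": {"2.6.16": 21, "2.6.17": 1},
    "CVE-2006-2445": {"2.6.16": 21},
    "CVE-2006-2448": {"2.6.16": 21},
    "CVE-2006-2934": {"2.6.16": 23, "2.6.17": 3},
    "CVE-2006-2451": {"2.6.16": 24, "2.6.17": 4},
    "CVE-2006-3626": {"2.6.16": 25, "2.6.17": 5},
    "CVE-2006-2936": {"2.6.16": 27, "2.6.17": 7},
    "CVE-2006-4093": {"2.6.16": 28, "2.6.17": 9},
    "CVE-2006-3745": {"2.6.16": 28, "2.6.17": 10},
    "CVE-2006-4145": {"2.6.16": 28, "2.6.17": 10},
    "CVE-2006-2935": {"2.6.16": 28},
}

_VERSION_RE = re.compile(r"^(\d+\.\d+\.\d+)(?:\.(\d+))?")


def parse_kernel_release(release):
    """Split a `uname -r` string into (branch, stable patch level).

    '2.6.17.4-smp' -> ('2.6.17', 4); a bare '2.6.16' is level 0 (the
    unpatched base release).  Distro suffixes after the numbers are ignored.
    """
    m = _VERSION_RE.match(release.strip())
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    return m.group(1), int(m.group(2) or 0)


def missing_fixes(release):
    """Return the CVE IDs from this thread whose stable fix is newer than
    the running kernel.  Only 2.6.16.y and 2.6.17.y are covered; any other
    branch raises, because silence in the thread is not evidence of a fix.
    """
    branch, level = parse_kernel_release(release)
    if not any(branch in levels for levels in THREAD_FIXES.values()):
        raise ValueError("branch %s is not covered by this thread" % branch)
    return sorted(
        cve for cve, levels in THREAD_FIXES.items()
        if branch in levels and levels[branch] > level
    )


if __name__ == "__main__":
    for rel in ("2.6.17.4-smp", "2.6.16.28"):  # constructed sample releases
        print(rel, missing_fixes(rel))
```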
 
  

