Linux - Security
The Linux kernel before 2.6.25.10 does not properly perform tty operations, which allows local users to cause a denial of service (system crash) or possibly gain privileges via vectors involving NULL pointer dereference of function pointers in (1) hamradio/6pack.c, (2) hamradio/mkiss.c, (3) irda/irtty-sir.c, (4) ppp_async.c, (5) ppp_synctty.c, (6) slip.c, (7) wan/x25_asy.c, and (8) wireless/strip.c in drivers/net/.
Linux Kernel "snd_seq_oss_synth_make_info()" Information Disclosure
Quote:
Description:
A vulnerability has been reported in the Linux Kernel, which can be exploited by malicious, local users to disclose potentially sensitive information.
The vulnerability is caused due to an error within the "snd_seq_oss_synth_make_info()" function in sound/core/seq/oss/seq_oss_synth.c. This can be exploited to disclose potentially sensitive memory by passing an invalid device number to the vulnerable function.
The vulnerability is reported in versions prior to 2.6.27-rc2.
Linux Kernel 'uvc_driver.c' Format Descriptor Parsing Buffer Overflow Vulnerability
Seems 2.6.26.1 did include at least one security patch, which I missed (partly for reasons discussed here).
So I'm posting this late notice only for completeness' sake. =/
Quote:
The Linux kernel is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.
Local attackers can exploit this issue to execute arbitrary code with superuser privileges. Successfully exploiting this issue will result in the complete compromise of affected computers. Failed exploit attempts will result in a denial-of-service condition.
Versions prior to Linux kernel 2.6.26.1 are vulnerable.
Linux Kernel "rt6_fill_node()" Denial of Service Vulnerability
Quote:
Description:
A vulnerability has been reported in the Linux kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service).
The vulnerability is caused due to a NULL-pointer dereference error within the "rt6_fill_node()" function in net/ipv6/route.c. This can be exploited to trigger a kernel panic via an "ip route get" command.
Successful exploitation requires that the IPv6 default route is not set.
The vulnerability is reported in version 2.6.26.2. Other versions may also be affected.
Integer overflow in the sctp_setsockopt_auth_key function in net/sctp/socket.c in the Stream Control Transmission Protocol (sctp) implementation in the Linux kernel 2.6.24-rc1 through 2.6.26.3 allows remote attackers to cause a denial of service (panic) or possibly have unspecified other impact via a crafted sca_keylength field associated with the SCTP_AUTH_KEY option.
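The SCTP advisory above turns on a length field that the caller controls. What follows is an added illustration written for this thread, not the kernel's net/sctp/socket.c code: a constructed option header, a weak bounds check next to a hardened one, an overflow-safe size computation, and a simulated setsockopt-style handler that shows which inputs each check lets through. The struct, HDR_LEN, key_fits_weak, key_fits_checked, total_size, build_option, handle_auth_key and run_case are all constructed for the example; only the field name sca_keylength is borrowed from the advisory's wording.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed option layout (not the kernel's struct): a fixed header followed
 * by sca_keylength bytes of key material. Only the field name comes from the
 * advisory. */
struct authkey_hdr {
    uint16_t sca_keynumber;
    uint16_t sca_keylength;   /* untrusted: read from the caller's buffer */
};
#define HDR_LEN ((uint32_t)sizeof(struct authkey_hdr))   /* 4 bytes */

/* Weak check: compares the key length against the whole option length and
 * forgets that the header already occupies HDR_LEN of it, so a key length
 * equal to optlen passes even though the key bytes extend past the buffer. */
bool key_fits_weak(uint32_t optlen, uint32_t keylength)
{
    return keylength <= optlen;
}

/* Hardened check: confirm the header fits before subtracting it, so the
 * remaining-space computation cannot wrap, then bound the key by what is
 * actually left after the header. */
bool key_fits_checked(uint32_t optlen, uint32_t keylength)
{
    if (optlen < HDR_LEN)
        return false;
    return keylength <= optlen - HDR_LEN;
}

/* Overflow-safe size for the copy that follows validation: refuses any key
 * length for which HDR_LEN + keylength would wrap a 32-bit size. */
bool total_size(uint32_t keylength, uint32_t *out)
{
    if (keylength > UINT32_MAX - HDR_LEN)
        return false;
    *out = HDR_LEN + keylength;
    return true;
}

/* Builds a constructed option buffer in host byte order; returns bytes
 * written, or 0 if the buffer is too small. */
uint32_t build_option(uint16_t keylength, unsigned char *buf, uint32_t bufsize)
{
    struct authkey_hdr hdr = { .sca_keynumber = 1, .sca_keylength = keylength };
    uint32_t need = HDR_LEN + keylength;
    if (bufsize < need)
        return 0;
    memcpy(buf, &hdr, HDR_LEN);
    memset(buf + HDR_LEN, 0xAB, keylength);   /* dummy key bytes */
    return need;
}

/* Simulated handler: returns the key length it would go on to copy, or -1
 * when the option is rejected. It never touches bytes beyond optlen; the
 * point is which inputs each check accepts. */
long handle_auth_key(const unsigned char *opt, uint32_t optlen, bool hardened)
{
    struct authkey_hdr hdr;
    uint32_t total;
    if (optlen < HDR_LEN)
        return -1;
    memcpy(&hdr, opt, HDR_LEN);
    if (!(hardened ? key_fits_checked(optlen, hdr.sca_keylength)
                   : key_fits_weak(optlen, hdr.sca_keylength)))
        return -1;
    if (!total_size(hdr.sca_keylength, &total))
        return -1;
    return hdr.sca_keylength;
}

/* Convenience wrapper: build an option claiming `keylength` key bytes, then
 * deliver only `delivered` bytes of it to the handler. */
long run_case(uint16_t keylength, uint32_t delivered, bool hardened)
{
    unsigned char buf[64];
    if (build_option(keylength, buf, sizeof buf) == 0 || delivered > sizeof buf)
        return -1;
    return handle_auth_key(buf, delivered, hardened);
}

int main(void)
{
    /* A header claiming 8 key bytes, delivered with only 8 bytes in total. */
    printf("weak check accepts short option:   %ld\n", run_case(8, 8, false));
    printf("hardened check rejects it:         %ld\n", run_case(8, 8, true));
    printf("hardened check with 12 bytes sent: %ld\n", run_case(8, 12, true));
    return 0;
}
```

The weak form is the shape of bug the advisory class describes: the comparison is against the wrong base, so a length that looks in range still reaches past the data that was actually supplied. The hardened form orders its checks so that every subtraction and addition on the untrusted value is known not to wrap before it is used.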
Description:
A vulnerability has been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service).
The vulnerability is caused due to an error when running a 31-bit ptrace, which can be exploited to cause a kernel panic.
The vulnerability is reported in versions prior to 2.6.27-rc6 for the s390 architecture.
Linux Kernel "vmi_write_ldt_entry()" Privilege Escalation
Quote:
Description:
Eugene Teo has reported a vulnerability in the Linux Kernel, which can be exploited by malicious, local users in a VMI guest to cause a DoS (Denial of Service) and potentially gain escalated privileges.
The vulnerability is caused due to an error within the "vmi_write_ldt_entry()" function in arch/x86/kernel/vmi_32.c. This can be exploited to write values into the IDT by e.g. calling "sys_modify_ldt()".
Successful exploitation requires that the kernel is running as a VMI guest on an x86 system.
Linux Kernel DRM_I915_HWS_ADDR IOCTL Privilege Escalation
Quote:
Description:
Olaf Kirch has reported a vulnerability in the Linux kernel, which can be exploited by malicious, local users to potentially gain escalated privileges.
The vulnerability is caused due to the DRM_I915_HWS_ADDR IOCTL being available to non-root users, which can be exploited to e.g. zero and remap memory locations by sending a specially crafted IOCTL to the driver.
Successful exploitation may allow execution of arbitrary code with escalated privileges, but requires an Intel G33 series or newer chipset.
It includes the fix for CVE-2008-3831 (mentioned above), and at least one more security-related fix:
Code:
security: avoid calling a NULL function pointer in drivers/video/tvaudio.c
commit 5ba2f67afb02c5302b2898949ed6fc3b3d37dcf1 upstream
NULL function pointers are very bad security wise. This one got caught by
kerneloops.org quite a few times, so it's happening in the field....
Fix is simple, check the function pointer for NULL, like 6 other places
in the same function are already doing.
It includes at least one security vulnerability fix:
Code:
ext[234]: Avoid printk floods in the face of directory corruption
Note: some people think this represents a security bug, since it
might make the system go away while it is printing a large number of
console messages, especially if a serial console is involved. Hence,
it has been assigned CVE-2008-3528, but it requires that the attacker
either has physical access to your machine to insert a USB disk with a
corrupted filesystem image (at which point why not just hit the power
button), or is otherwise able to convince the system administrator to
mount an arbitrary filesystem image (at which point why not just
include a setuid shell or world-writable hard disk device file or some
such). Me, I think they're just being silly. --tytso
Linux Kernel "sendmsg()" Garbage Collector Denial of Service
Quote:
Description:
A vulnerability has been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service).
The vulnerability is caused due to "sendmsg()" not correctly blocking while the UNIX garbage collector is running. This can be exploited to e.g. cause soft lockups or trigger out-of-memory conditions in other applications via certain UNIX socket operations.