Kernel Vulns

win32sux · 11-19-2006, 05:06 AM

It includes many bugfixes, one of which addresses a security vulnerability:

Quote:

[PATCH] security/seclvl.c: fix time wrap (CVE-2005-4352)

initlvl=2 in seclvl gives the guarantee
"Cannot decrement the system time".

But it was possible to set the time to the maximum unixtime value
(19 Jan 2038) resulting in a wrap to the minimum value.

This patch fixes this by disallowing setting the time to any date
after 2030 with initlvl=2.

This patch does not apply to kernel 2.6.19 since the seclvl module was
already removed in this kernel.

ChangeLog | CVE-2005-4352

win32sux · 11-20-2006, 02:48 PM

It includes several bugfixes, at least one of which addresses a security vulnerability:

Quote:

Backport fix for CVE-2006-4997 to 2.4 tree

ChangeLog | CVE-2006-4997

win32sux · 11-30-2006, 12:39 AM

It consists of a single patch addressing a security vulnerability:

Quote:

[PATCH] bridge: fix possible overflow in get_fdb_entries (CVE-2006-5751)

Make sure to properly clamp maxnum to avoid overflow (CVE-2006-5751).

ChangeLog | CVE-2006-5751

BTW: Seems I once again missed a 2.6.16.y security fix release. 2.6.16.33 was released November 22 and included a patch for CVE-2005-4352.

win32sux · 12-09-2006, 07:03 AM

Quote:

Description:
A vulnerability has been reported in the Linux Kernel, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to a memory corruption in drivers/net/tokenring/ibmtr.c, which can be exploited to cause a DoS by sending specially crafted packet to a vulnerable system.

The vulnerability is reported in Linux Kernel 2.6.19.

Solution:
A patch is available in the GIT repository.

Secunia Advisory

win32sux · 12-09-2006, 07:11 AM

It includes many bugfixes, one of which addresses a security vulnerability:

Quote:

bridge: fix possible overflow in get_fdb_entries (CVE-2006-5751)

Make sure to properly clamp maxnum to avoid overflow (CVE-2006-5751).

ChangeLog | CVE-2006-5751

win32sux · 12-12-2006, 05:53 AM

It includes several bugfixes, one of which addresses a security vulnerability:

Quote:

[PATCH] do_coredump() and not stopping rewrite attacks? (CVE-2006-6304)

Changelog | CVE-2006-6304

win32sux · 12-16-2006, 05:53 PM

It consists of a few bugfixes, one of which addresses a security vulnerability:

Quote:

[Bluetooth] Add packet size checks for CAPI messages (CVE-2006-6106)

ChangeLog | CVE-2006-6106

win32sux · 12-18-2006, 09:52 PM

It consists of a few bugfixes, one of which addresses a security vulnerability:

Quote:

Bluetooth: Add packet size checks for CAPI messages (CVE-2006-6106)

Changelog | CVE-2006-6106

win32sux · 12-19-2006, 09:45 PM

It consists of two bugfixes, one of which addresses a security vulnerability:

Quote:

Fix incorrect user space access locking in mincore() (CVE-2006-4814)

ChangeLog | CVE-2006-4814

win32sux · 12-23-2006, 04:59 PM

It consists of a single patch addressing a security vulnerability:

Quote:

Call init_timer() for ISDN PPP CCP reset state timer (CVE-2006-5749)

ChangeLog | CVE-2006-5749

win32sux · 01-10-2007, 06:16 PM

It includes many bugfixes, including Linus Torvalds' much anticipated data corruption fix.

Of course, several security issues are also addressed:

Quote:

Bluetooth: Add packet size checks for CAPI messages (CVE-2006-6106)

handle ext3 directory corruption better (CVE-2006-6053)

corrupted cramfs filesystems cause kernel oops (CVE-2006-5823)

ext2: skip pages past number of blocks in ext2_find_entry (CVE-2006-6054)

Fix incorrect user space access locking in mincore() (CVE-2006-4814)

ChangeLog | Tarball | Patch

win32sux · 01-27-2007, 09:21 PM

It includes several bugfixes, at least ten of which address security vulnerabilities:

Quote:

corrupted cramfs filesystems cause kernel oops (CVE-2006-5823)

handle ext3 directory corruption better (CVE-2006-6053)

ext2: skip pages past number of blocks in ext2_find_entry (CVE-2006-6054)

hfs_fill_super returns success even if no root inode (CVE-2006-6056)

x86_64: Don't leak NT bit into next task (CVE-2006-5755)

Bluetooth: Add packet size checks for CAPI messages (CVE-2006-6106)

grow_buffers() infinite loop fix (CVE-2006-5757/CVE-2006-6060)

i386: save/restore eflags in context switch (CVE-2006-5173)

Call init_timer() for ISDN PPP CCP reset state timer (CVE-2006-5749)

Fix incorrect user space access locking in mincore() (CVE-2006-4814)

win32sux · 01-31-2007, 04:28 PM

Quote:

Description:
A vulnerability has been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service) or potentially gain escalated privileges.

The vulnerability is caused due to an error within the "listxattr" system call when interpreting "bad_inode_ops" return values, which can be exploited to cause a memory corruption.

Successful exploitation requires a bad inode.

Solution:
The vulnerability is fixed in version 2.6.20-rc4.

Secunia Advisory | CVE-2006-5753

win32sux · 02-13-2007, 10:25 PM

Quote:

A vulnerability has been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

The vulnerability is caused due to a NULL pointer dereference within the "key_alloc_serial()" function, which can be exploited to crash the Kernel.

Secunia Advisory | CVE-2007-0006

win32sux · 02-20-2007, 04:54 AM

It consists of a single patch over 2.6.20, addressing a security issue.

Quote:

[PATCH] Fix a free-wrong-pointer bug in nfs/acl server (CVE-2007-0772)

Due to type confusion, when an nfsacl verison 2 'ACCESS' request
finishes and tries to clean up, it calls fh_put on entiredly the
wrong thing and this can cause an oops.

ChangeLog | CVE-2007-0772 | Secunia Advisory

NOTE: The 2.6.18.y and 2.6.19.y branches also patched for this issue:

ChangeLog for 2.6.18.7 | ChangeLog for 2.6.19.4