Re: [SECURITY] [DSA 479-1] New Linux 2.4.18 packages fix local root exploit (source+alpha+i386+powerpc)
Jan Lühr <jluehr@gmx.net> writes:
> Greetings,
>
> Am Mittwoch, 14. April 2004 16:52 schrieb Martin Schulze:
> > --------------------------------------------------------------------------
> > Debian Security Advisory DSA 479-1 security@debian.org
> > http://www.debian.org/security/ Martin Schulze
> > April 14th, 2004 http://www.debian.org/security/faq
> > --------------------------------------------------------------------------
> >
> > Package : kernel-source-2.4.18 kernel-image-2.4.18-1-alpha
> > kernel-image-2.4.18-1-i386 kernel-image-2.4.18-i386bf
> > kernel-patch-2.4.18-powerpc Vulnerability : several vulnerabilities
> > Problem-Type : local
> > Debian-specific: no
> > CVE ID : CAN-2004-0003 CAN-2004-0010 CAN-2004-0109 CAN-2004-0177
> > CAN-2004-0178
>
> puh - synchronised with the release 2.4.26 and no warnings on
> bugtraq or fd... Good work. I imagine that everything is fixed in
> 2.4.26. Does someone know if 2.4.26 is a bugfix pre-release? I'm
> getting a little bit confused right now: if there are serious issues
> with the kernel, why wasn't there any earlier release of 2.4.26?
Okay... This is the result of a cursory check, do your homework, yada,
yada...
CAN-2004-0003
According to the patch in
http://www.uwsg.iu.edu/hypermail/linux/kernel/0403.1/0360.html
2.4.26 contains the fix.
CAN-2004-0010
I don't use ncpfs, and I do not care. I could not find anything
about this either.
CAN-2004-0109
The patch in <20040414171147.GB23419@redhat.com> is in 2.4.26.
CAN-2004-0177
A diff of fs/ext3 between 2.4.25 and 2.4.26 yields nothing.
The same for JBD yields:
--- linux-2.4.25/fs/jbd/journal.c Wed Feb 18 05:36:31 2004
+++ linux-2.4.26/fs/jbd/journal.c Wed Apr 14 06:05:40 2004
@@ -671,6 +671,7 @@
bh = getblk(journal->j_dev, blocknr, journal->j_blocksize);
lock_buffer(bh);
+ memset(bh->b_data, 0, journal->j_blocksize);
BUFFER_TRACE(bh, "return this buffer");
return journal_add_journal_head(bh);
}
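Review bot: the new memset() at line 671 dereferences bh unconditionally, and the visible context shows no NULL check between getblk() and lock_buffer(); if getblk() can fail in this tree the hunk adds a second unchecked dereference, so the caller's contract with getblk() is worth confirming. The zeroing itself is placed correctly, after lock_buffer() and before the buffer becomes a journal head, so the whole j_blocksize is cleared before anything can be written through it. The accompanying changelog entry ("zerout JBD journal descriptor blocks") says nothing about why; a one-line note that stale buffer contents previously ended up in descriptor blocks (CAN-2004-0177) would make the security relevance of this line visible to anyone reading the history.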
And the changelog mentions:
Theodore Y. T'so:
o zerout JBD journal descriptor blocks
So I think that's it: the fix for CAN-2004-0177 is in the kernel.
CAN-2004-0178
A diff of drivers/sound between 2.4.25 and 2.4.26 yields some new
PCI ids for i810_audio.c as well as:
--- linux-2.4.25/drivers/sound/sb_audio.c Mon Feb 25 11:38:06 2002
+++ linux-2.4.26/drivers/sound/sb_audio.c Wed Apr 14 06:05:32 2004
@@ -879,7 +879,7 @@
c -= locallen; p += locallen;
}
/* used = ( samples * 16 bits size ) */
- *used = len << 1;
+ *used = max_in > ( max_out << 1) ? (max_out << 1) : max_in;
/* returned = ( samples * 8 bits size ) */
*returned = len;
}
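Review bot: the changed line clamps *used to the smaller of max_in and (max_out << 1), but the line below still sets *returned = len, so when the clamp engages the two outputs no longer describe the same number of samples (8-bit samples returned versus 16-bit bytes consumed); either len should be derived from the clamped value or the relationship between *used and *returned should be stated explicitly. The comment directly above, "used = ( samples * 16 bits size )", now describes the old expression and should be updated to say that the consumed length is bounded by the available input. Minor: (max_out << 1) is computed twice and the inconsistent spacing in "( max_out << 1)" does not match the surrounding code; a local for the shifted value would fix both.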
That must be it. The snippet appeared in pre3, the changelog says:
<andikies:t-online.de>:
o sb16 sample size fix
And the Debian advisory mentions Andi Kies.
SUMMARY
Except for CAN-2004-0010 (ncpfs), 2.4.26 contains all the security
fixes from DSA 479-1.
Phil.
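The JBD change Phil quotes is a one-line fix for a classic information-disclosure pattern: a block obtained from the buffer cache may still carry whatever the previous user left in it, and without the memset() those stale bytes were written out as journal descriptor content. The following is an added example written for this page, not kernel code and not from Phil's mail: it models a tiny recycling block pool (standing in for getblk(), with an assumed name model_getblk()) and shows how many bytes of a previous user's data remain visible in a freshly obtained descriptor block with and without the zeroing step.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a buffer cache: a small pool of fixed-size blocks
 * that are handed out and reused. Stands in for getblk(); not kernel code. */
#define BLOCKSIZE 64
#define NBLOCKS 4

struct buffer_head {
    uint8_t b_data[BLOCKSIZE];
    int in_use;
};

static struct buffer_head pool[NBLOCKS];

/* getblk-like behaviour: hand out the first free block as-is, contents untouched. */
static struct buffer_head *model_getblk(void)
{
    for (int i = 0; i < NBLOCKS; i++) {
        if (!pool[i].in_use) {
            pool[i].in_use = 1;
            return &pool[i];
        }
    }
    return NULL;
}

/* brelse-like behaviour: mark the block free; its bytes are left in place. */
static void model_brelse(struct buffer_head *bh)
{
    bh->in_use = 0;
}

/* Pre-2.4.26 behaviour: the descriptor block is used exactly as the pool returned it. */
static struct buffer_head *get_descriptor_unzeroed(void)
{
    return model_getblk();
}

/* 2.4.26 behaviour: zero the whole block before it becomes a journal descriptor. */
static struct buffer_head *get_descriptor_zeroed(void)
{
    struct buffer_head *bh = model_getblk();
    if (bh)
        memset(bh->b_data, 0, BLOCKSIZE);
    return bh;
}

/* Count how many bytes of an earlier user's marker data are still visible
 * in a descriptor block obtained through the given routine. */
size_t stale_bytes_visible(struct buffer_head *(*get_descriptor)(void))
{
    /* Step 1: an earlier user fills a block with marker bytes (constructed
     * stand-in for sensitive file data) and releases it back to the pool. */
    struct buffer_head *prev = model_getblk();
    if (!prev)
        return 0;
    memset(prev->b_data, 0xAA, BLOCKSIZE);
    model_brelse(prev);

    /* Step 2: the journal asks for a descriptor block and the pool hands the
     * same block back. Whatever was not cleared is now descriptor content. */
    struct buffer_head *bh = get_descriptor();
    if (!bh)
        return 0;
    size_t leaked = 0;
    for (size_t i = 0; i < BLOCKSIZE; i++) {
        if (bh->b_data[i] == 0xAA)
            leaked++;
    }
    model_brelse(bh);
    return leaked;
}

int main(void)
{
    printf("without memset: %zu stale bytes visible\n",
           stale_bytes_visible(get_descriptor_unzeroed));
    printf("with memset:    %zu stale bytes visible\n",
           stale_bytes_visible(get_descriptor_zeroed));
    return 0;
}
```

The unzeroed path exposes every byte of the recycled block; the zeroed path exposes none, which is exactly what the one-line memset() in the quoted hunk buys. The same check applies to any code that reuses pooled buffers for data that will be persisted or sent elsewhere: clear the buffer at the point it changes owner, not at the point it is freed.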