Re: 2.4 kernels
On Wed, Jul 07, 2004 at 03:17:37PM +0200, Francesco P. Lovergine wrote:
> On Wed, Jul 07, 2004 at 03:29:48AM -0700, William Lee Irwin III wrote:
> > On Wed, Jul 07, 2004 at 11:44:06AM +0900, Horms wrote:
> > > What needs to be done?
> >
> > Basically, update cvs to the current 2.4 in order to get security fixes
> > from newer mainline 2.4, and send out packages.
> >
>
> Just a comment: there's not a single CVE# reference in the changelog for the
> whole year 2004. That's a bad habit, because it causes nightmare when
> security patches need to be verified. What follows are issues to be
> checked for 2.4.26 and 2.6.7, AFAIK.
I noticed this too and have been meaning to send a message very similar
to what you have below. I have also gone through and determined which
version of the 2.4 kernel each bug is fixed in. This might help our
cause. You can see my efforts at http://www.ultramonkey.org/bugs/cve/
I believe most of the CAN-2003/2004 entries that are not in the
changelog (which in the case of 2004, is all of them) by CAN number,
are resolved in 2.4.26 and all of them are resolved in 2.4.27-rc3.
I am also very concerned that there have been no security updates
for the woody kernel for quite some time. I am particularly concerned
about CAN-2004-0554, which you listed below.
I have added some additional information below that may be helpful.
I have also added other CAN entries that I believe should be in the
Changelog.
I have only investigated the 2.4.26 debian kernel and the woody kernel.
The former more thoroughly than the latter. I have not looked at 2.6,
but I believe most of these bugs do not apply to 2.6.7. Also, I only
looked at the i386 debian package.
* CAN-2003-0001: Multiple ethernet Network Interface Card (NIC) device
drivers do not pad frames with null bytes, which allows remote
attackers to obtain information from previous packets or kernel
memory by using malformed packets, as demonstrated by Etherleak.
(text:CAN-2003-0001)
Resolved in: upstream: 2.4.21-pre5
woody: 2.4.18-7
sid/sarge: 2.4.20-5
* CAN-2003-0018: Linux kernel 2.4.10 through 2.4.21-pre4 does not
properly handle the O_DIRECT feature, which allows local attackers
with write privileges to read portions of previously deleted files,
or cause file system corruption. This bug has been fixed by
disabling O_DIRECT.
(text:DSA-358-4)
Resolved in: upstream: 2.4.21-pre4
woody: 2.4.18-11
sid/sarge: 2.4.21-1
* CAN-2003-0127: The kernel module loader in Linux kernel 2.2.x
before 2.2.25, and 2.4.x before 2.4.21, allows local users to gain
root privileges by using ptrace to attach to a child process that
is spawned by the kernel. (text:CAN-2003-0127)
Resolved in: upstream: 2.4.21-rc2
woody: 2.4.18-8
sid/sarge: 2.4.20-6
* CAN-2003-0187: The connection tracking core of Netfilter for
Linux 2.4.20, with CONFIG_IP_NF_CONNTRACK enabled or the
ip_conntrack module loaded, allows remote attackers to cause a
denial of service (resource consumption) due to an inconsistency
with Linux 2.4.20's support of linked lists, which causes Netfilter
to fail to identify connections with an UNCONFIRMED status and use
large timeouts. (text:CAN-2003-0187)
Resolved in: upstream: 2.4.21-pre6 (Introduced in 2.4.20-pre6)
woody: Not Vulnerable (<2.4.20-pre6)
sid/sarge: 2.4.20-13
* CAN-2003-0244: The route cache implementation in Linux 2.4,
and the Netfilter IP conntrack module, allows remote attackers to
cause a denial of service (CPU consumption) via packets with forged
source addresses that cause a large number of hash table collisions.
(text:CAN-2003-0244)
Resolved in: upstream: 2.4.21-rc2
woody: 2.4.18-8
sid/sarge: 2.4.20-7
* CAN-2003-0246: The ioperm system call in Linux kernel 2.4.20 and
earlier does not properly restrict privileges, which allows local
users to gain read or write access to certain I/O ports.
(text:CAN-2003-0246)
Resolved in: upstream: 2.4.21-rc4
woody: 2.4.18-8
sid/sarge: 2.4.20-7
* CAN-2003-0247: Unknown vulnerability in the TTY layer of the Linux
kernel 2.4 allows attackers to cause a denial of service ("kernel
oops"). (text:CAN-2003-0247)
Resolved in: upstream: 2.4.21-rc4
woody: 2.4.18-8
sid/sarge: 2.4.20-8
* CAN-2003-0248: The mxcsr code in Linux kernel 2.4 allows attackers to
modify CPU state registers via a malformed address.
(text:CAN-2003-0248)
Resolved in: upstream: 2.4.22-pre10
woody: 2.4.18_2.4.18-8
sid/sarge: 2.4.20-8
* CAN-2003-0465: The kernel strncpy function in Linux 2.4 and 2.5 does
not %NUL pad the buffer on architectures other than x86, as opposed to
the expected behavior of strncpy as implemented in libc, which could
lead to information leaks. (text:CAN-2003-0465)
Not sure about this, as it doesn't affect x86.
* CAN-2003-0619: Integer signedness error in the decode_fh function of
nfs3xdr.c in Linux kernel before 2.4.21 allows remote attackers to
cause a denial of service (kernel panic) via a negative size value
within XDR data of an NFSv3 procedure call. (text:DSA-358-4)
Resolved in: upstream: 2.4.21-pre3
woody: 2.4.18-10
sid/sarge: 2.4.22-1
* CAN-2003-0643: The Linux Socket Filter implementation contains a bug
which can lead to a local dos. Due to an unsigned->signed conversion
and insufficient bounds checking it is possible to crash the kernel
by accessing unmapped memory. The bug was introduced during the
attempt to fix other signedness issues in 2.4.3-pre3. (text:Patrick
McHardy, LKML)
Resolved in: upstream: 2.4.22-pre10
woody: 2.4.18-11
sid/sarge: 2.4.21-4
* CAN-2003-0699: The C-Media PCI sound driver in Linux before 2.4.21
does not use the get_user function to access userspace, which crosses
security boundaries and may facilitate the exploitation of
vulnerabilities, a different vulnerability than CAN-2003-0700.
(text:CAN-2003-0699)
Resolved in: upstream: 2.4.21-rc2
woody: Vulnerable
sid/sarge: 2.4.21-1
Fix: http://linux.bkbits.net:8080/linux-2.4/cset@1.930.114.28??nav=index.html
* CAN-2003-0700: The C-Media PCI sound driver in Linux before 2.4.22
does not use the get_user function to access userspace in certain
conditions, which crosses security boundaries and may facilitate the
exploitation of vulnerabilities, a different vulnerability than
CAN-2003-0699 (text:CAN-2003-0700)
Resolved in: upstream: 2.4.22-pre3
woody: Vulnerable
sid/sarge: 2.4.21-4
Fix: http://linux.bkbits.net:8080/linux-2.4/cset@1.1003.10.93??nav=index.html
* CAN-2003-0961: Integer overflow in the do_brk function for the brk
system call in Linux kernel 2.4.22 and earlier allows local users to
gain root privileges. (text:CAN-2003-0961)
Resolved in: upstream: 2.4.23-pre7
woody: 2.4.18-14.1
sid/sarge: 2.4.23-1
* CAN-2003-0984: Real time clock (RTC) routines in Linux kernel 2.4.23
and earlier do not properly initialize their structures, which could
leak kernel data to user space. (text:CAN-2003-0985)
Resolved in: upstream: 2.4.24-rc1
woody: Vulnerable
sid/sarge: 2.4.24-1
Fix: http://linux.bkbits.net:8080/linux-2.4/cset@1.1136.94.1??nav=index.html
http://www.ultramonkey.org/bugs/cve-patch/CAN-2003-0984.patch
* CAN-2003-0985: The mremap system call (do_mremap) in Linux kernel 2.4
and 2.6 does not properly perform bounds checks, which allows local
users to cause a denial of service and possibly gain privileges by
causing a remapping of a virtual memory area (VMA) to create a zero
length VMA, a different vulnerability than CAN-2004-0077.
(text:CAN-2003-0985)
Resolved in: upstream: 2.4.24-rc1
woody: 2.4.18_2.4.18-14.1
sid/sarge: 2.4.24-1
* CAN-2004-0003: A vulnerability has been discovered in the R128 DRI
driver in the Linux kernel which could potentially lead an attacker
to gain unauthorised privileges. Alan Cox and Thomas Biege developed
a correction for this. (text:DSA-479-1)
Resolved in: upstream: 2.4.26-rc4
woody: 2.4.18-14.3
sid/sarge: 2.4.25-2
* CAN-2004-0010: Arjan van de Ven discovered a stack-based
buffer overflow in the ncp_lookup function for ncpfs in the Linux
kernel, which could lead an attacker to gain unauthorised
privileges. Petr Vandrovec developed a correction for this.
(text:DSA-479-1)
Resolved in: upstream: 2.4.25-pre7
woody: Vulnerable
sid/sarge: 2.4.25-1
Fix: http://linux.bkbits.net:8080/linux-2.4/cset@1.1276.3.9??nav=index.html
http://www.ultramonkey.org/bugs/cve-patch/CAN-2004-0010.patch
* CAN-2004-0075: The Vicam USB driver in Linux before 2.4.25 does not
use the copy_from_user function when copying data from userspace to
kernel space, which crosses security boundaries and allows local
users to cause a denial of service.
Resolved in: upstream: 2.4.25-pre5
woody: Vulnerable
sid/sarge: 2.4.25-1
Fix: http://linux.bkbits.net:8080/linux-2.4/cset@1.1267.1.128??nav=index.html
http://www.ultramonkey.org/bugs/cve-patch/CAN-2004-0075.patch
* CAN-2004-0077: The do_mremap function for the mremap system call in
Linux 2.2 to 2.2.25, 2.4 to 2.4.24, and 2.6 to 2.6.2, does not
properly check the return value from the do_munmap function when the
maximum number of VMA descriptors is exceeded, which allows local
users to gain root privileges, a different vulnerability than
CAN-2003-0985. (text:CAN-2004-0077)
Resolved in: upstream: 2.4.26-pre3
woody: 2.4.18-14.2
sid/sarge: 2.4.24-3
* CAN-2004-0109: zen-parse discovered a buffer overflow vulnerability
in the ISO9660 filesystem component of Linux kernel which could be
abused by an attacker to gain unauthorised root access. Sebastian
Krahmer and Ernie Petrides developed a correction for this.
(text:DSA-479)
Resolved in: upstream: 2.4.26-rc4
woody: 2.4.18-14.3
sid/sarge: 2.4.25-2
> * CAN-2004-0133: The XFS file system in 2.4 series kernels has an
> information leak by which data in the memory can be written to the
> device hosting the file system, allowing users to obtain portions of
> kernel memory by reading the raw block device.
Resolved in: upstream: 2.4.26-pre2 (XFS added in 2.4.25)
woody: Not Vulnerable (<2.4.25)
sid/sarge: 2.4.26_2.4.26-1
* CAN-2004-0177: Solar Designer discovered an information leak in the
ext3 code of Linux. In a worst case an attacker could read
sensitive data such as cryptographic keys which would otherwise
never hit disk media. Theodore Ts'o developed a correction for
this. (text: Debian Woody changelog)
Resolved in: upstream: 2.4.26-pre4
woody: 2.4.18-14.3
sid/sarge: 2.4.26-1
* CAN-2004-0178: The OSS code for the Sound Blaster driver in Linux
2.4.x does not properly handle certain sample sizes, which allows
local users to cause a denial of service (crash). (text:CAN-2004-0178)
Resolved in: upstream: 2.4.26-pre3
woody: 2.4.18-14.3
sid/sarge: 2.4.25-2
> * CAN-2004-0181: The JFS file system in 2.4 series kernels has an
> information leak by which data in the memory can be written to the
> device hosting the file system, allowing users to obtain portions of
> kernel memory by reading the raw device.
Resolved in: upstream: 2.4.26-pre5
woody: Vulnerable
sid/sarge: 2.4.25-2
Fix: http://linux.bkbits.net:8080/linux-2.4/cset@1.1302.51.1??nav=index.html
http://www.ultramonkey.org/bugs/cve-patch/CAN-2004-0181.patch
> * CAN-2004-0228: Due to an integer signedness error in the CPUFreq
> /proc handler code in 2.6 series Linux kernels, local users can
> escalate their privileges.
This code is not present in 2.4 (as of 2.4.27-pre3).
Resolved in: upstream: Not Vulnerable
woody: Not Vulnerable
sid/sarge: Not Vulnerable
> * CAN-2004-0229: The framebuffer driver in 2.6 series kernel drivers
> does not use the fb_copy_cmap method of copying structures. The
> impact of this issue is unknown, however.
This code is not present in 2.4 (as of 2.4.27-pre3).
Resolved in: upstream: Not Vulnerable
woody: Not Vulnerable
sid/sarge: Not Vulnerable
> * CAN-2004-0394: A buffer overflow in the panic() function of 2.4
> series Linux kernels exists, but it may not be exploitable under
> normal circumstances due to its functionality.
Resolved in: upstream: Vulnerable
woody: Vulnerable
sid/sarge: Vulnerable
Fix: http://lkml.org/lkml/2002/6/24/142
Personally, while the patch seems harmless enough, it is hard,
really hard, to see how this could be exploited.
* CAN-2004-0424: Integer overflow in the ip_setsockopt function in
Linux kernel 2.4.22 through 2.4.25 and 2.6.1 through 2.6.3 allows
local users to cause a denial of service (crash) or execute
arbitrary code via the MCAST_MSFILTER socket option.
(text:CAN-2004-0424)
Resolved in: upstream: 2.4.26-pre3
woody: Not Vulnerable (< 2.4.22)
sid/sarge: 2.4.26_2.4.26-1
> * CAN-2004-0427: The do_fork() function in both 2.4 and 2.6 series
> Linux kernels does not properly decrement the mm_count counter when
> an error occurs, triggering a memory leak that allows local users to
> cause a Denial of Service by exhausting other applications of memory;
> causing the kernel to panic or to kill services.
Resolved in: upstream: 2.4.26-rc4
woody: None
sid/sarge: 2.4.26_2.4.26-1
Fix: http://linux.bkbits.net:8080/linux-2.4/cset@1.1356??nav=index.html
http://www.ultramonkey.org/bugs/cve-patch/CAN-2004-0427.patch
> * CAN-2004-0495: Multiple vulnerabilities found by the Sparse source
> checker in the kernel allow local users to escalate their privileges
> or gain access to kernel memory.
Resolved in: upstream: 2.4.27-rc1
woody: None
sid/sarge: None
Fix: http://www.ultramonkey.org/bugs/patch/linux-2.4.27-viro-sparse.patch
(From RHEL 15.0.3.EL kernel SRPM, not all patched files are
present in the debian or kernel.org kernels. But the patch for
those files that are applied cleanly)
* CAN-2004-0497: Missing check for fsuid in sys_chown(). fsuid is set
by the privileged system call sys_setfsuid(). fsuid was added for, and
is generally only used by the Linux user space NFS daemons. Clients
of this daemon can potentially exploit this vulnerability to make
unauthorised changes to the ownership of files on a remote system.
(text: Minoura Makoto and myself)
Resolved in: upstream: 2.4.27-rc3
woody: None
sid/sarge: None
Fix: http://linux.bkbits.net:8080/linux-2.4/cset@1.1467??nav=index.html
http://linux.bkbits.net:8080/linux-2.4/cset@1.1469??nav=index.html
http://www.ultramonkey.org/bugs/cve-patch/CAN-2004-0497.patch
> * CAN-2004-0535: The e1000 NIC driver does not properly initialize
> memory structures before using them, allowing users to read kernel
> memory.
Resolved in: upstream: 2.4.27-rc3
woody: None
sid/sarge: None
Fix: http://linux.bkbits.net:8080/linux-2.4/cset@1.1359.1.12??nav=index.html
http://www-test.ultramonkey.org/bugs/cve-patch/CAN-2004-0535.patch
>
> * CAN-2004-0554: 2.4 and 2.6 series kernels running on an x86 or an
> AMD64 architecture allow local users to cause a Denial of Service by
> a total system hang, due to an infinite loop that triggers a signal
> handler with a certain sequence of fsave and frstor instructions.
Resolved in: upstream: 2.4.27-pre6
woody: None
sid/sarge: None
Fix: http://linux.bkbits.net:8080/linux-2.4/cset@1.1438.1.9??nav=index.html
http://linux.bkbits.net:8080/linux-2.4/cset@1.1438.4.1??nav=index.html
http://www.ultramonkey.org/bugs/cve-patch/CAN-2004-0554.patch
* CAN-2004-0587: Insecure permissions for the
/proc/scsi/qla2300/HbaApiNode file in Linux allows local users to
cause a denial of service. (text:CAN-2004-0587)
Not present in debian or kernel.org 2.4 kernel.
Resolved in: upstream: Not Vulnerable
woody: Not Vulnerable
sid/sarge: Not Vulnerable
--
Horms
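As an added example (not part of this mail, nor of the ultramonkey.org pages it links to): a small Python audit script that parses records in the "* CAN-...:" / "Resolved in:" layout used above and, given a suite and an installed kernel-image version, reports which entries that version still lacks a fix for. This is the check the thread is about: verifying a package against a CAN list when the changelog carries no CAN references. Version comparison implements the dpkg ordering for Debian package versions (the woody and sid/sarge columns); kernel.org -pre/-rc tags in the upstream column are not Debian revisions and are not compared. The embedded sample is a constructed excerpt of the records above, and treating the `2.4.26_2.4.26-1` notation as "take the part after the underscore" is an assumption about the mail's notation.

```python
import re

# Constructed sample: an excerpt of the mail's records in its own layout
# (the last entry keeps the '>' quote prefix some entries carry in the mail).
SAMPLE = """\
* CAN-2003-0699: C-Media PCI sound driver does not use get_user.
Resolved in: upstream: 2.4.21-rc2
woody: Vulnerable
sid/sarge: 2.4.21-1
* CAN-2004-0109: Buffer overflow in the ISO9660 filesystem.
Resolved in: upstream: 2.4.26-rc4
woody: 2.4.18-14.3
sid/sarge: 2.4.25-2
* CAN-2004-0424: Integer overflow in ip_setsockopt (MCAST_MSFILTER).
Resolved in: upstream: 2.4.26-pre3
woody: Not Vulnerable (< 2.4.22)
sid/sarge: 2.4.26_2.4.26-1
> * CAN-2004-0554: fsave/frstor infinite loop, local denial of service.
Resolved in: upstream: 2.4.27-pre6
woody: None
sid/sarge: None
"""

def _order(c):  # dpkg's character weight: '~' sorts first, then letters, then other symbols
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else ord(c) + 256

def _verrevcmp(a, b):
    """Compare one version part the way dpkg does: alternate non-digit and numeric runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0":   # numeric runs: drop leading zeros, then
            i += 1                          # the longer run wins, else the first
        while j < len(b) and b[j] == "0":   # differing digit decides
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def debian_version_cmp(v1, v2):
    """Return -1, 0 or 1 comparing two Debian package versions ([epoch:]upstream[-revision])."""
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
        return int(epoch), upstream, revision
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    c = (e1 > e2) - (e1 < e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
    return (c > 0) - (c < 0)

_ENTRY = re.compile(r"\* (CAN-\d{4}-\d{4}):")
_FIELD = re.compile(r"(?:Resolved in:\s*)?(upstream|woody|sid/sarge):\s*(.+)$")

def parse_entries(text):
    """Map each CAN id to its {suite: value} fields; '>' quoted lines count as records too."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()
        if m := _ENTRY.match(line):
            current = entries.setdefault(m.group(1), {})
        elif (m := _FIELD.match(line)) and current is not None:
            current[m.group(1)] = m.group(2).strip()
    return entries

def status(value, installed):
    """Classify one suite's 'Resolved in' value against the installed package version."""
    v = value.strip()
    if v.lower().startswith("not vulnerable"):
        return "not-affected"
    if v.lower() in ("vulnerable", "none"):
        return "unfixed"                     # no fixed package exists for this suite
    if "_" in v:                             # assumption: "source_version" form, 2.4.26_2.4.26-1
        v = v.split("_", 1)[1]
    return "fixed" if debian_version_cmp(installed, v.split()[0]) >= 0 else "missing-fix"

def audit(text, suite, installed):
    """Return [(CAN id, status)] for every entry the installed version does not resolve."""
    report = []
    for can, fields in sorted(parse_entries(text).items()):
        s = status(fields.get(suite, "None"), installed)
        if s not in ("fixed", "not-affected"):
            report.append((can, s))
    return report
```

Running `audit(SAMPLE, "woody", "2.4.18-14.1")` against the woody package version from the mail's own CAN-2003-0961 entry flags CAN-2004-0109 as "missing-fix" (fixed only in 2.4.18-14.3) and CAN-2003-0699 and CAN-2004-0554 as "unfixed" (no woody package carries the fix at all), which is the shape of report the thread asks for. Reusing `_verrevcmp` for the upstream column would misorder `2.4.27-rc3` above `2.4.27`, which is why the script only compares the Debian package columns.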