
Re: CAN-2005-0001, CAN-2004-1235, CAN-2004-1137, CAN-2004-1016, Georgi Guninski security advisory #72, 2004, grsecurity 2.1.0 release



Jan Lühr wrote:
> things seem to be in a rush right now, and I'm looking for a little overview.
> In the past 1-2 months several kernel exploits rushed through the news that
> might / can / probably will affect debian stable. However, I haven't seen any
> single DSA regarding the following issues. Can you please give me an
> overview: Which problems affect kernel-source-2.4.18? - If so, what is
> the current status of the according DSA?

I'm afraid that I can only tell you the status of 2.6.8 and 2.4.27 in
unstable/testing. AFAIK there have not been DSAs for any of these to fix
stable, and I don't know which ones really affect stable. Probably most of
them.

Some of the information below may be incorrect, the kernel team knows better
than I.

> CAN-2005-0001 "Linux kernel i386 SMP page fault handler privilege escalation":
> http://www.isec.pl/vulnerabilities/isec-0022-pagefault.txt (I'm not running
> SMP ;)

The kernel team are aware of it, I expect a fix will be uploaded soon
for unstable.

> CAN-2004-1235 "Linux kernel uselib() privilege elevation" 
> http://isec.pl/vulnerabilities/isec-0021-uselib.txt (Sounds scary PoC Code is 
> included, seems to be discussed here)

Fixed in kernel-source-2.6.8 2.6.9-5 and kernel-source-2.4.27 2.4.27-8
(which should be released today or so), and the kernel-image packages
indirectly built from them.

> CAN-2004-1137 "Linux kernel IGMP vulnerabilities" (Sounds really scary. Are we
> affected? Debian Woody seems to be unaffected, but what about sarge / sid?)
> http://isec.pl/vulnerabilities/isec-0018-igmp.txt

Fixed in kernel-source-2.4.27 2.4.27-7.

> CAN-2004-1016 "Linux kernel scm_send local DoS"
>  http://isec.pl/vulnerabilities/isec-0019-scm.txt

Also fixed in kernel-source-2.4.27 2.4.27-7.

> Georgi Guninski security advisory #72, 2004 "Fun with the linux kernel 
> (2.6,2.4)"
> http://www.guninski.com/where_do_you_want_billg_to_go_today_2.html

This is CAN-2004-1333 and was fixed in kernel-source-2.6.8 2.6.8-11.
AFAIK 2.4 is not yet fixed.

> grsecurity 2.1.0
> http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2005-01/0070.html
> gives a scary / FUD-ish view on the linux kernel. Without discussing their
> thesis in detail, are patches available? Is kernel-source-2.4.18 affected?

I don't think CANs have yet been assigned for those holes.


A few others you left out:

CAN-2004-1337

	Apparently only affects 2.6, we're not very vulnerable since the
	module is loaded by the initrd. Not yet fixed.

CAN-2004-1335

	Fixed in kernel-source-2.6.8. 2.4 is not fixed.

CAN-2004-1234

	Does not affect sarge since we have a kernel > 2.4.25.

CAN-2004-1191

	Should not affect our 2.4 kernel since it was fixed in 2.4.27.
	Probably our 2.6.8 kernel is vulnerable.

CAN-2004-1190

	Could be SuSE specific, unclear and not enough info.

CAN-2004-1151

	My notes indicate that this was fixed in svn at some point, but
	I can't find the fix now.

CAN-2004-1144

	Amd64 specific, don't know if we're vulnerable.

CAN-2004-1074

	Fixed in kernel-source-2.6.8 2.6.8-11, kernel-source-2.4.27
	2.4.27-7, and the binary packages built from them.

CAN-2004-1073
CAN-2004-1072
CAN-2004-1071
CAN-2004-1070

	2.6.8 and 2.4.27 are not vulnerable to these.

CAN-2004-1069

	Only affects 2.6. Fixed in kernel-source-2.6.8 2.6.8-11.

CAN-2004-1068

	Fixed in kernel-source-2.4.27 2.4.27-7, kernel-source-2.6.8 2.6.8-11.

CAN-2004-1058

	AFAIK it's unfixed.

CAN-2004-1056

	Fixed in kernel-source-2.4.27 2.4.27-8 (not yet released),
	kernel-source-2.6.8 2.6.8-11.

CAN-2004-1017

	Unknown.

CAN-2004-1016

	Fixed in kernel-image-2.4.27-i386 2.4.27-7.

CAN-2004-0949

	Fixed in 2.4.27, but 2.6.8 may still be vulnerable.

CAN-2004-0887

	s390 specific. Fixed in linux-kernel-image-2.6.8-s390 2.6.8-3,
	kernel-source-2.6.8 2.6.8-10.

CAN-2004-0883

	Unknown.

CAN-2004-0814

	Fixed in kernel-source-2.6.8 2.6.8-8, kernel-source-2.4.27 2.4.27-7.

CAN-2004-0813

	Fixed in recent 2.6 and 2.4 kernels.

CAN-2004-0685

	Unknown.

CAN-2004-0596

	Unknown.

CAN-2003-0465

	May be unfixed in our 2.4.27 kernel on some arches (bug #280492);
	i386 and ppc32 are ok.
	2.6 is fixed.

-- 
see shy jo, wondering when the kernel security silly season closes
