Bug#296700: marked as done ([CAN-2005-0204]: AMD64, allows local users to write to privileged IO ports via OUTS instruction)
Your message dated Mon, 14 Mar 2005 08:32:38 -0500
with message-id <E1DApgU-0000jJ-00@newraff.debian.org>
and subject line Bug#296700: fixed in kernel-source-2.6.8 2.6.8-14
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 24 Feb 2005 06:29:15 +0000
Content-Type: multipart/mixed; boundary="===============1195735746=="
MIME-Version: 1.0
From: Micah Anderson <micah@riseup.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: [CAN-2005-0204]: AMD64,
allows local users to write to privileged IO ports via OUTS instruction
X-Mailer: reportbug 3.8
Date: Thu, 24 Feb 2005 00:29:27 -0600
Message-Id: <20050224062928.7124F3A802@pond>
This is a multi-part MIME message sent by reportbug.
--===============1195735746==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Package: kernel-source-2.6.8
Version: 2.6.8-13
Severity: normal
Tags: security patch
Hello,
CAN-2005-0204 reads:
Linux kernel before 2.6.9, when running on the AMD64 and Intel EM64T
architectures, allows local users to write to privileged IO ports via
the OUTS instruction.
Although this says "before 2.6.9" this *includes* both 2.6.8 and 2.6.9.
REDHAT:RHSA-2005:092
URL:http://www.redhat.com/support/errata/RHSA-2005-092.html
The RedHat bug associated with this is located at:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=148855
A patch to fix the problem is attached to this bug report; it is
located here (also linked to the RedHat bug):
https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=110424&action=view
This apparently only affects AMD64 and EM64T, and applies to 2.6.8 as
well as 2.6.9.
Kernel 2.4.27 appears to have a similar vulnerability, although this
patch would not apply cleanly to that tree, but looks relatively
trivial to modify appropriately.
Please include this CAN number in changelog entries about this problem.
Thanks,
Micah
-- System Information:
Debian Release: 3.1
APT prefers testing
APT policy: (990, 'testing'), (300, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.10
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages kernel-source-2.6.8 depends on:
ii binutils 2.15-5 The GNU assembler, linker and bina
ii bzip2 1.0.2-1 A high-quality block-sorting file
ii coreutils [fileutils] 5.2.1-2 The GNU core utilities
ii fileutils 5.2.1-2 The GNU file management utilities
-- no debconf information
--===============1195735746==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="can-2005-0204"
--- linux-2.6.9/include/asm-x86_64/desc.h~ 2005-01-30 20:08:12.799247944 -0800
+++ linux-2.6.9/include/asm-x86_64/desc.h 2005-01-30 20:08:12.799247944 -0800
@@ -128,7 +128,7 @@
{
set_tssldt_descriptor(&cpu_gdt_table[cpu][GDT_ENTRY_TSS], (unsigned long)addr,
DESC_TSS,
- sizeof(struct tss_struct) - 1);
+ IO_BITMAP_OFFSET + IO_BITMAP_BYTES + 7);
}
static inline void set_ldt_desc(unsigned cpu, void *addr, int size)
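Review bot: The new limit on the added line, IO_BITMAP_OFFSET + IO_BITMAP_BYTES + 7, carries an unexplained "+ 7", and nothing in the hunk says why the TSS limit should end 7 bytes past the I/O bitmap rather than at its last byte. A one-line comment above the set_tssldt_descriptor() call stating what those extra bytes cover would make the value reviewable. The limit is also no longer derived from sizeof(struct tss_struct), so a later change to the structure layout or to the bitmap macros can silently put it out of step with the structure; a build-time check that the new value does not exceed sizeof(struct tss_struct) - 1 would catch that. The patch carries no description of its own, so the CAN-2005-0204 reference requested in the report should go into the changelog entry that applies it.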
--===============1195735746==--
---------------------------------------
Received: (at 296700-close) by bugs.debian.org; 14 Mar 2005 13:38:39 +0000
From: Andres Salomon <dilinger@voxel.net>
To: 296700-close@bugs.debian.org
X-Katie: $Revision: 1.55 $
Subject: Bug#296700: fixed in kernel-source-2.6.8 2.6.8-14
Message-Id: <E1DApgU-0000jJ-00@newraff.debian.org>
Sender: Archive Administrator <katie@ftp-master.debian.org>
Date: Mon, 14 Mar 2005 08:32:38 -0500
Source: kernel-source-2.6.8
Source-Version: 2.6.8-14
We believe that the bug you reported is fixed in the latest version of
kernel-source-2.6.8, which is due to be installed in the Debian FTP archive:
kernel-doc-2.6.8_2.6.8-14_all.deb
to pool/main/k/kernel-source-2.6.8/kernel-doc-2.6.8_2.6.8-14_all.deb
kernel-patch-debian-2.6.8_2.6.8-14_all.deb
to pool/main/k/kernel-source-2.6.8/kernel-patch-debian-2.6.8_2.6.8-14_all.deb
kernel-source-2.6.8_2.6.8-14.diff.gz
to pool/main/k/kernel-source-2.6.8/kernel-source-2.6.8_2.6.8-14.diff.gz
kernel-source-2.6.8_2.6.8-14.dsc
to pool/main/k/kernel-source-2.6.8/kernel-source-2.6.8_2.6.8-14.dsc
kernel-source-2.6.8_2.6.8-14_all.deb
to pool/main/k/kernel-source-2.6.8/kernel-source-2.6.8_2.6.8-14_all.deb
kernel-tree-2.6.8_2.6.8-14_all.deb
to pool/main/k/kernel-source-2.6.8/kernel-tree-2.6.8_2.6.8-14_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 296700@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andres Salomon <dilinger@voxel.net> (supplier of updated kernel-source-2.6.8 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Mon, 14 Mar 2005 05:18:40 -0500
Source: kernel-source-2.6.8
Binary: kernel-source-2.6.8 kernel-doc-2.6.8 kernel-tree-2.6.8 kernel-patch-debian-2.6.8
Architecture: source all
Version: 2.6.8-14
Distribution: unstable
Urgency: high
Maintainer: Debian kernel team <debian-kernel@lists.debian.org>
Changed-By: Andres Salomon <dilinger@voxel.net>
Description:
kernel-doc-2.6.8 - Linux kernel specific documentation for version 2.6.8
kernel-patch-debian-2.6.8 - Debian patches to Linux 2.6.8
kernel-source-2.6.8 - Linux kernel source for version 2.6.8 with Debian patches
kernel-tree-2.6.8 - Linux kernel source tree for building Debian kernel images
Closes: 295626 296700
Changes:
kernel-source-2.6.8 (2.6.8-14) unstable; urgency=high
.
* Backport more scsi-ioctl fixes: add CMD_WARNED, remove duplicate
safe_for_read(READ_BUFFER), add LOG_SENSE as read-ok and
LOG_SELECT as write-ok, quieten scsi ioctl when asking for
a lot of memory and failing. (Maximilian Attems)
.
* ia64-ptrace-speedup.dpatch
Backport needed to form a base on top of which ia64-ptrace-fixes will
apply. (dann frazier)
.
* [SECURITY] ia64-ptrace-fixes.dpatch
Fix some corner cases in ia64 ptrace code; CAN-2005-0136
(dann frazier).
.
* [SECURITY] ia64-unwind-fix.dpatch
unw_unwind_to_user sanity check; CAN-2005-0135
(dann frazier).
.
* Updated kernel-tree description from Martin F Krafft
(Simon Horman)
.
* Updated apply script so it can handle point versions
(Simon Horman)
.
* skb-reset-ip_summed.dpatch: resolve checksumming exploit in
fragmented packet forwarding (Joshua Kwan)
.
* sparc64-nis-killer.dpatch: patch that fixes some compatibility functions
that (as a side effect) caused NIS to flatten a sparc64 machine.
closes: #295626 (Joshua Kwan)
.
* Turn ifeq into a shell construct to allow things to still work if the orig
tarball is unavailable. (Joshua Kwan)
.
* au88x0-use-short-name.dpatch: Use CARD_SHORT_NAME in au88x0.c to allow
card-specific driver names (CARD_SHORT_NAME is redefined by each driver.)
(Joshua Kwan)
.
* proc-cmdline-mmput-leak.dpatch: [CAN-2004-1058] fix race that could
allow user processes to read environment data from processes in the
middle of spawning. (Joshua Kwan)
.
* 025-track_dummy_capability.dpatch, 027-track_dummy_capability.dpatch:
[CAN-2004-1337] The dummy capabilities module wasn't keeping track of
processes capabilities; so, when a capabilities module was loaded,
all untracked processes would magically be given root capabilities.
Backport from 2.6.10's kernel-source. (Joshua Kwan)
.
* setsid-race.dpatch: [CAN-2005-0178] fix setsid() race that could lead
to a denial of service. (Joshua Kwan)
.
* outs.dpatch: [CAN-2005-0204] AMD64, allows local users to write to
privileged IO ports via OUTS instruction.
(Simon Horman) (closes: #296700)
.
* ipv4-fragment-queues-1.dpatch, ipv4-fragment-queues-2.dpatch,
ipv4-fragment-queues-3.dpatch, ipv4-fragment-queues-4.dpatch:
fix potential information leak by making fragment queues private.
(Joshua Kwan, Simon Horman)
.
* sparc64-sb1500-clock-2.6.dpatch by David Miller: enable recognition
of the clock chip on SunBlade 1500, it won't boot otherwise.
(Jurij Smakov).
.
* 2.6.11.2 [SECURITY] epoll: return proper error on overflow condition
(Maximilian Attems)
.
* nfs-O_DIRECT-fix.dpatch: [CAN-2005-0207] set some things to NULL in
an error condition to prevent some nondeterministic behavior.
(Joshua Kwan)
.
* [sparc] Added sparc-sunsab-serial-lockup.dpatch to eliminate the serial
console lockup on machines with sunsab serial controller (Jurij Smakov).
.
* nls-table-overflow.dpatch: [CAN-2005-0177] NLS ASCII table should be 256
entries, not 128! (Joshua Kwan)
.
* [SECURITY] 109-binfmt_elf_loader_solar_designer_fixes.dpatch
Fix from Solar Designer; the binfmt_elf load routines are returning
incorrect values, and are not strict enough in checking the number of
program headers (Andres Salomon).
.
* [SECURITY] 115-proc_file_read_nbytes_signedness_fix.dpatch
Heap overflow fix in /proc; WDYBTGT3-1 on
http://www.guninski.com/where_do_you_want_billg_to_go_today_3.html
No CAN# assigned yet, afaik (Andres Salomon).
.
* [SECURITY] 116-n_tty_copy_from_read_buf_signedness_fixes.dpatch
copy_from_read_buf() fix; WDYBTGT3-2 on
http://www.guninski.com/where_do_you_want_billg_to_go_today_3.html
No CAN#, yet (Andres Salomon).
.
* [SECURITY] 117-reiserfs_file_64bit_size_t_fixes.dpatch
reiserfs integer fixes; WDYBTGT3-4 on
http://www.guninski.com/where_do_you_want_billg_to_go_today_3.html
(Andres Salomon).
.
* [SECURITY] 123-atm_get_addr_signedness_fix.dpatch
Fix atm_get_addr()'s usage of its size arg, by making it
unsigned. WDYBTGT3-3 on
http://www.guninski.com/where_do_you_want_billg_to_go_today_3.html
(Andres Salomon).
.
* 143-sysfs_write_file_signedness_problem.dpatch
sysfs_write_file assigns the result of fill_write_buffer (which is
signed and returns negative upon error) to an unsigned int. Clearly,
bad and wrong.. (Andres Salomon)
Files:
19017701efb72cca2e5dcd47328ca951 956 devel optional kernel-source-2.6.8_2.6.8-14.dsc
1657f46bafe414da9a01420c594d2c49 888287 devel optional kernel-source-2.6.8_2.6.8-14.diff.gz
9c7124b2b53852954e34177839663286 864716 devel optional kernel-patch-debian-2.6.8_2.6.8-14_all.deb
e185dde5774f1ac1dbe069689dfe85cd 34922198 devel optional kernel-source-2.6.8_2.6.8-14_all.deb
b38d4abcc09e2d018f46af59c23e9c18 27292 devel optional kernel-tree-2.6.8_2.6.8-14_all.deb
b8b10533316d5c888ca74be2d047e1bd 6176440 doc optional kernel-doc-2.6.8_2.6.8-14_all.deb