
Bug#296906: marked as done (CAN-2005-0530: information disclosure because of signedness error in copy_from_read_buf)



Your message dated Thu, 24 Mar 2005 16:38:44 +0900
with message-id <20050324073844.GA5552@verge.net.au>
and subject line CAN-2005-0530 not in 2.4.27
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 25 Feb 2005 14:40:53 +0000
From: Stefan Fritsch <sf@sfritsch.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CAN-2005-0530: information disclosure because of signedness error in
 copy_from_read_buf
X-Mailer: reportbug 3.8
Date: Fri, 25 Feb 2005 15:40:51 +0100
Message-Id: <E1D4geB-0005f5-Mb@k.local>

Package: kernel-source-2.6.8
Version: 2.6.8-13
Severity: grave
Tags: security
Justification: user security hole

"Signedness error in the copy_from_read_buf function in n_tty.c for
Linux kernel 2.6.10 and 2.6.11rc1 allows local users to read kernel
memory via a negative argument."

The offending code is also in 2.6.8 and 2.4.27.

A fix is at
http://linux.bkbits.net:8080/linux-2.6/cset@420181322LZmhPTewcCOLkubGwOL3w

Advisory at
http://marc.theaimsgroup.com/?l=full-disclosure&m=110846727602817&w=2

Please also fix 2.6.9 and 2.6.10


-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.10-as2-stf-k-1
Locale: LANG=de_DE@euro, LC_CTYPE=de_DE@euro (charmap=ISO-8859-15)

Versions of packages kernel-source-2.6.8 depends on:
ii  binutils                      2.15-5     The GNU assembler, linker and bina
ii  bzip2                         1.0.2-5    high-quality block-sorting file co
ii  coreutils [fileutils]         5.2.1-2    The GNU core utilities
ii  fileutils                     5.2.1-2    The GNU file management utilities 

-- no debconf information
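
The bug class named in the advisory text quoted in the report above, as an added example that is not part of the original report and is not the kernel's code: a user-space model in which a requested length is clamped with a signed comparison and then used as an unsigned copy length, next to the unsigned clamp. `struct read_buf`, `BUF_SIZE` and all function names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h> /* ssize_t */

#define BUF_SIZE 16 /* constructed size for this model */

/* Hypothetical read buffer: 'count' valid bytes starting at 'tail'. */
struct read_buf { unsigned char data[BUF_SIZE]; size_t tail, count; };

/* Contiguous bytes readable from tail without running past the end. */
static size_t avail(const struct read_buf *rb)
{
    size_t to_end = BUF_SIZE - rb->tail;
    return rb->count < to_end ? rb->count : to_end;
}

/* Flawed clamp: compared as signed, a request with the top bit set looks
 * negative, wins the min, and is huge again once used as a length. */
size_t copy_len_signed(const struct read_buf *rb, size_t requested)
{
    ssize_t n = (ssize_t)avail(rb);
    ssize_t want = (ssize_t)requested;
    if (want < n)
        n = want;
    return (size_t)n;
}

/* Corrected clamp: both operands unsigned, result never exceeds avail(). */
size_t copy_len_unsigned(const struct read_buf *rb, size_t requested)
{
    size_t n = avail(rb);
    return requested < n ? requested : n;
}

/* Copy out using the corrected clamp; returns the number of bytes copied. */
size_t read_from_buf(struct read_buf *rb, unsigned char *dst, size_t requested)
{
    size_t n = copy_len_unsigned(rb, requested);
    memcpy(dst, rb->data + rb->tail, n);
    rb->tail = (rb->tail + n) % BUF_SIZE;
    rb->count -= n;
    return n;
}

int main(void)
{
    struct read_buf rb = { "hello", 0, 5 }; /* constructed sample data */
    printf("signed clamp:   %zu\n", copy_len_signed(&rb, (size_t)-1));
    printf("unsigned clamp: %zu\n", copy_len_unsigned(&rb, (size_t)-1));
    return 0;
}
```

The model only computes the flawed length and never copies with it; `read_from_buf` always goes through the unsigned clamp.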

---------------------------------------
Received: (at 296906-done) by bugs.debian.org; 24 Mar 2005 07:38:53 +0000
Date: Thu, 24 Mar 2005 16:38:44 +0900
From: Horms <horms@debian.org>
To: 296906-done@bugs.debian.org, 296906-submitter@bugs.debian.org
Cc: micha@debian.org
Subject: CAN-2005-0530 not in 2.4.27
Message-ID: <20050324073844.GA5552@verge.net.au>

According to Marcelo Tosatti, this bug is not present in 2.4.
I agree with his analysis, though I previously thought
2.4.27 was vulnerable.

http://lkml.org/lkml/2005/3/23/140

-- 
Horms


