[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#302704: marked as done (CAN-2005-0750: Possible local root exploit through insufficient range checking in af_bluetooth)

Your message dated Thu, 19 May 2005 06:47:46 -0400
with message-id <E1DYiZ8-0006pf-00@newraff.debian.org>
and subject line Bug#302704: fixed in kernel-source-2.4.27 2.4.27-10
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 2 Apr 2005 12:54:57 +0000
>From jmm@inutil.org Sat Apr 02 04:54:57 2005
Return-path: <jmm@inutil.org>
Received: from gluck.debian.org [192.25.206.10] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1DHi9R-0001i5-00; Sat, 02 Apr 2005 04:54:57 -0800
Received: from inutil.org (vserver151.vserver151.serverflex.de) [193.22.164.111] 
	by gluck.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1DHi9Q-0003Id-00; Sat, 02 Apr 2005 05:54:56 -0700
Received: from wlan-client-010.informatik.uni-bremen.de ([134.102.116.11] helo=localhost.localdomain)
	by vserver151.vserver151.serverflex.de with esmtpsa (TLS-1.0:RSA_AES_256_CBC_SHA:32)
	(Exim 4.50)
	id 1DHi9I-000336-PB
	for submit@bugs.debian.org; Sat, 02 Apr 2005 14:54:48 +0200
Received: from jmm by localhost.localdomain with local (Exim 4.50)
	id 1DHi9M-0004F8-Ui; Sat, 02 Apr 2005 14:54:52 +0200
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CAN-2005-0750: Possible local root exploit through insufficient range
 checking in af_bluetooth
X-Mailer: reportbug 3.9
Date: Sat, 02 Apr 2005 14:54:52 +0200
Message-Id: <E1DHi9M-0004F8-Ui@localhost.localdomain>
X-SA-Exim-Connect-IP: 134.102.116.11
X-SA-Exim-Mail-From: jmm@inutil.org
X-SA-Exim-Scanned: No (on vserver151.vserver151.serverflex.de); SAEximRunCond expanded to false
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

Package: kernel-source-2.4.27
Severity: grave
Tags: security
Justification: user security hole

CAN-2005-0750: Insufficient range checking in af_bluetooth allows local root exploit.

This is the full advisory:
http://lists.grok.org.uk/pipermail/full-disclosure/ attachments/20050327/3f128a09/adv1.pdf

This has been fixed in 2.4.30rc3, a fix is available in Bitkeeper:
http://linux.bkbits.net:8080/linux-2.4/gnupatch@4244717faf_jG6n164uKBvLcVKTAtw

Cheers,
        Moritz 

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.11
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)

---------------------------------------
Received: (at 302704-close) by bugs.debian.org; 19 May 2005 10:51:52 +0000
>From katie@ftp-master.debian.org Thu May 19 03:51:52 2005
Return-path: <katie@ftp-master.debian.org>
Received: from newraff.debian.org [208.185.25.31] (mail)
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1DYid6-0007Em-00; Thu, 19 May 2005 03:51:52 -0700
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
	id 1DYiZ8-0006pf-00; Thu, 19 May 2005 06:47:46 -0400
From: Simon Horman <horms@debian.org>
To: 302704-close@bugs.debian.org
X-Katie: $Revision: 1.55 $
Subject: Bug#302704: fixed in kernel-source-2.4.27 2.4.27-10
Message-Id: <E1DYiZ8-0006pf-00@newraff.debian.org>
Sender: Archive Administrator <katie@ftp-master.debian.org>
Date: Thu, 19 May 2005 06:47:46 -0400
Delivered-To: 302704-close@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 
X-CrossAssassin-Score: 4

Source: kernel-source-2.4.27
Source-Version: 2.4.27-10

We believe that the bug you reported is fixed in the latest version of
kernel-source-2.4.27, which is due to be installed in the Debian FTP archive:

kernel-doc-2.4.27_2.4.27-10_all.deb
  to pool/main/k/kernel-source-2.4.27/kernel-doc-2.4.27_2.4.27-10_all.deb
kernel-patch-debian-2.4.27_2.4.27-10_all.deb
  to pool/main/k/kernel-source-2.4.27/kernel-patch-debian-2.4.27_2.4.27-10_all.deb
kernel-source-2.4.27_2.4.27-10.diff.gz
  to pool/main/k/kernel-source-2.4.27/kernel-source-2.4.27_2.4.27-10.diff.gz
kernel-source-2.4.27_2.4.27-10.dsc
  to pool/main/k/kernel-source-2.4.27/kernel-source-2.4.27_2.4.27-10.dsc
kernel-source-2.4.27_2.4.27-10_all.deb
  to pool/main/k/kernel-source-2.4.27/kernel-source-2.4.27_2.4.27-10_all.deb
kernel-tree-2.4.27_2.4.27-10_all.deb
  to pool/main/k/kernel-source-2.4.27/kernel-tree-2.4.27_2.4.27-10_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 302704@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon Horman <horms@debian.org> (supplier of updated kernel-source-2.4.27 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 16 May 2005 14:48:47 +0900
Source: kernel-source-2.4.27
Binary: kernel-tree-2.4.27 kernel-source-2.4.27 kernel-patch-debian-2.4.27 kernel-doc-2.4.27
Architecture: source all
Version: 2.4.27-10
Distribution: unstable
Urgency: low
Maintainer: Debian Kernel Team <debian-kernel@lists.debian.org>
Changed-By: Simon Horman <horms@debian.org>
Description: 
 kernel-doc-2.4.27 - Linux kernel specific documentation for version 2.4.27
 kernel-patch-debian-2.4.27 - Debian patches to Linux 2.4.27
 kernel-source-2.4.27 - Linux kernel source for version 2.4.27 with Debian patches
 kernel-tree-2.4.27 - Linux kernel source tree for building Debian kernel images
Closes: 302704 302705 302864 305655 308757
Changes: 
 kernel-source-2.4.27 (2.4.27-10) unstable; urgency=low
 .
   * 155_net-bluetooth-signdness-fix.diff:
     [Security] Fix signedness problem at socket creation in bluetooth
     which can lead to local root exploit. See CAN-2005-0750
     (Simon Horman) (closes: Bug#302704)
 .
   * 156_fs-ext2-info-leak.diff:
     [Security] Fix information leak in ext2 which leads to
     a local information leak. See CAN-2005-0400
     (Simon Horman)
 .
   * 157_fs-isofs-range-check-1.diff, 157_fs-isofs-range-check-2.diff,
     157_fs-isofs-range-check-3.diff:
     [Security] Fix range checking in isofs which leads to a local crash
     and arbitary code execution.  See CAN-2005-0815
     (Simon Horman) (closes: #302864)
 .
   * 158_fs-binfmt_elf-dos.diff:
     Potential DOS in load_elf_library. See CAN-2005-0749
     (Simon Horman) (closes: #302705)
 .
   * 159_fs-cramfs-stat.diff
     Fix to stat output for cramfs
     (Simon Horman)
 .
   * 160_drivers-net-sis900-oops.diff
      sis900 kernel oops fix
     (Simon Horman)
 .
   * 161_drivers-net-amd8111e-irq.diff
     AMD8111e driver was releasing an irq in some error situations
     (Simon Horman)
 .
   * 162_drivers-net-via-rhine-irq.diff
     VIA Rhine driver was releasing an irq in some error situations
     (Simon Horman)
 .
   * 165_VM_IO.diff added, 140_VM_IO.diff removed:
     [CAN-2004-1057] Updated fix for DoS from accessing freed kernel pages.
     The previous fix seems to have cuased some problems and this
     is the one that is upstream.
     (Simon Horman, Dann Frazier)
 .
   * 164_net-ipv4-icmp-quench.diff:
      [CAN-2004-0790] Just silently ignore ICMP Source Quench messages.
      (Simon Horman)  (closes: #305655)
 .
   * 165_arch-ia64-kernel-missing-sysctl.diff:
      [CAN-2005-0137] Add missing sysctl slot for ia64 resolving
      local DoS. (Simon Horman)
 .
   * fs-binfmt_elf-dump-privelage.diff:
     Linux kernel ELF core dump privilege elevation
     See CAN-2005-1263. (closes: #308757). (Simon Horman)
Files: 
 59d9aeb90e71e4b6369a6b4986da690b 888 devel optional kernel-source-2.4.27_2.4.27-10.dsc
 0ccc5c9df0130e5da099cd1a7c8a7f64 688010 devel optional kernel-source-2.4.27_2.4.27-10.diff.gz
 157b883cbfb91812912c16728eb61fa0 633228 devel optional kernel-patch-debian-2.4.27_2.4.27-10_all.deb
 9478d7f77b06c30454ef7864d9487fd4 3576196 doc optional kernel-doc-2.4.27_2.4.27-10_all.deb
 3ae3d29a6b8a3de23a860627f3b440c3 31022934 devel optional kernel-source-2.4.27_2.4.27-10_all.deb
 15394d1f0d96b07955178f05296929e0 23348 devel optional kernel-tree-2.4.27_2.4.27-10_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCjGuZdu+M6Iexz7URAnSkAJ9SWaRWL1fYfJzpqtV+TXQ3LhkidgCgynIE
FHrCSlUvvU/NhZxzmELwM+0=
=kbKC
-----END PGP SIGNATURE-----
Reply to: