
Bug#303498: marked as done (CAN-2005-0749: Elf Binary Loading Local DoS)

Your message dated Thu, 19 May 2005 07:17:46 -0400
with message-id <E1DYj2A-0001yB-00@newraff.debian.org>
and subject line Bug#303498: fixed in kernel-source-2.6.8 2.6.8-16
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

From: "Geoff Crompton" <geoffc@strategicdata.com.au>
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CAN-2005-0749: Elf Binary Loading Local DoS
X-Mailer: reportbug 3.8
Date: Thu, 07 Apr 2005 12:50:47 +1000
Message-Id: <20050407025048.48C11C000D48@sd01.mel.strategicdata.com.au>

Package: kernel-source-2.6.8
Version: 2.6.8-15
Severity: important

SecurityFocus http://www.securityfocus.com/bid/12935/discussion/ has the
> It is reported that issue exists in the 'load_elf_library' function.
> Linux Kernel and prior versions are affected by this issue.

Ubuntu mentions this issue as part of USN-103-1, and it's fixed in

The patch from to for the load_elf_library is here:

The changelog for that change says in relation:
>From: Herbert Xu <herbert@gondor.apana.org.au>
>Yichen Xie <yxie@cs.stanford.edu> points out that
>load_elf_library can modify `elf_phdata' before freeing it.

I'm not enough of a programmer to prepare a diff for the 2.6.8 source.
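An added example (not from the report, the SecurityFocus advisory or the Debian package): a userland model of the pattern the quoted changelog describes in load_elf_library, with the table pointer itself advanced to the PT_LOAD entry (buggy shape) beside a separate-cursor walk that leaves the allocation pointer intact (fixed shape). The phdr_t struct, the constructed header table and the function names are assumptions of this model, not kernel code.

```c
#include <stdlib.h>

/* Stand-in for Elf32_Phdr from <elf.h>; only p_type matters for the walk.
 * PT_LOAD = 1 is the ELF-specified value; PT_NOTE/PT_PHDR are fillers. */
enum { PT_LOAD = 1, PT_NOTE = 4, PT_PHDR = 6 };
typedef struct { unsigned int p_type; } phdr_t;

/* Constructed table: PT_PHDR, PT_NOTE, PT_LOAD, so the single PT_LOAD entry
 * sits two elements past the allocation base (the loader's "exactly one
 * PT_LOAD" precondition is assumed, not re-checked here). */
phdr_t *make_phdrs(size_t *n)
{
    static const unsigned int types[] = { PT_PHDR, PT_NOTE, PT_LOAD };
    phdr_t *p = calloc(3, sizeof *p);
    *n = 3;
    for (size_t i = 0; p && i < 3; i++)
        p[i].p_type = types[i];
    return p;
}

/* Buggy shape: elf_phdata itself is advanced to the PT_LOAD entry, so the
 * pointer later handed to kfree() is an interior pointer, not the base.
 * Returns what would be freed; free() is deliberately not called here
 * because freeing an interior pointer is undefined behaviour. */
void *find_load_buggy(phdr_t *elf_phdata, size_t n)
{
    for (size_t i = 0; i < n && elf_phdata->p_type != PT_LOAD; i++)
        elf_phdata++;                  /* allocation base is lost here */
    return elf_phdata;                 /* what kfree() would receive */
}

/* Fixed shape: walk with a separate cursor; elf_phdata stays the base. */
void *find_load_fixed(phdr_t *elf_phdata, size_t n, phdr_t **load)
{
    phdr_t *eppnt = elf_phdata;
    for (size_t i = 0; i < n && eppnt->p_type != PT_LOAD; i++)
        eppnt++;
    *load = eppnt;
    return elf_phdata;                 /* base pointer, safe to free */
}

/* 1 if the fixed walk hands back the base and the buggy walk would not. */
int demo(void)
{
    size_t n; phdr_t *load, *base = make_phdrs(&n);
    int ok = base && find_load_buggy(base, n) == (void *)(base + 2)
          && find_load_fixed(base, n, &load) == (void *)base && load == base + 2;
    free(base);
    return ok;
}
```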

From: Simon Horman <horms@debian.org>
To: 303498-close@bugs.debian.org
X-Katie: $Revision: 1.55 $
Subject: Bug#303498: fixed in kernel-source-2.6.8 2.6.8-16
Message-Id: <E1DYj2A-0001yB-00@newraff.debian.org>
Sender: Archive Administrator <katie@ftp-master.debian.org>
Date: Thu, 19 May 2005 07:17:46 -0400

Source: kernel-source-2.6.8
Source-Version: 2.6.8-16

We believe that the bug you reported is fixed in the latest version of
kernel-source-2.6.8, which is due to be installed in the Debian FTP archive:

  to pool/main/k/kernel-source-2.6.8/kernel-doc-2.6.8_2.6.8-16_all.deb
  to pool/main/k/kernel-source-2.6.8/kernel-patch-debian-2.6.8_2.6.8-16_all.deb
  to pool/main/k/kernel-source-2.6.8/kernel-source-2.6.8_2.6.8-16.diff.gz
  to pool/main/k/kernel-source-2.6.8/kernel-source-2.6.8_2.6.8-16.dsc
  to pool/main/k/kernel-source-2.6.8/kernel-source-2.6.8_2.6.8-16_all.deb
  to pool/main/k/kernel-source-2.6.8/kernel-tree-2.6.8_2.6.8-16_all.deb

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 303498@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Simon Horman <horms@debian.org> (supplier of updated kernel-source-2.6.8 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Thu, 19 May 2005 16:51:34 +0900
Source: kernel-source-2.6.8
Binary: kernel-source-2.6.8 kernel-doc-2.6.8 kernel-tree-2.6.8 kernel-patch-debian-2.6.8
Architecture: source all
Version: 2.6.8-16
Distribution: unstable
Urgency: low
Maintainer: Debian kernel team <debian-kernel@lists.debian.org>
Changed-By: Simon Horman <horms@debian.org>
 kernel-doc-2.6.8 - Linux kernel specific documentation for version 2.6.8
 kernel-patch-debian-2.6.8 - Debian patches to Linux 2.6.8
 kernel-source-2.6.8 - Linux kernel source for version 2.6.8 with Debian patches
 kernel-tree-2.6.8 - Linux kernel source tree for building Debian kernel images
Closes: 272683 295725 300163 301372 301488 301528 301799 301799 301799 301799 302352 303140 303498 304548 307552 308034 308634 308724 308855 309429
 kernel-source-2.6.8 (2.6.8-16) unstable; urgency=low
   * smbfs-overrun.dpatch:
     Reinstated smbfs-overrun.dpatch to complete fix for CAN-2004-1191
     (Simon Horman) (closes: #300163)
   * radeon-race-2.dpatch:
     Symbol fix for radeon race fix in 2.6.8-15.
     (Simon Horman) (closes: #301488, #301528, #308034)
   * drivers-input-serio-nmouse.dpatch:
     [Security] fix N_MOUSE TTY privilege problem. See CAN-2005-0839
     (Simon Horman) (closes: #301372)
   * net-bluetooth-signdness-fix.dpatch:
     [Security] Fix signedness problem at socket creation in bluetooth
     which can lead to local root exploit. See CAN-2005-0750
     (Simon Horman) (closes: #301799)
   * fs-ext2-info-leak.dpatch:
     [Security] Fix information leak in ext2 which leads to
     a local information leak. See CAN-2005-0400
     (Simon Horman) (closes: #301799)
   * fs-isofs-range-check-1.dpatch, fs-isofs-range-check-2.dpatch:
     [Security] Fix range checking in isofs which leads to a local crash
     and arbitrary code execution.  See CAN-2005-0815
     (Simon Horman) (closes: #301799)
   * mm-shmem-truncate.dpatch:
     [Security] tmpfs caused truncate bug which leads to a local DoS.
     CVE yet to be assigned.
     (Simon Horman)
   * fs-binfmt_elf-dos.dpatch:
     Potential DOS in load_elf_library. See CAN-2005-0749
     (Simon Horman) (closes: #301799, #303498)
   * arch-ppc64-hugepage-aio-panic.dpatch:
     fix AIO panic on PPC64 caused by is_hugepage_only_range().
     See CAN-2005-0916. (Simon Horman) (closes: #302352)
   * kernel-futex-deadlock.dpatch:
     Fix possible deadlock in futex mmap_sem. See CAN-2005-0937
     (closes: #303140) (Simon Horman)
   * net-ipv4-bic-binary-search.patch:
     Fix BIC congestion avoidance algorithm error
     (Simon Horman)
   * net-ipv4-ipsec-icmp-deadlock.patch:
     Fix IPSEC ICMP deadlock
     (Simon Horman)
   * drivers-media-video-saa7110-oops.patch:
     Fix saa7110 driver to handle I2C_FUNC_I2C support correctly,
     previously it would oops.
     (Simon Horman)
   * fs-cramfs-stat.dpatch:
     Fix bogus blocks field for devices in cramfs.
     (Simon Horman)
   * drivers-media-video-i2c-msg.dpatch:
     Fix i2c message flags in video drivers
     (Simon Horman)
   * drivers-net-sis900-oops.dpatch:
     Fix oops in sis900 driver caused by it being preempted
     before it has finished setting sis_priv->mii
     (Simon Horman)
   * drivers-net-via-rhine-wol-oops.dpatch:
     Fix oops in VIA Rhine driver caused by assuming all cards have WOL support.
     (Simon Horman)
   * net-netrom-double-lock.dpatch:
     Fix deadlock in netrom caused by double locking.
     (Simon Horman)
   * drivers-net-amd811e-irq.dpatch:
     Fix bug in AMD8111e driver where it neglects to release an
     irq on some error conditions.
     (Simon Horman)
   * net-xfrm-find_acq_byseq.dpatch:
     Fix __xfrm_find_acq_byseq() so it only returns objects
     in the XFRM_STATE_ACQ state.
     (Simon Horman)
   * drivers-net-via-rhine-irq.dpatch:
     VIA Rhine driver was releasing an irq in some error situations
     (Simon Horman)
   * sound-core-timer-oops.dpatch:
     Fix ALSA timer notification.
     o Oops in read()
     o wake-up polls and signals with new events
     (Simon Horman)
   * fs-jdb-race.dpatch:
     Fix race in JDB
     (Simon Horman)
   * arch-ia64-syscall-audit.dpatch:
     Fix ia64 syscall auditing
     (Simon Horman)
   * drivers-i2c-chips-eprom.dpatch:
     Fix oops in eprom driver that occurs when data is read from sysfs
     (Simon Horman)
   * lib-rwsem-spinlock.dpatch:
     Fix deadlock that occurs when dio_complete() does up_read() from IRQ
     context by using interrupt-disabling spin locks.
     (Simon Horman)
   * fs-jdb-slow-leak.dpatch:
     Fix longstanding jdb commit leak - since 2.6.6. (Maximilian Attems)
   * sparc64-sigpoll-2.6.8.dpatch:
     Separate __SI_FAULT and __SI_POLL branches in copy_siginfo_to_user32()
     to resolve fcntl() bug. (Jurij Smakov, Simon Horman) (closes: #272683)
   * net-ipv4-icmp-quench.diff:
     [CAN-2004-0790] Just silently ignore ICMP Source Quench messages.
     (Simon Horman)  (See: #305655)
   * sparc64-sunsu-init.dpatch:
     [sparc64] Patch by David Miller to fix the initialization of the
     sunsu serial driver. Mouse connected to the serial port is now
     detected properly. Thanks to Frans Pop for testing. (Jurij Smakov)
     (closes: #295725)
     Ref: http://lists.debian.org/debian-sparc/2005/04/msg00203.html
   * drivers-i2c-sysfs-permisions.dpatch:
     I2C: Fix incorrect sysfs file permissions in it87 and via686a drivers.
     See CAN-2005-1369. (closes: #307552) (Simon Horman)
   * arch-sparc64-kernel-ptrace-cont-bogosity.dpatch:
     SPARC: Fix PTRACE_CONT bogosity. (Simon Horman)
   * net-ipv4-fib_hash-crash.dpatch:
     DoS vulnerability in fib_seq_start()
     See CAN-2005-1041. (closes: #304548). (Simon Horman)
   * fs-binfmt_elf-dump-privelage.dpatch:
     Linux kernel ELF core dump privilege elevation
     See CAN-2005-1263. (closes: #308634, #308724, #308855). (Simon Horman)
   * drivers-block-raw-ioctl.dpatch:
     [SECURITY] Fix root hole in raw device. See CAN-2005-1264.
     (closes: #309429) (Simon Horman)
   * net-ipv4-ipvs-icmp-leak.dpatch:
     Fix leak in LVS ICMP handler that manifests under heavy traffic situations.
     (Simon Horman)
   * Add myself as an uploader (Simon Horman)
 639732a50dc3105cc1ccfb2a848d109f 989 devel optional kernel-source-2.6.8_2.6.8-16.dsc
 0bc5e87dffd47078dcd7f01793576843 911998 devel optional kernel-source-2.6.8_2.6.8-16.diff.gz
 78776b39100d55bc04e87069aa94576c 930508 devel optional kernel-patch-debian-2.6.8_2.6.8-16_all.deb
 aa9d24c8aa7c10270625032ad45e208e 34924214 devel optional kernel-source-2.6.8_2.6.8-16_all.deb
 e1979374bcaf53de9c13d5855c58fd49 29284 devel optional kernel-tree-2.6.8_2.6.8-16_all.deb
 fd2e4e8f57268058aa1e9eb982ef6611 6175240 doc optional kernel-doc-2.6.8_2.6.8-16_all.deb


