
Bug#300163: marked as done ([CAN-2004-1191]: Race condition could allow local users to read unauthorized memory from "foreign memory pages.")



Your message dated Thu, 19 May 2005 07:17:45 -0400
with message-id <E1DYj29-0001xx-00@newraff.debian.org>
and subject line Bug#300163: fixed in kernel-source-2.6.8 2.6.8-16
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
From: Micah Anderson <micah@riseup.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: [CAN-2004-1191]: Race condition could allow local users to read unauthorized
 memory from "foreign memory pages."
X-Mailer: reportbug 3.8
Date: Thu, 17 Mar 2005 22:42:28 -0600
Message-Id: <20050318044229.29961564F9@pond>

Package: kernel-source-2.6.8
Version: 2.6.8-14
Severity: normal
Tags: security patch

CAN-2004-1191 reads:

Race condition ... when run on SMP systems that have more than 4GB of
memory, could allow local users to read unauthorized memory from
"foreign memory pages." Apparently it also allows remote attackers to
obtain sensitive information, caused by a vulnerability in the
smb_recv_trans2 function, could also send a specially-crafted TRANS2
SMB packet to cause a kernel memory leak.

More information about this is here:
http://www.novell.com/linux/security/advisories/2004_42_kernel.html
http://xforce.iss.net/xforce/xfdb/18137

2.6.8 needs both these patches:
http://linux.bkbits.net:8080/linux-2.6/patch@1.1938.197.15?nav=cset@1.1938.197.15
http://linux.bkbits.net:8080/linux-2.6/cset%4041e9a86bi4MvUzMJ8Ru62gdkFgHKtg

The second patch has been applied to Debian's kernel-source-2.6.8, but
the first is also needed.

Micah

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (300, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.10-1-k7
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages kernel-source-2.6.8 depends on:
ii  binutils                      2.15-5     The GNU assembler, linker and bina
ii  bzip2                         1.0.2-5    high-quality block-sorting file co
ii  coreutils [fileutils]         5.2.1-2    The GNU core utilities
ii  fileutils                     5.2.1-2    The GNU file management utilities 

-- no debconf information

---------------------------------------
From: Simon Horman <horms@debian.org>
To: 300163-close@bugs.debian.org
X-Katie: $Revision: 1.55 $
Subject: Bug#300163: fixed in kernel-source-2.6.8 2.6.8-16
Message-Id: <E1DYj29-0001xx-00@newraff.debian.org>
Sender: Archive Administrator <katie@ftp-master.debian.org>
Date: Thu, 19 May 2005 07:17:45 -0400

Source: kernel-source-2.6.8
Source-Version: 2.6.8-16

We believe that the bug you reported is fixed in the latest version of
kernel-source-2.6.8, which is due to be installed in the Debian FTP archive:

kernel-doc-2.6.8_2.6.8-16_all.deb
  to pool/main/k/kernel-source-2.6.8/kernel-doc-2.6.8_2.6.8-16_all.deb
kernel-patch-debian-2.6.8_2.6.8-16_all.deb
  to pool/main/k/kernel-source-2.6.8/kernel-patch-debian-2.6.8_2.6.8-16_all.deb
kernel-source-2.6.8_2.6.8-16.diff.gz
  to pool/main/k/kernel-source-2.6.8/kernel-source-2.6.8_2.6.8-16.diff.gz
kernel-source-2.6.8_2.6.8-16.dsc
  to pool/main/k/kernel-source-2.6.8/kernel-source-2.6.8_2.6.8-16.dsc
kernel-source-2.6.8_2.6.8-16_all.deb
  to pool/main/k/kernel-source-2.6.8/kernel-source-2.6.8_2.6.8-16_all.deb
kernel-tree-2.6.8_2.6.8-16_all.deb
  to pool/main/k/kernel-source-2.6.8/kernel-tree-2.6.8_2.6.8-16_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 300163@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon Horman <horms@debian.org> (supplier of updated kernel-source-2.6.8 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 19 May 2005 16:51:34 +0900
Source: kernel-source-2.6.8
Binary: kernel-source-2.6.8 kernel-doc-2.6.8 kernel-tree-2.6.8 kernel-patch-debian-2.6.8
Architecture: source all
Version: 2.6.8-16
Distribution: unstable
Urgency: low
Maintainer: Debian kernel team <debian-kernel@lists.debian.org>
Changed-By: Simon Horman <horms@debian.org>
Description: 
 kernel-doc-2.6.8 - Linux kernel specific documentation for version 2.6.8
 kernel-patch-debian-2.6.8 - Debian patches to Linux 2.6.8
 kernel-source-2.6.8 - Linux kernel source for version 2.6.8 with Debian patches
 kernel-tree-2.6.8 - Linux kernel source tree for building Debian kernel images
Closes: 272683 295725 300163 301372 301488 301528 301799 301799 301799 301799 302352 303140 303498 304548 307552 308034 308634 308724 308855 309429
Changes: 
 kernel-source-2.6.8 (2.6.8-16) unstable; urgency=low
 .
   * smbfs-overrun.dpatch:
     Reinstated smbfs-overrun.dpatch to complete fix for CAN-2004-1191
     (Simon Horman) (closes: #300163)
 .
   * radeon-race-2.dpatch:
     Symbol fix for radeon race fix in 2.6.8-15.
     (Simon Horman) (closes: #301488, #301528, #308034)
 .
   * drivers-input-serio-nmouse.dpatch:
     [Security] fix N_MOUSE TTY privilege problem. See CAN-2005-0839
     (Simon Horman) (closes: #301372)
 .
   * net-bluetooth-signdness-fix.dpatch:
     [Security] Fix signedness problem at socket creation in bluetooth
     which can lead to local root exploit. See CAN-2005-0750
     (Simon Horman) (closes: #301799)
 .
   * fs-ext2-info-leak.dpatch:
     [Security] Fix information leak in ext2 which leads to
     a local information leak. See CAN-2005-0400
     (Simon Horman) (closes: #301799)
 .
   * fs-isofs-range-check-1.dpatch, fs-isofs-range-check-2.dpatch,
     fs-isofs-range-check-3.dpatch:
     [Security] Fix range checking in isofs which leads to a local crash
     and arbitrary code execution.  See CAN-2005-0815
     (Simon Horman) (closes: #301799)
 .
   * mm-shmem-truncate.dpatch
     [Security] tmpfs caused truncate bug which leads to a local dos.
     CVE yet to be assigned.
     (Simon Horman)
 .
   * fs-binfmt_elf-dos.dpatch:
     Potential DOS in load_elf_library. See CAN-2005-0749
     (Simon Horman) (closes: #301799, #303498)
 .
   * arch-ppc64-hugepage-aio-panic.dpatch:
     fix AIO panic on PPC64 caused by is_hugepage_only_range().
     See CAN-2005-0916. (Simon Horman) (closes: #302352)
 .
   * kernel-futex-deadlock.dpatch:
     Fix possible deadlock in futex mmap_sem. See CAN-2005-0937
     (closes: #303140) (Simon Horman)
 .
   * net-ipv4-bic-binary-search.patch:
     Fix BIC congestion avoidance algorithm error
     (Simon Horman)
 .
   * net-ipv4-ipsec-icmp-deadlock.patch:
     Fix IPSEC ICMP deadlock
     (Simon Horman)
 .
   * drivers-media-video-saa7110-oops.patch:
     Fix saa7110 driver to handle I2C_FUNC_I2C support correctly,
     previously it would oops.
     (Simon Horman)
 .
   * fs-cramfs-stat.dpatch:
     Fix bogus blocks field for devices in cramfs.
     (Simon Horman)
 .
   * drivers-media-video-i2c-msg.dpatch:
     Fix i2c message flags in video drivers
     (Simon Horman)
 .
   * drivers-net-sis900-oops.dpatch:
     Fix oops in sis900 driver caused by it being preempted
     before it has finished setting sis_priv->mii
     (Simon Horman)
 .
   * drivers-net-via-rhine-wol-oops.dpatch:
     Fix oops in VIA Rhine driver caused by assuming all cards have WOL support.
     (Simon Horman)
 .
   * net-netrom-double-lock.dpatch:
     Fix deadlock in netrom caused by double locking.
     (Simon Horman)
 .
   * drivers-net-amd811e-irq.dpatch:
     Fix bug in AMD8111e driver where it neglects to release an
     irq on some error conditions.
     (Simon Horman)
 .
   * net-xfrm-find_acq_byseq.dpatch:
     Fix __xfrm_find_acq_byseq() so it only returns objects
     in the XFRM_STATE_ACQ state.
     (Simon Horman)
 .
   * drivers-net-via-rhine-irq.dpatch:
     VIA Rhine driver was releasing an irq in some error situations
     (Simon Horman)
 .
   * sound-core-timer-oops.dpatch:
     Fix ALSA timer notification.
     o Oops in read()
     o wake-up polls and signals with new events
     (Simon Horman)
 .
   * fs-jdb-race.dpatch:
     Fix race in JDB
     (Simon Horman)
 .
   * arch-ia64-syscall-audit.dpatch:
     Fix ia64 syscall auditing
     (Simon Horman)
 .
   * drivers-i2c-chips-eprom.dpatch:
     Fix oops in eprom driver that occurs when data is read from sysfs
     (Simon Horman)
 .
   * lib-rwsem-spinlock.dpatch:
     Fix deadlock that occurs when dio_complete() does up_read() from IRQ
     context by using interrupt-disabling spin locks.
     (Simon Horman)
 .
   * fs-jdb-slow-leak.dpatch:
     Fix longstanding jdb commit leak - since 2.6.6. (Maximilian Attems)
 .
   * sparc64-sigpoll-2.6.8.dpatch:
     Separate __SI_FAULT and __SI_POLL branches in copy_siginfo_to_user32()
     to resolve fcntl() bug. (Jurij Smakov, Simon Horman) (closes: #272683)
 .
   * net-ipv4-icmp-quench.diff:
     [CAN-2004-0790] Just silently ignore ICMP Source Quench messages.
     (Simon Horman)  (See: #305655)
 .
   * sparc64-sunsu-init.dpatch:
     [sparc64] Patch by David Miller to fix the initialization of the
     sunsu serial driver. Mouse connected to the serial port is now
     detected properly. Thanks to Frans Pop for testing. (Jurij Smakov)
     (closes: #295725)
     Ref: http://lists.debian.org/debian-sparc/2005/04/msg00203.html
 .
   * drivers-i2c-sysfs-permisions.dpatch:
     I2C: Fix incorrect sysfs file permissions in it87 and via686a drivers.
     See CAN-2005-1369. (closes: #307552) (Simon Horman)
 .
   * arch-sparc64-kernel-ptrace-cont-bogosity.dpatch:
     SPARC: Fix PTRACE_CONT bogosity. (Simon Horman)
 .
   * net-ipv4-fib_hash-crash.dpatch:
     DoS vulnerability in fib_seq_start()
     See CAN-2005-1041. (closes: #304548). (Simon Horman)
 .
   * fs-binfmt_elf-dump-privelage.dpatch:
     Linux kernel ELF core dump privilege elevation
     See CAN-2005-1263. (closes: #308634, #308724, #308855). (Simon Horman)
 .
   * drivers-block-raw-ioctl.dpatch:
     [SECURITY] Fix root hole in raw device. See CAN-2005-1264.
     (closes: #309429) (Simon Horman)
 .
   * net-ipv4-ipvs-icmp-leak.dpatch:
     Fix leak in LVS ICMP handler that manifests under heavy traffic situations.
     (Simon Horman)
 .
   * Add myself as an uploader (Simon Horman)
Files: 
 639732a50dc3105cc1ccfb2a848d109f 989 devel optional kernel-source-2.6.8_2.6.8-16.dsc
 0bc5e87dffd47078dcd7f01793576843 911998 devel optional kernel-source-2.6.8_2.6.8-16.diff.gz
 78776b39100d55bc04e87069aa94576c 930508 devel optional kernel-patch-debian-2.6.8_2.6.8-16_all.deb
 aa9d24c8aa7c10270625032ad45e208e 34924214 devel optional kernel-source-2.6.8_2.6.8-16_all.deb
 e1979374bcaf53de9c13d5855c58fd49 29284 devel optional kernel-tree-2.6.8_2.6.8-16_all.deb
 fd2e4e8f57268058aa1e9eb982ef6611 6175240 doc optional kernel-doc-2.6.8_2.6.8-16_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCjHI3du+M6Iexz7URAq/zAKDTAZe8lyhnOIFcKkev6kc5tTGxpwCfVq+J
F3wXWBaIkWSeK3n/ystmga0=
=fqDP
-----END PGP SIGNATURE-----


