
Re: drafting a DSA for 2.6.8



On Fri, Oct 07, 2005 at 12:21:38AM -0600, dann frazier wrote:
> In order to hopefully help kickstart the security update process, I've
> drafted some DSA text for our sarge/2.6.8 kernels (attached).  Thanks to
> Micah, we have CAN IDs assigned for a number of things we just had
> marked as security.  I tried to map all of the patches to CANs, but
> these are the ones remaining.  Does anyone know if there is a CAN ID for
> any of the following?
> 
> arch-ia64-ptrace-getregs-putregs.dpatch
> arch-x86_64-kernel-smp-boot-race.dpatch
> fs-exec-posix-timers-leak-1.dpatch
> fs-exec-posix-timers-leak-2.dpatch
> net-bridge-forwarding-poison-1.dpatch
> net-bridge-forwarding-poison-2.dpatch
> net-bridge-mangle-oops-1.dpatch
> net-bridge-mangle-oops-2.dpatch
> net-bridge-netfilter-etables-smp-race.dpatch

CAN-2005-3110 ?

That is the only one I have added in 2.6.8-16sarge2 (svn) as a changelog
annotation for 2.6.8-16sarge1 that you don't already have below.

> net-ipv4-ipvs-conn_tab-race.dpatch
> net-netlink-autobind-return.dpatch
> net-rose-ndigis-verify.dpatch
> netfilter-NAT-memory-corruption.dpatch
> netfilter-ip_conntrack_untracked-refcount.dpatch
> ppc32-time_offset-misuse.dpatch
> sound-usb-usbaudio-unplug-oops.dpatch
> sys_get_thread_area-leak.dpatch
> 
> -- 
> dann frazier <dannf@dannf.org>

> Packages       : kernel-source-2.6.8
> 		 kernel-image-2.6.8-alpha
> 		 kernel-image-2.6.8-amd64
> 		 kernel-image-2.6.8-hppa
> 		 kernel-image-2.6.8-i386
> 		 kernel-image-2.6.8-ia64
> 		 kernel-image-2.6.8-m68k
> 		 kernel-image-2.6.8-s390
> 		 kernel-image-2.6.8-sparc
> 		 kernel-patch-2.6.8-powerpc
> Vulnerability  : multiple
> Problem type   : remote, local, DoS
> Debian-specific: no
> CVE Id(s)      : CAN-2005-3105 CAN-2005-1763 CAN-2005-1762 CAN-2005-0756
> 		 CAN-2005-3108 CAN-2005-3106 CAN-2005-3107 CAN-2005-3109
> 		 CAN-2005-1265 CAN-2005-0757 CAN-2005-1765 CAN-2005-1761
> 		 CAN-2005-2548 CAN-2004-2302 CAN-2005-1767 CAN-2005-2458
> 		 CAN-2005-2459 CAN-2005-2456 CAN-2005-2872 CAN-2005-2801
> 
> Multiple security vulnerabilities have been identified in the Linux kernel.
> These vulnerabilities could allow an attacker to execute arbitrary code or
> initiate a denial of service (DoS) attack.
> 
> 
> CAN-2005-3105
> 
> 	The mprotect code (mprotect.c) in Linux 2.6 on Itanium IA64 Montecito
> 	processors does not properly maintain cache coherency as required by
> 	the architecture, which allows local users to cause a denial of service
> 	and possibly corrupt data by modifying PTE protections.
> 
> CAN-2005-1763
> 
> 	Buffer overflow in ptrace in the Linux Kernel for 64-bit architectures
> 	allows local users to write bytes into kernel memory.
> 
> CAN-2005-1762
> 
> 	The ptrace call in the Linux kernel 2.6.8.1 and 2.6.10 for the AMD64
> 	platform allows local users to cause a denial of service (kernel crash)
> 	via a "non-canonical" address.
> 
> CAN-2005-0756
> 
> 	ptrace 2.6.8.1 does not properly verify addresses on the amd64
> 	platform, which allows local users to cause a denial of service (kernel
> 	crash).
> 
> CAN-2005-3108
> 
> 	mm/ioremap.c in Linux 2.6 on 64-bit x86 systems allows local users to
> 	cause a denial of service or an information leak via an ioremap on a
> 	certain memory map that causes the iounmap to perform a lookup of a
> 	page that does not exist.
> 
> CAN-2005-3106
> 
> 	Race condition in Linux 2.6, when threads are sharing memory mapping
> 	via CLONE_VM (such as linuxthreads and vfork), might allow local users
> 	to cause a denial of service (deadlock) by triggering a core dump while
> 	waiting for a thread that has just performed an exec.
> 
> CAN-2005-3107
> 
> 	fs/exec.c in Linux 2.6, when one thread is tracing another thread that
> 	shares the same memory map, might allow local users to cause a denial
> 	of service (deadlock) by forcing a core dump when the traced thread is
> 	in the TASK_TRACED state.
> 
> CAN-2005-3109
> 
> 	The HFS and HFS+ (hfsplus) modules in Linux 2.6 allow attackers to
> 	cause a denial of service (oops) by using hfsplus to mount a filesystem
> 	that is not hfsplus.
> 
> CAN-2005-1265
> 
> 	The mmap function in the Linux Kernel 2.6.10 can be used to create
> 	memory maps with a start address beyond the end address, which allows
> 	local users to cause a denial of service (kernel crash).
> 
> CAN-2005-0757
> 
> 	The xattr file system code, as backported in Red Hat Enterprise Linux 3
> 	on 64-bit systems, does not properly handle certain offsets, which
> 	allows local users to cause a denial of service (system crash) via
> 	certain actions on an ext3 file system with extended attributes
> 	enabled.
> 
> CAN-2005-1765
> 
> 	syscall in the Linux kernel 2.6.8.1 and 2.6.10 for the AMD64 platform,
> 	when running in 32-bit compatibility mode, allows local users to cause
> 	a denial of service (kernel hang) via crafted arguments.
> 
> CAN-2005-1761
> 
> 	Linux kernel 2.6 and 2.4 on the IA64 architecture allows local users to
> 	cause a denial of service (kernel crash) via ptrace and the
> 	restore_sigcontext function.
> 
> CAN-2005-2548
> 
> 	vlan_dev.c in Linux kernel 2.6.8 allows remote attackers to cause a
> 	denial of service (kernel oops from null dereference) via certain UDP
> 	packets that lead to a function call with the wrong argument, as
> 	demonstrated using snmpwalk on snmpd.
> 
> CAN-2004-2302
> 
> 	Race condition in the sysfs_read_file and sysfs_write_file functions in
> 	Linux kernel before 2.6.10 allows local users to read kernel memory and
> 	cause a denial of service (crash) via large offsets in sysfs files.
> 
> CAN-2005-1767
> 
> 	traps.c in the Linux kernel 2.6.x and 2.4.x executes stack segment
> 	faults on an exception stack, which allows local users to cause a
> 	denial of service (oops and stack fault exception).
> 
> CAN-2005-2458
> 
> 	inflate.c in the zlib routines in the Linux kernel before 2.6.12.5
> 	allows remote attackers to cause a denial of service (kernel crash) via
> 	a compressed file with "improper tables".
> 
> CAN-2005-2459
> 
> 	The huft_build function in inflate.c in the zlib routines in the Linux
> 	kernel before 2.6.12.5 returns the wrong value, which allows remote
> 	attackers to cause a denial of service (kernel crash) via a certain
> 	compressed file that leads to a null pointer dereference, a different
> 	vulnerability than CAN-2005-2458.
> 
> CAN-2005-2456
> 
> 	Array index overflow in the xfrm_sk_policy_insert function in
> 	xfrm_user.c in Linux kernel 2.6 allows local users to cause a denial of
> 	service (oops or deadlock) and possibly execute arbitrary code via a
> 	p->dir value that is larger than XFRM_POLICY_OUT, which is used as an
> 	index in the sock->sk_policy array.
> 
> CAN-2005-2872
> 
> 	The ipt_recent kernel module (ipt_recent.c) in Linux kernel before
> 	2.6.12, when running on 64-bit processors such as AMD64, allows remote
> 	attackers to cause a denial of service (kernel panic) via certain
> 	attacks such as SSH brute force, which leads to memset calls using a
> 	length based on the u_int32_t type, acting on an array of unsigned long
> 	elements, a different vulnerability than CAN-2005-2873.
> 
> CAN-2005-2801
> 
> 	xattr.c in the ext2 and ext3 file system code for Linux kernel 2.6 does
> 	not properly compare the name_index fields when sharing xattr blocks,
> 	which could prevent default ACLs from being applied.


-- 
Horms
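The length mismatch named in the CAN-2005-2872 entry above (a memset sized from u_int32_t applied to an array of unsigned long), shown as an added illustration rather than code from the page or from the kernel's ipt_recent module; the table layout and function names are hypothetical, and the stale values are constructed:

```c
/* Illustration of the memset sizing bug described for CAN-2005-2872.
 * The byte count is derived from a 32-bit type while the array actually
 * holds unsigned long, so on a 64-bit target only half of it is cleared.
 * Names are hypothetical; this is not the ipt_recent code. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TABLE_ENTRIES 8

/* Buggy form: sizes the clear from u_int32_t (uint32_t here), not from
 * the element type that is stored in the table. */
static void clear_table_buggy(unsigned long *table, size_t entries)
{
    memset(table, 0, entries * sizeof(uint32_t));
}

/* Corrected form: size the clear from the element type itself. */
static void clear_table_fixed(unsigned long *table, size_t entries)
{
    memset(table, 0, entries * sizeof(table[0]));
}

/* Fill a table with constructed stale data, run the given clear routine,
 * and return how many entries still hold non-zero data afterwards. */
static size_t stale_entries(void (*clear)(unsigned long *, size_t))
{
    unsigned long table[TABLE_ENTRIES];
    size_t i, stale = 0;

    for (i = 0; i < TABLE_ENTRIES; i++)
        table[i] = 0xDEADBEEFUL;      /* constructed stale timestamp */
    clear(table, TABLE_ENTRIES);
    for (i = 0; i < TABLE_ENTRIES; i++)
        if (table[i] != 0)
            stale++;
    return stale;
}

size_t stale_after_buggy_clear(void) { return stale_entries(clear_table_buggy); }
size_t stale_after_fixed_clear(void) { return stale_entries(clear_table_fixed); }

/* Entries the buggy clear leaves untouched on this target: zero where
 * unsigned long is 32 bits, half the table where it is 64 bits. */
size_t expected_stale_buggy(void)
{
    return TABLE_ENTRIES - (TABLE_ENTRIES * sizeof(uint32_t)) / sizeof(unsigned long);
}
```

On an amd64 build the buggy routine leaves four of the eight entries holding stale data, while the same code on a 32-bit build clears everything, which is why the defect only surfaced on 64-bit processors.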
