Re: Three more security problems in the 2.6 kernel

[Moritz Muehlenhoff <jmm@inutil.org>]

Horms wrote:
> > I found three more security related reports/patches on linux-kernel.
> 
> As mentioned elsewhere, the first (request_key_auth memleek) is CAN-2005-3119.
> Can we get CAN numbers for the other two?

Here they are:

> > From: Dave Jones <davej@redhat.com>
> > 
> > Please consider for next 2.6.13, it is a minor security issue allowing
> > users to turn on drm debugging when they shouldn't...

======================================================
Candidate: CAN-2005-3179
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3179
Reference: CONFIRM:http://www.kernel.org/hg/linux-2.6/?cmd=changeset;node=d7067d7d1f92cba14963a430cfbd53098cbbc8fd
Reference: CONFIRM:http://bugs.gentoo.org/show_bug.cgi?id=107893

drm.c in Linux kernel 2.6.13 and earlier creates a debug file in sysfs
with world-readable and world-writable permissions, which allows local
users to enable DRM debugging and obtain sensitive information.


> > From: Pavel Roskin <proski@gnu.org>
> > 
> > The orinoco driver can send uninitialized data exposing random pieces of
> > the system memory.  This happens because data is not padded with zeroes
> > when its length needs to be increased.

======================================================
Candidate: CAN-2005-3180
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3180
Reference: CONFIRM:http://www.kernel.org/hg/linux-2.6/?cmd=changeset;node=feecb2ffde28639e60ede769c6f817dc536c677b

The Orinoco driver (orinoco.c) in Linux kernel 2.6.13 and earlier does
not properly clear memory from a previously used packet whose length
is increased, which allows remote attackers to obtain sensitive
information.

Cheers,
        Moritz