Bug#319629: marked as done ([CAN-2005-1768]: Race condition in ia32 compatibility code for execve causes local DoS)
Your message dated Fri, 16 Dec 2005 21:30:23 -0800
with message-id <E1EnUeF-00008n-St@spohr.debian.org>
and subject line Bug#319629: fixed in kernel-source-2.4.27 2.4.27-10sarge1
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 23 Jul 2005 15:42:26 +0000
From micah@riseup.net Sat Jul 23 08:42:26 2005
Return-path: <micah@riseup.net>
Received: from buffy.riseup.net (mail.riseup.net) [69.90.134.155]
by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
id 1DwM8w-0004Id-00; Sat, 23 Jul 2005 08:42:26 -0700
Received: from localhost (localhost [127.0.0.1])
by mail.riseup.net (Postfix) with ESMTP id CF64FA2C3C;
Sat, 23 Jul 2005 08:41:13 -0700 (PDT)
Received: from mail.riseup.net ([127.0.0.1])
by localhost (buffy [127.0.0.1]) (amavisd-new, port 10024) with ESMTP
id 22508-07; Sat, 23 Jul 2005 08:41:13 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(No client certificate requested)
by mail.riseup.net (Postfix) with ESMTP id 94B02A2BBB;
Sat, 23 Jul 2005 08:41:13 -0700 (PDT)
Received: by pond (Postfix, from userid 1000)
id 6E6534DF8E; Sat, 23 Jul 2005 10:42:24 -0500 (CDT)
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Micah Anderson <micah@riseup.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: [CAN-2005-1768]: Race condition in ia32 compatibility code for execve causes local DoS
X-Mailer: reportbug 3.15
Date: Sat, 23 Jul 2005 10:42:24 -0500
Message-Id: <20050723154224.6E6534DF8E@pond>
X-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at riseup.net
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level:
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE
autolearn=no version=2.60-bugs.debian.org_2005_01_02
Package: kernel-source-2.4.27
Version: 2.4.27-10
Severity: normal
Tags: security
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1768 reads:
Race condition in the ia32 compatibility code for the execve system
call in Linux kernel 2.4 before 2.4.31 and 2.6 before 2.6.6 allows
local users to cause a denial of service (kernel panic) and possibly
execute arbitrary code via a concurrent thread that increments a
pointer count after the nargs function has counted the pointers, but
before the count is copied from user space to kernel space, which
leads to a buffer overflow.
I looked in the pending Changelog for 2.4.27 and did not see this CAN
number listed. Please be sure to reference this CAN number in the
changelog when fixed, as you always do.
Additional reference:
http://marc.theaimsgroup.com/?l=bugtraq&m=112110120216116&w=2
Micah
-- System Information:
Debian Release: testing/unstable
APT prefers testing
APT policy: (990, 'testing'), (300, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.8-2-k7
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages kernel-source-2.4.27 depends on:
ii binutils 2.16.1-2 The GNU assembler, linker and bina
ii bzip2 1.0.2-7 high-quality block-sorting file co
ii coreutils [fileutils] 5.2.1-2 The GNU core utilities
ii fileutils 5.2.1-2 The GNU file management utilities
Versions of packages kernel-source-2.4.27 recommends:
ii gcc 4:4.0.0-2 The GNU C compiler
ii libc6-dev [libc-dev] 2.3.2.ds1-22 GNU C Library: Development Librari
ii make 3.80-9 The GNU version of the "make" util
-- no debconf information
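The CVE text quoted in the report above describes a classic double fetch: the kernel walks the user-supplied argv once to count pointers (nargs), sizes a buffer from that count, then walks user memory a second time to copy, trusting that the NULL terminator has not moved. A second thread that extends argv between the two walks makes the copy run past the allocation. The following is an added, constructed userspace model of that pattern, not the kernel's ia32 code and not Debian's 167/171 patches: "user memory" is an ordinary array, the concurrent thread is a callback run between the two passes, and the "kernel" buffer is a slice of a pool with a canary planted just past the allocation so the overflow is observable without undefined behaviour. All names (nargs, copy_argv_racy, copy_argv_bounded, run_execve_model) are illustrative. The hardened variant shows the generic remedy of using the first count as the copy bound and refusing if the second fetch disagrees, not the exact change upstream made.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define USER_SLOTS 16   /* constructed "user" argv array size */
#define KMEM_SLOTS 32   /* constructed "kernel" pointer pool */

static const char canary_tag[] = "CANARY";
#define CANARY canary_tag

struct user_mem { const char *argv[USER_SLOTS]; }; /* NULL-terminated, attacker controlled */
struct kmem     { const char *slot[KMEM_SLOTS]; }; /* allocation = slot[0..count], canary at slot[count+1] */
struct outcome  { int rc; int canary_intact; };

typedef void (*racer_fn)(struct user_mem *um);
typedef int  (*copier_fn)(struct kmem *km, const struct user_mem *um, int count);

/* First fetch: count argv entries up to the NULL terminator (the nargs() step). */
static int nargs(const struct user_mem *um)
{
    int n = 0;
    while (n < USER_SLOTS && um->argv[n] != NULL) n++;
    return n;
}

/* Size the "allocation" from the count: count pointers plus a terminator slot.
 * The canary marks the first slot that does not belong to the allocation. */
static void kalloc_argv(struct kmem *km, int count)
{
    memset(km, 0, sizeof *km);
    km->slot[count + 1] = CANARY;
}

/* Vulnerable copy: second fetch re-walks user argv until it sees NULL again,
 * trusting that the terminator is still where nargs() found it. The only bound
 * here keeps the model itself in-bounds of the pool; it is not the allocation size. */
static int copy_argv_racy(struct kmem *km, const struct user_mem *um, int count)
{
    int i = 0;
    (void)count; /* the stale count is never used as a limit */
    while (i < USER_SLOTS && i < KMEM_SLOTS - 1 && um->argv[i] != NULL) {
        km->slot[i] = um->argv[i];
        i++;
    }
    km->slot[i] = NULL;
    return i;
}

/* Hardened copy: the first count is the bound. Copy at most `count` pointers, then
 * require the terminator to still sit at argv[count]; any disagreement between the
 * two fetches (array grew or shrank under us) is an error, never a re-count. */
static int copy_argv_bounded(struct kmem *km, const struct user_mem *um, int count)
{
    for (int i = 0; i < count; i++) {
        if (um->argv[i] == NULL) return -1;   /* shrank: fewer entries than counted */
        km->slot[i] = um->argv[i];
    }
    if (um->argv[count] != NULL) return -1;   /* grew: terminator moved, refuse */
    km->slot[count] = NULL;
    return count;
}

/* Constructed racer: after nargs() saw 3 entries, the "other thread" appends
 * six more pointers and moves the NULL terminator to index 9. */
static void grow_argv(struct user_mem *um)
{
    static const char *extra = "x";
    for (int i = 3; i < 9; i++) um->argv[i] = extra;
    um->argv[9] = NULL;
}

/* One execve-style sequence: count, (race window), allocate from the count, copy. */
static struct outcome run_execve_model(copier_fn copier, racer_fn racer)
{
    struct user_mem um = { { "/bin/true", "-a", "b", NULL } }; /* constructed input */
    struct kmem km;
    struct outcome out;
    int count = nargs(&um);        /* first fetch: 3 */
    if (racer) racer(&um);         /* concurrent thread mutates argv here */
    kalloc_argv(&km, count);       /* buffer sized from the now-stale count */
    out.rc = copier(&km, &um, count);
    out.canary_intact = (km.slot[count + 1] == CANARY);
    return out;
}

int main(void)
{
    struct outcome o = run_execve_model(copy_argv_racy, grow_argv);
    printf("racy copy:    wrote %d slots, canary %s\n", o.rc, o.canary_intact ? "intact" : "CLOBBERED");
    o = run_execve_model(copy_argv_bounded, grow_argv);
    printf("bounded copy: rc=%d, canary %s\n", o.rc, o.canary_intact ? "intact" : "CLOBBERED");
    return 0;
}
```

Without the racer both copiers behave identically (three pointers copied, canary intact); with it, the racy copier writes nine slots through the canary while the bounded one copies three, notices argv[3] is no longer NULL and returns an error. The check is deliberately "fail closed": re-counting after a mismatch would just reopen the same window.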
---------------------------------------
Received: (at 319629-close) by bugs.debian.org; 17 Dec 2005 05:31:50 +0000
From katie@ftp-master.debian.org Fri Dec 16 21:31:50 2005
Return-path: <katie@ftp-master.debian.org>
Received: from katie by spohr.debian.org with local (Exim 4.50)
id 1EnUeF-00008n-St; Fri, 16 Dec 2005 21:30:23 -0800
From: Simon Horman <horms@debian.org>
To: 319629-close@bugs.debian.org
X-Katie: $Revision: 1.17 $
Subject: Bug#319629: fixed in kernel-source-2.4.27 2.4.27-10sarge1
Message-Id: <E1EnUeF-00008n-St@spohr.debian.org>
Sender: Archive Administrator <katie@ftp-master.debian.org>
Date: Fri, 16 Dec 2005 21:30:23 -0800
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level:
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER
autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-CrossAssassin-Score: 3
Source: kernel-source-2.4.27
Source-Version: 2.4.27-10sarge1
We believe that the bug you reported is fixed in the latest version of
kernel-source-2.4.27, which is due to be installed in the Debian FTP archive:
kernel-doc-2.4.27_2.4.27-10sarge1_all.deb
to pool/main/k/kernel-source-2.4.27/kernel-doc-2.4.27_2.4.27-10sarge1_all.deb
kernel-patch-debian-2.4.27_2.4.27-10sarge1_all.deb
to pool/main/k/kernel-source-2.4.27/kernel-patch-debian-2.4.27_2.4.27-10sarge1_all.deb
kernel-source-2.4.27_2.4.27-10sarge1.diff.gz
to pool/main/k/kernel-source-2.4.27/kernel-source-2.4.27_2.4.27-10sarge1.diff.gz
kernel-source-2.4.27_2.4.27-10sarge1.dsc
to pool/main/k/kernel-source-2.4.27/kernel-source-2.4.27_2.4.27-10sarge1.dsc
kernel-source-2.4.27_2.4.27-10sarge1_all.deb
to pool/main/k/kernel-source-2.4.27/kernel-source-2.4.27_2.4.27-10sarge1_all.deb
kernel-tree-2.4.27_2.4.27-10sarge1_all.deb
to pool/main/k/kernel-source-2.4.27/kernel-tree-2.4.27_2.4.27-10sarge1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 319629@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon Horman <horms@debian.org> (supplier of updated kernel-source-2.4.27 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Wed, 17 Aug 2005 15:45:20 +0900
Source: kernel-source-2.4.27
Binary: kernel-tree-2.4.27 kernel-source-2.4.27 kernel-patch-debian-2.4.27 kernel-doc-2.4.27
Architecture: source all
Version: 2.4.27-10sarge1
Distribution: stable-security
Urgency: high
Maintainer: Debian Kernel Team <debian-kernel@lists.debian.org>
Changed-By: Simon Horman <horms@debian.org>
Description:
kernel-doc-2.4.27 - Linux kernel specific documentation for version 2.4.27
kernel-patch-debian-2.4.27 - Debian patches to Linux 2.4.27
kernel-source-2.4.27 - Linux kernel source for version 2.4.27 with Debian patches
kernel-tree-2.4.27 - Linux kernel source tree for building Debian kernel images
Closes: 311164 319629 320256 323318
Changes:
kernel-source-2.4.27 (2.4.27-10sarge1) stable-security; urgency=high
.
[ Simon Horman ]
* 184_arch-x86_64-ia32-ptrace32-oops.diff
[Security, x86_64] 32 bit ltrace oops when tracing 64 bit executable
http://lkml.org/lkml/2005/1/5/245
http://linux.bkbits.net:8080/linux-2.4/cset@41dd3455GwQPufrGvBJjcUOXQa3WXA
.
== Patches from 2.4.27-11 ==
.
[ Simon Horman ]
* 167_arch-ia64-x86_64_execve.diff:
Race condition in the ia32 compatibility code for the execve system call
See CAN-2005-1768. (closes: #319629).
.
* 168_fs_ext3_64bit_offset.diff:
Incorrect offset checks for ext3 xattr on 64 bit architectures
can lead to a local DoS.
See CAN-2005-0757. (closes: #311164).
.
* 169_arch-x86_64-kernel-ptrace-canonical-rip-1.dpatch
[Security, x86_64] This works around an AMD Erratum by
checking if the ptrace RIP is canonical.
See CAN-2005-1762
.
* 169_arch-x86_64-kernel-ptrace-canonical-rip-2.dpatch
[Security, x86_64] Fix canonical checking for segment registers in ptrace
See CAN-2005-0756
.
# Excluded from Security Update
# * Makefile-gcc-3.3.dpatch, control
# Build with gcc-3.3, as gcc-4.0, now the default in unstable,
# fails to build this source. Upstream has stated that they
# have no intention of making the 2.4 kernel compile with gcc-4
# (closes: #320256, #323318)
.
* 171_arch-ia64-x86_64-execve-overflow.diff
[Security, ia64, x86_64] Fix overflow in 32bit execve
See CAN-2005-1768
.
* 172_ppc32-time_offset-misuse.diff
[ppc32] stop misusing ntps time_offset value
.
# Excluded from Security Update
# * 173_tty_ldisc_ref-return-null-check.diff
# tty_ldisc_ref return null check
.
* 174_net-ipv4-netfilter-nat-mem.diff
[Security] Fix potential memory corruption in NAT code (aka memory NAT)
.
# Excluded from Security Update
# * 175-net-ipv6-netfilter-deadlock.diff
# Fix deadlock in ip6_queue
.
* 176_ipsec-array-overflow.diff
[Security] Fix possible overflow of sock->sk_policy
See CAN-2005-2456 (See: #321401)
.
# Excluded from Security Update
# * 177_rocket_c-fix-ldisc-ref-count.diff
# Fix ldisc ref count handling in rocketport driver
.
* 178_fs_ext2_ext3_xattr-sharing.diff
[Security] Xattr sharing bug
See http://lists.debian.org/debian-kernel/2005/08/msg00238.html
.
* 179_net-ipv4-netfilter-ip_recent-last_pkts.diff
[Security] Fixes remote DoS when using ipt_recent on a 64 bit machine.
(See: #322237)
.
* 181_arch-x86_64-kernel-stack-faults.diff
[Security, x86_64] Disable exception stack for stack faults
See CAN-2005-1767
.
* 182_linux-zlib-fixes.diff
[Security] Fix security bugs in the Linux zlib implementations.
See CAN-2005-2458, CAN-2005-2459
From 2.6.12.5
http://sources.redhat.com/ml/bug-gnu-utils/1999-06/msg00183.html
http://bugs.gentoo.org/show_bug.cgi?id=94584
.
# Excluded from Security Update
# * zisofs.dpatch
# Check input buffer size in zisofs
# From 2.6.12.5
Files:
9f709ab218f6a0ce6e5886174f74c8cb 900 devel optional kernel-source-2.4.27_2.4.27-10sarge1.dsc
3b26bc94e734e3e9c7de8851e9e308b7 699494 devel optional kernel-source-2.4.27_2.4.27-10sarge1.diff.gz
2cfb0a84539c910e596abba17e7d8d48 650880 devel optional kernel-patch-debian-2.4.27_2.4.27-10sarge1_all.deb
3a2c82fcc546bee30fb522f28193f3e7 3577464 doc optional kernel-doc-2.4.27_2.4.27-10sarge1_all.deb
857f97955b1c7d145990f28581731fb7 31026166 devel optional kernel-source-2.4.27_2.4.27-10sarge1_all.deb
c346db9cb71c6e39328d49318a2f2ed4 24418 devel optional kernel-tree-2.4.27_2.4.27-10sarge1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iD8DBQFDoOUFA8ACPgVBDpcRAqNkAJ0aj0eRUgtH4BqaEDsRSbte488iKwCcDi0Z
ccPuxUN3Emt1BqnY/GFzGpU=
=5XAz
-----END PGP SIGNATURE-----