
Re: Bug #266882 still not fixed



On Mon, Jan 03, 2005 at 03:25:41PM -0800, Matt Zimmerman wrote:
> On Wed, Dec 15, 2004 at 11:27:58AM +0900, Horms wrote:
> 
> > On Wed, Dec 15, 2004 at 12:59:24AM +0100, Tomasz Malesinski wrote:
> > > Why hasn't the bug #266882 (CAN-2004-0554 i387.h in kernel: asm
> > > volatile("fnclex ; fwait");) been fixed in 2.4.18 for so long?
> > 
> > That and a host of others. Security-Team, Is there ever going to be a 
> > new kernel for Woody?
> 
> Any patches that you can provide would be gratefully received.  The kernel
> has a huge number of vulnerabilities, and more are discovered all the time.
> Since the resources of the security team are limited, this work needs to be
> distributed to package maintainers wherever possible.

The bug #266882 (CAN-2004-0554) is discussed at:

http://linuxreviews.org/news/2004/06/11_kernel_crash/

There is an exploit code and a link to the patch:

http://linux.bkbits.net:8080/linux-2.4/gnupatch@40cdf6f8V7sOe5n96HA5Q7r9uDRvJQ

which applies cleanly and fixes the issue in the 2.4.18 Debian kernel.

I was also looking for the fix of the bug CAN-2004-1016. It is fixed
in the upstream by the following patches:

http://linux.bkbits.net:8080/linux-2.4/gnupatch@41b76e94BsJKm8jhVtyDat9ZM1dXXg
http://linux.bkbits.net:8080/linux-2.4/gnupatch@41b77314ZtyUzWzZFzaCRGoQc6hKcw

I have applied them to 2.4.18 sources. They applied almost cleanly,
with some offsets and some hunks ignored due to the fact that some
architectures appeared after 2.4.18 and the architecture-specific
files for mips64 in 2.4.18 do not contain the vulnerable code.

With that patch the kernel was immune to the exploit included in the
original advisory (http://isec.pl/vulnerabilities/isec-0019-scm.txt).

Another issue is described at:

http://isec.pl/vulnerabilities/isec-0017-binfmt_elf.txt

Most of the bugs mentioned there are fixed in the upstream by the patch:

http://linux.bkbits.net:8080/linux-2.6/gnupatch@41925edcVccsXZXObG444GFvEJ94GQ

Applying it to 2.4.18 required little manual intervention. The patch
however does not seem to fix the 5th bug in the advisory, which is
also exploited by the code included there. I am not even sure whether
this is fixed in the upstream at all (I have not tested the latest
kernels, though).

Would backported patches be useful to the Security Team or would they
only increase the traffic on the mailing lists? As I said, the patch
command had almost no problems applying patches from the BitKeeper.

Tomasz Malesinski
