-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandrakelinux Security Update Advisory _______________________________________________________________________ Package name: kernel Advisory ID: MDKSA-2005:022 Date: January 25th, 2005 Affected versions: 10.0, 10.1, 9.2, Corporate Server 2.1, Corporate Server 3.0, Multi Network Firewall 8.2 ______________________________________________________________________ Problem Description: A number of vulnerabilities are fixed in the 2.4 and 2.6 kernels with this advisory: - Multiple race conditions in the terminal layer of 2.4 and 2.6 kernels (prior to 2.6.9) can allow a local attacker to obtain portions of kernel data or allow remote attackers to cause a kernel panic by switching from console to PPP line discipline, then quickly sending data that is received during the switch (CAN-2004-0814) - Richard Hart found an integer underflow problem in the iptables firewall logging rules that can allow a remote attacker to crash the machine by using a specially crafted IP packet. This is only possible, however, if firewalling is enabled. The problem only affects 2.6 kernels and was fixed upstream in 2.6.8 (CAN-2004-0816) - Stefan Esser found several remote DoS confitions in the smbfs file system. This could be exploited by a hostile SMB server (or an attacker injecting packets into the network) to crash the client systems (CAN-2004-0883 and CAN-2004-0949) - Paul Starzetz and Georgi Guninski reported, independantly, that bad argument handling and bad integer arithmetics in the IPv4 sendmsg handling of control messages could lead to a local attacker crashing the machine. The fixes were done by Herbert Xu (CAN-2004-1016) - Rob Landley discovered a race condition in the handling of /proc/.../cmdline where, under rare circumstances, a user could read the environment variables of another process that was still spawning leading to the potential disclosure of sensitive information such as passwords (CAN-2004-1058) - Paul Starzetz reported that the missing serialization in unix_dgram_recvmsg() which was added to kernel 2.4.28 can be used by a local attacker to gain elevated (root) privileges (CAN-2004-1068) - Ross Kendall Axe discovered a possible kernel panic (DoS) while sending AF_UNIX network packets if certain SELinux-related kernel options were enabled. By default the CONFIG_SECURITY_NETWORK and CONFIG_SECURITY_SELINUX options are not enabled (CAN-2004-1069) - Paul Starzetz of isec.pl discovered several issues with the error handling of the ELF loader routines in the kernel. The fixes were provided by Chris Wright (CAN-2004-1070, CAN-2004-1071, CAN-2004-1072, CAN-2004-1073) - It was discovered that hand-crafted a.out binaries could be used to trigger a local DoS condition in both the 2.4 and 2.6 kernels. The fixes were done by Chris Wright (CAN-2004-1074) - Paul Starzetz found bad handling in the IGMP code which could lead to a local attacker being able to crash the machine. The fix was done by Chris Wright (CAN-2004-1137) - Jeremy Fitzhardinge discovered two buffer overflows in the sys32_ni_syscall() and sys32_vm86_warning() functions that could be used to overwrite kernel memory with attacker-supplied code resulting in privilege escalation (CAN-2004-1151) - Paul Starzetz found locally exploitable flaws in the binary format loader's uselib() function that could be abused to allow a local user to obtain root privileges (CAN-2004-1235) - Paul Starzetz found an exploitable flaw in the page fault handler when running on SMP machines (CAN-2005-0001) - A vulnerability in insert_vm_struct could allow a locla user to trigger BUG() when the user created a large vma that overlapped with arg pages during exec (CAN-2005-0003) - Paul Starzetz also found a number of vulnerabilities in the kernel binfmt_elf loader that could lead a local user to obtain elevated (root) privileges (isec-0017-binfmt_elf) The provided packages are patched to fix these vulnerabilities. All users are encouraged to upgrade to these updated kernels. To update your kernel, please follow the directions located at: http://www.mandrakesoft.com/security/kernelupdate PLEASE NOTE: Mandrakelinux 10.0 users will need to upgrade to the latest module-init-tools package prior to upgrading their kernel. Likewise, MNF8.2 users will need to upgrade to the latest modutils package prior to upgrading their kernel. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0814 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0816 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0883 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0949 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1016 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1058 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1068 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1069 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1070 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1071 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1072 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1073 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1074 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1137 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1151 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1235 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0001 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0003 http://www.isec.pl/vulnerabilities/isec-0017-binfmt_elf.txt http://www.ussg.iu.edu/hypermail/linux/kernel/0411.1/1222.html http://www.isec.pl/vulnerabilities/isec-0022-pagefault.txt ______________________________________________________________________ Updated Packages: Mandrakelinux 10.0: 3d615b76ac136595a7458135e1f839c6 10.0/RPMS/kernel-2.4.25.13mdk-1-1mdk.i586.rpm 8872bc542fb173ebe7b3ab99d9fa0a78 10.0/RPMS/kernel-2.6.3.25mdk-1-1mdk.i586.rpm c2324dc5344bf65b4c32b7aaef8ce854 10.0/RPMS/kernel-enterprise-2.4.25.13mdk-1-1mdk.i586.rpm df49e87e645dff4a94552e15e8943c19 10.0/RPMS/kernel-enterprise-2.6.3.25mdk-1-1mdk.i586.rpm ca8d699e0e20a337a5eebf79ec85706a 10.0/RPMS/kernel-i686-up-4GB-2.4.25.13mdk-1-1mdk.i586.rpm e07ade9d7d022da3fba9e13257bb7f15 10.0/RPMS/kernel-i686-up-4GB-2.6.3.25mdk-1-1mdk.i586.rpm 916707e9d3fe3c8328db6c6e18473abe 10.0/RPMS/kernel-p3-smp-64GB-2.4.25.13mdk-1-1mdk.i586.rpm 3372a66fbafd98d091b1d3d577d50221 10.0/RPMS/kernel-p3-smp-64GB-2.6.3.25mdk-1-1mdk.i586.rpm f4684d50ded00cd05eaf47753b7564c8 10.0/RPMS/kernel-secure-2.6.3.25mdk-1-1mdk.i586.rpm 03688dfd221d3b4a6fda80ef5784bab6 10.0/RPMS/kernel-smp-2.4.25.13mdk-1-1mdk.i586.rpm 120a2b5101fcb5ade30f58c66faa8622 10.0/RPMS/kernel-smp-2.6.3.25mdk-1-1mdk.i586.rpm d865abbec938cee8c258bfed331e49b3 10.0/RPMS/kernel-source-2.4.25-13mdk.i586.rpm 6537b8b610d93a06a3b5e7fbed060d7d 10.0/RPMS/kernel-source-2.6.3-25mdk.i586.rpm 2b80606da918944b7d9a3947fe9261f4 10.0/RPMS/kernel-source-stripped-2.6.3-25mdk.i586.rpm 66014de2087370161cc488cbd2459caa 10.0/RPMS/module-init-tools-3.0-1.2.1.100mdk.i586.rpm 9b808108f4839905f98821a72e01ed9b 10.0/SRPMS/kernel-2.4.25.13mdk-1-1mdk.src.rpm cbd99bedcf3e86bbe76cfc7483d3655a 10.0/SRPMS/kernel-2.6.3.25mdk-1-1mdk.src.rpm 5ee85d63733b93e1629a9f5c44cb634c 10.0/SRPMS/module-init-tools-3.0-1.2.1.100mdk.src.rpm Mandrakelinux 10.0/AMD64: c8609f9d078f225fdc78047f338df99a amd64/10.0/RPMS/kernel-2.4.25.13mdk-1-1mdk.amd64.rpm b89b86305d44c25e7c79bff4a9f2ebe6 amd64/10.0/RPMS/kernel-2.6.3.25mdk-1-1mdk.amd64.rpm 0acfd0fcc2e4a792054970f796485a7b amd64/10.0/RPMS/kernel-secure-2.6.3.25mdk-1-1mdk.amd64.rpm 90400428327d20e8e6d7a3c6bbd95304 amd64/10.0/RPMS/kernel-smp-2.4.25.13mdk-1-1mdk.amd64.rpm a5723d6b9ac757d83eb46ea25de3f270 amd64/10.0/RPMS/kernel-smp-2.6.3.25mdk-1-1mdk.amd64.rpm 69e309596c73922539f7771a0a8473c6 amd64/10.0/RPMS/kernel-source-2.4.25-13mdk.amd64.rpm 4bf67528554bddac99214a873a16cb9f amd64/10.0/RPMS/kernel-source-2.6.3-25mdk.amd64.rpm 4628048ff5e631b48127cbbf1b7715b7 amd64/10.0/RPMS/kernel-source-stripped-2.6.3-25mdk.amd64.rpm 91593c8eb6877c70f16c274254cbad2b amd64/10.0/RPMS/module-init-tools-3.0-1.2.1.100mdk.amd64.rpm 9b808108f4839905f98821a72e01ed9b amd64/10.0/SRPMS/kernel-2.4.25.13mdk-1-1mdk.src.rpm cbd99bedcf3e86bbe76cfc7483d3655a amd64/10.0/SRPMS/kernel-2.6.3.25mdk-1-1mdk.src.rpm 5ee85d63733b93e1629a9f5c44cb634c amd64/10.0/SRPMS/module-init-tools-3.0-1.2.1.100mdk.src.rpm Mandrakelinux 10.1: 0f696c0c5320ec25d05ef5bd350f9985 10.1/RPMS/kernel-2.4.28.0.rc1.5mdk-1-1mdk.i586.rpm d1af1c436a5abba25b8f08775da71db7 10.1/RPMS/kernel-2.6.8.1.24mdk-1-1mdk.i586.rpm 0dcb79ef492718dee540f7d41e80058a 10.1/RPMS/kernel-enterprise-2.4.28.0.rc1.5mdk-1-1mdk.i586.rpm 40284c8cc69455994b3d4d1f4ca00f83 10.1/RPMS/kernel-enterprise-2.6.8.1.24mdk-1-1mdk.i586.rpm 9ea23249f97f8ee30cdac0e330112aab 10.1/RPMS/kernel-i586-up-1GB-2.4.28.0.rc1.5mdk-1-1mdk.i586.rpm 7b30e9fcc1726f729fb553cbe2c6e1c0 10.1/RPMS/kernel-i586-up-1GB-2.6.8.1.24mdk-1-1mdk.i586.rpm 871192ed017f9d5cf41182cf603ee186 10.1/RPMS/kernel-i686-up-64GB-2.6.8.1.24mdk-1-1mdk.i586.rpm c3cdd1c9aa5f109fc2c666496df04381 10.1/RPMS/kernel-secure-2.6.8.1.24mdk-1-1mdk.i586.rpm b9c94c3ddd5c96a6408cb2ae3c65cac4 10.1/RPMS/kernel-smp-2.4.28.0.rc1.5mdk-1-1mdk.i586.rpm d70bdcfaf79cf6209e9c7d4842f9c630 10.1/RPMS/kernel-smp-2.6.8.1.24mdk-1-1mdk.i586.rpm d6d6df17dbd538a472f1715ed5085069 10.1/RPMS/kernel-source-2.4-2.4.28-0.rc1.5mdk.i586.rpm 290f135dd67a321a54d1115a0e322114 10.1/RPMS/kernel-source-2.6-2.6.8.1-24mdk.i586.rpm a77254188fa582e1dc6507684b6350e0 10.1/RPMS/kernel-source-stripped-2.6-2.6.8.1-24mdk.i586.rpm ac1ff7f73b6ff5ef0d848835aa439f5b 10.1/SRPMS/kernel-2.4.28.0.rc1.5mdk-1-1mdk.src.rpm 7b0f95d89253bfab3456919d06e70039 10.1/SRPMS/kernel-2.6.8.1.24mdk-1-1mdk.src.rpm Mandrakelinux 10.1/X86_64: 960b9e64607f387c5bcd4a437981a6fa x86_64/10.1/RPMS/kernel-2.4.28.0.rc1.5mdk-1-1mdk.x86_64.rpm 04b7bd7f2fe22aa39f023a0a962b0aad x86_64/10.1/RPMS/kernel-2.6.8.1.24mdk-1-1mdk.x86_64.rpm 6bb79b4942fcaf55f503bdcbbf22f0b5 x86_64/10.1/RPMS/kernel-secure-2.6.8.1.24mdk-1-1mdk.x86_64.rpm 0d2340a40d9b712f0462f73297248700 x86_64/10.1/RPMS/kernel-smp-2.4.28.0.rc1.5mdk-1-1mdk.x86_64.rpm 10c716e96824f09ed8db7d8f83729b90 x86_64/10.1/RPMS/kernel-smp-2.6.8.1.24mdk-1-1mdk.x86_64.rpm 7b963dda4b2be54640f9ca9413c07b53 x86_64/10.1/RPMS/kernel-source-2.4-2.4.28-0.rc1.5mdk.x86_64.rpm 75c6e3ff75915b3d300a2c8cec0f9431 x86_64/10.1/RPMS/kernel-source-2.6-2.6.8.1-24mdk.x86_64.rpm 796c7f2163d63e46e129fb165ea21e25 x86_64/10.1/RPMS/kernel-source-stripped-2.6-2.6.8.1-24mdk.x86_64.rpm ac1ff7f73b6ff5ef0d848835aa439f5b x86_64/10.1/SRPMS/kernel-2.4.28.0.rc1.5mdk-1-1mdk.src.rpm 7b0f95d89253bfab3456919d06e70039 x86_64/10.1/SRPMS/kernel-2.6.8.1.24mdk-1-1mdk.src.rpm Corporate Server 2.1: b6169281f854088c070fa44ec931958d corporate/2.1/RPMS/kernel-2.4.19.48mdk-1-1mdk.i586.rpm 98dba27afd4cd5457d7f14159ed9ab5c corporate/2.1/RPMS/kernel-enterprise-2.4.19.48mdk-1-1mdk.i586.rpm 889972abd61cb4c36ed1dcbb47b3f60e corporate/2.1/RPMS/kernel-secure-2.4.19.48mdk-1-1mdk.i586.rpm 41ba99dbf81769dcb1ef6770a47de649 corporate/2.1/RPMS/kernel-smp-2.4.19.48mdk-1-1mdk.i586.rpm 6a16729a1b05c13884bd4922749c2ef3 corporate/2.1/RPMS/kernel-source-2.4.19-48mdk.i586.rpm ba431d79d61432149d88b19f7edbdaf7 corporate/2.1/SRPMS/kernel-2.4.19.48mdk-1-1mdk.src.rpm Corporate Server 2.1/x86_64: a3ee6a051ea79aadaefaaf67f19023d7 x86_64/corporate/2.1/RPMS/kernel-2.4.19.48mdk-1-1mdk.x86_64.rpm 33c6cac5db86011dc231686086b63798 x86_64/corporate/2.1/RPMS/kernel-secure-2.4.19.48mdk-1-1mdk.x86_64.rpm d39c2680a53cacf01e1c768c06239660 x86_64/corporate/2.1/RPMS/kernel-smp-2.4.19.48mdk-1-1mdk.x86_64.rpm 7c17e24855523fd5f5d6bf819a6f198b x86_64/corporate/2.1/RPMS/kernel-source-2.4.19-48mdk.x86_64.rpm ba431d79d61432149d88b19f7edbdaf7 x86_64/corporate/2.1/SRPMS/kernel-2.4.19.48mdk-1-1mdk.src.rpm Corporate Server 3.0: 3d615b76ac136595a7458135e1f839c6 corporate/3.0/RPMS/kernel-2.4.25.13mdk-1-1mdk.i586.rpm 8872bc542fb173ebe7b3ab99d9fa0a78 corporate/3.0/RPMS/kernel-2.6.3.25mdk-1-1mdk.i586.rpm c2324dc5344bf65b4c32b7aaef8ce854 corporate/3.0/RPMS/kernel-enterprise-2.4.25.13mdk-1-1mdk.i586.rpm df49e87e645dff4a94552e15e8943c19 corporate/3.0/RPMS/kernel-enterprise-2.6.3.25mdk-1-1mdk.i586.rpm ca8d699e0e20a337a5eebf79ec85706a corporate/3.0/RPMS/kernel-i686-up-4GB-2.4.25.13mdk-1-1mdk.i586.rpm e07ade9d7d022da3fba9e13257bb7f15 corporate/3.0/RPMS/kernel-i686-up-4GB-2.6.3.25mdk-1-1mdk.i586.rpm 916707e9d3fe3c8328db6c6e18473abe corporate/3.0/RPMS/kernel-p3-smp-64GB-2.4.25.13mdk-1-1mdk.i586.rpm 3372a66fbafd98d091b1d3d577d50221 corporate/3.0/RPMS/kernel-p3-smp-64GB-2.6.3.25mdk-1-1mdk.i586.rpm f4684d50ded00cd05eaf47753b7564c8 corporate/3.0/RPMS/kernel-secure-2.6.3.25mdk-1-1mdk.i586.rpm 03688dfd221d3b4a6fda80ef5784bab6 corporate/3.0/RPMS/kernel-smp-2.4.25.13mdk-1-1mdk.i586.rpm 120a2b5101fcb5ade30f58c66faa8622 corporate/3.0/RPMS/kernel-smp-2.6.3.25mdk-1-1mdk.i586.rpm d865abbec938cee8c258bfed331e49b3 corporate/3.0/RPMS/kernel-source-2.4.25-13mdk.i586.rpm 6537b8b610d93a06a3b5e7fbed060d7d corporate/3.0/RPMS/kernel-source-2.6.3-25mdk.i586.rpm 2b80606da918944b7d9a3947fe9261f4 corporate/3.0/RPMS/kernel-source-stripped-2.6.3-25mdk.i586.rpm 9b808108f4839905f98821a72e01ed9b corporate/3.0/SRPMS/kernel-2.4.25.13mdk-1-1mdk.src.rpm cbd99bedcf3e86bbe76cfc7483d3655a corporate/3.0/SRPMS/kernel-2.6.3.25mdk-1-1mdk.src.rpm Mandrakelinux 9.2: df22e4dffb539874c2ad36bc8893718b 9.2/RPMS/kernel-2.4.22.41mdk-1-1mdk.i586.rpm 58303975f994e50b440a46aa10b3c0a4 9.2/RPMS/kernel-enterprise-2.4.22.41mdk-1-1mdk.i586.rpm 6548386b7fab601d507950a3b658b454 9.2/RPMS/kernel-i686-up-4GB-2.4.22.41mdk-1-1mdk.i586.rpm a5eeba7c971e7fe09d4b42ef183b97f9 9.2/RPMS/kernel-p3-smp-64GB-2.4.22.41mdk-1-1mdk.i586.rpm c19bbca55e615a7eec5f26aebea3a675 9.2/RPMS/kernel-secure-2.4.22.41mdk-1-1mdk.i586.rpm a4b44486653dd2d4822ba26c2debb769 9.2/RPMS/kernel-smp-2.4.22.41mdk-1-1mdk.i586.rpm 941029c6b6e57f5083a48cbb2481a41e 9.2/RPMS/kernel-source-2.4.22-41mdk.i586.rpm 7a5a16618d1fb3c92a3b2c8abcb8f6e6 9.2/SRPMS/kernel-2.4.22.41mdk-1-1mdk.src.rpm Mandrakelinux 9.2/AMD64: b20216a4273d7c261e08e0aa4c7411ce amd64/9.2/RPMS/kernel-2.4.22.41mdk-1-1mdk.amd64.rpm adf9ba1fdd2b3be5de83f327fe35d932 amd64/9.2/RPMS/kernel-secure-2.4.22.41mdk-1-1mdk.amd64.rpm df3a1629ebbf44e8e57d5b6ba4c95149 amd64/9.2/RPMS/kernel-smp-2.4.22.41mdk-1-1mdk.amd64.rpm 17b4902f4d569c2f208fe4c455b20b6f amd64/9.2/RPMS/kernel-source-2.4.22-41mdk.amd64.rpm 7a5a16618d1fb3c92a3b2c8abcb8f6e6 amd64/9.2/SRPMS/kernel-2.4.22.41mdk-1-1mdk.src.rpm Multi Network Firewall 8.2: a08867762d937e0890a7efe79439c844 mnf8.2/RPMS/kernel-secure-2.4.19.48mdk-1-1mdk.i586.rpm 6fb3c0a0ab8d44e031f1c309f67b4dbc mnf8.2/RPMS/modutils-2.4.19-5mdk.i586.rpm ba431d79d61432149d88b19f7edbdaf7 mnf8.2/SRPMS/kernel-2.4.19.48mdk-1-1mdk.src.rpm 296ea31d1338fe4ca0c1eba4ff652376 mnf8.2/SRPMS/modutils-2.4.19-5mdk.src.rpm _______________________________________________________________________ To upgrade automatically use MandrakeUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandrakesoft for security. You can obtain the GPG public key of the Mandrakelinux Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandrakelinux at: http://www.mandrakesoft.com/security/advisories If you want to report vulnerabilities, please contact security_linux-mandrake.com Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team <security linux-mandrake.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFB9yM0mqjQ0CJFipgRAhTaAJ99L7scGJzG+tx7VaL4vEjpy+mI9gCdGerG WjVONQcZFTuq07uHUzEGvTo= =Wjcp -----END PGP SIGNATURE-----