lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 14 Apr 2004 17:07:46 +0200 (CEST)
From: joey@...odrom.org (Martin Schulze)
To: bugtraq@...urityfocus.com
Subject: [SECURITY] [DSA 480-1] New Linux 2.4.17 and 2.4.18 packages fix local root exploit (hppa)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 480-1                     security@...ian.org
http://www.debian.org/security/                             Martin Schulze
April 14th, 2004                        http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : kernel-image-2.4.17-hppa kernel-image-2.4.18-hppa
Vulnerability  : several vulnerabilities
Problem-Type   : local
Debian-specific: no
CVE ID         : CAN-2004-0003 CAN-2004-0010 CAN-2004-0109 CAN-2004-0177 CAN-2004-0178

Several serious problems have been discovered in the Linux kernel.
This update takes care of Linux 2.4.17 and 2.4.18 for the hppa
(PA-RISC) architecture.  The Common Vulnerabilities and Exposures
project identifies the following problems that will be fixed with this
update:

CAN-2004-0003

    A vulnerability has been discovered in the R128 drive in the Linux
    kernel which could potentially lead an attacker to gain
    unauthorised privileges.  Alan Cox and Thomas Biege developed a
    correction for this

CAN-2004-0010

    Arjan van de Ven discovered a stack-based buffer overflow in the
    ncp_lookup function for ncpfs in the Linux kernel, which could
    lead an attacker to gain unauthorised privileges.  Petr Vandrovec
    developed a correction for this.

CAN-2004-0109

    zen-parse discovered a buffer overflow vulnerability in the
    ISO9660 filesystem component of Linux kernel which could be abused
    by an attacker to gain unauthorised root access.  Sebastian
    Krahmer and Ernie Petrides developed a correction for this.

CAN-2004-0177

    Solar Designer discovered an information leak in the ext3 code of
    Linux.  In a worst case an attacker could read sensitive data such
    as cryptographic keys which would otherwise never hit disk media.
    Theodore Ts'o developed a correction for this.

CAN-2004-0178

    Andreas Kies discovered a denial of service condition in the Sound
    Blaster driver in Linux.  He also developed a correction for this.

These problems will also be fixed by upstream in Linux 2.4.26 and
future versions of 2.6.

For the stable distribution (woody) these problems have been fixed in
version 32.4 for Linux 2.4.17 and in version 62.3 for Linux 2.4.18.

For the unstable distribution (sid) these problems will be fixed soon.

We recommend that you upgrade your kernel packages immediately, either
with a Debian provided kernel or with a self compiled one.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.17-hppa/kernel-image-2.4.17-hppa_32.4.dsc
      Size/MD5 checksum:      713 d6e475210d87586fafc91e1d557a1a81
    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.17-hppa/kernel-image-2.4.17-hppa_32.4.tar.gz
      Size/MD5 checksum: 29958654 8357b4f2946cd1256a0ddf51395aaa1b

    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-hppa/kernel-image-2.4.18-hppa_62.3.dsc
      Size/MD5 checksum:      713 a7dd8816219af9d8af30e0dd5d4933ae
    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-hppa/kernel-image-2.4.18-hppa_62.3.tar.gz
      Size/MD5 checksum: 30341920 73ebcb15f4e1245792af77ab2edc8133

  Architecture independent components:

    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.17-hppa/kernel-source-2.4.17-hppa_32.4_all.deb
      Size/MD5 checksum: 24111814 32a7c5a4b9b7f56f76a3810ee1c671bd

    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-hppa/kernel-source-2.4.18-hppa_62.3_all.deb
      Size/MD5 checksum: 24403622 c5600ecd5365f4699e3937328536d997

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.17-hppa/kernel-headers-2.4.17-hppa_32.4_hppa.deb
      Size/MD5 checksum:  3531374 1ace6b1a6f1575bb05cfa38eef8ae28e
    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.17-hppa/kernel-image-2.4.17-32_32.4_hppa.deb
      Size/MD5 checksum:  2738008 7460b70d3551740b099f47cc00f75a9a
    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.17-hppa/kernel-image-2.4.17-32-smp_32.4_hppa.deb
      Size/MD5 checksum:  2870152 3012e161b10a40ef75b5ca7dc99f646a
    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.17-hppa/kernel-image-2.4.17-64_32.4_hppa.deb
      Size/MD5 checksum:  3024374 dc9b851d809cbe09e4d4db58c905c8a8
    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.17-hppa/kernel-image-2.4.17-64-smp_32.4_hppa.deb
      Size/MD5 checksum:  3165848 b6b8cbf7f48fbf729c859350c7d09e11

    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-hppa/kernel-headers-2.4.18-hppa_62.3_hppa.deb
      Size/MD5 checksum:  3545648 cdc19e048e49678e4f42bef608a24461
    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-hppa/kernel-image-2.4.18-32_62.3_hppa.deb
      Size/MD5 checksum:  2763774 f51ec93fcb6101a2e3ecf4d9767237c8
    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-hppa/kernel-image-2.4.18-32-smp_62.3_hppa.deb
      Size/MD5 checksum:  2903956 88e4ca002820f71fcc5101762f8b24e4
    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-hppa/kernel-image-2.4.18-64_62.3_hppa.deb
      Size/MD5 checksum:  3061206 9ef449c857ec8a57c505fdee26b7a936
    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.18-hppa/kernel-image-2.4.18-64-smp_62.3_hppa.deb
      Size/MD5 checksum:  3199070 e59926283c57ef868881e6cc1e501e6b


  These files will probably be moved into the stable distribution on
  its next revision.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@...ts.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAfVO+W5ql+IAeqTIRAiSeAJ93ehL1LmbRBheMrhISXJb2IcMRSQCgna2i
QZMFDWSgY4WZsGOz8HAYDcg=
=pO1N
-----END PGP SIGNATURE-----



Powered by blists - more mailing lists