Message-ID: <20041118231205.GB9460@box79162.elkhouse.de>
From: martin.pitt at canonical.com (Martin Pitt)
Subject: [USN-30-1] Linux kernel vulnerabilities
===========================================================
Ubuntu Security Notice USN-30-1 November 18, 2004
linux-source-2.6.8.1 vulnerabilities
CAN-2004-0883, CAN-2004-0949, and others
===========================================================
A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)

The following packages are affected:

linux-image-2.6.8.1-3-386
linux-image-2.6.8.1-3-686
linux-image-2.6.8.1-3-686-smp
linux-image-2.6.8.1-3-amd64-generic
linux-image-2.6.8.1-3-amd64-k8
linux-image-2.6.8.1-3-amd64-k8-smp
linux-image-2.6.8.1-3-amd64-xeon
linux-image-2.6.8.1-3-k7
linux-image-2.6.8.1-3-k7-smp
linux-image-2.6.8.1-3-power3
linux-image-2.6.8.1-3-power3-smp
linux-image-2.6.8.1-3-power4
linux-image-2.6.8.1-3-power4-smp
linux-image-2.6.8.1-3-powerpc
linux-image-2.6.8.1-3-powerpc-smp

The problem can be corrected by upgrading the affected package to
version 2.6.8.1-16.1. You need to reboot the computer after doing a
standard system upgrade to effect the necessary changes.

Details follow:

CAN-2004-0883, CAN-2004-0949:

During an audit of the smb file system implementation within Linux,
several vulnerabilities were discovered, ranging from out-of-bounds
read accesses to kernel-level buffer overflows.

To exploit any of these vulnerabilities, an attacker needs control
over the answers of the connected Samba server. This could be
achieved by man-in-the-middle attacks or by taking over the Samba
server with, e.g., the recently disclosed vulnerability in Samba 3.x
(see CAN-2004-0882).

While any of these vulnerabilities can easily be used as remote
denial of service exploits against Linux systems, it is unclear
whether a skilled local or remote attacker can use any of the
possible buffer overflows for arbitrary code execution in kernel
space. These bugs may therefore theoretically lead to privilege
escalation and total compromise of the whole system.

http://isec.pl/vulnerabilities/isec-0017-binfmt_elf.txt:

Several flaws have been found in the Linux ELF binary loader's
handling of setuid binaries. ELF is now the standard format for
Linux executables and libraries. setuid binaries are programs that
have the "setuid" file permission bit set; they allow a program to
be executed under a user id different from that of the calling user
and are mostly used to let normal users execute a program with root
privileges.

The vulnerabilities that were fixed in these updated kernel packages
could lead to Denial of Service attacks. They also might lead to
execution of arbitrary code and privilege escalation on some
platforms if an attacker is able to run setuid programs under some
special system conditions (like very little remaining memory).

Another flaw could allow an attacker to read supposedly unreadable,
but executable, suid binaries. The attacker can then use this to
look for faults within the executable.

http://marc.theaimsgroup.com/?l=linux-kernel&m=109776571411003&w=2:

Bernard Gagnon discovered a memory leak in the mmap raw packet
socket implementation. When a client application (in ELF format)
core dumps, a region of memory stays allocated as a ring buffer.
This could be exploited by a malicious user who repeatedly crashes
certain types of applications until the memory is exhausted, thus
causing a Denial of Service.

Reverted 486 emulation patch:

Ubuntu kernels for the i386 platforms are compiled using the i486
instruction set for performance reasons. Previous Ubuntu kernels
contained code which emulated the missing instructions on real 386
processors. However, several actual and potential security flaws
have been discovered in the code, and it was found to be
unsupportable. It might also be possible to exploit these
vulnerabilities on i486 and higher processors.

Therefore support for real i386 processors has ceased. This updated
kernel will only run on i486 and newer processors.

Other architectures supported by Ubuntu (amd64, powerpc) are not
affected.