Linux Today: Linux News On Internet Time.
Search Linux Today
Linux News Sections:  Developer -  High Performance -  Infrastructure -  IT Management -  Security -  Storage -
Linux Today Navigation
LT Home
Contribute
Contribute
Link to Us
Linux Jobs


More on LinuxToday


Fedora Legacy Advisory: kernel

Oct 19, 2004, 15:14 (0 Talkback[s])

Fedora Legacy Update Advisory

Synopsis: Updated kernel resolves security vulnerabilities
Advisory ID: FLSA:1804
Issue date: 2004-10-18
Product: Red Hat Linux
Keywords: Security
Cross references: https://bugzilla.fedora.us/show_bug.cgi?id=3D1804
CVE Names: CAN-2004-0619, CAN-2004-0497, CAN-2004-0587, CAN-2004-0658, CAN-2004-0415, CAN-2004-0427, CAN-2004-0495, CAN-2004-0535, CAN-2004-0554, CAN-2004-0228, CAN-2004-0178, CAN-2004-0181, CAN-2004-0394, CAN-2004-0003, CAN-2004-0109, CAN-2004-0133



1. Topic:

Updated kernel packages that fix security vulnerabilities which may allow local users to gain root privileges are now available. These packages also resolve other minor issues.

2. Relevent releases/architectures:

Red Hat Linux 7.3 - i386, i586, i686, athlon Red Hat Linux 9 - i386, i586, i686, athlon

3. Problem description:

The Linux kernel handles the basic functions of the operating system.

iDefense reported a buffer overflow flaw in the ISO9660 filesystem code. An attacker could create a malicious filesystem in such a way that they could gain root privileges if that filesystem is mounted. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CAN-2004-0109 to this issue. This issue is addressed in the Red Hat 7.3 packages referenced in this advisory, having been previously fixed for Red Hat 9.

These packages also contain an updated fix with additional checks for issues in the R128 Direct Render Infrastructure. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CAN-2004-0003 to this issue. This issue was addressed in the Red Hat 7.3 packages referenced in this advisory, having been previously fixed for Red Hat 9.

A bug in the SoundBlaster 16 code which did not properly handle certain sample sizes has been fixed. This flaw could be used by local users to crash a system. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CAN-2004-0178 to this issue.

Paul Starzetz discovered flaws in the Linux kernel when handling file offset pointers. These consist of invalid conversions of 64 to 32-bit file offset pointers and possible race conditions. A local unprivileged user could make use of these flaws to access large portions of kernel memory. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CAN-2004-0415 to this issue.

During an audit of the Linux kernel, SUSE discovered a flaw that allowed a user to make unauthorized changes to the group ID of files in certain circumstances. In the 2.4 kernel, as shipped with Red Hat Enterprise Linux, the only way this could happen is through the kernel nfs server. A user on a system that mounted a remote file system from a vulnerable machine may be able to make unauthorized changes to the group ID of exported files. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CAN-2004-0497 to this issue.

A flaw was found in Linux kernel versions 2.4 and 2.6 for x86 and x86_64 that allowed local users to cause a denial of service (system crash) by triggering a signal handler with a certain sequence of fsave and frstor instructions. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CAN-2004-0554 to this issue.

Enhancements were committed to the 2.6 kernel by Al Viro which enabled the Sparse source code checking tool to check for a certain class of kernel bugs. A subset of these fixes also applies to various drivers in the 2.4 kernel. These flaws could lead to privilege escalation or access to kernel memory. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CAN-2004-0495 to these issues.

Integer overflow in the Linux Broadcom 5820 cryptonet driver allows local users to cause a denial of service (crash) and possibly execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CAN-2004-0619 to this issue. This driver has been removed =66rom this release.

Integer overflow in the IEEE 1394 (Firewire) driver allows local users to cause a denial of service (crash) and possibly execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CAN-2004-0658 to this issue.

The do_fork function in Linux 2.4.x before 2.4.26 had a bug which could trigger a memory leak leading to a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CAN-2004-0427 to this issue.

An integer signedness error in the cpufreq proc handle allowed local users to gain privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CAN-2004-0228 to this issue.

The JFS file system code in Linux 2.4.x had an information leak in which in-memory data is written to the device for the JFS file system, which allowed local users to obtain sensitive information by reading the raw device. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CAN-2004-0181 to this issue.

The XFS file system code in Linux 2.4.x had an information leak in which in-memory data is written to the device for the XFS file system, which allowed local users to obtain sensitive information by reading the raw device. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CAN-2004-0133 to this issue.

In addition, these packages correct further minor issues:

An bug in the e1000 network driver. This bug could be used by local users to leak small amounts of kernel memory (CAN-2004-0535).

Inappropriate permissions on /proc/scsi/qla2300/HbaApiNode (CAN-2004-0587).

Potential buffer overflow in the panic() function (CAN-2004-0394).

All users are advised to upgrade to these errata packages, which contain backported security patches that correct these issues.

Fedora Legacy would like to thank all those who reported the various issues discussed here.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To install kernel packages manually, use "rpm -ivh <package>" and modify system settings to boot the kernel you have installed. To do this, edit /boot/grub/grub.conf and change the default entry to "default=3D0" (or, if you have chosen to use LILO as your boot loader, edit /etc/lilo.conf and run lilo)

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/download for directions on how to configure yum and apt-get.

Note that this may not automatically pull the new kernel in if you have configured apt/yum to ignore kernels. If so, follow the manual instructions above.

5. Bug IDs fixed:

https://bugzilla.fedora.us/show_bug.cgi?id=3D1804 - CAN-2004-0619,0497,0587,0658,0415 Kernel fixes
https://bugzilla.fedora.us/show_bug.cgi?id=3D1484 - various security - related fixes for the kernel

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/kernel-2.4.20-37.7.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/kernel-2.4.20-37.7.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/kernel-BOOT-2.4.20-37.7.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/kernel-doc-2.4.20-37.7.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/kernel-source-2.4.20-37.7.legacy.i386.rpm

i568:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/kernel-2.4.20-37.7.legacy.i586.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/kernel-smp-2.4.20-37.7.legacy.i586.rpm

i686:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/kernel-2.4.20-37.7.legacy.i686.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/kernel-bigmem-2.4.20-37.7.legacy.i686.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/kernel-smp-2.4.20-37.7.legacy.i686.rpm

athlon:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/kernel-2.4.20-37.7.legacy.athlon.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/kernel-smp-2.4.20-37.7.legacy.athlon.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/kernel-2.4.20-37.9.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/kernel-2.4.20-37.9.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/kernel-BOOT-2.4.20-39.7.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/kernel-doc-2.4.20-39.7.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/kernel-source-2.4.20-39.7.legacy.i386.rpm

i586:
http://download.fedoralegacy.org/redhat/9/updates/i386/kernel-2.4.20-37.9.legacy.i586.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/kernel-smp-2.4.20-37.9.legacy.i586.rpm

i686:
http://download.fedoralegacy.org/redhat/9/updates/i386/kernel-2.4.20-37.9.legacy.i686.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/kernel-bigmem-2.4.20-37.9.legacy.i686.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/kernel-smp-2.4.20-37.9.legacy.i686.rpm

athlon:
http://download.fedoralegacy.org/redhat/9/updates/i386/kernel-2.4.20-37.9.legacy.athlon.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/kernel-smp-2.4.20-37.9.legacy.athlon.rpm

7. Verification:

SHA1 sum Package Name


d5122c56d20371d25921a789f20b4a429f0ed0ee 7.3/updates/SRPMS/kernel-2.4.20-37.7.legacy.src.rpm 8a1c65a280190c3fc5102bb5a37db4a6d38dc38c 7.3/updates/i386/kernel-2.4.20-37.7.legacy.athlon.rpm b7a9696838f7c981fa9dc7f016c626f068d77f32 7.3/updates/i386/kernel-2.4.20-37.7.legacy.i386.rpm b01d2fc73b95e89a67b9490b7f7c4261be0b2d92 7.3/updates/i386/kernel-2.4.20-37.7.legacy.i586.rpm 2c64ea0f6f088eeb2a47eed62f20fce086695f1f 7.3/updates/i386/kernel-2.4.20-37.7.legacy.i686.rpm e76f2bbdb94c0baa2d8c81df33f1f001b4eb6515 7.3/updates/i386/kernel-bigmem-2.4.20-37.7.legacy.i686.rpm 302b9f0ae8e4b8dc975b0243ada68287508d85e9 7.3/updates/i386/kernel-BOOT-2.4.20-37.7.legacy.i386.rpm c63c54ec6da4d10a21cd768d9596edb463dab3f3 7.3/updates/i386/kernel-doc-2.4.20-37.7.legacy.i386.rpm ca0abce4704e89972b4d55edc615d1ac77c9038a 7.3/updates/i386/kernel-smp-2.4.20-37.7.legacy.athlon.rpm e151c2fe55bfb2ecc802ccbc82b176b6e6e32e27 7.3/updates/i386/kernel-smp-2.4.20-37.7.legacy.i586.rpm 8cddf2b85c8e0aa6442d111a4190c2b2ebc65d45 7.3/updates/i386/kernel-smp-2.4.20-37.7.legacy.i686.rpm 40595f8d08b8b631742cfb891168a96de36364f0 7.3/updates/i386/kernel-source-2.4.20-37.7.legacy.i386.rpm 4fdcc24dba64ef30ce49b170f6bbd3be98a129d8 9/updates/SRPMS/kernel-2.4.20-37.9.legacy.src.rpm f93b63bc5a40f24351a2d7855aaa66aacf6b1349 9/updates/i386/kernel-2.4.20-37.9.legacy.athlon.rpm 15c94e731201db0ad89b41d9b2c35e7f85d6f517 9/updates/i386/kernel-2.4.20-37.9.legacy.i386.rpm 5ee67818d1902c1e7ef919e1986c4c6f5cb58b6c 9/updates/i386/kernel-2.4.20-37.9.legacy.i586.rpm 4a61fc7fd41a7d35cfcc25178ec5cb659ed3f6fe 9/updates/i386/kernel-2.4.20-37.9.legacy.i686.rpm 790eef91cb194f60ab6c9ec5b0c4f08365b02022 9/updates/i386/kernel-bigmem-2.4.20-37.9.legacy.i686.rpm dd464f337d30580cd60b279d3b28f1ff972b718c 9/updates/i386/kernel-BOOT-2.4.20-37.9.legacy.i386.rpm 6283845b3af07cf065902f3e75312a3ef7b5c90a 9/updates/i386/kernel-doc-2.4.20-37.9.legacy.i386.rpm 25f86ab0bb3cfb9e1cf03e71af16c3d58e3db12b 9/updates/i386/kernel-smp-2.4.20-37.9.legacy.athlon.rpm c3f2461bd36aba58139e3cb29e34ecf9e97f6daf 9/updates/i386/kernel-smp-2.4.20-37.9.legacy.i586.rpm d03acba749f539607b3068670d8d2b12e7a98c02 9/updates/i386/kernel-smp-2.4.20-37.9.legacy.i686.rpm 65079b01af9d60ca90b6650690634aa5d0c79cfa 9/updates/i386/kernel-source-2.4.20-37.9.legacy.i386.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command:

sha1sum <filename>

8. References:

https://bugzilla.fedora.us/show_bug.cgi?id=3D1484
https://bugzilla.fedora.us/show_bug.cgi?id=3D1804

9. Contact:

The Fedora Legacy security contact is <secnotice@fedoralegacy.org>. More project details at http://www.fedoralegacy.org

10. Special Notes:

If you use lilo, you will have to edit your lilo.conf file and shorten the label of this kernel. The label is too long for lilo, but not for grub.

This update removes support for the Broadcom 5820 cryptonet hardware. If you need support for this device, you will need to make special arrangements before applying this update.