[ Thanks to SOT Linux Security Team for this link. ]
----------------------------------------------------------------
SOT Linux Security Advisory

Subject:      Updated kernel package for SOT Linux 2002
Advisory ID:  SLSA-2003:19
Date:         Wednesday, April 23, 2003
Product:      SOT Linux 2002
----------------------------------------------------------------

1. Problem description

A bug found in the kernel module loader code could allow a local user to gain root privileges. When a process requests a feature that is in a module, the kernel spawns a child process, sets its euid and egid to 0, and calls execve("/sbin/modprobe").

The problem is that before the euid change, the child process can be attached to with ptrace(). The user can then insert any code into the process, and that code will run with superuser privileges. This is a local root vulnerability.

It is exploitable only if:

1. the kernel is built with modules and the kernel module loader enabled
2. /proc/sys/kernel/modprobe contains the path to some valid executable
3. ptrace() calls are not blocked

As a temporary workaround, kernel module loading can be disabled. Make sure that all needed kernel modules are loaded before using this workaround. To apply it, execute as root:

    echo /foo/bar/file > /proc/sys/kernel/modprobe

You can add this line to /etc/rc.d/rc.local to automate the process:

    echo "echo /foo/bar/file > /proc/sys/kernel/modprobe" >> /etc/rc.d/rc.local

Updated kernel packages are available for SOT Linux 2002. All SOT Linux 2002 users are advised to update the kernel package.

2. Updated packages

SOT Linux 2002 Desktop:

i386:
ftp://ftp.sot.com/updates/2002/Desktop/i386/kernel-desktop-2.4.12-50.i386.rpm

SRPMS:
ftp://ftp.sot.com/updates/2002/Desktop/SRPMS/kernel-2.4.12-50.src.rpm

SOT Linux 2002 Server:

i386:
ftp://ftp.sot.com/updates/2002/Server/i386/kernel-server-2.4.12-50.i386.rpm
ftp://ftp.sot.com/updates/2002/Server/i386/kernel-source-2.4.12-50.i386.rpm

SRPMS:
ftp://ftp.sot.com/updates/2002/Server/SRPMS/kernel-2.4.12-50.src.rpm

3. Upgrading package

Before applying this update, make sure all previously released errata relevant to your system have been applied.

Use up2date to automatically upgrade the fixed packages.

If you want to upgrade manually, download the updated package from the SOT Linux FTP site (use the links above) or from one of our mirrors. The list of mirrors can be obtained at www.sot.com/en/linux

Update the package with the following command:

    rpm -Uvh <filename>

4. Verification

All packages are PGP signed by SOT for security.

You can verify each package with the following command:

    rpm --checksig <filename>

If you wish to verify the integrity of the downloaded package, run "md5sum <filename>" and compare the output with the data given below.

Package Name                                      MD5 sum
----------------------------------------------------------------
/Desktop/i386/kernel-desktop-2.4.12-50.i386.rpm   36a438f249f92b20c9e644e376dceece
/Desktop/SRPMS/kernel-2.4.12-50.src.rpm           6e0b0b2e24636c07a3892a97c44a1d57
/Server/i386/kernel-server-2.4.12-50.i386.rpm     57f411a8829880fab3ce5ef796519556
/Server/i386/kernel-source-2.4.12-50.i386.rpm     99a61856a469012fa3d465e23234022d
/Server/SRPMS/kernel-2.4.12-50.src.rpm            6e0b0b2e24636c07a3892a97c44a1d57

5. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0127
http://www.kernel.org/

Copyright(c) 2001-2003 SOT

----------------------------------------------------------------
SOT Linux Security Advisory

Subject:      Updated samba package for SOT Linux 2002
Advisory ID:  SLSA-2003:18
Date:         Wednesday, April 23, 2003
Product:      SOT Linux 2002
----------------------------------------------------------------

1. Problem description

Multiple vulnerabilities were discovered in the samba package:

CAN-2003-0201
    Buffer overflow in the call_trans2open function in trans2.c for Samba 2.2.x before 2.2.8a, 2.0.10 and earlier 2.0.x versions, and Samba-TNG before 0.3.2, allows remote attackers to execute arbitrary code.
CAN-2003-0196
    Multiple buffer overflows in Samba before 2.2.8a may allow remote attackers to execute arbitrary code or cause a denial of service, as discovered by the Samba team and a different vulnerability than CAN-2003-0201.

CAN-2003-0085
    Buffer overflow in the SMB/CIFS packet fragment re-assembly code for SMB daemon (smbd) in Samba before 2.2.8, and Samba-TNG before 0.3.1, allows remote attackers to execute arbitrary code.

SOT Linux 2002 samba users are advised to update the packages.

2. Updated packages

SOT Linux 2002 Desktop:

i386:
ftp://ftp.sot.com/updates/2002/Desktop/i386/samba-2.2.8a-3.i386.rpm
ftp://ftp.sot.com/updates/2002/Desktop/i386/samba-common-2.2.8a-3.i386.rpm
ftp://ftp.sot.com/updates/2002/Desktop/i386/samba-client-2.2.8a-3.i386.rpm

SRPMS:
ftp://ftp.sot.com/updates/2002/Desktop/SRPMS/samba-2.2.8a-3.src.rpm

SOT Linux 2002 Server:

i386:
ftp://ftp.sot.com/updates/2002/Server/i386/samba-2.2.8a-3.i386.rpm
ftp://ftp.sot.com/updates/2002/Server/i386/samba-common-2.2.8a-3.i386.rpm
ftp://ftp.sot.com/updates/2002/Server/i386/samba-swat-2.2.8a-3.i386.rpm
ftp://ftp.sot.com/updates/2002/Server/i386/samba-client-2.2.8a-3.i386.rpm

SRPMS:
ftp://ftp.sot.com/updates/2002/Server/SRPMS/samba-2.2.8a-3.src.rpm

3. Upgrading package

Before applying this update, make sure all previously released errata relevant to your system have been applied.

Use up2date to automatically upgrade the fixed packages.

If you want to upgrade manually, download the updated package from the SOT Linux FTP site (use the links above) or from one of our mirrors. The list of mirrors can be obtained at www.sot.com/en/linux

Update the package with the following command:

    rpm -Uvh <filename>

4. Verification

All packages are PGP signed by SOT for security.

You can verify each package with the following command:

    rpm --checksig <filename>

If you wish to verify the integrity of the downloaded package, run "md5sum <filename>" and compare the output with data given below.

Package Name                                      MD5 sum
----------------------------------------------------------------
/Desktop/i386/samba-2.2.8a-3.i386.rpm             caa373a3790e3e4cbdb55025997759e6
/Desktop/i386/samba-common-2.2.8a-3.i386.rpm      e09a2048808d81ef6d9111c9b4d7f83f
/Desktop/i386/samba-client-2.2.8a-3.i386.rpm      5b7bd5482faaca71097292b37f2083c8
/Desktop/SRPMS/samba-2.2.8a-3.src.rpm             0be8706461e5ea918ed6fae49bc74e7f
/Server/i386/samba-2.2.8a-3.i386.rpm              caa373a3790e3e4cbdb55025997759e6
/Server/i386/samba-common-2.2.8a-3.i386.rpm       e09a2048808d81ef6d9111c9b4d7f83f
/Server/i386/samba-client-2.2.8a-3.i386.rpm       5b7bd5482faaca71097292b37f2083c8
/Server/i386/samba-swat-2.2.8a-3.i386.rpm         4eda3c4d0fa074105fc77723c50e1c07
/Server/SRPMS/samba-2.2.8a-3.src.rpm              0be8706461e5ea918ed6fae49bc74e7f

5. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0196
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0201
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0085
http://www.digitaldefense.net/labs/advisories/DDI-1013.txt
http://www.samba.org/

Copyright(c) 2001-2003 SOT
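
For the kernel advisory SLSA-2003:19 above, an administrator can check whether the modprobe workaround is in effect and whether it will survive a reboot. The script below is an added example, not part of the SOT advisory; it checks conditions 1 and 2 from that advisory's list and does not check condition 3 (ptrace). The function names are hypothetical, and treating a missing /proc/sys/kernel/modprobe as "no module loader" is an assumption.

```shell
#!/bin/sh
# Added example: report the state of the SLSA-2003:19 workaround.
# Paths are parameters so the check can also run on a copied /proc tree.

# modprobe_state SYSCTL_FILE
#   no-loader      file absent (assumption: module loader not built in)
#   disabled       path is empty or not an executable file (workaround active)
#   enabled:<path> path names a valid executable (advisory condition 2 holds)
modprobe_state() {
    if [ ! -r "$1" ]; then
        echo "no-loader"
        return 0
    fi
    helper=$(cat "$1")
    if [ -n "$helper" ] && [ -f "$helper" ] && [ -x "$helper" ]; then
        echo "enabled:$helper"
    else
        echo "disabled"
    fi
}

# workaround_persisted RC_FILE
#   Succeeds if RC_FILE has an uncommented echo line writing to the sysctl.
workaround_persisted() {
    [ -r "$1" ] &&
        grep -Eq '^[[:space:]]*echo[[:space:]].*>[[:space:]]*/proc/sys/kernel/modprobe' "$1"
}

# assess SYSCTL_FILE RC_FILE -> one-line verdict
assess() {
    state=$(modprobe_state "$1")
    case $state in
        no-loader) echo "OK: no kernel module loader sysctl present" ;;
        enabled:*) echo "CHECK: module loader enabled (helper ${state#enabled:}); install the updated kernel or apply the workaround" ;;
        disabled)
            if workaround_persisted "$2"; then
                echo "MITIGATED: workaround active and persisted in $2"
            else
                echo "MITIGATED-UNTIL-REBOOT: workaround active but not found in $2"
            fi ;;
    esac
}

assess "${1:-/proc/sys/kernel/modprobe}" "${2:-/etc/rc.d/rc.local}"
```
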