---

Fedora Legacy Advisory: kernel


Fedora Legacy Update Advisory

Synopsis: Updated kernel resolves security vulnerabilities
Advisory ID: FLSA:1804
Issue date: 2004-10-18
Product: Red Hat Linux
Keywords: Security
Cross references: https://bugzilla.fedora.us/show_bug.cgi?id=3D1804

CVE Names: CAN-2004-0619, CAN-2004-0497, CAN-2004-0587,
CAN-2004-0658, CAN-2004-0415, CAN-2004-0427, CAN-2004-0495,
CAN-2004-0535, CAN-2004-0554, CAN-2004-0228, CAN-2004-0178,
CAN-2004-0181, CAN-2004-0394, CAN-2004-0003, CAN-2004-0109,
CAN-2004-0133



1. Topic:

Updated kernel packages that fix security vulnerabilities which
may allow local users to gain root privileges are now available.
These packages also resolve other minor issues.

2. Relevent releases/architectures:

Red Hat Linux 7.3 – i386, i586, i686, athlon Red Hat Linux 9 –
i386, i586, i686, athlon

3. Problem description:

The Linux kernel handles the basic functions of the operating
system.

iDefense reported a buffer overflow flaw in the ISO9660
filesystem code. An attacker could create a malicious filesystem in
such a way that they could gain root privileges if that filesystem
is mounted. The Common Vulnerabilities and Exposures project
(cve.mitre.org/) has assigned
the name CAN-2004-0109 to this issue. This issue is addressed in
the Red Hat 7.3 packages referenced in this advisory, having been
previously fixed for Red Hat 9.

These packages also contain an updated fix with additional
checks for issues in the R128 Direct Render Infrastructure. The
Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name
CAN-2004-0003 to this issue. This issue was addressed in the Red
Hat 7.3 packages referenced in this advisory, having been
previously fixed for Red Hat 9.

A bug in the SoundBlaster 16 code which did not properly handle
certain sample sizes has been fixed. This flaw could be used by
local users to crash a system. The Common Vulnerabilities and
Exposures project (cve.mitre.org/) has assigned the name
CAN-2004-0178 to this issue.

Paul Starzetz discovered flaws in the Linux kernel when handling
file offset pointers. These consist of invalid conversions of 64 to
32-bit file offset pointers and possible race conditions. A local
unprivileged user could make use of these flaws to access large
portions of kernel memory. The Common Vulnerabilities and Exposures
project (cve.mitre.org/) has
assigned the name CAN-2004-0415 to this issue.

During an audit of the Linux kernel, SUSE discovered a flaw that
allowed a user to make unauthorized changes to the group ID of
files in certain circumstances. In the 2.4 kernel, as shipped with
Red Hat Enterprise Linux, the only way this could happen is through
the kernel nfs server. A user on a system that mounted a remote
file system from a vulnerable machine may be able to make
unauthorized changes to the group ID of exported files. The Common
Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name
CAN-2004-0497 to this issue.

A flaw was found in Linux kernel versions 2.4 and 2.6 for x86
and x86_64 that allowed local users to cause a denial of service
(system crash) by triggering a signal handler with a certain
sequence of fsave and frstor instructions. The Common
Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name
CAN-2004-0554 to this issue.

Enhancements were committed to the 2.6 kernel by Al Viro which
enabled the Sparse source code checking tool to check for a certain
class of kernel bugs. A subset of these fixes also applies to
various drivers in the 2.4 kernel. These flaws could lead to
privilege escalation or access to kernel memory. The Common
Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name
CAN-2004-0495 to these issues.

Integer overflow in the Linux Broadcom 5820 cryptonet driver
allows local users to cause a denial of service (crash) and
possibly execute arbitrary code. The Common Vulnerabilities and
Exposures project (cve.mitre.org/) has assigned the name
CAN-2004-0619 to this issue. This driver has been removed =66rom
this release.

Integer overflow in the IEEE 1394 (Firewire) driver allows local
users to cause a denial of service (crash) and possibly execute
arbitrary code. The Common Vulnerabilities and Exposures project
(cve.mitre.org/) has assigned
the name CAN-2004-0658 to this issue.

The do_fork function in Linux 2.4.x before 2.4.26 had a bug
which could trigger a memory leak leading to a denial of service.
The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name
CAN-2004-0427 to this issue.

An integer signedness error in the cpufreq proc handle allowed
local users to gain privileges. The Common Vulnerabilities and
Exposures project (cve.mitre.org/) has assigned the name
CAN-2004-0228 to this issue.

The JFS file system code in Linux 2.4.x had an information leak
in which in-memory data is written to the device for the JFS file
system, which allowed local users to obtain sensitive information
by reading the raw device. The Common Vulnerabilities and Exposures
project (cve.mitre.org/) has
assigned the name CAN-2004-0181 to this issue.

The XFS file system code in Linux 2.4.x had an information leak
in which in-memory data is written to the device for the XFS file
system, which allowed local users to obtain sensitive information
by reading the raw device. The Common Vulnerabilities and Exposures
project (cve.mitre.org/) has
assigned the name CAN-2004-0133 to this issue.

In addition, these packages correct further minor issues:

An bug in the e1000 network driver. This bug could be used by
local users to leak small amounts of kernel memory
(CAN-2004-0535).

Inappropriate permissions on /proc/scsi/qla2300/HbaApiNode
(CAN-2004-0587).

Potential buffer overflow in the panic() function
(CAN-2004-0394).

All users are advised to upgrade to these errata packages, which
contain backported security patches that correct these issues.

Fedora Legacy would like to thank all those who reported the
various issues discussed here.

4. Solution:

Before applying this update, make sure all previously released
errata relevant to your system have been applied.

To install kernel packages manually, use “rpm -ivh
<package>” and modify system settings to boot the kernel you
have installed. To do this, edit /boot/grub/grub.conf and change
the default entry to “default=3D0” (or, if you have chosen to use
LILO as your boot loader, edit /etc/lilo.conf and run lilo)

Please note that this update is also available via yum and apt.
Many people find this an easier way to apply updates. To use yum
issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that
you have yum or apt-get configured for obtaining Fedora Legacy
content. Please visit http://www.fedoralegacy.org/download
for directions on how to configure yum and apt-get.

Note that this may not automatically pull the new kernel in if
you have configured apt/yum to ignore kernels. If so, follow the
manual instructions above.

5. Bug IDs fixed:

https://bugzilla.fedora.us/show_bug.cgi?id=3D1804
– CAN-2004-0619,0497,0587,0658,0415 Kernel fixes
https://bugzilla.fedora.us/show_bug.cgi?id=3D1484
– various security – related fixes for the kernel

6. RPMs required:

Red Hat Linux 7.3:

SRPM:

http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/kernel-2.4.20-37.7.legacy.src.rpm

i386:

http://download.fedoralegacy.org/redhat/7.3/updates/i386/kernel-2.4.20-37.7.legacy.i386.rpm


http://download.fedoralegacy.org/redhat/7.3/updates/i386/kernel-BOOT-2.4.20-37.7.legacy.i386.rpm


http://download.fedoralegacy.org/redhat/7.3/updates/i386/kernel-doc-2.4.20-37.7.legacy.i386.rpm


http://download.fedoralegacy.org/redhat/7.3/updates/i386/kernel-source-2.4.20-37.7.legacy.i386.rpm

i568:

http://download.fedoralegacy.org/redhat/7.3/updates/i386/kernel-2.4.20-37.7.legacy.i586.rpm


http://download.fedoralegacy.org/redhat/7.3/updates/i386/kernel-smp-2.4.20-37.7.legacy.i586.rpm

i686:

http://download.fedoralegacy.org/redhat/7.3/updates/i386/kernel-2.4.20-37.7.legacy.i686.rpm


http://download.fedoralegacy.org/redhat/7.3/updates/i386/kernel-bigmem-2.4.20-37.7.legacy.i686.rpm


http://download.fedoralegacy.org/redhat/7.3/updates/i386/kernel-smp-2.4.20-37.7.legacy.i686.rpm

athlon:

http://download.fedoralegacy.org/redhat/7.3/updates/i386/kernel-2.4.20-37.7.legacy.athlon.rpm


http://download.fedoralegacy.org/redhat/7.3/updates/i386/kernel-smp-2.4.20-37.7.legacy.athlon.rpm

Red Hat Linux 9:

SRPM:

http://download.fedoralegacy.org/redhat/9/updates/SRPMS/kernel-2.4.20-37.9.legacy.src.rpm

i386:

http://download.fedoralegacy.org/redhat/9/updates/i386/kernel-2.4.20-37.9.legacy.i386.rpm


http://download.fedoralegacy.org/redhat/9/updates/i386/kernel-BOOT-2.4.20-39.7.legacy.i386.rpm


http://download.fedoralegacy.org/redhat/9/updates/i386/kernel-doc-2.4.20-39.7.legacy.i386.rpm


http://download.fedoralegacy.org/redhat/9/updates/i386/kernel-source-2.4.20-39.7.legacy.i386.rpm

i586:

http://download.fedoralegacy.org/redhat/9/updates/i386/kernel-2.4.20-37.9.legacy.i586.rpm


http://download.fedoralegacy.org/redhat/9/updates/i386/kernel-smp-2.4.20-37.9.legacy.i586.rpm

i686:

http://download.fedoralegacy.org/redhat/9/updates/i386/kernel-2.4.20-37.9.legacy.i686.rpm


http://download.fedoralegacy.org/redhat/9/updates/i386/kernel-bigmem-2.4.20-37.9.legacy.i686.rpm


http://download.fedoralegacy.org/redhat/9/updates/i386/kernel-smp-2.4.20-37.9.legacy.i686.rpm

athlon:

http://download.fedoralegacy.org/redhat/9/updates/i386/kernel-2.4.20-37.9.legacy.athlon.rpm


http://download.fedoralegacy.org/redhat/9/updates/i386/kernel-smp-2.4.20-37.9.legacy.athlon.rpm

7. Verification:

SHA1 sum Package Name


d5122c56d20371d25921a789f20b4a429f0ed0ee
7.3/updates/SRPMS/kernel-2.4.20-37.7.legacy.src.rpm
8a1c65a280190c3fc5102bb5a37db4a6d38dc38c
7.3/updates/i386/kernel-2.4.20-37.7.legacy.athlon.rpm
b7a9696838f7c981fa9dc7f016c626f068d77f32
7.3/updates/i386/kernel-2.4.20-37.7.legacy.i386.rpm
b01d2fc73b95e89a67b9490b7f7c4261be0b2d92
7.3/updates/i386/kernel-2.4.20-37.7.legacy.i586.rpm
2c64ea0f6f088eeb2a47eed62f20fce086695f1f
7.3/updates/i386/kernel-2.4.20-37.7.legacy.i686.rpm
e76f2bbdb94c0baa2d8c81df33f1f001b4eb6515
7.3/updates/i386/kernel-bigmem-2.4.20-37.7.legacy.i686.rpm
302b9f0ae8e4b8dc975b0243ada68287508d85e9
7.3/updates/i386/kernel-BOOT-2.4.20-37.7.legacy.i386.rpm
c63c54ec6da4d10a21cd768d9596edb463dab3f3
7.3/updates/i386/kernel-doc-2.4.20-37.7.legacy.i386.rpm
ca0abce4704e89972b4d55edc615d1ac77c9038a
7.3/updates/i386/kernel-smp-2.4.20-37.7.legacy.athlon.rpm
e151c2fe55bfb2ecc802ccbc82b176b6e6e32e27
7.3/updates/i386/kernel-smp-2.4.20-37.7.legacy.i586.rpm
8cddf2b85c8e0aa6442d111a4190c2b2ebc65d45
7.3/updates/i386/kernel-smp-2.4.20-37.7.legacy.i686.rpm
40595f8d08b8b631742cfb891168a96de36364f0
7.3/updates/i386/kernel-source-2.4.20-37.7.legacy.i386.rpm
4fdcc24dba64ef30ce49b170f6bbd3be98a129d8
9/updates/SRPMS/kernel-2.4.20-37.9.legacy.src.rpm
f93b63bc5a40f24351a2d7855aaa66aacf6b1349
9/updates/i386/kernel-2.4.20-37.9.legacy.athlon.rpm
15c94e731201db0ad89b41d9b2c35e7f85d6f517
9/updates/i386/kernel-2.4.20-37.9.legacy.i386.rpm
5ee67818d1902c1e7ef919e1986c4c6f5cb58b6c
9/updates/i386/kernel-2.4.20-37.9.legacy.i586.rpm
4a61fc7fd41a7d35cfcc25178ec5cb659ed3f6fe
9/updates/i386/kernel-2.4.20-37.9.legacy.i686.rpm
790eef91cb194f60ab6c9ec5b0c4f08365b02022
9/updates/i386/kernel-bigmem-2.4.20-37.9.legacy.i686.rpm
dd464f337d30580cd60b279d3b28f1ff972b718c
9/updates/i386/kernel-BOOT-2.4.20-37.9.legacy.i386.rpm
6283845b3af07cf065902f3e75312a3ef7b5c90a
9/updates/i386/kernel-doc-2.4.20-37.9.legacy.i386.rpm
25f86ab0bb3cfb9e1cf03e71af16c3d58e3db12b
9/updates/i386/kernel-smp-2.4.20-37.9.legacy.athlon.rpm
c3f2461bd36aba58139e3cb29e34ecf9e97f6daf
9/updates/i386/kernel-smp-2.4.20-37.9.legacy.i586.rpm
d03acba749f539607b3068670d8d2b12e7a98c02
9/updates/i386/kernel-smp-2.4.20-37.9.legacy.i686.rpm
65079b01af9d60ca90b6650690634aa5d0c79cfa
9/updates/i386/kernel-source-2.4.20-37.9.legacy.i386.rpm

These packages are GPG signed by Fedora Legacy for security. Our
key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm –checksig -v <filename>

If you only wish to verify that each package has not been
corrupted or tampered with, examine only the sha1sum with the
following command:

sha1sum <filename>

8. References:

https://bugzilla.fedora.us/show_bug.cgi?id=3D1484

https://bugzilla.fedora.us/show_bug.cgi?id=3D1804

9. Contact:

The Fedora Legacy security contact is <[email protected]>.
More project details at http://www.fedoralegacy.org

10. Special Notes:

If you use lilo, you will have to edit your lilo.conf file and
shorten the label of this kernel. The label is too long for lilo,
but not for grub.

This update removes support for the Broadcom 5820 cryptonet
hardware. If you need support for this device, you will need to
make special arrangements before applying this update.