SUSE Linux Advisory: kernel

SUSE Security Announcement

Package:	Linux Kernel
Announcement-ID:	SuSE-SA:2004:001
Date:	Monday, Jan 5th 2004 20:27 MET
Affected products:	8.0, 8.1, 8.2, 9.0 SuSE Linux Enterprise Server 7, SuSE Linux Database Server, SuSE eMail Server III, 3.1 SuSE Linux Firewall on CD/Admin host SuSE Linux Office Server SuSE Linux Desktop 1.0 SuSE Linux School Server
Vulnerability Type:	local system compromise
Severity (1-10):	6
SUSE default package:	yes
Cross References:

Content of this advisory:

security vulnerability resolved:
- incorrect bounds checking problem description, discussion,
  solution and upgrade information
pending vulnerabilities, solutions, workarounds:
- mc
- mod_gzip
- tripwire
- cvs
- irssi
- atftp
standard appendix (further information)

1) problem description, brief discussion, solution, upgrade
information

The do_mremap() function of the Linux Kernel is used to manage
(move, resize) Virtual Memory Areas (VMAs). By exploiting an
incorrect bounds check in do_mremap() during the remapping of
memory it is possible to create a VMA with the size of 0. In normal
operation do_mremap() leaves a memory hole of one page and creates
an additional VMA of two pages. In case of exploitation no hole is
created but the new VMA has a 0 bytes length. The Linux Kernel’s
memory management is corrupted from this point and can be abused by
local users to gain root privileges.

There is no temporary workaround for this bug.

Please note that on 8.1, the kernel-source package may not be
installable through rpm, because of a bug in RPM (update of the
kernel source RPM may take 30 minutes or more, or fail entirely).
Owing to this problem, the kernel source is not available as a
regular YOU update.

However, recognizing our obligation to publish the source along
with the binary packages, we are making the source available as a
compressed tar archive, downloadable from the normal FTP
locations

SPECIAL INSTALL INSTRUCTIONS:

The following paragraphs will guide you through the installation
process in a step-by-step fashion. The character sequence “****”
marks the beginning of a new paragraph. In some cases, you decide
if the paragraph is needed for you or not. Please read through all
of the steps down to the end. All of the commands that need to be
executed are required to be run as the superuser (root). Each step
relies on the steps before to complete successfully.

Step 1: Determine the needed kernel type

Please use the following command to find the kernel type that is
installed on your system:

rpm -qf /boot/vmlinuz

The following options are possible (disregarding the version and
build number following the name, separated by the “-”
character):

k_deflt	# default kernel, good for most systems.
k_i386	# kernel for older processors and chipsets
k_athlon	# kernel made specifically for AMD Athlon(tm) family processors
k_psmp	# kernel for Pentium-I dual processor systems
k_smp	# kernel for SMP systems (Pentium-II and above)
k_smp4G	# kernel for SMP systems which supports a maximum of 4G of RAM

Step 2: Download the package for your system
Please download the kernel RPM package for your distribution
with the name starting as indicated by Step 1. The list of all
kernel rpm packages is appended below. Note: The kernel-source
package does not contain any binary kernel in bootable form.
Instead, it contains the sources that the binary kernel rpm
packages are made from. It can be used by administrators who have
decided to build their own kernel. Since the kernel-source.rpm is
an installable (compiled) package that contains sources for the
linux kernel, it is not the source RPM for the kernel RPM binary
packages.

The kernel RPM binary packages for the distributions can be
found at these locations below ftp://ftp.suse.com/pub/suse/i386/update/.

8.0/images/
8.1/rpm/i586
8.2/rpm/i586
9.0/rpm/i586

After downloading the kernel RPM package for your system, you
should verify the authenticity of the kernel rpm package using the
methods as listed in section 3) of each SUSE Security
Announcement.
Step 3: Installing your kernel rpm package
Install the rpm package that you have downloaded in Steps 3 or 4
with the command

rpm -Uhv –nodeps –force <K_FILE.RPM>

where <K_FILE.RPM> is the name of the rpm package that you
downloaded.

Warning: After performing this step, your system will likely not
be able to boot if the following steps have not been fully
applied.

If you run SUSE LINUX 8.1 and haven’t applied the previous
kernel update (SUSE-SA:2003:034), AND use the freeswan package, you
also need to update the freeswan rpm as a dependency as offered by
YOU (Yast Online Update). The package can be downloaded from
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/
Step 4: configuring and creating the initrd
The initrd is a ramdisk that is being loaded into the memory of
your system together with the kernel boot image by the bootloader.
The kernel uses the content of this ramdisk to execute commands
that must be run before the kernel can mount its actual root
filesystem. It is usually used to initialize scsi drivers or NIC
drivers for diskless operation.

The variable INITRD_MODULES in /etc/sysconfig/kernel determines
which kernel modules will be loaded in the initrd before the kernel
has mounted its actual root filesystem. The variable should contain
your scsi adapter (if any) or filesystem driver modules.

With the installation of the new kernel, the initrd has to be
re-packed with the update kernel modules. Please run the
command

mk_initrd

as root to create a new init ramdisk (initrd) for your system.
On SuSE Linux 8.1 and later, this is done automatically when the
RPM is installed.
Step 5: bootloader
If you have a 7.x system, you must now run the command

lilo

as root to initialize the lilo bootloader for your system. Then
proceed to the next step.

If you run a SUSE LINUX 8.x or a SLES8 system, there are two
options: Depending on your software configuration, you have the
lilo bootloader or the grub bootloader installed and initialized on
your system. The grub bootloader does not require any further
actions to be performed after the new kernel images have been moved
in place by the rpm Update command.
If you have a lilo bootloader installed and initialized, then the
lilo program must be run as root. Use the command

grep LOADER_TYPE /etc/sysconfig/bootloader

to find out which boot loader is configured. If it is lilo, then
you must run the lilo command as root. If grub is listed, then your
system does not require any bootloader initialization.

Warning: An improperly installed bootloader may render your
system unbootable.
Step 6: reboot
If all of the steps above have been successfully applied to your
system, then the new kernel including the kernel modules and the
initrd should be ready to boot. The system needs to be rebooted for
the changes to become active. Please make sure that all steps are
complete, then reboot using the command

shutdown -r now
or

init 6

Your system should now shut down and reboot with the new
kernel.

Our maintenance customers are being notified individually. The
packages are being offered to install from the maintenance web.

Please download the update package for your distribution and
verify its integrity by the methods listed in section 3) of this
announcement. Then, install the package using the command “rpm -Fhv
file.rpm” to apply the update.
Our maintenance customers are being notified individually. The
packages are being offered to install from the maintenance web.

Missing packages will be published later.

Intel i386 Platform:

Opteron x86_64 Platform:

SuSE-9.0:

ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/k_deflt-2.4.21-171.x86_64.rpm
3dd54a4105bad6c4f3084e70aaa45410
source rpm(s):

ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/src/k_deflt-2.4.21-171.src.rpm
d88ca0142409a98a7e4e9f4f7b2e9bf8

ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/k_smp-2.4.21-171.x86_64.rpm
b97e9d91ef710b0b801536294d99ba1a
source rpm(s):

ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/src/k_smp-2.4.21-171.src.rpm
6221b0f5893499f5926c9dd529fceb5c

ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/kernel-source-2.4.21-171.x86_64.rpm
1a27668dff4ae3c405f18399432a326e
source rpm(s):

ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/src/kernel-source-2.4.21-171.src.rpm
301e1d8ac232d3a000f373a928deee5f

2) Pending vulnerabilities in SUSE Distributions and
Workarounds:

mc By using a special combination of links in archive-files it
is possible to execute arbitrary commands while mc tries to open it
in its VFS. The packages will be release as soon.
mod_gzip The apache module mod_gzip is vulnerable to remote
code execution while running in debug-mode. We do not ship this
module in debug-mode but future versions will include the fix.
Additionally the mod_gzip code was audited to fix more possible
security related bugs.
tripwire Tripwire is a file integrity checker. The tripwire
version on SuSE Linux 8.2 and 9.0 do crash when a requested file
does not exists. New packages will be available soon.
cvs The cvs server-side can be tricked to create files in the
root filesystem of the server by requesting malformed modules. The
permissions on the root filesystem normally prevent this
malfunction. New packages will be available soon.
irssi Under special circumstances the the irc-client irssi can
be crashed remotely by other irc-clients. New packages are
available on our FTP servers.
atftp A buffer overflow vulnerability discovered by Rick Patel
has been fixed in the atftpd (trivial file transfer protocol, UDP
oriented) daemon, contained in the atftp package. Update packages
for the affected SUSE Linux distributions 8.1 and 8.2 have been
published on our ftp server today. We explicitly thank Dirk
Mueller, KDE developer, for notifying SUSE Security about the
pending treatment of this incident. New packages are available on
our FTP servers.

3) standard appendix: authenticity verification, additional
information

Package authenticity verification:
SUSE update packages are available on many mirror ftp servers
all over the world. While this service is being considered valuable
and important to the free and open source software community, many
users wish to be sure about the origin of the package and its
content before installing the package. There are two verification
methods that can be used independently from each other to prove the
authenticity of a downloaded file or rpm package:
1. md5sums as provided in the (cryptographically signed)
  announcement.
2. using the internal gpg signatures of the rpm package.
3. execute the command
  md5sum <name-of-the-file.rpm>
  after you downloaded the file from a SUSE ftp server or its
  mirrors. Then, compare the resulting md5sum with the one that is
  listed in the announcement. Since the announcement containing the
  checksums is cryptographically signed (usually using the key
  security@suse.de), the
  checksums show proof of the authenticity of the package. We
  disrecommend to subscribe to security lists which cause the email
  message containing the announcement to be modified so that the
  signature does not match after transport through the mailing list
  software. Downsides: You must be able to verify the authenticity of
  the announcement in the first place. If RPM packages are being
  rebuilt and a new version of a package is published on the ftp
  server, all md5 sums for the files are useless.
4. rpm package signatures provide an easy way to verify the
  authenticity of an rpm package. Use the command
  rpm -v –checksig <file.rpm>
  to verify the signature of the package, where <file.rpm> is
  the filename of the rpm package that you have downloaded. Of
  course, package authenticity verification can only target an
  un-installed rpm package file. Prerequisites:
  1. gpg is installed
  2. The package is signed using a certain key. The public part of
    this key must be installed by the gpg program in the directory
    ~/.gnupg/ under the user’s home directory who performs the
    signature verification (usually root). You can import the key that
    is used by SUSE in rpm packages for SUSE Linux by saving this
    announcement to a file (“announcement.txt”) and running the command
    (do “su -” to be root):
    gpg –batch; gpg < announcement.txt | gpg –import
    SUSE Linux distributions version 7.1 and thereafter install the key
    “build@suse.de” upon
    installation or upgrade, provided that the package gpg is
    installed. The file containing the public key is placed at the
    top-level directory of the first CD (pubring.gpg) and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de
    .
SUSE runs two security mailing lists to which any interested
party may subscribe:

suse-security@suse.com
general/linux/SUSE security discussion.
All SUSE security announcements are sent to this list. To
subscribe, send an email to

<suse-security-subscribe@suse.com>.

suse-security-announce@suse.com
SUSE’s announce-only mailing list.
Only SUSE’s security announcements are sent to this list. To
subscribe, send an email to

<suse-security-announce-subscribe@suse.com>.

For general information or the frequently asked questions (faq)
send mail to:

<suse-security-info@suse.com>
or
<suse-security-faq@suse.com>
respectively.

SUSE’s security contact is <security@suse.com> or
<security@suse.de>.

The <security@suse.de> public key is
listed below.

The information in this advisory may be distributed or
reproduced, provided that the advisory is not modified in any way.
In particular, it is desired that the clear-text signature shows
proof of the authenticity of the text.
SUSE Linux AG makes no warranties of any kind whatsoever with
respect to the information contained in this security advisory.

Type	Bits/KeyID	Date	User ID
pub	2048R/3D25D3D9	1999-03-06	SuSE Security Team <security@suse.de>
pub	1024D/9C800ACA	2000-10-19	SuSE Package Signing Key <build@suse.de>

SUSE Linux Advisory: kernel

SPECIAL INSTALL INSTRUCTIONS:

Get the Free Newsletter!

Must Read

Mesa 25.1 Open-Source Graphics Stack Officially Released, This Is What’s New

Fwupd 2.0.9 Linux Firmware Updater Adds Support for Intel Arc ‘Battlemage’ GPUs

Raspberry Pi OS Gets New Printers App, Linux 6.12 LTS, and Wayland Improvements

4 Best Free and Open Source Graphical SSH Frontends

Best Free and Open Source Alternatives to Apple Siri

Our Brands