<?xml version="1.0" encoding="utf-8"?>
<?xml-stylesheet href="/xsl/glsa.xsl" type="text/xsl"?>
<?xml-stylesheet href="/xsl/guide.xsl" type="text/xsl"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">

<glsa id="200407-16">
  <title>Linux Kernel: Multiple DoS and permission vulnerabilities</title>
  <synopsis>
    Multiple permission vulnerabilities have been found in the Linux kernel,
    allowing an attacker to change the group IDs of files mounted on a remote
    filesystem (CAN-2004-0497), as well as an issue in 2.6 series kernels which
    allows /proc permissions to be bypassed. A context sharing vulnerability in
    vserver-sources is also handled by this advisory as well as CAN-2004-0447,
    CAN-2004-0496 and CAN-2004-0565. Patched or updated versions of these
    kernels have been released, and details are included in this
    advisory.
  </synopsis>
  <product type="ebuild">Kernel</product>
  <announced>July 22, 2004</announced>
  <revised>October 29, 2004: 02</revised>
  <bug>56171</bug>
  <bug>56479</bug>
  <access>local</access>
  <affected>
    <package name="sys-kernel/aa-sources" auto="no" arch="*">
      <unaffected range="rge">2.4.23-r2</unaffected>
      <unaffected range="ge">2.6.5-r5</unaffected>
      <vulnerable range="lt">2.6.5-r5</vulnerable>
    </package>
    <package name="sys-kernel/alpha-sources" auto="yes" arch="*">
      <unaffected range="ge">2.4.21-r9</unaffected>
      <vulnerable range="lt">2.4.21-r9</vulnerable>
    </package>
    <package name="sys-kernel/ck-sources" auto="no" arch="*">
      <unaffected range="rge">2.4.26-r1</unaffected>
      <unaffected range="ge">2.6.7-r5</unaffected>
      <vulnerable range="lt">2.6.7-r5</vulnerable>
    </package>
    <package name="sys-kernel/compaq-sources" auto="yes" arch="*">
      <unaffected range="ge">2.4.9.32.7-r8</unaffected>
      <vulnerable range="lt">2.4.9.32.7-r8</vulnerable>
    </package>
    <package name="sys-kernel/development-sources" auto="yes" arch="*">
      <unaffected range="ge">2.6.8_rc1</unaffected>
      <vulnerable range="lt">2.6.8_rc1</vulnerable>
    </package>
    <package name="sys-kernel/gentoo-dev-sources" auto="yes" arch="*">
      <unaffected range="ge">2.6.7-r8</unaffected>
      <vulnerable range="lt">2.6.7-r8</vulnerable>
    </package>
    <package name="sys-kernel/gentoo-sources" auto="yes" arch="*">
      <unaffected range="rge">2.4.19-r18</unaffected>
      <unaffected range="rge">2.4.20-r21</unaffected>
      <unaffected range="rge">2.4.22-r13</unaffected>
      <unaffected range="rge">2.4.25-r6</unaffected>
      <unaffected range="ge">2.4.26-r5</unaffected>
      <vulnerable range="lt">2.4.26-r5</vulnerable>
    </package>
    <package name="sys-kernel/grsec-sources" auto="yes" arch="*">
      <unaffected range="ge">2.4.26.2.0-r6</unaffected>
      <vulnerable range="lt">2.4.26.2.0-r6</vulnerable>
    </package>
    <package name="sys-kernel/gs-sources" auto="yes" arch="*">
      <unaffected range="ge">2.4.25_pre7-r8</unaffected>
      <vulnerable range="lt">2.4.25_pre7-r8</vulnerable>
    </package>
    <package name="sys-kernel/hardened-dev-sources" auto="yes" arch="*">
      <unaffected range="ge">2.6.7-r2</unaffected>
      <vulnerable range="lt">2.6.7-r2</vulnerable>
    </package>
    <package name="sys-kernel/hardened-sources" auto="yes" arch="*">
      <unaffected range="ge">2.4.26-r3</unaffected>
      <vulnerable range="lt">2.4.26-r3</vulnerable>
    </package>
    <package name="sys-kernel/hppa-dev-sources" auto="yes" arch="*">
      <unaffected range="ge">2.6.7_p1-r2</unaffected>
      <vulnerable range="lt">2.6.7_p1-r2</vulnerable>
    </package>
    <package name="sys-kernel/hppa-sources" auto="yes" arch="*">
      <unaffected range="ge">2.4.26_p6-r1</unaffected>
      <vulnerable range="lt">2.4.26_p6-r1</vulnerable>
    </package>
    <package name="sys-kernel/ia64-sources" auto="yes" arch="*">
      <unaffected range="ge">2.4.24-r7</unaffected>
      <vulnerable range="lt">2.4.24-r7</vulnerable>
    </package>
    <package name="sys-kernel/mm-sources" auto="yes" arch="*">
      <unaffected range="ge">2.6.7-r6</unaffected>
      <vulnerable range="lt">2.6.7-r6</vulnerable>
    </package>
    <package name="sys-kernel/openmosix-sources" auto="yes" arch="*">
      <unaffected range="ge">2.4.22-r11</unaffected>
      <vulnerable range="lt">2.4.22-r11</vulnerable>
    </package>
    <package name="sys-kernel/pac-sources" auto="yes" arch="*">
      <unaffected range="ge">2.4.23-r9</unaffected>
      <vulnerable range="lt">2.4.23-r9</vulnerable>
    </package>
    <package name="sys-kernel/planet-ccrma-sources" auto="yes" arch="*">
      <unaffected range="ge">2.4.21-r11</unaffected>
      <vulnerable range="lt">2.4.21-r11</vulnerable>
    </package>
    <package name="sys-kernel/pegasos-dev-sources" auto="yes" arch="*">
      <unaffected range="ge">2.6.7-r2</unaffected>
      <vulnerable range="lt">2.6.7-r2</vulnerable>
    </package>
    <package name="sys-kernel/pegasos-sources" auto="yes" arch="*">
      <unaffected range="ge">2.4.26-r3</unaffected>
      <vulnerable range="lt">2.4.26-r3</vulnerable>
    </package>
    <package name="sys-kernel/ppc-sources" auto="yes" arch="*">
      <unaffected range="ge">2.4.26-r3</unaffected>
      <vulnerable range="lt">2.4.26-r3</vulnerable>
    </package>
    <package name="sys-kernel/rsbac-sources" auto="yes" arch="*">
      <unaffected range="ge">2.4.26-r3</unaffected>
      <vulnerable range="lt">2.4.26-r3</vulnerable>
    </package>
    <package name="sys-kernel/rsbac-dev-sources" auto="yes" arch="*">
      <unaffected range="ge">2.6.7-r2</unaffected>
      <vulnerable range="lt">2.6.7-r2</vulnerable>
    </package>
    <package name="sys-kernel/selinux-sources" auto="no" arch="*">
      <unaffected range="ge">2.4.26-r2</unaffected>
      <vulnerable range="lt">2.4.26-r2</vulnerable>
    </package>
    <package name="sys-kernel/sparc-sources" auto="yes" arch="*">
      <unaffected range="ge">2.4.26-r3</unaffected>
      <vulnerable range="lt">2.4.26-r3</vulnerable>
    </package>
    <package name="sys-kernel/uclinux-sources" auto="yes" arch="*">
      <unaffected range="rge">2.4.26_p0-r3</unaffected>
      <unaffected range="ge">2.6.7_p0-r2</unaffected>
      <vulnerable range="lt">2.6.7_p0-r2</vulnerable>
    </package>
    <package name="sys-kernel/usermode-sources" auto="yes" arch="*">
      <unaffected range="rge">2.4.24-r6</unaffected>
      <unaffected range="rge">2.4.26-r3</unaffected>
      <unaffected range="ge">2.6.6-r4</unaffected>
      <vulnerable range="lt">2.6.6-r4</vulnerable>
    </package>
    <package name="sys-kernel/vserver-sources" auto="yes" arch="*">
      <unaffected range="ge">2.4.26.1.28-r1</unaffected>
      <vulnerable range="lt">2.4.26.1.28-r1</vulnerable>
    </package>
    <package name="sys-kernel/win4lin-sources" auto="yes" arch="*">
      <unaffected range="rge">2.4.26-r3</unaffected>
      <unaffected range="ge">2.6.7-r2</unaffected>
      <vulnerable range="lt">2.6.7-r2</vulnerable>
    </package>
    <package name="sys-kernel/wolk-sources" auto="yes" arch="*">
      <unaffected range="rge">4.9-r10</unaffected>
      <unaffected range="rge">4.11-r7</unaffected>
      <unaffected range="ge">4.14-r4</unaffected>
      <vulnerable range="lt">4.14-r4</vulnerable>
    </package>
    <package name="sys-kernel/xbox-sources" auto="yes" arch="*">
      <unaffected range="rge">2.4.26-r3</unaffected>
      <unaffected range="ge">2.6.7-r2</unaffected>
      <vulnerable range="lt">2.6.7-r2</vulnerable>
    </package>
    <package name="sys-kernel/mips-sources" auto="yes" arch="*">
      <unaffected range="ge">2.4.27</unaffected>
      <vulnerable range="lt">2.4.27</vulnerable>
    </package>
    <package name="sys-kernel/vanilla-sources" auto="yes" arch="*">
      <unaffected range="ge">2.4.27</unaffected>
      <vulnerable range="le">2.4.26</vulnerable>
    </package>
  </affected>
  <background>
    <p>
    The Linux kernel is responsible for managing the core aspects of a
    GNU/Linux system, providing an interface for core system applications as
    well as providing the essential structure and capability to access hardware
    that is needed for a running system.
    </p>
  </background>
  <description>
    <p>
    The Linux kernel allows a local attacker to mount a remote file system on a
    vulnerable Linux host and modify files' group IDs. On 2.4 series kernels
    this vulnerability only affects shared NFS file systems. This vulnerability
    has been assigned CAN-2004-0497 by the Common Vulnerabilities and Exposures
    project.
    </p>
    <p>
    Also, a flaw in the handling of /proc attributes has been found in 2.6
    series kernels, allowing the unauthorized modification of /proc entries,
    especially those which rely solely on file permissions to protect vital
    kernel parameters.
    </p>
    <p>
    An issue specific to the VServer Linux sources has been found, by which
    /proc related changes in one virtual context are applied to other contexts
    as well, including the host system.
    </p>
    <p>
    CAN-2004-0447 refers to a local DoS vulnerability on IA64 platforms which
    can cause unknown behaviour, and CAN-2004-0565 refers to a floating-point
    information leak on IA64 platforms by which registers of other processes
    can be read by a local user.
    </p>
    <p>
    Finally, CAN-2004-0496 covers several further unknown vulnerabilities in
    2.6 series Linux kernels older than 2.6.7, which were found by the Sparse
    source code checking tool.
    </p>
  </description>
  <impact type="high">
    <p>
    Incorrect group IDs can possibly cause a Denial of Service on parts of a
    host if the changed files normally require a special GID to operate
    properly. By exploiting this vulnerability, users in the original file
    group would also be blocked from accessing the changed files.
    </p>
    <p>
    The /proc attribute vulnerability allows local users who previously had no
    permissions on certain /proc entries to gain read, write and execute
    access to those entries.
    </p>
    <p>
    These new privileges can be used to cause unknown behaviour, ranging from
    reduced system performance to a Denial of Service, by manipulating various
    kernel options which are usually reserved for the superuser. This flaw
    might also be used to loosen restrictions set through /proc entries,
    allowing further attacks to take place through another, possibly
    unexpected, attack vector.
    </p>
    <p>
    The VServer issue can also be used to induce similar unexpected behaviour
    in other VServer contexts, including the host. Successful exploitation can
    cause a Denial of Service for other contexts by allowing only root to read
    certain /proc entries. Such a change would also be replicated to other
    contexts, preventing normal users in those contexts from reading /proc
    entries which could contain details needed by daemons running as a
    non-root user, for example.
    </p>
    <p>
    Additionally, this vulnerability allows an attacker to read information
    from another context, possibly one hosting a different server, gaining
    critical information such as which processes are running. This may be used
    to further the exploitation of either context.
    </p>
    <p>
    CAN-2004-0447 and CAN-2004-0496 cover various unknown local Denial of
    Service vulnerabilities with unknown impacts; these vulnerabilities could
    possibly be used to elevate privileges or to access reserved kernel
    memory, which can in turn be used for further exploitation of the system.
    </p>
    <p>
    CAN-2004-0565 allows FPU register values of other processes to be read by a
    local user who sets the MFH bit during a floating-point operation. Since
    only the MFH bit was checked, with no check in place to ensure that the FPH
    bit was owned by the requesting process, an attacker can simply set the
    MFH bit and access the FPU registers of processes running as other users,
    possibly including those running as root.
    </p>
  </impact>
  <workaround>
    <p>
    2.4 users may not be affected by CAN-2004-0497 if they do not use remote
    network filesystems and do not have support for any such filesystems in
    their kernel configuration. All 2.6 users are affected by the /proc
    attribute issue and the only known workaround is to disable /proc support.
    The VServer flaw applies only to vserver-sources, and no workaround is
    currently known for the issue. There is no known fix for CAN-2004-0447,
    CAN-2004-0496 or CAN-2004-0565 other than to upgrade the kernel to a
    patched version.
    </p>
    <p>
    As a result, all users affected by any of these vulnerabilities should
    upgrade their kernels to ensure the integrity of their systems.
    </p>
  </workaround>
  <resolution>
    <p>
    Users are encouraged to upgrade to the latest available sources for their
    system:
    </p>
    <code>
    # emerge sync
    # emerge -pv your-favorite-sources
    # emerge your-favorite-sources

    # # Follow usual procedure for compiling and installing a kernel.
    # # If you use genkernel, run genkernel as you would do normally.</code>
  </resolution>
  <references>
    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0447">CAN-2004-0447</uri>
    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0496">CAN-2004-0496</uri>
    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0497">CAN-2004-0497</uri>
    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0565">CAN-2004-0565</uri>
    <uri link="http://www.securityfocus.com/archive/1/367977">VServer /proc Context Vulnerability</uri>
  </references>
  <metadata tag="submitter">
    plasmaroo
  </metadata>
</glsa>