source: http://secunia.com/advisories/13308/
Affected: 2.4.x + 2.6.x
Description: Two vulnerabilities have been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service) or gain knowledge of potentially sensitive information.
1) An unspecified error can be exploited via a specially crafted a.out binary to cause a DoS.
2) A race condition within the memory management can be exploited to disclose the content of random physical memory pages.
Original Advisory: http://www.suse.de/de/security/2004_01_sr.html
Reproducible: Always
Steps to Reproduce:
Created attachment 45056: 2.6 Patch (a.out)
Patch by Chris Wright to fix CAN-2004-1074 (issue #1 mentioned in this bug)
Ok, do we have a patch for issue #2 or has SuSE finally released their kernel updates...?
Created attachment 45071: 2.4 Patch (a.out)
It sounds to me like #2 is just a dupe of bug 72317. (see also: http://www.suse.de/de/security/2004_42_kernel.html)
All done, the following externally maintained sources need maintainer magic:
grsec-sources - Solar, I think you've fixed this? Confirm please.
gentoo-dev-sources - Adding dsd...
hardened(-dev)-sources - Adding hardened herd...
hppa(-dev)-sources - Adding GMSoft...
mips-sources - Adding Kumba...
openmosix-sources - Adding cluster herd...
pegasos-dev-sources - Adding dholm...
rsbac(-dev)-sources - Adding kang...
sparc-sources - Adding Joker...
This 2.6 patch should also be applied after attachment 45056: http://linux.bkbits.net:8080/linux-2.6/cset@1.2055.1.182?nav=index.html|src/|src/fs|related/fs/exec.c
Created attachment 45171: 2.6.7 version of the 2nd vma fix
2.6.7 version of the patch mentioned in comment 6
sparc-sources-2.4.28-r1 released.
grsec-sources-2.4.28 has not had any additional security patches added to it yet. Uptime is only 5 days and I'm not looking forward to patching the kernel again. Debating dropping grsec-sources altogether.
mips-sources fixed.
Created attachment 45193: 2.6.8 version of the 2nd vma fix
2.6.8 version of the patch mentioned in comment 6
Well, I went to patch grsec-sources this morning but I see that somebody has totally fsked it up. That would be you, dsd. Please fix what you broke.
Fixed in ~arch hardened-sources-2.4.28
gentoo-dev-sources done
pegasos-dev-sources fixed
oM-sources: fixed in ~x86.
~x86 hardened-dev-sources fixed
Done on hppa(-dev)-sources.
|- rsbac-dev-sources: done in r10
|- rsbac-sources: done in r1
grsec is done.
All kernels appear to be done at this point. Removing extra CC'd people.
Created attachment 46349: 2.4.28 VMA Patch
~x86 hardened-sources-2.4.28-r1 updated for VMA patch
Created attachment 46830: 2.4.28 VMA Patch (Requires a.out patch)
Created attachment 46831: 2.4.28 VMA Patch (Use with GRSecurity-enabled kernels; requires a.out patch)
Created attachment 46836: 2.6.9 VMA Patch
Ok, all patched - the following externally maintained sources need to make sure they also have the VMA patches for both 2.4 and 2.6 applied.
*NOTE* If you already have done this (for both branches if applicable), please state so on this bug. Thanks!
grsec-sources -- Adding tocharian...
hppa(-dev)-sources -- Adding GMSoft...
mips-sources -- Adding Kumba...
openmosix-sources -- Adding cluster herd...
pegasos-dev-sources -- Adding dholm...
rsbac(-dev)-sources -- Adding kang...
sparc-sources -- Adding Joker...
Fixed, sparc-sources-2.4.28-r3 released.
pegasos-dev-sources should be fixed
grsec-sources-2.4.28.2.0.2-r3 has updated VMA patch
done in oM6-sources
2.4 is dropped on hppa and I've added 2.6.10-pa1, which doesn't seem affected by this problem.
rsbac-sources: all fixed/updated (old -dev also, so)
All kernels fixed, closing bug; notifications are being migrated away from GLSAs for kernels, more news coming soon so stay tuned :-]
A little heads-up: Committed to 2.6: http://linux.bkbits.net:8080/linux-2.6/cset@41a6721cce-LoPqkzKXudYby_3TUmg
"This is the issue covered by CAN-2004-1074 where an improperly formed binary can cause an oops. Since this got fixed separately for 64 bit binaries and a number of distros (like RedHat) will have fixed one but not the other it deserves its own CVE name (split due to version), CAN-2005-0003."
I don't understand everything :) Please double-check we're OK :)
http://git.kernel.org/?p=linux/kernel/git/tglx/history.git;a=commit;h=3b5390826a85bad36012fe78c3052794ae418e54