Bug 59378 - sys-kernel/*: file offset pointer handling vulnerability
Bug#: 59378
Product: Gentoo Linux
Version: unspecified
Platform: All
OS/Version: All
Status: RESOLVED
Severity: normal
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: carlo@gentoo.org
Component: Security
URL: http://isec.pl/vulnerabilities/isec-0016-procleaks.txt
Summary: sys-kernel/*: file offset pointer handling vulnerability
Keywords:
Status Whiteboard: A4 [kernel]
Opened: 2004-08-04 04:34 0000

Description:
There are two different versions of the file handling API inside recent
Linux kernels: the old 32 bit and the new (LFS) 64 bit API. We have
identified numerous places where invalid conversions from 64 bit sized
file offsets to 32 bit ones, as well as insecure access to the file
offset member variable, take place.

We have found that most of the /proc entries (like /proc/version) leak
about one page of uninitialized kernel memory and can be exploited to
obtain sensitive data.

Tested and known to be vulnerable kernel versions are all <= 2.4.26 and
<= 2.6.7. All users are encouraged to patch all vulnerable systems as
soon as appropriate vendor patches are released. There is no hotfix for
this vulnerability.

Exploit included. That's fun! :(
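
An added example in C, not taken from the advisory or from any of the Gentoo kernel patches, modelling the two defects the description names: a bounds check performed on a 32-bit narrowing of the 64-bit file offset, and a check against the page size rather than the number of bytes actually written into the page. The handler layout, the names vuln_locate/safe_locate and the sample values are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

typedef int64_t loff_t;      /* LFS 64-bit file offset, the "new" API */
#define PAGE_SIZE 4096LL     /* buffer backing a /proc entry (constructed model) */

/* Model: a /proc entry renders content_len bytes into a PAGE_SIZE buffer.
 * Each function returns the index a read at `pos` would copy from, or -1
 * when the read is (correctly) refused. No memory is actually read. */

/* Vulnerable pattern (assumed for illustration, not kernel code):
 * 1. the offset is narrowed to 32 bits before the check, so the high
 *    bits are dropped and pos = k * 2^32 looks like a small offset;
 * 2. the check is against the page, not against the bytes written into
 *    it, so offsets in [content_len, PAGE_SIZE) return the unfilled tail
 *    of the page, i.e. whatever was in that kernel memory before. */
long long vuln_locate(loff_t pos, long long content_len) {
    unsigned int off = (unsigned int)pos;        /* invalid 64 -> 32 bit conversion */
    (void)content_len;                            /* never consulted */
    if (off >= (unsigned int)PAGE_SIZE) return -1;
    return (long long)pos;                        /* copy from page + pos */
}

/* Hardened: validate the offset at its full 64-bit width against the
 * bytes actually produced, and only then use it. */
long long safe_locate(loff_t pos, long long content_len) {
    if (pos < 0 || pos >= content_len) return -1;
    return (long long)pos;                        /* within [0, content_len) */
}

/* Classify what a copy starting at `start` would expose. */
int reads_outside_page(long long start) { return start < 0 || start >= PAGE_SIZE; }
int reads_unfilled_tail(long long start, long long content_len) {
    return start >= content_len && start < PAGE_SIZE;
}

int main(void) {
    const long long len = 64;                     /* e.g. a short /proc/version */
    loff_t probes[] = { 10, 100, (loff_t)1 << 32 };
    for (int i = 0; i < 3; i++) {
        long long v = vuln_locate(probes[i], len), s = safe_locate(probes[i], len);
        printf("pos=%lld vuln=%lld (outside=%d, tail=%d) safe=%lld\n",
               (long long)probes[i], v, reads_outside_page(v),
               reads_unfilled_tail(v, len), s);
    }
    return 0;
}
```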

------- Comment #1 From Thierry Carrez (RETIRED) 2004-08-04 08:15:08 0000 -------
CAN-2004-0415

------- Comment #2 From solar 2004-08-04 11:43:40 0000 -------
Patched in grsec-sources-2.4.26.2.0-r7.ebuild with 
http://dev.gentoo.org/~plasmaroo/patches/kernel/misc/security/linux-2.4.26-CAN-2004-0415.patch

Note to other kernel maintainers. 
This patch is 80k and thus too large for ${FILESDIR}, so please use the SRC_URI=

------- Comment #3 From Tim Yamin (RETIRED) 2004-08-04 12:26:32 0000 -------
Patches for 2.4.{19, 2[0123456]} as well as 2.6.7 are also there at
http://dev.gentoo.org/~plasmaroo/patches/kernel/misc/security/...

------- Comment #4 From Andrea Luzzardi 2004-08-04 13:01:44 0000 -------
hardened-sources patched (2.4.26-r4).

------- Comment #5 From Guillaume Destuynder (RETIRED) 2004-08-04 18:50:55 0000 -------
rsbac-(dev-)sources patched

------- Comment #6 From Tim Yamin (RETIRED) 2004-08-05 07:17:08 0000 -------
All done, everything should now be patched. The following sources remain, and
I'm adding their maintainers to the CC list:

gentoo-dev-sources: Adding gregkh...
hardened-dev-sources: hardened@gentoo.org is already on the list...
hppa-(dev-)sources: Adding GMSoft...
mips-sources: Adding `Kumba...
openmosix-sources: Adding cluster herd...
{ppc, pegasos(dev-)}-sources: Adding dholm...
sparc-sources: Adding Joker...
selinux-sources: Adding pebenito...

------- Comment #7 From Konstantin Arkhipov 2004-08-05 08:13:41 0000 -------
openmosix-sources patched

------- Comment #8 From Joshua Kinard 2004-08-05 22:04:37 0000 -------
mips-sources fixed.

------- Comment #9 From Greg Kroah-Hartman 2004-08-06 17:11:51 0000 -------
gentoo-dev-sources fixed in release 2.6.7-r12

------- Comment #10 From Brandon Hale (RETIRED) 2004-08-06 18:45:02 0000 -------
Fixed in hardened-dev-sources.

------- Comment #11 From David Holm (RETIRED) 2004-08-08 04:13:03 0000 -------
ppc-sources, pegasos-sources, and pegasos-dev-sources have been fixed.

------- Comment #12 From solar 2004-08-08 08:53:08 0000 -------
Removing hardened@ but leaving  pebenito@ on the list for selinux-sources

------- Comment #13 From Guy Martin 2004-08-09 16:33:22 0000 -------
Fixed on hppa.

------- Comment #14 From Gustavo Zacarias (RETIRED) 2004-08-12 05:48:26 0000 -------
sparc-sources-2.4.27 is out and stable courtesy of Joker, fixed.
Joker: I'm just removing sparc@ from this, feel free to remove yourself.

------- Comment #15 From Christian Birchinger 2004-08-12 09:25:01 0000 -------
sparc-sources-2.4.27 released

------- Comment #16 From Chris PeBenito 2004-08-13 20:11:30 0000 -------
selinux-src fixed

------- Comment #17 From Tim Yamin (RETIRED) 2004-08-26 04:49:59 0000 -------
GLSA 200408-24.