Bug 147590 - Kernel: drivers/scsi/sg.c local DoS (CVE-2006-1528)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Kernel
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://kernel.org/pub/linux/kernel/v2...
Whiteboard: [linux <2.4.33.1][linux >=2.6 <2.6.13]
Reported: 2006-09-14 10:45 UTC by Gustavo Zacarias (RETIRED)
Modified: 2009-07-13 12:10 UTC

Description Gustavo Zacarias (RETIRED) gentoo-dev 2006-09-14 10:45:35 UTC
From 2.4.33.3:
[SCTP] Fix sctp_primitive_ABORT() call in sctp_close()
Fix possible UDF deadlock and memory corruption (CVE-2006-4145)

From 2.4.33.2:
[SCTP] Local privilege elevation - CVE-2006-3745

From 2.4.33.1:
drivers/scsi/sg.c : fix CVE-2006-1528

2.4.33 fixed security bugs against 2.4.32 but iirc we've got those already fixed in previous patches.
sparc-sources-2.4.33.3 is already in the tree as ~sparc with the latest mojo.
Comment 1 Harlan Lieberman-Berg (RETIRED) gentoo-dev 2006-10-27 13:01:47 UTC
First fix is DUPLICATE. Third is fixed by time window.
Comment 2 Harlan Lieberman-Berg (RETIRED) gentoo-dev 2006-11-01 19:10:13 UTC
Note to self -- Add CC's.
Comment 3 Harlan Lieberman-Berg (RETIRED) gentoo-dev 2006-12-15 08:16:26 UTC
xen-sources, systrace-sources, both of you need to bump this to 2.6.17.10. Again, due for hardmask on the 19th for 144820, date applies here.
Comment 4 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2006-12-23 18:40:54 UTC
from http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.34

v2.4.34-rc4
Call init_timer() for ISDN PPP CCP reset state timer (CVE-2006-5749)

v2.4.34-rc3
Fix incorrect user space access locking in mincore() (CVE-2006-4814)

v2.4.34-rc2
[Bluetooth] Add packet size checks for CAPI messages (CVE-2006-6106)

v2.4.34-pre2
drivers/scsi/sg.c : fix CVE-2006-1528
Fix possible UDF deadlock and memory corruption (CVE-2006-4145)
[SCTP] Local privilege elevation - CVE-2006-3745

Comment 5 Harlan Lieberman-Berg (RETIRED) gentoo-dev 2007-02-13 16:17:03 UTC
Xen, are you still vulnerable?
Comment 6 Andrew Ross (RETIRED) gentoo-dev 2007-02-14 08:23:33 UTC
(In reply to comment #0)

> [SCTP] Fix sctp_primitive_ABORT() call in sctp_close()
> Fix possible UDF deadlock and memory corruption (CVE-2006-4145)

Fixed upstream in 2.6.16.28 (http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.28).

> [SCTP] Local privilege elevation - CVE-2006-3745

Fixed upstream in 2.6.16.28 (http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.28).

> drivers/scsi/sg.c : fix CVE-2006-1528
 
According to http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1528, 2.6.16 was never affected by this.
Comment 7 Bjoern Tropf (RETIRED) gentoo-dev 2009-07-13 12:10:30 UTC
(In reply to comment #4)

CVE-2006-3745:
https://bugs.gentoo.org/show_bug.cgi?id=144820

CVE-2006-4145:
https://bugs.gentoo.org/show_bug.cgi?id=143538

CVE-2006-5749:
https://bugs.gentoo.org/show_bug.cgi?id=158809

CVE-2006-4814:
https://bugs.gentoo.org/show_bug.cgi?id=170857

CVE-2006-6106:
https://bugs.gentoo.org/show_bug.cgi?id=158791

CVE-2006-1528: (this bug)
Linux kernel before 2.6.13 allows local users to cause a denial of service (crash) via a dio transfer from the sg driver to memory mapped (mmap) IO space.