194075 – sys-kernel/2.6.x CVE-2007{3731,3739,3740,4849}

Bug 194075 - sys-kernel/2.6.x CVE-2007{3731,3739,3740,4849}

Summary: sys-kernel/2.6.x CVE-2007{3731,3739,3740,4849}

Status:	RESOLVED DUPLICATE of bug 214184

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Kernel (show other bugs)
Hardware:	All Linux

Importance:	High normal (vote)
Assignee:	Gentoo Security

URL:	http://www.debian.org/security/2007/d...
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2007-09-28 11:43 UTC by Bernd Marienfeldt
Modified:	2008-03-21 23:59 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Bernd Marienfeldt 2007-09-28 11:43:24 UTC

Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. 


Reproducible: Always

Comment 1 Robert Buchholz (RETIRED) gentoo-dev

2007-09-28 13:16:50 UTC

CVE-2007-4573:
  The IA32 system call emulation functionality in Linux kernel 2.4.x and
  2.6.x before 2.6.22.7, when running on the x86_64 architecture, does not
  zero extend the eax register after the 32bit entry path to ptrace is
  used, which might allow local users to gain privileges by triggering
  an out-of-bounds access to the system call table using the %RAX register.

This is handled in bug 193386.

The others I don't know of:

CVE-2007-3731:
  The Linux kernel 2.6.20 and 2.6.21 does not properly handle an
  invalid LDT segment selector in %cs (the xcs field) during ptrace
  single-step operations, which allows local users to cause a denial
  of service (NULL dereference and OOPS) via certain code that makes
  ptrace PTRACE_SETREGS and PTRACE_SINGLESTEP requests, related to
  the TRACE_IRQS_ON function, and possibly related to the arch_ptrace
  function.

CVE-2007-3739:
  mm/mmap.c in the hugetlb kernel, when run on PowerPC systems, does
  not prevent stack expansion from entering into reserved kernel page
  memory, which allows local users to cause a denial of service (OOPS)
  via unspecified vectors.

CVE-2007-3740:
  The CIFS filesystem, when Unix extension support is enabled, does not
  honor the umask of a process, which allows local users to gain privileges.

CVE-2007-4849:
  JFFS2, as used on One Laptop Per Child (OLPC) build 542 and possibly
  other Linux systems, when POSIX ACL support is enabled, does not
  properly store permissions during (1) inode creation or (2) ACL
  setting, which might allow local users to access restricted files
  or directories after a remount of a filesystem, related to "legacy
  modes" and an inconsistency between dentry permissions and inode
  permissions.

Comment 2 Mike Pagano gentoo-dev

2008-03-20 12:18:51 UTC

Not sure how we want to whiteboard this since we have some many vulnerabilities in one bug:

CVE-2007-3731
[linux < 2.6.22.19][genpatches < 2.6.23-1]

CVE-2007-3739
[linux < 2.6.16.56][linux < 2.6.19.3][linux < 2.6.20][genpatches < 2.6.20-1]

CVE-2007-3740
[linux < 2.6.22][genpatches < 2.6.22-1]

CVE-2007-4849
[linux < 2.6.23][linux < 2.6.22.9][linux <= 2.6.21.7][linux < 2.6.20.16][linux < 2.6.19.3][genpatches < 2.6.23-1]

Comment 3 unnamedrambler 2008-03-21 19:32:13 UTC

Considering the affected intervals vary from CVE to CVE I think we should split this into individual bugs

Comment 4 unnamedrambler 2008-03-21 23:35:18 UTC

split into:
bug 214184 
bug 214186
bug 214188 
bug 214189

Not sure how this bug should be changed..  resolve as invalid or something?

Comment 5 unnamedrambler 2008-03-21 23:59:20 UTC


*** This bug has been marked as a duplicate of bug 214184 ***