Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code.

Reproducible: Always
CVE-2007-4573: The IA32 system call emulation functionality in Linux kernel 2.4.x and 2.6.x before 2.6.22.7, when running on the x86_64 architecture, does not zero-extend the eax register after the 32-bit entry path to ptrace is used, which might allow local users to gain privileges by triggering an out-of-bounds access to the system call table using the %RAX register. This is handled in bug 193386.

The others I don't know about:

CVE-2007-3731: The Linux kernel 2.6.20 and 2.6.21 does not properly handle an invalid LDT segment selector in %cs (the xcs field) during ptrace single-step operations, which allows local users to cause a denial of service (NULL dereference and OOPS) via certain code that makes ptrace PTRACE_SETREGS and PTRACE_SINGLESTEP requests, related to the TRACE_IRQS_ON function, and possibly related to the arch_ptrace function.

CVE-2007-3739: mm/mmap.c in the hugetlb kernel, when run on PowerPC systems, does not prevent stack expansion from entering into reserved kernel page memory, which allows local users to cause a denial of service (OOPS) via unspecified vectors.

CVE-2007-3740: The CIFS filesystem, when Unix extension support is enabled, does not honor the umask of a process, which allows local users to gain privileges.

CVE-2007-4849: JFFS2, as used on One Laptop Per Child (OLPC) build 542 and possibly other Linux systems, when POSIX ACL support is enabled, does not properly store permissions during (1) inode creation or (2) ACL setting, which might allow local users to access restricted files or directories after a remount of a filesystem, related to "legacy modes" and an inconsistency between dentry permissions and inode permissions.
Not sure how we want to whiteboard this since we have so many vulnerabilities in one bug:

CVE-2007-3731 [linux < 2.6.22.19][genpatches < 2.6.23-1]
CVE-2007-3739 [linux < 2.6.16.56][linux < 2.6.19.3][linux < 2.6.20][genpatches < 2.6.20-1]
CVE-2007-3740 [linux < 2.6.22][genpatches < 2.6.22-1]
CVE-2007-4849 [linux < 2.6.23][linux < 2.6.22.9][linux <= 2.6.21.7][linux < 2.6.20.16][linux < 2.6.19.3][genpatches < 2.6.23-1]
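The whiteboard above mixes mainline bounds (e.g. "linux < 2.6.23") with stable-branch backports (e.g. "linux < 2.6.22.9"), so a plain "is my version lower than any bound" check gives wrong answers for patched stable kernels. The script below is an added example, not tooling from this bug or from Gentoo: it copies the four "linux" interval lists from the comment and decides, for a kernel version string, which CVEs still apply. The interpretation is an assumption: if the whiteboard lists a four-component bound on the same stable branch as the running kernel (same first three components), that bound applies; otherwise the highest bound listed applies. Version strings with a Gentoo suffix such as "-gentoo-r9" are reduced to their numeric prefix. Function names and the sample versions are made up for the example.

```python
"""Check a kernel version against the per-CVE "linux" intervals from the
whiteboard comment above.  Added example, not the bug's or Gentoo's own
tooling; the branch-selection rule in _bound_for() is an assumption."""
import re

# Intervals copied from the whiteboard comment: (operator, bound).
# genpatches entries are omitted; only the "linux" bounds are checked.
AFFECTED = {
    "CVE-2007-3731": [("<", "2.6.22.19")],
    "CVE-2007-3739": [("<", "2.6.16.56"), ("<", "2.6.19.3"), ("<", "2.6.20")],
    "CVE-2007-3740": [("<", "2.6.22")],
    "CVE-2007-4849": [("<", "2.6.23"), ("<", "2.6.22.9"), ("<=", "2.6.21.7"),
                      ("<", "2.6.20.16"), ("<", "2.6.19.3")],
}


def parse_version(s):
    """Return the numeric components of a kernel version as a tuple.
    A suffix such as '-gentoo-r9' is dropped (assumption: the suffix does
    not change the upstream patch level the whiteboard refers to)."""
    m = re.match(r"\d+(?:\.\d+)*", s)
    if not m:
        raise ValueError("not a kernel version: %r" % s)
    return tuple(int(x) for x in m.group(0).split("."))


def _cmp(a, b):
    """Compare two version tuples, padding the shorter one with zeros so
    that 2.6.20 and 2.6.20.0 compare equal."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def _bound_for(version, intervals):
    """Select the bound that applies to this kernel (assumed rule):
    a four-component bound on the same stable branch (same first three
    components) wins; otherwise the highest bound listed is used, which
    is the mainline fix for lists that carry one."""
    parsed = [(op, parse_version(b)) for op, b in intervals]
    for op, bound in parsed:
        if len(bound) == 4 and bound[:3] == version[:3]:
            return op, bound
    return max(parsed, key=lambda ob: ob[1])


def is_affected(version_str, cve):
    """True if version_str falls inside the whiteboard interval for cve."""
    version = parse_version(version_str)
    op, bound = _bound_for(version, AFFECTED[cve])
    c = _cmp(version, bound)
    return c < 0 if op == "<" else c <= 0


def affected_cves(version_str):
    """All CVEs from the whiteboard that still apply to version_str."""
    return sorted(cve for cve in AFFECTED if is_affected(version_str, cve))


if __name__ == "__main__":
    # Constructed sample versions, not taken from any real system.
    for sample in ("2.6.19.2", "2.6.19.5", "2.6.20.16",
                   "2.6.21-gentoo-r4", "2.6.22.18", "2.6.23"):
        print(sample, affected_cves(sample) or "not affected")
```

The branch rule matters for the two CVEs with backports: 2.6.19.5 is past the 2.6.19.3 backport bound for CVE-2007-3739 and so is reported clean, whereas a naive comparison against "< 2.6.20" would flag it. Run it with the kernel string from `uname -r`.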
Considering the affected intervals vary from CVE to CVE I think we should split this into individual bugs
Split into: bug 214184, bug 214186, bug 214188, bug 214189. Not sure how this bug should be changed. Resolve as invalid or something?
*** This bug has been marked as a duplicate of bug 214184 ***