On Wed, Jul 07, 2004 at 03:17:37PM +0200, Francesco P. Lovergine wrote:
> On Wed, Jul 07, 2004 at 03:29:48AM -0700, William Lee Irwin III wrote:
> > On Wed, Jul 07, 2004 at 11:44:06AM +0900, Horms wrote:
> > > What needs to be done?
> >
> > Basically, update cvs to the current 2.4 in order to get security fixes
> > from newer mainline 2.4, and send out packages.
>
> Just a comment: there's not a single CVE# reference in the changelog for the
> whole year 2004. That's a bad habit, because it causes nightmares when
> security patches need to be verified. What follows are issues to be
> checked for 2.4.26 and 2.6.7, AFAIK.

I noticed this too and have been meaning to send a message very similar
to what you have below. I have also gone through and determined which
version of the 2.4 kernel each bug is fixed in. This might help our
cause. You can see my efforts at http://www.ultramonkey.org/bugs/cve/

I believe most of the CAN-2003/2004 entries that are not in the
changelog (which in the case of 2004, is all of them) by CAN number are
resolved in 2.4.26, and all of them are resolved in 2.4.27-rc3.

I am also very concerned that there have been no security updates for
the woody kernel for quite some time. I am particularly concerned about
CAN-2004-0554, which you listed below.

I have added some additional information below that may be helpful. I
have also added other CAN entries that I believe should be in the
Changelog. I have only investigated the 2.4.26 debian kernel and the
woody kernel, the former more thoroughly than the latter. I have not
looked at 2.6, but I believe most of these bugs do not apply to 2.6.7.
Also, I only looked at the i386 debian package.

* CAN-2003-0001: Multiple ethernet Network Interface Card (NIC) device
  drivers do not pad frames with null bytes, which allows remote
  attackers to obtain information from previous packets or kernel memory
  by using malformed packets, as demonstrated by Etherleak.
  (text:CAN-2003-0001)

  Resolved in:
    upstream:  2.4.21-pre5
    woody:     2.4.18-7
    sid/sarge: 2.4.20-5

* CAN-2003-0018: Linux kernel 2.4.10 through 2.4.21-pre4 does not
  properly handle the O_DIRECT feature, which allows local attackers
  with write privileges to read portions of previously deleted files, or
  cause file system corruption. This bug has been fixed by disabling
  O_DIRECT.
  (text:DSA-358-4)

  Resolved in:
    upstream:  2.4.21-pre4
    woody:     2.4.18-11
    sid/sarge: 2.4.21-1

* CAN-2003-0127: The kernel module loader in Linux kernel 2.2.x before
  2.2.25, and 2.4.x before 2.4.21, allows local users to gain root
  privileges by using ptrace to attach to a child process that is
  spawned by the kernel.
  (text:CAN-2003-0127)

  Resolved in:
    upstream:  2.4.21-rc2
    woody:     2.4.18-8
    sid/sarge: 2.4.20-6

* CAN-2003-0187: The connection tracking core of Netfilter for Linux
  2.4.20, with CONFIG_IP_NF_CONNTRACK enabled or the ip_conntrack module
  loaded, allows remote attackers to cause a denial of service (resource
  consumption) due to an inconsistency with Linux 2.4.20's support of
  linked lists, which causes Netfilter to fail to identify connections
  with an UNCONFIRMED status and use large timeouts.
  (text:CAN-2003-0187)

  Resolved in:
    upstream:  2.4.21-pre6 (Introduced in 2.4.20-pre6)
    woody:     Not Vulnerable (<2.4.20-pre6)
    sid/sarge: 2.4.20-13

* CAN-2003-0244: The route cache implementation in Linux 2.4, and the
  Netfilter IP conntrack module, allows remote attackers to cause a
  denial of service (CPU consumption) via packets with forged source
  addresses that cause a large number of hash table collisions.
  (text:CAN-2003-0244)

  Resolved in:
    upstream:  2.4.21-rc2
    woody:     2.4.18-8
    sid/sarge: 2.4.20-7

* CAN-2003-0246: The ioperm system call in Linux kernel 2.4.20 and
  earlier does not properly restrict privileges, which allows local
  users to gain read or write access to certain I/O ports.
  (text:CAN-2003-0246)

  Resolved in:
    upstream:  2.4.21-rc4
    woody:     2.4.18-8
    sid/sarge: 2.4.20-7

* CAN-2003-0247: Unknown vulnerability in the TTY layer of the Linux
  kernel 2.4 allows attackers to cause a denial of service ("kernel
  oops").
  (text:CAN-2003-0247)

  Resolved in:
    upstream:  2.4.21-rc4
    woody:     2.4.18-8
    sid/sarge: 2.4.20-8

* CAN-2003-0248: The mxcsr code in Linux kernel 2.4 allows attackers to
  modify CPU state registers via a malformed address.
  (text:CAN-2003-0248)

  Resolved in:
    upstream:  2.4.22-pre10
    woody:     2.4.18_2.4.18-8
    sid/sarge: 2.4.20-8

* CAN-2003-0465: The kernel strncpy function in Linux 2.4 and 2.5 does
  not %NUL pad the buffer on architectures other than x86, as opposed to
  the expected behavior of strncpy as implemented in libc, which could
  lead to information leaks.
  (text:CAN-2003-0465)

  Not sure about this, as it doesn't affect x86.

* CAN-2003-0619: Integer signedness error in the decode_fh function of
  nfs3xdr.c in Linux kernel before 2.4.21 allows remote attackers to
  cause a denial of service (kernel panic) via a negative size value
  within XDR data of an NFSv3 procedure call.
  (text:DSA-358-4)

  Resolved in:
    upstream:  2.4.21-pre3
    woody:     2.4.18-10
    sid/sarge: 2.4.22-1

* CAN-2003-0643: The Linux Socket Filter implementation contains a bug
  which can lead to a local dos. Due to an unsigned->signed conversion
  and insufficient bounds checking it is possible to crash the kernel by
  accessing unmapped memory. The bug was introduced during the attempt
  to fix other signedness issues in 2.4.3-pre3.
  (text:Patrick McHardy, LKML)

  Resolved in:
    upstream:  2.4.22-pre10
    woody:     2.4.18-11
    sid/sarge: 2.4.21-4

* CAN-2003-0699: The C-Media PCI sound driver in Linux before 2.4.21
  does not use the get_user function to access userspace, which crosses
  security boundaries and may facilitate the exploitation of
  vulnerabilities, a different vulnerability than CAN-2003-0700.
  (text:CAN-2003-0699)

  Resolved in:
    upstream:  2.4.21-rc2
    woody:     Vulnerable
    sid/sarge: 2.4.21-1
  Fix:
    http://linux.bkbits.net:8080/linux-2.4/[EMAIL PROTECTED]

* CAN-2003-0700: The C-Media PCI sound driver in Linux before 2.4.22
  does not use the get_user function to access userspace in certain
  conditions, which crosses security boundaries and may facilitate the
  exploitation of vulnerabilities, a different vulnerability than
  CAN-2003-0699.
  (text:CAN-2003-0700)

  Resolved in:
    upstream:  2.4.22-pre3
    woody:     Vulnerable
    sid/sarge: 2.4.21-4
  Fix:
    http://linux.bkbits.net:8080/linux-2.4/[EMAIL PROTECTED]

* CAN-2003-0961: Integer overflow in the do_brk function for the brk
  system call in Linux kernel 2.4.22 and earlier allows local users to
  gain root privileges.
  (text:CAN-2003-0961)

  Resolved in:
    upstream:  2.4.23-pre7
    woody:     2.4.18-14.1
    sid/sarge: 2.4.23-1

* CAN-2003-0984: Real time clock (RTC) routines in Linux kernel 2.4.23
  and earlier do not properly initialize their structures, which could
  leak kernel data to user space.
  (text:CAN-2003-0985)

  Resolved in:
    upstream:  2.4.24-rc1
    woody:     Vulnerable
    sid/sarge: 2.4.24-1
  Fix:
    http://linux.bkbits.net:8080/linux-2.4/[EMAIL PROTECTED]
    http://www.ultramonkey.org/bugs/cve-patch/CAN-2003-0984.patch

* CAN-2003-0985: The mremap system call (do_mremap) in Linux kernel 2.4
  and 2.6 does not properly perform bounds checks, which allows local
  users to cause a denial of service and possibly gain privileges by
  causing a remapping of a virtual memory area (VMA) to create a zero
  length VMA, a different vulnerability than CAN-2004-0077.
  (text:CAN-2003-0985)

  Resolved in:
    upstream:  2.4.24-rc1
    woody:     2.4.18_2.4.18-14.1
    sid/sarge: 2.4.24-1

* CAN-2004-0003: A vulnerability has been discovered in the R128 DRI
  driver in the Linux kernel which could potentially lead an attacker to
  gain unauthorised privileges. Alan Cox and Thomas Biege developed a
  correction for this.
  (text:DSA-479-1)

  Resolved in:
    upstream:  2.4.26-rc4
    woody:     2.4.18-14.3
    sid/sarge: 2.4.25-2

* CAN-2004-0010: Arjan van de Ven discovered a stack-based buffer
  overflow in the ncp_lookup function for ncpfs in the Linux kernel,
  which could lead an attacker to gain unauthorised privileges. Petr
  Vandrovec developed a correction for this.
  (text:DSA-479-1)

  Resolved in:
    upstream:  2.4.25-pre7
    woody:     Vulnerable
    sid/sarge: 2.4.25-1
  Fix:
    http://linux.bkbits.net:8080/linux-2.4/[EMAIL PROTECTED]
    http://www.ultramonkey.org/bugs/cve-patch/CAN-2004-0010.patch

* CAN-2004-0075: The Vicam USB driver in Linux before 2.4.25 does not
  use the copy_from_user function when copying data from userspace to
  kernel space, which crosses security boundaries and allows local users
  to cause a denial of service.

  Resolved in:
    upstream:  2.4.25-pre5
    woody:     Vulnerable
    sid/sarge: 2.4.25-1
  Fix:
    http://linux.bkbits.net:8080/linux-2.4/[EMAIL PROTECTED]
    http://www.ultramonkey.org/bugs/cve-patch/CAN-2004-0075.patch

* CAN-2004-0077: The do_mremap function for the mremap system call in
  Linux 2.2 to 2.2.25, 2.4 to 2.4.24, and 2.6 to 2.6.2, does not
  properly check the return value from the do_munmap function when the
  maximum number of VMA descriptors is exceeded, which allows local
  users to gain root privileges, a different vulnerability than
  CAN-2003-0985.
  (text:CAN-2004-0077)

  Resolved in:
    upstream:  2.4.26-pre3
    woody:     2.4.18-14.2
    sid/sarge: 2.4.24-3

* CAN-2004-0109: zen-parse discovered a buffer overflow vulnerability in
  the ISO9660 filesystem component of Linux kernel which could be abused
  by an attacker to gain unauthorised root access. Sebastian Krahmer and
  Ernie Petrides developed a correction for this.
  (text:DSA-479)

  Resolved in:
    upstream:  2.4.26-rc4
    woody:     2.4.18-14.3
    sid/sarge: 2.4.25-2

> * CAN-2004-0133: The XFS file system in 2.4 series kernels has an
>   information leak by which data in the memory can be written to the
>   device hosting the file system, allowing users to obtain portions of
>   kernel memory by reading the raw block device.

  Resolved in:
    upstream:  2.4.26-pre2 (XFS added in 2.4.25)
    woody:     Not Vulnerable (<2.4.25)
    sid/sarge: 2.4.26_2.4.26-1

* CAN-2004-0177: Solar Designer discovered an information leak in the
  ext3 code of Linux. In a worst case an attacker could read sensitive
  data such as cryptographic keys which would otherwise never hit disk
  media. Theodore Ts'o developed a correction for this.
  (text: Debian Woody changelog)

  Resolved in:
    upstream:  2.4.26-pre4
    woody:     2.4.18-14.3
    sid/sarge: 2.4.26-1

* CAN-2004-0178: The OSS code for the Sound Blaster driver in Linux
  2.4.x does not properly handle certain sample sizes, which allows
  local users to cause a denial of service (crash).
  (text:CAN-2004-0178)

  Resolved in:
    upstream:  2.4.26-pre3
    woody:     2.4.18-14.3
    sid/sarge: 2.4.25-2

> * CAN-2004-0181: The JFS file system in 2.4 series kernels has an
>   information leak by which data in the memory can be written to the
>   device hosting the file system, allowing users to obtain portions of
>   kernel memory by reading the raw device.

  Resolved in:
    upstream:  2.4.26-pre5
    woody:     Vulnerable
    sid/sarge: 2.4.25-2
  Fix:
    http://linux.bkbits.net:8080/linux-2.4/[EMAIL PROTECTED]
    http://www.ultramonkey.org/bugs/cve-patch/CAN-2004-0181.patch

> * CAN-2004-0228: Due to an integer signedness error in the CPUFreq
>   /proc handler code in 2.6 series Linux kernels, local users can
>   escalate their privileges.

  This code is not present in 2.4 (as of 2.4.27-pre3).

  Resolved in:
    upstream:  Not Vulnerable
    woody:     Not Vulnerable
    sid/sarge: Not Vulnerable

> * CAN-2004-0229: The framebuffer driver in 2.6 series kernel drivers
>   does not use the fb_copy_cmap method of copying structures. The
>   impact of this issue is unknown, however.

  This code is not present in 2.4 (as of 2.4.27-pre3).

  Resolved in:
    upstream:  Not Vulnerable
    woody:     Not Vulnerable
    sid/sarge: Not Vulnerable

> * CAN-2004-0394: A buffer overflow in the panic() function of 2.4
>   series Linux kernels exists, but it may not be exploitable under
>   normal circumstances due to its functionality.

  Resolved in:
    upstream:  Vulnerable
    woody:     Vulnerable
    sid/sarge: Vulnerable
  Fix:
    http://lkml.org/lkml/2002/6/24/142

  Personally, while the patch seems harmless enough, it is hard, really
  hard, to see how this could be exploited.

* CAN-2004-0424: Integer overflow in the ip_setsockopt function in Linux
  kernel 2.4.22 through 2.4.25 and 2.6.1 through 2.6.3 allows local
  users to cause a denial of service (crash) or execute arbitrary code
  via the MCAST_MSFILTER socket option.
  (text:CAN-2004-0424)

  Resolved in:
    upstream:  2.4.26-pre3
    woody:     Not Vulnerable (< 2.4.22)
    sid/sarge: 2.4.26_2.4.26-1

> * CAN-2004-0427: The do_fork() function in both 2.4 and 2.6 series
>   Linux kernels does not properly decrement the mm_count counter when
>   an error occurs, triggering a memory leak that allows local users to
>   cause a Denial of Service by exhausting other applications of memory;
>   causing the kernel to panic or to kill services.

  Resolved in:
    upstream:  2.4.26-rc4
    woody:     None
    sid/sarge: 2.4.26_2.4.26-1
  Fix:
    http://linux.bkbits.net:8080/linux-2.4/[EMAIL PROTECTED]
    http://www.ultramonkey.org/bugs/cve-patch/CAN-2004-0427.patch

> * CAN-2004-0495: Multiple vulnerabilities found by the Sparse source
>   checker in the kernel allow local users to escalate their privileges
>   or gain access to kernel memory.

  Resolved in:
    upstream:  2.4.27-rc1
    woody:     None
    sid/sarge: None
  Fix:
    http://www.ultramonkey.org/bugs/patch/linux-2.4.27-viro-sparse.patch
    (From the RHEL 15.0.3.EL kernel SRPM; not all patched files are
    present in the debian or kernel.org kernels, but the patch for the
    files that are present applies cleanly.)

* CAN-2004-0497: Missing check for fsuid in sys_chown(). fsuid is set by
  the privileged system call sys_setfsuid(). fsuid was added for, and is
  generally only used by, the Linux user space NFS daemons. Clients of
  this daemon can potentially exploit this vulnerability to make
  unauthorised changes to the ownership of files on a remote system.
  (text: Minoura Makoto and myself)

  Resolved in:
    upstream:  2.4.27-rc3
    woody:     None
    sid/sarge: None
  Fix:
    http://linux.bkbits.net:8080/linux-2.4/[EMAIL PROTECTED]
    http://linux.bkbits.net:8080/linux-2.4/[EMAIL PROTECTED]
    http://www.ultramonkey.org/bugs/cve-patch/CAN-2004-0497.patch

> * CAN-2004-0535: The e1000 NIC driver does not properly initialize
>   memory structures before using them, allowing users to read kernel
>   memory.

  Resolved in:
    upstream:  2.4.27-rc3
    woody:     None
    sid/sarge: None
  Fix:
    http://linux.bkbits.net:8080/linux-2.4/[EMAIL PROTECTED]
    http://www-test.ultramonkey.org/bugs/cve-patch/CAN-2004-0535.patch

> * CAN-2004-0554: 2.4 and 2.6 series kernels running on an x86 or an
>   AMD64 architecture allow local users to cause a Denial of Service by
>   a total system hang, due to an infinite loop that triggers a signal
>   handler with a certain sequence of fsave and frstor instructions.

  Resolved in:
    upstream:  2.4.27-pre6
    woody:     None
    sid/sarge: None
  Fix:
    http://linux.bkbits.net:8080/linux-2.4/[EMAIL PROTECTED]
    http://linux.bkbits.net:8080/linux-2.4/[EMAIL PROTECTED]
    http://www.ultramonkey.org/bugs/cve-patch/CAN-2004-0554.patch

* CAN-2004-0587: Insecure permissions for the
  /proc/scsi/qla2300/HbaApiNode file in Linux allows local users to
  cause a denial of service.
  (text:CAN-2004-0587)

  Not present in debian or kernel.org 2.4 kernel.

  Resolved in:
    upstream:  Not Vulnerable
    woody:     Not Vulnerable
    sid/sarge: Not Vulnerable

-- 
Horms
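Added illustration (not part of the message above, nor kernel source) of the leak class behind the CAN-2003-0465 item and the uninitialised-structure items (CAN-2003-0984, CAN-2004-0535): a strncpy that stops at the terminator leaves whatever the buffer held before, and that residue travels to user space with the rest of the record. The two strncpy variants, the dev_info record and the 0xAA marker byte are constructed for the demonstration.

```c
#include <string.h>

/* Illustrative re-implementations (not kernel code) of the two strncpy
 * contracts at issue in CAN-2003-0465: one stops at the terminating NUL,
 * the other (the libc contract) zero-fills the remainder of dest. */

/* Non-padding variant: bytes after the terminator keep their old contents. */
static char *strncpy_nopad(char *dest, const char *src, size_t n)
{
    size_t i;
    for (i = 0; i < n && src[i] != '\0'; i++)
        dest[i] = src[i];
    if (i < n)
        dest[i] = '\0';
    return dest;
}

/* Padding variant: everything after the terminator is zeroed. */
static char *strncpy_pad(char *dest, const char *src, size_t n)
{
    size_t i;
    for (i = 0; i < n && src[i] != '\0'; i++)
        dest[i] = src[i];
    for (; i < n; i++)
        dest[i] = '\0';
    return dest;
}

/* A record of the kind a driver fills in and copies out to user space. */
struct dev_info { char name[16]; int unit; };

/* Pretend the record's storage previously held other kernel data (constructed
 * marker byte 0xAA), fill the name with one strncpy variant, and count how
 * many marker bytes would still be copied out to user space. */
static int stale_bytes_in_name(int use_padding)
{
    struct dev_info info;
    int stale = 0;
    size_t i;
    memset(&info, 0xAA, sizeof info);        /* stands in for leftover kernel data */
    if (use_padding)
        strncpy_pad(info.name, "eth0", sizeof info.name);
    else
        strncpy_nopad(info.name, "eth0", sizeof info.name);
    for (i = 0; i < sizeof info.name; i++)
        if ((unsigned char)info.name[i] == 0xAA)
            stale++;
    return stale;                            /* 11 without padding, 0 with */
}
```

The defensive takeaway is the one the fixes in the list apply: zero the whole structure (memset or a zero-initialiser) before filling it, rather than relying on the copy routine to pad.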

