Package: kernel-source-2.6.8
Version: 2.6.8-14
Severity: normal
Tags: security patch

Hello,

CAN-2004-1190 reads:

  SUSE Linux before 9.1 and SUSE Linux Enterprise Server before 9 do not properly check commands sent to CD devices that have been opened read-only, which could allow local users to conduct unauthorized write activities to modify the firmware of associated SCSI devices.

The Suse Advisory is here:

http://www.novell.com/linux/security/advisories/2004_42_kernel.html

It unfortunately doesn't provide much detail, so I have been in contact with the Suse security team to track down what this is, and how they fixed it.

Apparently there was a patch introduced in 2.6.8 to avoid firmware overwrites happening with read-only opened /dev/cdrom devices. Some burner programs opened those devices with O_RDONLY but then started to burn or blank the CDs, but the more severe problem is that unprivileged users could destroy the firmware of SCSI related devices, rendering the devices completely useless.

Although the fix was put into 2.6.8, it was found afterwards that this was not a complete solution to the security problem, so there were bug fixes done in later patches. Version 2.6.10 is completely fixed, but there are some missing patches from 2.6.8 that leave this unfixed in our 2.6.8, as far as I can determine.

According to the Suse security people, the details in the changelog at this location show what needs to be patched:

http://linux.bkbits.net:8080/linux-2.6/hist/drivers/block/scsi_ioctl.c

along with the thread on this subject here:

http://groups-beta.google.com/group/linux.kernel/browse_frm/thread/5cfe44b11c8a99c5/ed58b3d4b1cfa39b?q=scsi_ioctl+firmware#ed58b3d4b1cfa39b

Taking these two, I've compared our kernel-source-2.6.8 tree and found that the following patches should be applied:

http://linux.bkbits.net:8080/linux-2.6/diffs/drivers/block/[EMAIL PROTECTED]/drivers/block/scsi_ioctl.c
http://linux.bkbits.net:8080/linux-2.6/diffs/drivers/block/[EMAIL PROTECTED]/drivers/block/scsi_ioctl.c
http://linux.bkbits.net:8080/linux-2.6/diffs/drivers/block/[EMAIL PROTECTED]/drivers/block/scsi_ioctl.c
http://linux.bkbits.net:8080/linux-2.6/diffs/drivers/block/[EMAIL PROTECTED]/drivers/block/scsi_ioctl.c

I should note that I do not fully understand this issue; I simply have done the legwork to determine that these patches have not been applied to kernel-source-2.6.8 and that according to Suse, the last relevant patch for this issue is the 1.61 revision patch (the last one in the list of four above).

N.B.: There is one changeset in the bkbits.net site from 10 weeks ago that has the changelog entry, "fix exploitable hole" -- according to Suse, this is misleading and incorrect (and is not included in the patches above).

Micah

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (300, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.10-1-k7
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages kernel-source-2.6.8 depends on:
ii  binutils               2.15-5   The GNU assembler, linker and bina
ii  bzip2                  1.0.2-5  high-quality block-sorting file co
ii  coreutils [fileutils]  5.2.1-2  The GNU core utilities
ii  fileutils              5.2.1-2  The GNU file management utilities

-- no debconf information
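
A simplified model of the kind of per-command check the report is about, added here as an illustration; it is not the kernel's scsi_ioctl.c code and not from the report's author. The function and enum names are hypothetical, the opcodes are standard SCSI/MMC values used as sample data, and the read-safe/write-safe classification is an assumption made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Illustrative model only: names are hypothetical, not the kernel's. */
enum cmd_class { CMD_UNLISTED, CMD_READ_SAFE, CMD_WRITE_SAFE };

/* Standard SCSI/MMC opcodes, used here as sample data. */
#define OP_INQUIRY      0x12
#define OP_READ_10      0x28
#define OP_WRITE_10     0x2a
#define OP_WRITE_BUFFER 0x3b /* can carry a microcode (firmware) download */
#define OP_BLANK        0xa1

/* Assumed classification; anything not listed is denied by default. */
static enum cmd_class classify(uint8_t opcode)
{
    switch (opcode) {
    case OP_INQUIRY: case OP_READ_10:
        return CMD_READ_SAFE;
    case OP_WRITE_10: case OP_BLANK:
        return CMD_WRITE_SAFE;
    default:
        return CMD_UNLISTED; /* includes OP_WRITE_BUFFER */
    }
}

/* Decide whether a command block (CDB) may be passed to the device. */
bool command_allowed(const uint8_t *cdb, size_t len, bool opened_for_write, bool privileged)
{
    if (cdb == NULL || len == 0)
        return false;                 /* nothing to classify */
    if (privileged)
        return true;                  /* e.g. a raw-I/O capability holder */
    switch (classify(cdb[0])) {
    case CMD_READ_SAFE:  return true;
    case CMD_WRITE_SAFE: return opened_for_write; /* O_RDONLY cannot burn or blank */
    default:             return false;            /* unlisted needs privilege */
    }
}

int main(void)
{
    const uint8_t fw[] = { OP_WRITE_BUFFER }, blank[] = { OP_BLANK };
    printf("WRITE BUFFER, read-only, unprivileged: %d\n", command_allowed(fw, 1, false, false));
    printf("BLANK, read-only, unprivileged: %d\n", command_allowed(blank, 1, false, false));
    return 0;
}
```

The point of the model is the default branch: a filter that only blocks known-bad opcodes leaves anything it did not anticipate open, while an allow-list tied to the open mode fails closed.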