Fedora Legacy Test Update Notification: Kernel

Dominic Hargreaves dom at earth.li
Wed Sep 29 10:54:09 UTC 2004 

---------------------------------------------------------------------
Fedora Test Update Notification
FEDORALEGACY-2004-1804
Bugzilla https://bugzilla.fedora.us/show_bug.cgi?id=1804
2004-09-29
---------------------------------------------------------------------
 
Name        : kernel
Version 7.3 : 2.4.20-37.7.legacy
Version 9   : 2.4.20-37.9.legacy
Summary     : The Linux kernel (the core of the Linux operating system)
Description :
The kernel package contains the Linux kernel (vmlinuz), the core of your 
Red Hat Linux operating system.  The kernel handles the basic functions of 
the operating system:  memory allocation, process allocation, device input 
and output, etc.
 
---------------------------------------------------------------------
Update Information:
 
iDefense reported a buffer overflow flaw in the ISO9660 filesystem code.
An attacker could create a malicious filesystem in such a way that they
could gain root privileges if that filesystem is mounted. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2004-0109 to this issue. This issue is addressed in the Red Hat 7.3
packages referenced in this advisory, having been previously fixed for Red
Hat 9.

These packages also contain an updated fix with additional checks for
issues in the R128 Direct Render Infrastructure. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2004-0003 to this issue. This issue was addressed in the Red Hat 7.3
packages referenced in this advisory, having been previously fixed for Red
Hat 9.

A bug in the SoundBlaster 16 code which did not properly handle certain
sample sizes has been fixed. This flaw could be used by local users to
crash a system. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2004-0178 to this issue.

Paul Starzetz discovered flaws in the Linux kernel when handling file
offset pointers. These consist of invalid conversions of 64 to 32-bit file
offset pointers and possible race conditions. A local unprivileged user
could make use of these flaws to access large portions of kernel memory.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-0415 to this issue.

During an audit of the Linux kernel, SUSE discovered a flaw that allowed
a user to make unauthorized changes to the group ID of files in certain
circumstances. In the 2.4 kernel, as shipped with Red Hat Enterprise
Linux, the only way this could happen is through the kernel nfs server. A
user on a system that mounted a remote file system from a vulnerable
machine may be able to make unauthorized changes to the group ID of
exported files. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2004-0497 to this issue.

A flaw was found in Linux kernel versions 2.4 and 2.6 for x86 and x86_64
that allowed local users to cause a denial of service (system crash) by
triggering a signal handler with a certain sequence of fsave and frstor
instructions. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2004-0554 to this issue.

Enhancements were committed to the 2.6 kernel by Al Viro which enabled the
Sparse source code checking tool to check for a certain class of kernel
bugs. A subset of these fixes also applies to various drivers in the 2.4
kernel. These flaws could lead to privilege escalation or access to kernel
memory. The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2004-0495 to these issues.

Integer overflow in the Linux Broadcom 5820 cryptonet driver allows local
users to cause a denial of service (crash) and possibly execute arbitrary
code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-0619 to this issue. This driver has been removed
from this release.

Integer overflow in the IEEE 1394 (Firewire) driver allows local users to
cause a denial of service (crash) and possibly execute arbitrary code.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-0658 to this issue.

The do_fork function in Linux 2.4.x before 2.4.26 had a bug which could
trigger a memory leak leading to a denial of service. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CAN-2004-0427 to this issue.

An integer signedness error in the cpufreq proc handle allowed local users
to gain privileges. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2004-0228 to this issue.

The JFS file system code in Linux 2.4.x had an information leak in which
in-memory data is written to the device for the JFS file system, which
allowed local users to obtain sensitive information by reading the raw
device. The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2004-0181 to this issue.

The XFS file system code in Linux 2.4.x had an information leak in which
in-memory data is written to the device for the XFS file system, which
allowed local users to obtain sensitive information by reading the raw
device. The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2004-0133 to this issue.

In addition, these packages correct further minor issues:

An bug in the e1000 network driver. This bug could be used by local users
to leak small amounts of kernel memory (CAN-2004-0535).

Inappropriate permissions on /proc/scsi/qla2300/HbaApiNode (CAN-2004-0587).

Potential buffer overflow in the panic() function (CAN-2004-0394).

---------------------------------------------------------------------
Changelog:
 
* Fri Aug 06 2004 Jon Peatfield <J.S.Peatfield at damtp.cam.ac.uk>

- fix linux-2.4.21-file-offset-fixes.patch to work with older gcc
-  versions e.g. on RH73 (Michal Jaegermann <michal at harddata.com>)
- 
- include various patches from RHEL which we didn't have yet:
-  argument size checks in proc_tty.c, binfmt_elf.c, socket.c,
-  char/vt.c, cdrom/cdu31a.c, arch/i386/kernel/mtrr.c ; type
-  check/ATIME fix in af_unix.c ; return checking in
-  char/consolemap.c ; sanity check in isdn/pcbit/capi.c ; extra
-  checks and type fixes in isdn/isdn_ppp.c, isdn/isdn_common.c ;
-  eflasg fix in arch/i386/kernel/traps.c.  (Michal Jaegermann
-  <michal at harddata.com>)
- 
- add usb sparse patch (CAN-2004-0685) (mjc at redhat.com)
-  see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=127921
- 
- nfs patch from Trond to allow us to serve clients which use
-  cookies != 8 bytes, OSX 10.3 uses 30 FreeBSD uses 20...
-  See http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=125996
-  http://www.fys.uio.no/~trondmy/src/Linux-2.4.x/2.4.23-rc1/linux-2.4.23-03-fix_osx.dif

* Thu Aug 05 2004 Jon Peatfield <J.S.Peatfield at damtp.cam.ac.uk>

- add in updated fix for e1000, qla /proc permissions fix
- fix possible races/overflows in file offset handling (Alexander Viro)

* Fri Jul 02 2004 Jon Peatfield <jp107 at damtp.cam.ac.uk>

- loosely based on fc1 changes by Dave Jones <davej at redhat.com>
- add patch to fix missing checks in fchown() (CAN-2004-0497)
- Drop Broadcom 5820 driver due to code quality concerns.

* Fri Jun 18 2004 Dominic Hargreaves <dom at earth.li>

- Fix memory leak in kernel/fork.c. (CAN-2004-0427)
- Numerous userspace pointer reference bugs found with the sparse
  tool by Al Viro. (CAN-2004-0495)
- Fix e1000 driver information leak. (CAN-2004-0535)

* Tue Jun 15 2004 Dominic Hargreaves <dom at earth.li>

- Fix local DoS in "clear_cpu()" macro. (CAN-2004-0554)

* Thu May 13 2004 Dominic Hargreaves <dom at earth.li>

- Fix information leak in cpufreq userspace ioctl. (CAN-2004-0228)
- Fix for C1 Halt Disconnect problem on nForce2 systems.

* Wed May 05 2004 Dominic Hargreaves <dom at earth.li>

- Fix potential local denial of service in sb16 driver (CAN-2004-0178)
- Fix information leak in JFS (CAN-2004-0181)
- Add range checking to i810_dma() in DRM driver.
- Make ioctl(FBIOGETCMAP) use copy_to_user() rather than memcpy()
- Fix possible buffer overflow in panic() (CAN-2004-0394)

* Tue Apr 13 2004 Dave Jones <davej at redhat.com>

- Yet another additional r128 DRM check. (CAN-2004-0003)
- Bounds checking in ISO9660 filesystem. (CAN-2004-0109)
- Fix Information leak in EXT3 (CAN-2004-0133)
- Fix local DoS in mremap()

---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedoralegacy.org/redhat/

8a1c65a280190c3fc5102bb5a37db4a6d38dc38c
7.3/updates-testing/i386/kernel-2.4.20-37.7.legacy.athlon.rpm
b7a9696838f7c981fa9dc7f016c626f068d77f32
7.3/updates-testing/i386/kernel-2.4.20-37.7.legacy.i386.rpm
b01d2fc73b95e89a67b9490b7f7c4261be0b2d92
7.3/updates-testing/i386/kernel-2.4.20-37.7.legacy.i586.rpm
2c64ea0f6f088eeb2a47eed62f20fce086695f1f
7.3/updates-testing/i386/kernel-2.4.20-37.7.legacy.i686.rpm
e76f2bbdb94c0baa2d8c81df33f1f001b4eb6515
7.3/updates-testing/i386/kernel-bigmem-2.4.20-37.7.legacy.i686.rpm
302b9f0ae8e4b8dc975b0243ada68287508d85e9
7.3/updates-testing/i386/kernel-BOOT-2.4.20-37.7.legacy.i386.rpm
c63c54ec6da4d10a21cd768d9596edb463dab3f3
7.3/updates-testing/i386/kernel-doc-2.4.20-37.7.legacy.i386.rpm
ca0abce4704e89972b4d55edc615d1ac77c9038a
7.3/updates-testing/i386/kernel-smp-2.4.20-37.7.legacy.athlon.rpm
e151c2fe55bfb2ecc802ccbc82b176b6e6e32e27
7.3/updates-testing/i386/kernel-smp-2.4.20-37.7.legacy.i586.rpm
8cddf2b85c8e0aa6442d111a4190c2b2ebc65d45
7.3/updates-testing/i386/kernel-smp-2.4.20-37.7.legacy.i686.rpm
40595f8d08b8b631742cfb891168a96de36364f0
7.3/updates-testing/i386/kernel-source-2.4.20-37.7.legacy.i386.rpm
d5122c56d20371d25921a789f20b4a429f0ed0ee
7.3/updates-testing/SRPMS/kernel-2.4.20-37.7.legacy.src.rpm

f93b63bc5a40f24351a2d7855aaa66aacf6b1349
9/updates-testing/i386/kernel-2.4.20-37.9.legacy.athlon.rpm
15c94e731201db0ad89b41d9b2c35e7f85d6f517
9/updates-testing/i386/kernel-2.4.20-37.9.legacy.i386.rpm
5ee67818d1902c1e7ef919e1986c4c6f5cb58b6c
9/updates-testing/i386/kernel-2.4.20-37.9.legacy.i586.rpm
4a61fc7fd41a7d35cfcc25178ec5cb659ed3f6fe
9/updates-testing/i386/kernel-2.4.20-37.9.legacy.i686.rpm
790eef91cb194f60ab6c9ec5b0c4f08365b02022
9/updates-testing/i386/kernel-bigmem-2.4.20-37.9.legacy.i686.rpm
dd464f337d30580cd60b279d3b28f1ff972b718c
9/updates-testing/i386/kernel-BOOT-2.4.20-37.9.legacy.i386.rpm
6283845b3af07cf065902f3e75312a3ef7b5c90a
9/updates-testing/i386/kernel-doc-2.4.20-37.9.legacy.i386.rpm
25f86ab0bb3cfb9e1cf03e71af16c3d58e3db12b
9/updates-testing/i386/kernel-smp-2.4.20-37.9.legacy.athlon.rpm
c3f2461bd36aba58139e3cb29e34ecf9e97f6daf
9/updates-testing/i386/kernel-smp-2.4.20-37.9.legacy.i586.rpm
d03acba749f539607b3068670d8d2b12e7a98c02
9/updates-testing/i386/kernel-smp-2.4.20-37.9.legacy.i686.rpm
65079b01af9d60ca90b6650690634aa5d0c79cfa
9/updates-testing/i386/kernel-source-2.4.20-37.9.legacy.i386.rpm
4fdcc24dba64ef30ce49b170f6bbd3be98a129d8
9/updates-testing/SRPMS/kernel-2.4.20-37.9.legacy.src.rpm

 
Please note that this update is also available via yum and apt through the 
updates-testing channel.  Many people find this an easier way to apply 
updates.
---------------------------------------------------------------------
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
URL: <http://listman.redhat.com/archives/fedora-legacy-list/attachments/20040929/ec2c7d35/attachment.sig>

More information about the fedora-legacy-list mailing list