(Slackware Issues Fix) Linux Kernel do_mremap() Fails to Check do_munmap() Return Values, Allowing a Local User to Gain Root Privileges
|
|
SecurityTracker Alert ID: 1009109
|
|
CVE Reference: CAN-2004-0077
(Links to External Site)
|
Date: Feb 18 2004
|
Impact: Execution of arbitrary code via local system, Root access via local system
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Version(s): Slackware 9.1
|
Description: Another vulnerability was reported in the Linux kernel do_mremap() function. A local user can execute arbitrary code with root privileges.
Paul Starzetz discovered and reported that there is a missing return value check within the mremap(2) system call.
When resizing
or moving virtual memory areas, the function reportedly does not test the return value of the do_munmap() function. Cases where
the function fails (for example, due to the number of virtual memory areas being exceeded by the calling process) will not be properly
detected, according to the report. As a result, the kernel may move memory belonging to one process into memory space that is allocated
to another process.
Some other calls to the do_munmap() function are also not checked, the report said.
A local user can gain
root privileges on the target system.
The original advisory is available at:
http://isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt
|
Impact: A local user can gain root privileges on the target system.
|
Solution: Slackware has released a fix for Slackware 9.1. The vendor reports that the kernels in Slackware 8.1 and 9.0 that were updated in
January 2004 are not vulnerable to this new flaw, as the patch that fixed CAN-2003-0985 also fixes this new flaw.
Users running
Slackware 9.1 or -current should upgrade to a new kernel. After installing the new kernel, users are reminded to run 'lilo'.
Updated
packages for Slackware 9.1:
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/kernel-ide-2.4.24-i486-2.tgz
ftp://ftp.slackware.com/pub/slackware/slac
kware-9.1/patches/packages/kernel-source-2.4.24-noarch-2.tgz
An alternate kernel may be installed. Those are found in this directory:
ftp://ftp.slackware.com/pub/sla
ckware/slackware-9.1/patches/kernels/
Updated packages for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/kernel-ide-2.4.24-i
486-2.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/k/kernel-source-2.4.24-noarch-2.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-current/
bootdisks/
ftp://ftp.slackware.com/pub/slackware/slackware-current/kernels/
|
Vendor URL: www.kernel.org/ (Links to External Site)
|
Cause: Boundary error
|
Underlying OS: Linux (Slackware)
|
Reported By: Slackware Security Team <security@slackware.com>
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Wed, 18 Feb 2004 04:37:55 -0800 (PST)
From: Slackware Security Team <security@slackware.com>
Subject: [slackware-security] Kernel security update (SSA:2004-049-01)
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[slackware-security] Kernel security update (SSA:2004-049-01)
New kernels are available for Slackware 9.1 and -current to fix
a bounds-checking problem in the kernel's mremap() call which
could be used by a local attacker to gain root privileges.
Please note that this is not the same issue as CAN-2003-0985
which was fixed in early January.
The kernels in Slackware 8.1 and 9.0 that were updated in
January are not vulnerable to this new issue because the patch
from Solar Designer that was used to fix the CAN-2003-0985 bugs
also happened to fix the problem that was discovered later.
Sites running Slackware 9.1 or -current should upgrade to a
new kernel. After installing the new kernel, be sure to run
'lilo'.
More details about this issue may be found in the Common
Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0077
Here are the details from the Slackware 9.1 ChangeLog:
+--------------------------+
Wed Feb 18 03:44:42 PST 2004
patches/kernels/: Recompiled to fix another bounds-checking error in
the kernel mremap() code. (this is not the same issue that was fixed
on Jan 6) This bug could be used by a local attacker to gain root
privileges. Sites should upgrade to a new kernel. After installing
the new kernel, be sure to run 'lilo'.
For more details, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0077
Thanks to Paul Starzetz for finding and researching this issue.
(* Security fix *)
patches/packages/kernel-ide-2.4.24-i486-2.tgz: Patched, recompiled.
(* Security fix *)
patches/packages/kernel-source-2.4.24-noarch-2.tgz: Patched the kernel
source with a fix for the mremap() problem from Solar Designer, and
updated the Speakup driver (not pre-applied).
(* Security fix *)
+--------------------------+
WHERE TO FIND THE NEW PACKAGES:
+-----------------------------+
Updated packages for Slackware 9.1:
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/kernel-ide-2.4.24-i486-2.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/kernel-source-2.4.24-noarch-2.tg
z
An alternate kernel may be installed. Those are found in this directory:
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/kernels/
Updated packages for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/kernel-ide-2.4.24-i486-2.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/k/kernel-source-2.4.24-noarch-2.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-current/bootdisks/
ftp://ftp.slackware.com/pub/slackware/slackware-current/kernels/
MD5 SIGNATURES:
+-------------+
MD5 signatures may be downloaded from our FTP server:
Slackware 9.1 packages:
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/CHECKSUMS.md5
To verify authenticity, this file has been signed with the Slackware
GPG key (use 'gpg --verify'):
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/CHECKSUMS.md5.asc
Slackware -current packages:
ftp://ftp.slackware.com/pub/slackware/slackware-current/CHECKSUMS.md5
ftp://ftp.slackware.com/pub/slackware/slackware-current/CHECKSUMS.md5.asc
INSTALLATION INSTRUCTIONS:
+------------------------+
Use upgradepkg to install the new kernel package.
After installing the kernel-ide package you will need to run lilo ('lilo' at
a command prompt) or create a new system boot disk ('makebootdisk'), and
reboot.
If desired, a kernel from the kernels/ directory may be used instead. For
example, to use the kernel in kernels/scsi.s/, you would copy it to the
boot directory like this:
cd kernels/scsi.s
cp bzImage /boot/vmlinuz-scsi.s-2.4.24
Create a symbolic link:
ln -sf /boot/vmlinuz-scsi.s-2.4.24 /boot/vmlinuz
Then, run 'lilo' or create a new system boot disk and reboot.
+-----+
Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com
+------------------------------------------------------------------------+
| HOW TO REMOVE YOURSELF FROM THIS MAILING LIST: |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message: |
| |
| unsubscribe slackware-security |
| |
| You will get a confirmation message back. Follow the instructions to |
| complete the unsubscription. Do not reply to this message to |
| unsubscribe! |
+------------------------------------------------------------------------+
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
iD8DBQFAM1gqakRjwEAQIjMRAsidAJwO3KmM+Jtccw5zPLovpCcnpxqH3ACbBJy6
kzvkk6HtdbiQ1o2hjlOiUlI=
=ydJs
-----END PGP SIGNATURE-----
|
|
