(Debian Issues Fix for powerpc/apus) Linux Kernel do_mremap() Fails to Check do_munmap() Return Values, Allowing a Local User to Gain Root Privileges
|
|
SecurityTracker Alert ID: 1009119
|
|
CVE Reference: CAN-2004-0077
(Links to External Site)
|
Date: Feb 18 2004
|
Impact: Execution of arbitrary code via local system, Root access via local system
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Version(s): Debian 3.0
|
Description: Another vulnerability was reported in the Linux kernel do_mremap() function. A local user can execute arbitrary code with root privileges.
Paul Starzetz discovered and reported that there is a missing return value check within the mremap(2) system call.
When resizing
or moving virtual memory areas, the function reportedly does not test the return value of the do_munmap() function. Cases where
the function fails (for example, due to the number of virtual memory areas being exceeded by the calling process) will not be properly
detected, according to the report. As a result, the kernel may move memory belonging to one process into memory space that is allocated
to another process.
Some other calls to the do_munmap() function are also not checked, the report said.
A local user can gain
root privileges on the target system.
The original advisory is available at:
http://isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt
|
Impact: A local user can gain root privileges on the target system.
|
Solution: Debian has released a fix for the stable distribution (woody) in version 2.4.17-4 of powerpc/apus images.
Debian GNU/Linux 3.0
alias woody:
Source archives:
http://security.debian.org/pool/updates/main/k/kernel-source-2.4.17/kernel-source-2.4.17_2.4.17-1woody2.dsc
Size/MD5 checksum: 690 f4f41d8b5ce68462139eadff5e340b2f
http://security.debian.org/pool/updates/main/k/kernel-source-2.4.17/kernel-source-2.4.17_2.4.17-1wo
ody2.diff.gz
Size/MD5 checksum: 38791 17b8f97671d0f1be7c595123bcf0c86c
http://security.debian.org/pool/updates/main/k/kernel-source-2.4.17/kernel-source-2.
4.17_2.4.17.orig.tar.gz
Size/MD5 checksum: 29445154 d5de2a4dc49e32c37e557ef856d5d132
http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-apus
/kernel-patch-2.4.17-apus_2.4.17-4.dsc
Size/MD5 checksum: 667 beff21e365dba9487c3d1009e6bb8ce7
http://security.debian.org/pool/updates/main/k/kernel-patc
h-2.4.17-apus/kernel-patch-2.4.17-apus_2.4.17-4.tar.gz
Size/MD5 checksum: 489649 3feef2fdda2cb1385e12fb18b33c3787
Architecture independent components:
http://security.debian.org/pool/updates/main/k/kernel-source-2.4.17/kernel-doc-2.4.17_2.4.17-1woody2_all.deb
Size/MD5 checksum: 1719904 4299b7aeebc01ede7eb5a2f2f5ba0b45
http://security.debian.org/pool/updates/main/k/kernel-source-2.4.17/kernel-source-2.4.17_2.4.17-1wo
ody2_all.deb
Size/MD5 checksum: 23878388 15202df8a94f2aa17f09382f520021fc
PowerPC architecture:
http://security.debian.org/pool/updates/main/k/kernel-p
atch-2.4.17-apus/kernel-headers-2.4.17-apus_2.4.17-4_powerpc.deb
Size/MD5 checksum: 3365696 0f03db43dd1c83a6c02cbd474ae54685
http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-apus/kernel-image-2.4.17-apus_2.4.17-4_powerpc.deb
Size/MD5 checksum: 2210948 1f12b255f6644f144e3426fa5865b27e
http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-apus/kernel-image-apus_2.4.17-4_power
pc.deb
Size/MD5 checksum: 4078 6a495ea4088b900129c60dd769f7da8d
http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-apus/kernel-patch-2.4.1
7-apus_2.4.17-4_powerpc.deb
Size/MD5 checksum: 490346 41eebb692f46cfcb118818048de6d6ad
|
Vendor URL: www.kernel.org/ (Links to External Site)
|
Cause: Boundary error
|
Underlying OS: Linux (Debian)
|
Reported By: joey@infodrom.org (Martin Schulze)
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Wed, 18 Feb 2004 15:04:22 +0100 (CET)
From: joey@infodrom.org (Martin Schulze)
Subject: [SECURITY] [DSA 440-1] New Linux 2.4.17 packages fix several local root exploits (powerpc/apus)
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
Debian Security Advisory DSA 440-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
February 18th, 2004 http://www.debian.org/security/faq
- --------------------------------------------------------------------------
Package : kernel-source-2.4.17, kernel-patch-2.4.17-apus
Vulnerability : several vulnerabilities
Problem-Type : local
Debian-specific: no
CVE ID : CAN-2003-0961 CAN-2003-0985 CAN-2004-0077
Several local root exploits have been discovered recently in the Linux
kernel. This security advisory updates the PowerPC/Apus kernel for
Debian GNU/Linux. The Common Vulnerabilities and Exposures project
identifies the following problems that are fixed with this update:
CAN-2003-0961:
An integer overflow in brk() system call (do_brk() function) for
Linux allows a local attacker to gain root privileges. Fixed
upstream in Linux 2.4.23.
CAN-2003-0985:
Paul Starzetz discovered a flaw in bounds checking in mremap() in
the Linux kernel (present in version 2.4.x and 2.6.x) which may
allow a local attacker to gain root privileges. Version 2.2 is not
affected by this bug. Fixed upstream in Linux 2.4.24.
CAN-2004-0077:
Paul Starzetz and Wojciech Purczynski of isec.pl discovered a
critical security vulnerability in the memory management code of
Linux inside the mremap(2) system call. Due to missing function
return value check of internal functions a local attacker can gain
root privileges. Fixed upstream in Linux 2.4.25 and 2.6.3.
For the stable distribution (woody) these problems have been fixed in
version 2.4.17-4 of powerpc/apus images.
Other architectures will probably mentioned in a separate advisory or
are not affected (m68k).
For the unstable distribution (sid) this problem will be fixed soon.
We recommend that you upgrade your Linux kernel packages immediately.
Upgrade Instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
- --------------------------------
Source archives:
http://security.debian.org/pool/updates/main/k/kernel-source-2.4.17/kernel-source-2.4.17_2.4.17-1
woody2.dsc
Size/MD5 checksum: 690 f4f41d8b5ce68462139eadff5e340b2f
http://security.debian.org/pool/updates/main/k/kernel-source-2.4.17/kernel-source-2.4.17_2.4.17-1
woody2.diff.gz
Size/MD5 checksum: 38791 17b8f97671d0f1be7c595123bcf0c86c
http://security.debian.org/pool/updates/main/k/kernel-source-2.4.17/kernel-source-2.4.17_2.4.17.o
rig.tar.gz
Size/MD5 checksum: 29445154 d5de2a4dc49e32c37e557ef856d5d132
http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-apus/kernel-patch-2.4.17-apus_
2.4.17-4.dsc
Size/MD5 checksum: 667 beff21e365dba9487c3d1009e6bb8ce7
http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-apus/kernel-patch-2.4.17-apus_
2.4.17-4.tar.gz
Size/MD5 checksum: 489649 3feef2fdda2cb1385e12fb18b33c3787
Architecture independent components:
http://security.debian.org/pool/updates/main/k/kernel-source-2.4.17/kernel-doc-2.4.17_2.4.17-1woo
dy2_all.deb
Size/MD5 checksum: 1719904 4299b7aeebc01ede7eb5a2f2f5ba0b45
http://security.debian.org/pool/updates/main/k/kernel-source-2.4.17/kernel-source-2.4.17_2.4.17-1
woody2_all.deb
Size/MD5 checksum: 23878388 15202df8a94f2aa17f09382f520021fc
PowerPC architecture:
http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-apus/kernel-headers-2.4.17-apu
s_2.4.17-4_powerpc.deb
Size/MD5 checksum: 3365696 0f03db43dd1c83a6c02cbd474ae54685
http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-apus/kernel-image-2.4.17-apus_
2.4.17-4_powerpc.deb
Size/MD5 checksum: 2210948 1f12b255f6644f144e3426fa5865b27e
http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-apus/kernel-image-apus_2.4.17-
4_powerpc.deb
Size/MD5 checksum: 4078 6a495ea4088b900129c60dd769f7da8d
http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-apus/kernel-patch-2.4.17-apus_
2.4.17-4_powerpc.deb
Size/MD5 checksum: 490346 41eebb692f46cfcb118818048de6d6ad
These files will probably be moved into the stable distribution on
its next revision.
- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFAM3DlW5ql+IAeqTIRAqpmAJ4n6NdLtH1qfxsUT+nf41cmUCelegCdGkEV
HytLLKoXe2SHa9h5reVs61I=
=C8hr
-----END PGP SIGNATURE-----
--
To UNSUBSCRIBE, email to debian-security-announce-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
|
|
