Category:   OS (Linux)  >   Linux Kernel
Vendors:   kernel.org
Linux Kernel Real-time Clock Routines May Leak Kernel Data to User Applications
SecurityTracker Alert ID:  1008594
SecurityTracker URL:  http://securitytracker.com/id/1008594
CVE Reference:   CVE-2003-0984
Updated:  Jul 6 2008
Original Entry Date:  Jan 5 2004
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 2.4.23 and prior 2.4.x kernels
Description:   A vulnerability was reported in the Linux 2.4 kernel in the real-time clock routines. A local user may be able to view leaked kernel data.

In December 2003, it was reported that real time clock routines in the Linux kernel do not properly initialize memory structures. As a result, a local user may be able to access the routines to view kernel stack data.

Impact:   A local user may be able to view some kernel data.
Solution:   Fixes are reportedly available (or pending) for various Linux kernel distributions. As the distributors release their fixes, separate Alerts will be issued [see the Message History].
Vendor URL:  www.kernel.org/
Cause:   State error
Underlying OS:  

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jan 5 2004 (Red Hat Issues Fix for Red Hat Linux) Linux Kernel Real-time Clock Routines May Leak Kernel Data to User Applications   (bugzilla@redhat.com)
Red Hat has released a fix for Red Hat Linux 7.1, 7.2, 7.3, 8.0, and 9.
Jan 5 2004 (EnGarde Issues Fix) Linux Kernel Real-time Clock Routines May Leak Kernel Data to User Applications   (engarde-announce-admins@guardiandigital.com)
Guardian Digital has released a fix for EnGarde Secure Linux.
Jan 5 2004 (Conectiva Issues Fix) Linux Kernel Real-time Clock Routines May Leak Kernel Data to User Applications   (Conectiva Updates <secure@conectiva.com.br>)
Conectiva has released a fix.
Jan 8 2004 (Mandrake Issues Fix) Linux Kernel Real-time Clock Routines May Leak Kernel Data to User Applications   (Mandrake Linux Security Team <security@linux-mandrake.com>)
Mandrake has released a fix.
Jan 12 2004 (SmoothWall Issues Fix) Linux Kernel Real-time Clock Routines May Leak Kernel Data to User Applications   (neuro@smoothwall.org)
A fix is available for SmoothWall Express.
May 12 2004 (Red Hat Issues Fix for RH Enterprise Linux) Linux Kernel Real-time Clock Routines May Leak Kernel Data to User Applications   (bugzilla@redhat.com)
Red Hat has released a fix for Red Hat Enterprise Linux 3.



 Source Message Contents

Date:  Tue, 23 Dec 2003 14:18:02 -0500
Subject:  CAN-2003-0984


In SuSE-SA:2003:049 (http://www.suse.com/de/security/2003_049_kernel.html), SuSE reported 
a Linux 2.4 kernel vulnerability.

 > This update also fixes several other security issues in the kernel

 >     -	when reading the RTC, don't leak kernel stack data to user space


The CVE CAN-2003-0984 entry says:

 > Real time clock (RTC) routines in Linux kernel 2.4.23 and earlier do not properly
 > initialize their structures, which could leak kernel data to user space.
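
The flaw class described in this alert, as an added user-space illustration in C (not code from the kernel or from this advisory): a structure modelled on `struct rtc_time` is only partly filled and then copied out whole, once without and once with zero-initialisation. The `demo_*` names, the 0xA5 marker, and the choice of which fields are left unset are assumptions made for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Modelled on struct rtc_time from <linux/rtc.h>; redefined so this builds anywhere. */
struct demo_rtc_time {
    int tm_sec, tm_min, tm_hour, tm_mday, tm_mon, tm_year;
    int tm_wday, tm_yday, tm_isdst;
};

#define STALE 0xA5  /* constructed marker standing in for leftover kernel stack bytes */

/* Assumption for illustration: the clock reader sets only the six time/date fields. */
static void demo_read_clock(struct demo_rtc_time *t)
{
    t->tm_sec = 2;   t->tm_min = 18;  t->tm_hour = 14;
    t->tm_mday = 23; t->tm_mon = 11;  t->tm_year = 103;
}

/* Stand-in for copy_to_user(): copies the whole struct, then counts stale bytes. */
static size_t demo_copy_out(unsigned char *user, const struct demo_rtc_time *t)
{
    size_t i, stale = 0;
    memcpy(user, t, sizeof *t);
    for (i = 0; i < sizeof *t; i++)
        if (user[i] == STALE)
            stale++;
    return stale;
}

/* Returns how many stale bytes reached the "user" buffer. */
size_t demo_ioctl_read(int zero_first)
{
    struct demo_rtc_time t;
    unsigned char user[sizeof t];

    memset(&t, STALE, sizeof t);   /* simulate a dirty stack frame deterministically */
    if (zero_first)
        memset(&t, 0, sizeof t);   /* the hardening: initialise before filling */
    demo_read_clock(&t);
    return demo_copy_out(user, &t);
}

int main(void)
{
    printf("unpatched: %zu stale bytes copied out\n", demo_ioctl_read(0));
    printf("hardened:  %zu stale bytes copied out\n", demo_ioctl_read(1));
    return 0;
}
```

The same audit applies to any kernel-to-user copy of a stack structure: every byte, including padding, must be written before the copy.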


 
 



Copyright 2014, SecurityGlobal.net LLC