Vulnerabilities > CVE-2004-0133 - Unspecified vulnerability in Linux Kernel 2.4.0
Attack vector
LOCAL Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
NONE Availability impact
NONE Summary
The XFS file system code in Linux 2.4.x has an information leak in which in-memory data is written to the device for the XFS file system, which allows local users to obtain sensitive information by reading the raw device.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| OS | 1 |
Nessus
NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2004-029.NASL description A vulnerability was found in the R128 DRI driver by Alan Cox. This could allow local privilege escalation. The previous fix, in MDKSA-2004:015 only partially corrected the problem; the full fix is included (CVE-2004-0003). A local root vulnerability was discovered in the isofs component of the Linux kernel by iDefense. This vulnerability can be triggered by performing a directory listing on a maliciously constructed ISO filesystem, or attempting to access a file via a malformed symlink on such a filesystem (CVE-2004-0109). An information leak was discovered in the ext3 filesystem code by Solar Designer. It was discovered that when creating or writing to an ext3 filesystem, some amount of other in-memory data gets written to the device. The data is not the file last seen 2020-06-01 modified 2020-06-02 plugin id 14128 published 2004-07-31 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/14128 title Mandrake Linux Security Advisory : kernel (MDKSA-2004:029) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Mandrake Linux Security Advisory MDKSA-2004:029. # The text itself is copyright (C) Mandriva S.A. # include("compat.inc"); if (description) { script_id(14128); script_version ("1.19"); script_cvs_date("Date: 2019/08/02 13:32:47"); script_cve_id("CVE-2004-0003", "CVE-2004-0109", "CVE-2004-0133", "CVE-2004-0177", "CVE-2004-0178", "CVE-2004-0181"); script_xref(name:"MDKSA", value:"2004:029"); script_name(english:"Mandrake Linux Security Advisory : kernel (MDKSA-2004:029)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Mandrake Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "A vulnerability was found in the R128 DRI driver by Alan Cox. This could allow local privilege escalation. The previous fix, in MDKSA-2004:015 only partially corrected the problem; the full fix is included (CVE-2004-0003). A local root vulnerability was discovered in the isofs component of the Linux kernel by iDefense. This vulnerability can be triggered by performing a directory listing on a maliciously constructed ISO filesystem, or attempting to access a file via a malformed symlink on such a filesystem (CVE-2004-0109). An information leak was discovered in the ext3 filesystem code by Solar Designer. It was discovered that when creating or writing to an ext3 filesystem, some amount of other in-memory data gets written to the device. The data is not the file's contents, not something on the same filesystem, or even anything that was previously in a file at all. To obtain this data, a user needs to read the raw device (CVE-2004-0177). The same vulnerability was also found in the XFS filesystem code (CVE-2004-0133) and the JFS filesystem code (CVE-2004-0181). Finally, a vulnerability in the OSS code for SoundBlaster 16 devices was discovered by Andreas Kies. It is possible for local users with access to the sound system to crash the machine (CVE-2004-0178). The provided packages are patched to fix these vulnerabilities. All users are encouraged to upgrade to these updated kernels. To update your kernel, please follow the directions located at : http://www.mandrakesecure.net/en/kernelupdate.php" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-2.4.21.0.29mdk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-2.4.22.29mdk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-2.4.25.3mdk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-2.6.3.8mdk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-enterprise-2.4.21.0.29mdk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-enterprise-2.4.22.29mdk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-enterprise-2.4.25.3mdk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-enterprise-2.6.3.8mdk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-i686-up-4GB-2.4.22.29mdk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-i686-up-4GB-2.4.25.3mdk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-i686-up-4GB-2.6.3.8mdk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-p3-smp-64GB-2.4.22.29mdk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-p3-smp-64GB-2.4.25.3mdk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-p3-smp-64GB-2.6.3.8mdk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-secure-2.4.21.0.29mdk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-secure-2.4.22.29mdk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-secure-2.6.3.8mdk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-smp-2.4.21.0.29mdk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-smp-2.4.22.29mdk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-smp-2.4.25.3mdk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-smp-2.6.3.8mdk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-source"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-source-stripped"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:10.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.2"); script_set_attribute(attribute:"patch_publication_date", value:"2004/04/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/31"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc."); script_family(english:"Mandriva Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux"); if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu); flag = 0; if (rpm_check(release:"MDK10.0", cpu:"i386", reference:"kernel-2.4.25.3mdk-1-1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.0", cpu:"i386", reference:"kernel-2.6.3.8mdk-1-1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.0", cpu:"i386", reference:"kernel-enterprise-2.4.25.3mdk-1-1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.0", cpu:"i386", reference:"kernel-enterprise-2.6.3.8mdk-1-1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.0", cpu:"i386", reference:"kernel-i686-up-4GB-2.4.25.3mdk-1-1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.0", cpu:"i386", reference:"kernel-i686-up-4GB-2.6.3.8mdk-1-1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.0", cpu:"i386", reference:"kernel-p3-smp-64GB-2.4.25.3mdk-1-1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.0", cpu:"i386", reference:"kernel-p3-smp-64GB-2.6.3.8mdk-1-1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.0", cpu:"i386", reference:"kernel-secure-2.6.3.8mdk-1-1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.0", cpu:"i386", reference:"kernel-smp-2.4.25.3mdk-1-1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.0", cpu:"i386", reference:"kernel-smp-2.6.3.8mdk-1-1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.0", cpu:"i386", reference:"kernel-source-2.4.25-3mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.0", cpu:"i386", reference:"kernel-source-stripped-2.6.3-8mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"kernel-2.4.21.0.29mdk-1-1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"kernel-enterprise-2.4.21.0.29mdk-1-1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"kernel-secure-2.4.21.0.29mdk-1-1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"kernel-smp-2.4.21.0.29mdk-1-1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"kernel-source-2.4.21-0.29mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.2", reference:"kernel-2.4.22.29mdk-1-1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.2", cpu:"i386", reference:"kernel-enterprise-2.4.22.29mdk-1-1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.2", cpu:"i386", reference:"kernel-i686-up-4GB-2.4.22.29mdk-1-1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.2", cpu:"i386", reference:"kernel-p3-smp-64GB-2.4.22.29mdk-1-1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.2", reference:"kernel-secure-2.4.22.29mdk-1-1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.2", reference:"kernel-smp-2.4.22.29mdk-1-1mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.2", reference:"kernel-source-2.4.22-29mdk", yank:"mdk")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Fedora Local Security Checks NASL id FEDORA_2004-111.NASL description A memory leak was fixed in an error path in the do_fork() routine. This was unlikely to have caused problems in real world situations. The information leak fixed in the previous errata was also found to affect XFS and JFS. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the names CVE-2004-0133 and CVE-2004-0181 respectively. A vulnerability in the OSS code for SoundBlaster 16 devices was discovered by Andreas Kies. It is possible for local users with access to the sound system to crash the machine (CVE-2004-0178). An automated checked from http://www.coverity.com highlighted a range checking bug in the i810 DRM driver. This was fixed by Andrea Arcangeli and Chris Wright. Arjan van de Ven discovered the framebuffer code was doing direct userspace accesses instead of using correct interfaces to write to userspace. Brad Spengler found a signedness issue in the cpufreq proc handler which could lead to users being able to read arbitary regions of kernel memory. This was fixed by Dominik Brodowski. Shaun Colley found a potential buffer overrun in the panic() function. As this function does not ever return, it is unlikely that this is exploitable, but has been fixed nonetheless. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2004-0394 to this issue. Paul Starzetz and Wojciech Purczynski found a lack of bounds checking in the MCAST_MSFILTER socket option which allows user code to write into kernel space, potentially giving the attacker full root priveledges. There has already been proof of concept code published exploiting this hole in a local denial-of-service manner. http://www.isec.pl/vulnerabilities/isec-0015-msfilter.txt has more information. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2004-0424 to this issue. The previous security errata actually missed fixes for several important problems. This has been corrected in this update. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 13692 published 2004-07-23 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/13692 title Fedora Core 1 : kernel-2.4.22-1.2188.nptl (2004-111) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2004-111. # include("compat.inc"); if (description) { script_id(13692); script_version ("1.20"); script_cvs_date("Date: 2019/08/02 13:32:23"); script_cve_id("CVE-2004-0133", "CVE-2004-0178", "CVE-2004-0181", "CVE-2004-0228", "CVE-2004-0394", "CVE-2004-0427"); script_xref(name:"FEDORA", value:"2004-111"); script_name(english:"Fedora Core 1 : kernel-2.4.22-1.2188.nptl (2004-111)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora Core host is missing a security update." ); script_set_attribute( attribute:"description", value: "A memory leak was fixed in an error path in the do_fork() routine. This was unlikely to have caused problems in real world situations. The information leak fixed in the previous errata was also found to affect XFS and JFS. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the names CVE-2004-0133 and CVE-2004-0181 respectively. A vulnerability in the OSS code for SoundBlaster 16 devices was discovered by Andreas Kies. It is possible for local users with access to the sound system to crash the machine (CVE-2004-0178). An automated checked from http://www.coverity.com highlighted a range checking bug in the i810 DRM driver. This was fixed by Andrea Arcangeli and Chris Wright. Arjan van de Ven discovered the framebuffer code was doing direct userspace accesses instead of using correct interfaces to write to userspace. Brad Spengler found a signedness issue in the cpufreq proc handler which could lead to users being able to read arbitary regions of kernel memory. This was fixed by Dominik Brodowski. Shaun Colley found a potential buffer overrun in the panic() function. As this function does not ever return, it is unlikely that this is exploitable, but has been fixed nonetheless. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2004-0394 to this issue. Paul Starzetz and Wojciech Purczynski found a lack of bounds checking in the MCAST_MSFILTER socket option which allows user code to write into kernel space, potentially giving the attacker full root priveledges. There has already been proof of concept code published exploiting this hole in a local denial-of-service manner. http://www.isec.pl/vulnerabilities/isec-0015-msfilter.txt has more information. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2004-0424 to this issue. The previous security errata actually missed fixes for several important problems. This has been corrected in this update. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"http://www.coverity.com" ); script_set_attribute( attribute:"see_also", value:"http://www.isec.pl/vulnerabilities/isec-0015-msfilter.txt" ); # https://lists.fedoraproject.org/pipermail/announce/2004-April/000109.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?e64ee995" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-BOOT"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-doc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-smp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-source"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora_core:1"); script_set_attribute(attribute:"patch_publication_date", value:"2004/04/22"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/23"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^1([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 1.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC1", reference:"kernel-2.4.22-1.2188.nptl")) flag++; if (rpm_check(release:"FC1", cpu:"i386", reference:"kernel-BOOT-2.4.22-1.2188.nptl")) flag++; if (rpm_check(release:"FC1", reference:"kernel-debuginfo-2.4.22-1.2188.nptl")) flag++; if (rpm_check(release:"FC1", reference:"kernel-doc-2.4.22-1.2188.nptl")) flag++; if (rpm_check(release:"FC1", reference:"kernel-smp-2.4.22-1.2188.nptl")) flag++; if (rpm_check(release:"FC1", reference:"kernel-source-2.4.22-1.2188.nptl")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-BOOT / kernel-debuginfo / kernel-doc / kernel-smp / etc"); }NASL family Fedora Local Security Checks NASL id FEDORA_2004-101.NASL description iDefense reported a buffer overflow flaw in the ISO9660 filesystem code. An attacker could create a malicious filesystem in such a way that they could gain root privileges if that filesystem is mounted. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0109 to this issue. Solar Designer from OpenWall discovered a minor information leak in the ext3 filesystem code due to the lack of initialization of journal descriptor blocks. This flaw has only minor security implications and exploitation requires privileged access to the raw device. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0133 to this issue. These packages also contain an updated fix with additional checks for issues in the R128 Direct Render Infrastructure. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0003 to this issue. Additionally, additional hardening of the mremap function was applied to prevent a potential local denial of service attack. The low latency patch applied in previous kernels has also been found to cause stability problems under certain conditions. It has been disabled in this update whilst further investigation occurs. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 13685 published 2004-07-23 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/13685 title Fedora Core 1 : kernel-2.4.22-1.2179.nptl (2004-101) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2004-101. # include("compat.inc"); if (description) { script_id(13685); script_version ("1.20"); script_cvs_date("Date: 2019/08/02 13:32:23"); script_cve_id("CVE-2004-0109"); script_xref(name:"FEDORA", value:"2004-101"); script_name(english:"Fedora Core 1 : kernel-2.4.22-1.2179.nptl (2004-101)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora Core host is missing a security update." ); script_set_attribute( attribute:"description", value: "iDefense reported a buffer overflow flaw in the ISO9660 filesystem code. An attacker could create a malicious filesystem in such a way that they could gain root privileges if that filesystem is mounted. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0109 to this issue. Solar Designer from OpenWall discovered a minor information leak in the ext3 filesystem code due to the lack of initialization of journal descriptor blocks. This flaw has only minor security implications and exploitation requires privileged access to the raw device. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0133 to this issue. These packages also contain an updated fix with additional checks for issues in the R128 Direct Render Infrastructure. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0003 to this issue. Additionally, additional hardening of the mremap function was applied to prevent a potential local denial of service attack. The low latency patch applied in previous kernels has also been found to cause stability problems under certain conditions. It has been disabled in this update whilst further investigation occurs. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); # https://lists.fedoraproject.org/pipermail/announce/2004-April/000102.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?3e034338" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-BOOT"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-doc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-smp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-source"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora_core:1"); script_set_attribute(attribute:"patch_publication_date", value:"2004/04/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/23"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^1([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 1.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC1", reference:"kernel-2.4.22-1.2179.nptl")) flag++; if (rpm_check(release:"FC1", cpu:"i386", reference:"kernel-BOOT-2.4.22-1.2179.nptl")) flag++; if (rpm_check(release:"FC1", reference:"kernel-debuginfo-2.4.22-1.2179.nptl")) flag++; if (rpm_check(release:"FC1", reference:"kernel-doc-2.4.22-1.2179.nptl")) flag++; if (rpm_check(release:"FC1", reference:"kernel-smp-2.4.22-1.2179.nptl")) flag++; if (rpm_check(release:"FC1", reference:"kernel-source-2.4.22-1.2179.nptl")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-BOOT / kernel-debuginfo / kernel-doc / kernel-smp / etc"); }NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200407-02.NASL description The remote host is affected by the vulnerability described in GLSA-200407-02 (Linux Kernel: Multiple vulnerabilities) Multiple flaws have been discovered in the Linux kernel. This advisory corrects the following issues: CAN-2004-0109: This vulnerability allows privilege escalation using ISO9660 file systems through a buffer overflow via a malformed file system containing a long symbolic link entry. This can allow arbitrary code execution at kernel level. CAN-2004-0133: The XFS file system in 2.4 series kernels has an information leak by which data in the memory can be written to the device hosting the file system, allowing users to obtain portions of kernel memory by reading the raw block device. CAN-2004-0177: The ext3 file system in 2.4 series kernels does not properly initialize journal descriptor blocks, causing an information leak by which data in the memory can be written to the device hosting the file system, allowing users to obtain portions of kernel memory by reading the raw device. CAN-2004-0181: The JFS file system in 2.4 series kernels has an information leak by which data in the memory can be written to the device hosting the file system, allowing users to obtain portions of kernel memory by reading the raw device. CAN-2004-0178: The OSS Sound Blaster [R] Driver has a Denial of Service vulnerability since it does not handle certain sample sizes properly. This allows local users to hang the kernel. CAN-2004-0228: Due to an integer signedness error in the CPUFreq /proc handler code in 2.6 series Linux kernels, local users can escalate their privileges. CAN-2004-0229: The framebuffer driver in 2.6 series kernel drivers does not use the fb_copy_cmap method of copying structures. The impact of this issue is unknown, however. CAN-2004-0394: A buffer overflow in the panic() function of 2.4 series Linux kernels exists, but it may not be exploitable under normal circumstances due to its functionality. CAN-2004-0427: The do_fork() function in both 2.4 and 2.6 series Linux kernels does not properly decrement the mm_count counter when an error occurs, triggering a memory leak that allows local users to cause a Denial of Service by exhausting other applications of memory; causing the kernel to panic or to kill services. CAN-2004-0495: Multiple vulnerabilities found by the Sparse source checker in the kernel allow local users to escalate their privileges or gain access to kernel memory. CAN-2004-0535: The e1000 NIC driver does not properly initialize memory structures before using them, allowing users to read kernel memory. CAN-2004-0554: 2.4 and 2.6 series kernels running on an x86 or an AMD64 architecture allow local users to cause a Denial of Service by a total system hang, due to an infinite loop that triggers a signal handler with a certain sequence of fsave and frstor instructions. Local DoS in PaX: If ASLR is enabled as a GRSecurity PaX feature, a Denial of Service can be achieved by putting the kernel into an infinite loop. Only 2.6 series GRSecurity kernels are affected by this issue. RSBAC 1.2.3 JAIL issues: A flaw in the RSBAC JAIL implementation allows suid/sgid files to be created inside the jail since the relevant module does not check the corresponding mode values. This can allow privilege escalation inside the jail. Only rsbac-(dev-)sources are affected by this issue. Impact : Arbitrary code with normal non-super-user privileges may be able to exploit any of these vulnerabilities; gaining kernel level access to memory structures and hardware devices. This may be used for further exploitation of the system, to leak sensitive data or to cause a Denial of Service on the affected kernel. Workaround : Although users may not be affected by certain vulnerabilities, all kernels are affected by the CAN-2004-0394, CAN-2004-0427 and CAN-2004-0554 issues which have no workaround. As a result, all users are urged to upgrade their kernels to patched versions. last seen 2020-06-01 modified 2020-06-02 plugin id 14535 published 2004-08-30 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/14535 title GLSA-200407-02 : Linux Kernel: Multiple vulnerabilities
References
- ftp://patches.sgi.com/support/free/security/advisories/20040405-01-U.asc
- http://marc.info/?l=bugtraq&m=108213675028441&w=2
- http://secunia.com/advisories/11362
- http://security.gentoo.org/glsa/glsa-200407-02.xml
- http://www.linuxsecurity.com/advisories/engarde_advisory-4285.html
- http://www.mandriva.com/security/advisories?name=MDKSA-2004:029
- http://www.securityfocus.com/bid/10151
- https://exchange.xforce.ibmcloud.com/vulnerabilities/15901