CVE-2005-0749 - Local Denial of Service vulnerability in Linux Kernel ELF Binary Loading

CVSS 7.2 - HIGH
  Attack vector:          LOCAL
  Attack complexity:      LOW
  Privileges required:    NONE
  Confidentiality impact: COMPLETE
  Integrity impact:       COMPLETE
  Availability impact:    COMPLETE

Tags: local, low complexity, linux, nessus

Summary

The load_elf_library function in the Linux kernel before 2.6.11.6 allows local users to cause a denial of service (kernel crash) via a crafted ELF library or executable, which causes a free of an invalid pointer.

Vulnerable Configurations

Part  Description  Count
OS    Linux        534

Nessus

  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2005-111.NASL
    description: Multiple vulnerabilities in the Linux kernel have been discovered and fixed in this update. The following have been fixed in the 2.4 kernels : Colin Percival discovered a vulnerability in Intel
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 18599
    published: 2005-07-01
    reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/18599
    title: Mandrake Linux Security Advisory : kernel-2.4 (MDKSA-2005:111)
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandrake Linux Security Advisory MDKSA-2005:111. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    if (NASL_LEVEL < 3000) exit(0);
    
    include("compat.inc");
    
    if (description)
    {
      script_id(18599);
      script_version ("1.23");
      script_cvs_date("Date: 2019/08/02 13:32:47");
    
      script_cve_id("CVE-2005-0109", "CVE-2005-0209", "CVE-2005-0384", "CVE-2005-0400", "CVE-2005-0530", "CVE-2005-0531", "CVE-2005-0749", "CVE-2005-0750", "CVE-2005-0767", "CVE-2005-1263");
      script_xref(name:"MDKSA", value:"2005:111");
    
      script_name(english:"Mandrake Linux Security Advisory : kernel-2.4 (MDKSA-2005:111)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandrake Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Multiple vulnerabilities in the Linux kernel have been discovered and
    fixed in this update. The following have been fixed in the 2.4 
    kernels :
    
    Colin Percival discovered a vulnerability in Intel's Hyper-Threading
    technology could allow a local user to use a malicious thread to
    create covert channels, monitor the execution of other threads, and
    obtain sensitive information such as cryptographic keys via a timing
    attack on memory cache misses. This has been corrected by disabling HT
    support in all kernels (CVE-2005-0109).
    
    When forwarding fragmented packets, a hardware assisted checksum could
    only be used once which could lead to a Denial of Service attack or
    crash by remote users (CVE-2005-0209).
    
    A flaw in the Linux PPP driver was found where on systems allowing
    remote users to connect to a server via PPP, a remote client could
    cause a crash, resulting in a Denial of Service (CVE-2005-0384).
    
    An information leak in the ext2 filesystem code was found where when a
    new directory is created, the ext2 block written to disk is not
    initialized (CVE-2005-0400).
    
    A signedness error in the copy_from_read_buf function in n_tty.c
    allows local users to read kernel memory via a negative argument
    (CVE-2005-0530).
    
    George Guninski discovered a buffer overflow in the ATM driver where
    the atm_get_addr() function does not validate its arguments
    sufficiently which could allow a local attacker to overwrite large
    portions of kernel memory by supplying a negative length argument.
    This could potentially lead to the execution of arbitrary code
    (CVE-2005-0531).
    
    A flaw when freeing a pointer in load_elf_library was found that could
    be abused by a local user to potentially crash the machine causing a
    Denial of Service (CVE-2005-0749).
    
    A problem with the Bluetooth kernel stack in kernels 2.4.6 through
    2.4.30-rc1 and 2.6 through 2.6.11.5 could be used by a local attacker
    to gain root access or crash the machine (CVE-2005-0750).
    
    A race condition in the Radeon DRI driver allows a local user with DRI
    privileges to execute arbitrary code as root (CVE-2005-0767).
    
    Paul Starzetz found an integer overflow in the ELF binary format
    loader's code dump function in kernels prior to and including
    2.4.31-pre1 and 2.6.12-rc4. By creating and executing a specially
    crafted ELF executable, a local attacker could exploit this to execute
    arbitrary code with root and kernel privileges (CVE-2005-1263)."
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_cwe_id(20);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-2.4.25.14mdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-2.4.28.0.rc1.6mdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-enterprise-2.4.25.14mdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-enterprise-2.4.28.0.rc1.6mdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-i586-up-1GB-2.4.28.0.rc1.6mdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-i686-up-4GB-2.4.25.14mdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-p3-smp-64GB-2.4.25.14mdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-smp-2.4.25.14mdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-smp-2.4.28.0.rc1.6mdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-source");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-source-2.4");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:10.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:10.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2005/06/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/07/01");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandrake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK10.0", reference:"kernel-2.4.25.14mdk-1-1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.0", cpu:"i386", reference:"kernel-enterprise-2.4.25.14mdk-1-1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.0", cpu:"i386", reference:"kernel-i686-up-4GB-2.4.25.14mdk-1-1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.0", cpu:"i386", reference:"kernel-p3-smp-64GB-2.4.25.14mdk-1-1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.0", reference:"kernel-smp-2.4.25.14mdk-1-1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.0", reference:"kernel-source-2.4.25-14mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK10.1", reference:"kernel-2.4.28.0.rc1.6mdk-1-1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.1", cpu:"i386", reference:"kernel-enterprise-2.4.28.0.rc1.6mdk-1-1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.1", cpu:"i386", reference:"kernel-i586-up-1GB-2.4.28.0.rc1.6mdk-1-1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.1", reference:"kernel-smp-2.4.28.0.rc1.6mdk-1-1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.1", reference:"kernel-source-2.4-2.4.28-0.rc1.6mdk", yank:"mdk")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2005-529.NASL
    description: Updated kernel packages that fix a number of security issues as well as other bugs are now available for Red Hat Enterprise Linux 2.1 (32 bit architectures). This update has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. This is a kernel maintenance update to Red Hat Enterprise Linux 2.1. The following security issues were corrected : A flaw between execve() syscall handling and core dumping of ELF-format executables allowed local unprivileged users to cause a denial of service (system crash) or possibly gain privileges. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-1263 to this issue. A flaw when freeing a pointer in load_elf_library was discovered. A local user could potentially use this flaw to cause a denial of service (crash). (CVE-2005-0749) The Direct Rendering Manager (DRM) driver did not properly check the DMA lock, which could allow remote attackers or local users to cause a denial of service (X Server crash) or possibly modify the video output. (CVE-2004-1056) A flaw in the moxa serial driver could allow a local user to perform privileged operations such as replacing the firmware. (CVE-2005-0504) The following bug fixes were also made :
      - Fix a race condition that can cause a panic in __get_lease()
      - Fix a race condition that can cause a panic when reading /proc/mdstat
      - Fix incorrect ide accounting
      - Prevent non-root users from reloading moxa driver firmware
      - Fix a NULL pointer dereference bug in rpciod
      - Fix legacy-usb handoff for certain IBM platforms
      - Fix a bug that caused busy inodes after unmount
      - Provide an additional fix for a memory leak in scsi_scan_single.
      - Fix a potential kswapd/dquot deadlock.
      - Fix a potential local DoS in shmemfs.
      - Fix a random poolsize vulnerability.
    Red Hat Enterprise Linux 2.1 users are advised to upgrade their kernels to the packages associated with their machine configurations as listed in this erratum.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 19543
    published: 2005-08-30
    reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/19543
    title: RHEL 2.1 : kernel (RHSA-2005:529)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2005:529. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(19543);
      script_version ("1.30");
      script_cvs_date("Date: 2019/10/25 13:36:11");
    
      script_cve_id("CVE-2004-1056", "CVE-2005-0504", "CVE-2005-0749", "CVE-2005-1263");
      script_xref(name:"RHSA", value:"2005:529");
    
      script_name(english:"RHEL 2.1 : kernel (RHSA-2005:529)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated kernel packages that fix a number of security issues as well
    as other bugs are now available for Red Hat Enterprise Linux 2.1 (32
    bit architectures)
    
    This update has been rated as having important security impact by the
    Red Hat Security Response Team.
    
    The Linux kernel handles the basic functions of the operating system.
    
    This is a kernel maintenance update to Red Hat Enterprise Linux 2.1.
    
    The following security issues were corrected :
    
    A flaw between execve() syscall handling and core dumping of
    ELF-format executables allowed local unprivileged users to cause a
    denial of service (system crash) or possibly gain privileges. The
    Common Vulnerabilities and Exposures project has assigned the name
    CVE-2005-1263 to this issue.
    
    A flaw when freeing a pointer in load_elf_library was discovered. A
    local user could potentially use this flaw to cause a denial of
    service (crash). (CVE-2005-0749)
    
    The Direct Rendering Manager (DRM) driver did not properly check the
    DMA lock, which could allow remote attackers or local users to cause a
    denial of service (X Server crash) or possibly modify the video
    output. (CVE-2004-1056)
    
    A flaw in the moxa serial driver could allow a local user to perform
    privileged operations such as replacing the firmware. (CVE-2005-0504)
    
    The following bug fixes were also made :
    
      - Fix a race condition that can cause a panic in __get_lease()
      - Fix a race condition that can cause a panic when reading /proc/mdstat
      - Fix incorrect ide accounting
      - Prevent non-root users from reloading moxa driver firmware
      - Fix a NULL pointer dereference bug in rpciod
      - Fix legacy-usb handoff for certain IBM platforms
      - Fix a bug that caused busy inodes after unmount
      - Provide an additional fix for a memory leak in scsi_scan_single.
      - Fix a potential kswapd/dquot deadlock.
      - Fix a potential local DoS in shmemfs.
      - Fix a random poolsize vulnerability.
    
    Red Hat Enterprise Linux 2.1 users are advised to upgrade their
    kernels to the packages associated with their machine configurations
    as listed in this erratum."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2004-1056"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2005-0504"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2005-0749"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2005-1263"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2005:529"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_cwe_id(119);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-BOOT");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-enterprise");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-smp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-source");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-summit");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/01/10");
      script_set_attribute(attribute:"patch_publication_date", value:"2005/08/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/08/30");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    include("ksplice.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^2\.1([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CAN-2005-1263", "CVE-2004-1056", "CVE-2005-0504", "CVE-2005-0749", "CVE-2005-1263");
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for RHSA-2005:529");
      }
      else
      {
        __rpm_report = ksplice_reporting_text();
      }
    }
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2005:529";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL2.1", cpu:"i686", reference:"kernel-2.4.9-e.65")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"kernel-BOOT-2.4.9-e.65")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i686", reference:"kernel-debug-2.4.9-e.65")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"kernel-doc-2.4.9-e.65")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i686", reference:"kernel-enterprise-2.4.9-e.65")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"kernel-headers-2.4.9-e.65")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i686", reference:"kernel-smp-2.4.9-e.65")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"kernel-source-2.4.9-e.65")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i686", reference:"kernel-summit-2.4.9-e.65")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-BOOT / kernel-debug / kernel-doc / etc");
      }
    }
    
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2005-366.NASL
    description: Updated kernel packages that fix several security issues are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. [Updated 9 August 2005] The advisory text has been updated to show that this update fixed the security issue named CVE-2005-0210 but not CVE-2005-0209. The issue CVE-2005-0209 was actually fixed by RHSA-2005:420. No changes have been made to the packages associated with this advisory. The Linux kernel handles the basic functions of the operating system. A flaw in the fib_seq_start function was discovered. A local user could use this flaw to cause a denial of service (system crash) via /proc/net/route. (CVE-2005-1041) A flaw in the tmpfs file system was discovered. A local user could use this flaw to cause a denial of service (system crash). (CVE-2005-0977) An integer overflow flaw was found when writing to a sysfs file. A local user could use this flaw to overwrite kernel memory, causing a denial of service (system crash) or arbitrary code execution. (CVE-2005-0867) Keith Owens reported a flaw in the Itanium unw_unwind_to_user function. A local user could use this flaw to cause a denial of service (system crash) on Itanium architectures. (CVE-2005-0135) A flaw in the NFS client O_DIRECT error case handling was discovered. A local user could use this flaw to cause a denial of service (system crash). (CVE-2005-0207) A small memory leak when defragmenting local packets was discovered that affected the Linux 2.6 kernel netfilter subsystem. A local user could send a large number of carefully crafted fragments leading to memory exhaustion (CVE-2005-0210) A flaw was discovered in the Linux PPP driver. On systems allowing remote users to connect to a server using ppp, a remote client could cause a denial of service (system crash). (CVE-2005-0384) A flaw was discovered in the ext2 file system code. When a new directory is created, the ext2 block written to disk is not initialized, which could lead to an information leak if a disk image is made available to unprivileged users. (CVE-2005-0400) A flaw in fragment queuing was discovered that affected the Linux kernel netfilter subsystem. On systems configured to filter or process network packets (e.g. firewalling), a remote attacker could send a carefully crafted set of fragmented packets to a machine and cause a denial of service (system crash). In order to successfully exploit this flaw, the attacker would need to know or guess some aspects of the firewall ruleset on the target system. (CVE-2005-0449) A number of flaws were found in the Linux 2.6 kernel. A local user could use these flaws to read kernel memory or cause a denial of service (crash). (CVE-2005-0529, CVE-2005-0530, CVE-2005-0531) An integer overflow in sys_epoll_wait in eventpoll.c was discovered. A local user could use this flaw to overwrite low kernel memory. This memory is usually unused, not usually resulting in a security consequence. (CVE-2005-0736) A flaw when freeing a pointer in load_elf_library was discovered. A local user could potentially use this flaw to cause a denial of service (crash). (CVE-2005-0749) A flaw was discovered in the bluetooth driver system. On systems where the bluetooth modules are loaded, a local user could use this flaw to gain elevated (root) privileges. (CVE-2005-0750) A race condition was discovered that affected the Radeon DRI driver. A local user who has DRI privileges on a Radeon graphics card may be able to use this flaw to gain root privileges. (CVE-2005-0767) Multiple range checking flaws were discovered in the iso9660 file system handler. An attacker could create a malicious file system image which would cause a denial of service or potentially execute arbitrary code if mounted. (CVE-2005-0815) A flaw was discovered when setting line discipline on a serial tty. A local user may be able to use this flaw to inject mouse movements or keystrokes when another user is logged in. (CVE-2005-0839) Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. Please note that
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 18095
    published: 2005-04-19
    reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/18095
    title: RHEL 4 : kernel (RHSA-2005:366)
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2005-366.NASL
    description: (identical to the RHSA-2005:366 advisory text quoted under REDHAT-RHSA-2005-366.NASL, plugin id 18095, above)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 21928
    published: 2006-07-05
    reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/21928
    title: CentOS 3 / 4 : kernel (CESA-2005:366)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2005-293.NASL
    descriptionUpdated kernel packages that fix several security issues in the Red Hat Enterprise Linux 3 kernel are now available. This security advisory has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. The following security issues were fixed: The Vicam USB driver did not use the copy_from_user function to access userspace, crossing security boundaries. (CVE-2004-0075) The ext3 and jfs code did not properly initialize journal descriptor blocks. A privileged local user could read portions of kernel memory. (CVE-2004-0177) The terminal layer did not properly lock line discipline changes or pending IO. An unprivileged local user could read portions of kernel memory, or cause a denial of service (system crash). (CVE-2004-0814) A race condition was discovered. Local users could use this flaw to read the environment variables of another process that is still spawning via /proc/.../cmdline. (CVE-2004-1058) A flaw in the execve() syscall handling was discovered, allowing a local user to read setuid ELF binaries that should otherwise be protected by standard permissions. (CVE-2004-1073) Red Hat originally reported this as being fixed by RHSA-2004:549, but the associated fix was missing from that update. Keith Owens reported a flaw in the Itanium unw_unwind_to_user() function. A local user could use this flaw to cause a denial of service (system crash) on the Itanium architecture. (CVE-2005-0135) A missing Itanium syscall table entry could allow an unprivileged local user to cause a denial of service (system crash) on the Itanium architecture. (CVE-2005-0137) A flaw affecting the OUTS instruction on the AMD64 and Intel EM64T architectures was discovered. A local user could use this flaw to access privileged IO ports. (CVE-2005-0204) A flaw was discovered in the Linux PPP driver. On systems allowing remote users to connect to a server using ppp, a remote client could cause a denial of service (system crash). (CVE-2005-0384) A flaw in the Red Hat backport of NPTL to Red Hat Enterprise Linux 3 was discovered that left a pointer to a freed tty structure. A local user could potentially use this flaw to cause a denial of service (system crash) or possibly gain read or write access to ttys that should normally be prevented. (CVE-2005-0403) A flaw in fragment queuing was discovered affecting the netfilter subsystem. On systems configured to filter or process network packets (for example those configured to do firewalling), a remote attacker could send a carefully crafted set of fragmented packets to a machine and cause a denial of service (system crash). In order to successfully exploit this flaw, the attacker would need to know (or guess) some aspects of the firewall ruleset in place on the target system to be able to craft the right fragmented packets. (CVE-2005-0449) Missing validation of an epoll_wait() system call parameter could allow a local user to cause a denial of service (system crash) on the IBM S/390 and zSeries architectures. (CVE-2005-0736) A flaw when freeing a pointer in load_elf_library was discovered. A local user could potentially use this flaw to cause a denial of service (system crash). (CVE-2005-0749) A flaw was discovered in the bluetooth driver system. On systems where the bluetooth modules are loaded, a local user could use this flaw to gain elevated (root) privileges. (CVE-2005-0750) In addition to the security issues listed above, there was an important fix made to the handling of the msync() system call for a particular case in which the call could return without queuing modified mmap()
    last seen2020-06-01
    modified2020-06-02
    plugin id18128
    published2005-04-25
    reporterThis script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/18128
    titleRHEL 3 : kernel (RHSA-2005:293)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-103-1.NASL
    descriptionMathieu Lafon discovered an information leak in the ext2 file system driver. When a new directory was created, the ext2 block written to disk was not initialized, so that previous memory contents (which could contain sensitive data like passwords) became visible on the raw device. This is particularly important if the target device is removable and thus can be read by users other than root. (CAN-2005-0400) Yichen Xie discovered a Denial of Service vulnerability in the ELF loader. A specially crafted ELF library or executable could cause an attempt to free an invalid pointer, which leads to a kernel crash. (CAN-2005-0749) Ilja van Sprundel discovered that the bluez_sock_create() function did not check its
    last seen2020-06-01
    modified2020-06-02
    plugin id20489
    published2006-01-15
    reporterUbuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/20489
    titleUbuntu 4.10 : linux-source-2.6.8.1 vulnerabilities (USN-103-1)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2005-262.NASL
    description - Sun Mar 27 2005 Dave Jones <davej at redhat.com> - Catch up with all recent security issues. - CVE-2005-0210 : dst leak - CVE-2005-0384 : ppp dos - CVE-2005-0531 : Sign handling issues. - CVE-2005-0400 : EXT2 information leak. - CVE-2005-0449 : Remote oops. - CVE-2005-0736 : Epoll overflow - CVE-2005-0749 : ELF loader may kfree wrong memory. - CVE-2005-0750 : Missing range checking in bluetooth - CVE-2005-0767 : drm race in radeon - CVE-2005-0815 : Corrupt isofs images could cause oops. - Tue Mar 22 2005 Dave Jones <davej at redhat.com> - Fix swapped parameters to memset in ieee802.11 code. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id18324
    published2005-05-19
    reporterThis script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/18324
    titleFedora Core 2 : kernel-2.6.10-1.771_FC2 (2005-262)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2005-313.NASL
    descriptionThis update rebases the kernel to the latest upstream stable release, which fixes a number of security issues. Notably : - CVE-2005-0210 : dst leak - CVE-2005-0384 : ppp dos - CVE-2005-0531 : Sign handling issues. - CVE-2005-0400 : EXT2 information leak. - CVE-2005-0449 : Remote oops. - CVE-2005-0736 : Epoll overflow - CVE-2005-0749 : ELF loader may kfree wrong memory. - CVE-2005-0750 : Missing range checking in bluetooth - CVE-2005-0767 : drm race in radeon - CVE-2005-0815 : Corrupt isofs images could cause oops Additionally, a large number of improvements have come from the 2.6.10 -> 2.6.11 transition. This update requires you are running the latest udev package, and also (if you are using SELinux) the latest selinux policy packages. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id19648
    published2005-09-12
    reporterThis script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/19648
    titleFedora Core 3 : kernel-2.6.11-1.14_FC3 (2005-313)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2005-293.NASL
    descriptionUpdated kernel packages that fix several security issues in the Red Hat Enterprise Linux 3 kernel are now available. This security advisory has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. The following security issues were fixed: The Vicam USB driver did not use the copy_from_user function to access userspace, crossing security boundaries. (CVE-2004-0075) The ext3 and jfs code did not properly initialize journal descriptor blocks. A privileged local user could read portions of kernel memory. (CVE-2004-0177) The terminal layer did not properly lock line discipline changes or pending IO. An unprivileged local user could read portions of kernel memory, or cause a denial of service (system crash). (CVE-2004-0814) A race condition was discovered. Local users could use this flaw to read the environment variables of another process that is still spawning via /proc/.../cmdline. (CVE-2004-1058) A flaw in the execve() syscall handling was discovered, allowing a local user to read setuid ELF binaries that should otherwise be protected by standard permissions. (CVE-2004-1073) Red Hat originally reported this as being fixed by RHSA-2004:549, but the associated fix was missing from that update. Keith Owens reported a flaw in the Itanium unw_unwind_to_user() function. A local user could use this flaw to cause a denial of service (system crash) on the Itanium architecture. (CVE-2005-0135) A missing Itanium syscall table entry could allow an unprivileged local user to cause a denial of service (system crash) on the Itanium architecture. (CVE-2005-0137) A flaw affecting the OUTS instruction on the AMD64 and Intel EM64T architectures was discovered. A local user could use this flaw to access privileged IO ports. (CVE-2005-0204) A flaw was discovered in the Linux PPP driver. On systems allowing remote users to connect to a server using ppp, a remote client could cause a denial of service (system crash). (CVE-2005-0384) A flaw in the Red Hat backport of NPTL to Red Hat Enterprise Linux 3 was discovered that left a pointer to a freed tty structure. A local user could potentially use this flaw to cause a denial of service (system crash) or possibly gain read or write access to ttys that should normally be prevented. (CVE-2005-0403) A flaw in fragment queuing was discovered affecting the netfilter subsystem. On systems configured to filter or process network packets (for example those configured to do firewalling), a remote attacker could send a carefully crafted set of fragmented packets to a machine and cause a denial of service (system crash). In order to successfully exploit this flaw, the attacker would need to know (or guess) some aspects of the firewall ruleset in place on the target system to be able to craft the right fragmented packets. (CVE-2005-0449) Missing validation of an epoll_wait() system call parameter could allow a local user to cause a denial of service (system crash) on the IBM S/390 and zSeries architectures. (CVE-2005-0736) A flaw when freeing a pointer in load_elf_library was discovered. A local user could potentially use this flaw to cause a denial of service (system crash). (CVE-2005-0749) A flaw was discovered in the bluetooth driver system. On systems where the bluetooth modules are loaded, a local user could use this flaw to gain elevated (root) privileges. (CVE-2005-0750) In addition to the security issues listed above, there was an important fix made to the handling of the msync() system call for a particular case in which the call could return without queuing modified mmap()
    last seen2020-06-01
    modified2020-06-02
    plugin id21923
    published2006-07-05
    reporterThis script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/21923
    titleCentOS 3 : kernel (CESA-2005:293)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SA_2005_029.NASL
    descriptionThe remote host is missing the patch for the advisory SUSE-SA:2005:029 (kernel). The Linux kernel is the core component of the Linux system. This update fixes various security as well as non-security problems discovered since the last round of kernel updates. The following security problems have been fixed: - when creating directories on ext2 filesystems the kernel did not zero initialize the memory allocated. Therefore potentially sensitive information could be exposed to users (CVE-2005-0400). All SUSE LINUX based products are affected. - local users can crash the kernel via a crafted ELF library or executable, which causes a free of an invalid pointer (CVE-2005-0749). All SUSE LINUX based products are affected. - local users could gain root access via a bluetooth socket (CVE-2005-0750). The fix for this problem was missing in SUSE LINUX 9.3 only. - local users could gain root access by causing a core dump of specially crafted ELF executables (CVE-2005-1263). The problem is believed to be not exploitable on any SUSE LINUX based product. The patch is included nevertheless. - on the x86-64 platform various bugs allowed local users to crash the kernel or CPU (CVE-2005-0756, CVE-2005-1762, CVE-2005-1764, CVE-2005-1765) All SUSE LINUX based products on the x86-64 architecture are affected. - an overflow in the x86-64 ptrace code allowed local users to write a few bytes into kernel memory pages they normally shouldn
    last seen2019-10-28
    modified2005-06-10
    plugin id18462
    published2005-06-10
    reporterThis script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/18462
    titleSUSE-SA:2005:029: kernel
  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2005-110.NASL
    descriptionMultiple vulnerabilities in the Linux kernel have been discovered and fixed in this update. The following CVE names have been fixed in the LE2005 kernel : Colin Percival discovered a vulnerability in Intel
    last seen2020-06-01
    modified2020-06-02
    plugin id18598
    published2005-07-01
    reporterThis script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/18598
    titleMandrake Linux Security Advisory : kernel (MDKSA-2005:110)

Oval

accepted2013-04-29T04:07:19.355-04:00
classvulnerability
contributors
  • nameAharon Chernin
    organizationSCAP.com, LLC
  • nameDragos Prisaca
    organizationG2, Inc.
definition_extensions
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 3
    ovaloval:org.mitre.oval:def:11782
  • commentCentOS Linux 3.x
    ovaloval:org.mitre.oval:def:16651
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 4
    ovaloval:org.mitre.oval:def:11831
  • commentCentOS Linux 4.x
    ovaloval:org.mitre.oval:def:16636
  • commentOracle Linux 4.x
    ovaloval:org.mitre.oval:def:15990
descriptionThe load_elf_library in the Linux kernel before 2.6.11.6 allows local users to cause a denial of service (kernel crash) via a crafted ELF library or executable, which causes a free of an invalid pointer.
familyunix
idoval:org.mitre.oval:def:10640
statusaccepted
submitted2010-07-09T03:56:16-04:00
titleThe load_elf_library in the Linux kernel before 2.6.11.6 allows local users to cause a denial of service (kernel crash) via a crafted ELF library or executable, which causes a free of an invalid pointer.
version26

Redhat

advisories
  • rhsa
    idRHSA-2005:293
  • rhsa
    idRHSA-2005:366
  • rhsa
    idRHSA-2005:529
  • rhsa
    idRHSA-2005:551
rpms
  • kernel-0:2.4.21-27.0.4.EL
  • kernel-BOOT-0:2.4.21-27.0.4.EL
  • kernel-debuginfo-0:2.4.21-27.0.4.EL
  • kernel-doc-0:2.4.21-27.0.4.EL
  • kernel-hugemem-0:2.4.21-27.0.4.EL
  • kernel-hugemem-unsupported-0:2.4.21-27.0.4.EL
  • kernel-smp-0:2.4.21-27.0.4.EL
  • kernel-smp-unsupported-0:2.4.21-27.0.4.EL
  • kernel-source-0:2.4.21-27.0.4.EL
  • kernel-unsupported-0:2.4.21-27.0.4.EL
  • kernel-0:2.6.9-5.0.5.EL
  • kernel-debuginfo-0:2.6.9-5.0.5.EL
  • kernel-devel-0:2.6.9-5.0.5.EL
  • kernel-doc-0:2.6.9-5.0.5.EL
  • kernel-hugemem-0:2.6.9-5.0.5.EL
  • kernel-hugemem-devel-0:2.6.9-5.0.5.EL
  • kernel-smp-0:2.6.9-5.0.5.EL
  • kernel-smp-devel-0:2.6.9-5.0.5.EL