Vulnerabilities > CVE-2007-4571 - Unspecified vulnerability in Linux Kernel
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
The snd_mem_proc_read function in sound/core/memalloc.c in the Advanced Linux Sound Architecture (ALSA) in the Linux kernel before 2.6.22.8 does not return the correct write size, which allows local users to obtain sensitive information (kernel memory contents) via a small count argument, as demonstrated by multiple reads of /proc/driver/snd-page-alloc.
Vulnerable Configurations
Exploit-Db
| description | Linux Kernel 2.6.x ALSA snd-page-alloc Local Proc File Information Disclosure Vulnerability. CVE-2007-4571. Local exploit for linux platform |
| id | EDB-ID:30605 |
| last seen | 2016-02-03 |
| modified | 2007-09-21 |
| published | 2007-09-21 |
| reporter | Karimo_DM |
| source | https://www.exploit-db.com/download/30605/ |
| title | Linux Kernel 2.6.x - ALSA snd-page-alloc Local Proc File Information Disclosure Vulnerability |
Nessus
NASL family SuSE Local Security Checks NASL id SUSE_KERNEL-4472.NASL description This kernel update fixes the following security problems : - It was possible for local user to become root by exploiting a bug in the IA32 system call emulation. This affects x86_64 platforms with kernel 2.4.x and 2.6.x before 2.6.22.7 only. (CVE-2007-4573) - An information disclosure vulnerability in the ALSA driver can be exploited by local users to read sensitive data from the kernel memory. (CVE-2007-4571) and the following non security bugs : - patches.xen/xen-blkback-cdrom: CDROM removable media-present attribute plus handling code [#159907] - patches.drivers/libata-add-pata_dma-kernel-parameter: libata: Add a drivers/ide style DMA disable [#229260] [#272786] - patches.drivers/libata-sata_via-kill-SATA_PATA_SHARING: sata_via: kill SATA_PATA_SHARING register handling [#254158] [#309069] - patches.drivers/libata-sata_via-add-PCI-IDs: sata_via: add PCI IDs [#254158] [#326647] - supported.conf: Marked 8250 and 8250_pci as supported (only Xen kernels build them as modules) [#260686] - patches.fixes/bridge-module-get-put.patch: Module use count must be updated as bridges are created/destroyed [#267651] - patches.fixes/iscsi-netware-fix: Linux Initiator hard hangs writing files to NetWare target [#286566] - patches.fixes/lockd-chroot-fix: Allow lockd to work reliably with applications in a chroot [#288376] [#305480] - add patches.fixes/x86_64-hangcheck_timer-fix.patch fix monotonic_clock() and hangcheck_timer [#291633] - patches.arch/sn_hwperf_cpuinfo_fix.diff: Correctly count CPU objects for SGI ia64/sn hwperf interface [#292240] - Extend reiserfs to properly support file systems up to 16 TiB [#294754] - patches.fixes/reiserfs-signedness-fixes.diff: reiserfs: fix usage of signed ints for block numbers - patches.fixes/reiserfs-fix-large-fs.diff: reiserfs: ignore s_bmap_nr on disk for file systems >= 8 TiB - patches.suse/ocfs2-06-per-resource-events.diff: Deliver events without a specified resource unconditionally. [#296606] - patches.fixes/proc-readdir-race-fix.patch: Fix the race in proc_pid_readdir [#297232] - patches.xen/xen3-patch-2.6.16.49-50: XEN: update to Linux 2.6.16.50 [#298719] - patches.fixes/pm-ordering-fix.patch: PM: Fix ACPI suspend / device suspend ordering [#302207] - patches.drivers/ibmvscsi-slave_configure.patch add ->slave_configure() to allow device restart [#304138] - patches.arch/ppc-power6-ebus-unique_location.patch Prevent bus_id collisions [#306482] - patches.xen/30-bit-field-booleans.patch: Fix packet loss in DomU xen netback driver [#306896] - config/i386/kdump: Enable ahci module [#308556] - update patches.drivers/ppc-power6-ehea.patch fix link state detection for bonding [#309553] - patches.drivers/ibmveth-fixup-pool_deactivate.patch patches.drivers/ibmveth-large-frames.patch patches.drivers/ibmveth-large-mtu.patch: fix serveral crashes when changing ibmveth sysfs values [#326164] - patches.drivers/libata-sata_sil24-fix-IRQ-clearing-race- on-I RQ_WOC: sata_sil24: fix IRQ clearing race when PCIX_IRQ_WOC is used [#327536] - update patches.drivers/ibmvscsis.patch set blocksize to PAGE_CACHE_SIZE to fix flood of bio allocation warnings/failures [#328219] last seen 2020-06-01 modified 2020-06-02 plugin id 59124 published 2012-05-17 reporter This script is Copyright (C) 2012-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/59124 title SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 4472) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The text description of this plugin is (C) Novell, Inc. # if (NASL_LEVEL < 3000) exit(0); include("compat.inc"); if (description) { script_id(59124); script_version("1.3"); script_cvs_date("Date: 2019/10/25 13:36:30"); script_cve_id("CVE-2007-4571", "CVE-2007-4573"); script_name(english:"SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 4472)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote SuSE 10 host is missing a security-related patch." ); script_set_attribute( attribute:"description", value: "This kernel update fixes the following security problems : - It was possible for local user to become root by exploiting a bug in the IA32 system call emulation. This affects x86_64 platforms with kernel 2.4.x and 2.6.x before 2.6.22.7 only. (CVE-2007-4573) - An information disclosure vulnerability in the ALSA driver can be exploited by local users to read sensitive data from the kernel memory. (CVE-2007-4571) and the following non security bugs : - patches.xen/xen-blkback-cdrom: CDROM removable media-present attribute plus handling code [#159907] - patches.drivers/libata-add-pata_dma-kernel-parameter: libata: Add a drivers/ide style DMA disable [#229260] [#272786] - patches.drivers/libata-sata_via-kill-SATA_PATA_SHARING: sata_via: kill SATA_PATA_SHARING register handling [#254158] [#309069] - patches.drivers/libata-sata_via-add-PCI-IDs: sata_via: add PCI IDs [#254158] [#326647] - supported.conf: Marked 8250 and 8250_pci as supported (only Xen kernels build them as modules) [#260686] - patches.fixes/bridge-module-get-put.patch: Module use count must be updated as bridges are created/destroyed [#267651] - patches.fixes/iscsi-netware-fix: Linux Initiator hard hangs writing files to NetWare target [#286566] - patches.fixes/lockd-chroot-fix: Allow lockd to work reliably with applications in a chroot [#288376] [#305480] - add patches.fixes/x86_64-hangcheck_timer-fix.patch fix monotonic_clock() and hangcheck_timer [#291633] - patches.arch/sn_hwperf_cpuinfo_fix.diff: Correctly count CPU objects for SGI ia64/sn hwperf interface [#292240] - Extend reiserfs to properly support file systems up to 16 TiB [#294754] - patches.fixes/reiserfs-signedness-fixes.diff: reiserfs: fix usage of signed ints for block numbers - patches.fixes/reiserfs-fix-large-fs.diff: reiserfs: ignore s_bmap_nr on disk for file systems >= 8 TiB - patches.suse/ocfs2-06-per-resource-events.diff: Deliver events without a specified resource unconditionally. [#296606] - patches.fixes/proc-readdir-race-fix.patch: Fix the race in proc_pid_readdir [#297232] - patches.xen/xen3-patch-2.6.16.49-50: XEN: update to Linux 2.6.16.50 [#298719] - patches.fixes/pm-ordering-fix.patch: PM: Fix ACPI suspend / device suspend ordering [#302207] - patches.drivers/ibmvscsi-slave_configure.patch add ->slave_configure() to allow device restart [#304138] - patches.arch/ppc-power6-ebus-unique_location.patch Prevent bus_id collisions [#306482] - patches.xen/30-bit-field-booleans.patch: Fix packet loss in DomU xen netback driver [#306896] - config/i386/kdump: Enable ahci module [#308556] - update patches.drivers/ppc-power6-ehea.patch fix link state detection for bonding [#309553] - patches.drivers/ibmveth-fixup-pool_deactivate.patch patches.drivers/ibmveth-large-frames.patch patches.drivers/ibmveth-large-mtu.patch: fix serveral crashes when changing ibmveth sysfs values [#326164] - patches.drivers/libata-sata_sil24-fix-IRQ-clearing-race- on-I RQ_WOC: sata_sil24: fix IRQ clearing race when PCIX_IRQ_WOC is used [#327536] - update patches.drivers/ibmvscsis.patch set blocksize to PAGE_CACHE_SIZE to fix flood of bio allocation warnings/failures [#328219]" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2007-4571.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2007-4573.html" ); script_set_attribute(attribute:"solution", value:"Apply ZYPP patch number 4472."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_cwe_id(264); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux"); script_set_attribute(attribute:"patch_publication_date", value:"2007/10/02"); script_set_attribute(attribute:"plugin_publication_date", value:"2012/05/17"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2012-2019 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled."); if (!get_kb_item("Host/SuSE/release")) exit(0, "The host is not running SuSE."); if (!get_kb_item("Host/SuSE/rpm-list")) exit(1, "Could not obtain the list of installed packages."); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) exit(1, "Failed to determine the architecture type."); if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") exit(1, "Local checks for SuSE 10 on the '"+cpu+"' architecture have not been implemented."); flag = 0; if (rpm_check(release:"SLED10", sp:1, cpu:"x86_64", reference:"kernel-default-2.6.16.53-0.16")) flag++; if (rpm_check(release:"SLED10", sp:1, cpu:"x86_64", reference:"kernel-smp-2.6.16.53-0.16")) flag++; if (rpm_check(release:"SLED10", sp:1, cpu:"x86_64", reference:"kernel-source-2.6.16.53-0.16")) flag++; if (rpm_check(release:"SLED10", sp:1, cpu:"x86_64", reference:"kernel-syms-2.6.16.53-0.16")) flag++; if (rpm_check(release:"SLED10", sp:1, cpu:"x86_64", reference:"kernel-xen-2.6.16.53-0.16")) flag++; if (rpm_check(release:"SLES10", sp:1, cpu:"x86_64", reference:"kernel-debug-2.6.16.53-0.16")) flag++; if (rpm_check(release:"SLES10", sp:1, cpu:"x86_64", reference:"kernel-default-2.6.16.53-0.16")) flag++; if (rpm_check(release:"SLES10", sp:1, cpu:"x86_64", reference:"kernel-kdump-2.6.16.53-0.16")) flag++; if (rpm_check(release:"SLES10", sp:1, cpu:"x86_64", reference:"kernel-smp-2.6.16.53-0.16")) flag++; if (rpm_check(release:"SLES10", sp:1, cpu:"x86_64", reference:"kernel-source-2.6.16.53-0.16")) flag++; if (rpm_check(release:"SLES10", sp:1, cpu:"x86_64", reference:"kernel-syms-2.6.16.53-0.16")) flag++; if (rpm_check(release:"SLES10", sp:1, cpu:"x86_64", reference:"kernel-xen-2.6.16.53-0.16")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else exit(0, "The host is not affected.");NASL family SuSE Local Security Checks NASL id SUSE_KERNEL-4487.NASL description This kernel update fixes the following security problems : - CVE-2007-3105: Stack-based buffer overflow in the random number generator (RNG) implementation in the Linux kernel before 2.6.22 might allow local root users to cause a denial of service or gain privileges by setting the default wake-up threshold to a value greater than the output pool size, which triggers writing random numbers to the stack by the pool transfer function involving last seen 2020-06-01 modified 2020-06-02 plugin id 27298 published 2007-10-17 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/27298 title openSUSE 10 Security Update : kernel (kernel-4487) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update kernel-4487. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(27298); script_version ("1.14"); script_cvs_date("Date: 2019/10/25 13:36:30"); script_cve_id("CVE-2007-2525", "CVE-2007-3105", "CVE-2007-3851", "CVE-2007-4571", "CVE-2007-4573"); script_name(english:"openSUSE 10 Security Update : kernel (kernel-4487)"); script_summary(english:"Check for the kernel-4487 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "This kernel update fixes the following security problems : - CVE-2007-3105: Stack-based buffer overflow in the random number generator (RNG) implementation in the Linux kernel before 2.6.22 might allow local root users to cause a denial of service or gain privileges by setting the default wake-up threshold to a value greater than the output pool size, which triggers writing random numbers to the stack by the pool transfer function involving 'bound check ordering'. Since this value can only be changed by a root user, exploitability is low. - CVE-2007-2525: A memory leak in the PPPoE driver can be abused by local users to cause a denial-of-service condition. - CVE-2007-3851: On machines with a Intel i965 based graphics card local users with access to the direct rendering devicenode could overwrite memory on the machine and so gain root privileges. - CVE-2007-4573: It was possible for local user to become root by exploitable a bug in the IA32 system call emulation. This affects x86_64 platforms with kernel 2.4.x and 2.6.x before 2.6.22.7 only. - CVE-2007-4571: An information disclosure vulnerability in the ALSA driver can be exploited by local users to read sensitive data from the kernel memory. and the following non security bugs : - patches.arch/x86-fam10-mtrr: mtrr: fix size_or_mask and size_and_mask [#237736] - patches.fixes/usb_nokia6233_fix1.patch: usb: rndis_host: fix crash while probing a Nokia S60 mobile [#244459] - patches.fixes/usb_nokia6233_fix2.patch: usbnet: init fault (oops) cleanup, whitespace fixes [#244459] - patches.fixes/usb_nokia6233_fix2.patch: usb: unusual_devs.h entry for Nokia 6233 [#244459] - patches.fixes/bt_broadcom_reset.diff: quirky Broadcom device [#257303] - patches.arch/i386-compat-vdso: i386: allow debuggers to access the vsyscall page with compat vDSO [#258433] - - patches.fixes/anycast6-unbalanced-inet6_dev-refcnt.patch : Fix netdevice reference leak when reading from /proc/net/anycast6 [#285336] - - patches.drivers/scsi-throttle-SG_DXFER_TO_FROM_DEV-warni ng-b etter: SCSI: throttle SG_DXFER_TO_FROM_DEV warning message better [#290117] - - patches.fixes/nf_conntrack_h323-out-of-bounds-index.diff : nf_conntrack_h323: add checking of out-of-range on choices' index values [#290611] - patches.fixes/ppc-fpu-corruption-fix.diff: ppc: fix corruption of fpu [#290622] - - patches.fixes/ppp-fix-osize-too-small-errors-when-decodi ng-m ppe.diff: ppp: Fix osize too small errors when decoding mppe [#291102] - patches.fixes/hugetlbfs-stack-grows-fix.patch: Don't allow the stack to grow into hugetlb reserved regions [#294021] - patches.fixes/pwc_dos.patch: fix a disconnect method waiting for user space to close a file. A malicious user can stall khubd indefinitely long [#302063] [#302194] - patches.suse/kdb.add-unwind-info-to-kdb_call: Add unwind info to kdb_call() to fix build of KDB kernel on i386 [#305209] - Updated config files: enable KDB for kernel-debug on i386. [#305209]" ); script_set_attribute( attribute:"solution", value:"Update the affected kernel packages." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_cwe_id(119, 264, 399); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-bigsmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-default"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-kdump"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-source"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-syms"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-xen"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-xenpae"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.2"); script_set_attribute(attribute:"patch_publication_date", value:"2007/10/03"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/10/17"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE10\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "10.2", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE10.2", reference:"kernel-bigsmp-2.6.18.8-0.7") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"kernel-default-2.6.18.8-0.7") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"kernel-kdump-2.6.18.8-0.7") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"kernel-source-2.6.18.8-0.7") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"kernel-syms-2.6.18.8-0.7") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"kernel-xen-2.6.18.8-0.7") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"kernel-xenpae-2.6.18.8-0.7") ) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel-bigsmp / kernel-default / kernel-kdump / kernel-source / etc"); }NASL family SuSE Local Security Checks NASL id SUSE_KERNEL-4471.NASL description This kernel update fixes the following security problems : - It was possible for local user to become root by exploiting a bug in the IA32 system call emulation. This affects x86_64 platforms with kernel 2.4.x and 2.6.x before 2.6.22.7 only. (CVE-2007-4573) - An information disclosure vulnerability in the ALSA driver can be exploited by local users to read sensitive data from the kernel memory. (CVE-2007-4571) and the following non security bugs : - patches.xen/xen-blkback-cdrom: CDROM removable media-present attribute plus handling code [#159907] - patches.drivers/libata-add-pata_dma-kernel-parameter: libata: Add a drivers/ide style DMA disable [#229260] [#272786] - patches.drivers/libata-sata_via-kill-SATA_PATA_SHARING: sata_via: kill SATA_PATA_SHARING register handling [#254158] [#309069] - patches.drivers/libata-sata_via-add-PCI-IDs: sata_via: add PCI IDs [#254158] [#326647] - supported.conf: Marked 8250 and 8250_pci as supported (only Xen kernels build them as modules) [#260686] - patches.fixes/bridge-module-get-put.patch: Module use count must be updated as bridges are created/destroyed [#267651] - patches.fixes/iscsi-netware-fix: Linux Initiator hard hangs writing files to NetWare target [#286566] - patches.fixes/lockd-chroot-fix: Allow lockd to work reliably with applications in a chroot [#288376] [#305480] - add patches.fixes/x86_64-hangcheck_timer-fix.patch fix monotonic_clock() and hangcheck_timer [#291633] - patches.arch/sn_hwperf_cpuinfo_fix.diff: Correctly count CPU objects for SGI ia64/sn hwperf interface [#292240] - Extend reiserfs to properly support file systems up to 16 TiB [#294754] - patches.fixes/reiserfs-signedness-fixes.diff: reiserfs: fix usage of signed ints for block numbers - patches.fixes/reiserfs-fix-large-fs.diff: reiserfs: ignore s_bmap_nr on disk for file systems >= 8 TiB - patches.suse/ocfs2-06-per-resource-events.diff: Deliver events without a specified resource unconditionally. [#296606] - patches.fixes/proc-readdir-race-fix.patch: Fix the race in proc_pid_readdir [#297232] - patches.xen/xen3-patch-2.6.16.49-50: XEN: update to Linux 2.6.16.50 [#298719] - patches.fixes/pm-ordering-fix.patch: PM: Fix ACPI suspend / device suspend ordering [#302207] - patches.drivers/ibmvscsi-slave_configure.patch add ->slave_configure() to allow device restart [#304138] - patches.arch/ppc-power6-ebus-unique_location.patch Prevent bus_id collisions [#306482] - patches.xen/30-bit-field-booleans.patch: Fix packet loss in DomU xen netback driver [#306896] - config/i386/kdump: Enable ahci module [#308556] - update patches.drivers/ppc-power6-ehea.patch fix link state detection for bonding [#309553] - patches.drivers/ibmveth-fixup-pool_deactivate.patch patches.drivers/ibmveth-large-frames.patch patches.drivers/ibmveth-large-mtu.patch: fix serveral crashes when changing ibmveth sysfs values [#326164] - patches.drivers/libata-sata_sil24-fix-IRQ-clearing-race- on-I RQ_WOC: sata_sil24: fix IRQ clearing race when PCIX_IRQ_WOC is used [#327536] - update patches.drivers/ibmvscsis.patch set blocksize to PAGE_CACHE_SIZE to fix flood of bio allocation warnings/failures [#328219] Fixes for S/390 : - IBM Patchcluster 17 [#330036] - Problem-ID: 38085 - zfcp: zfcp_scsi_eh_abort_handler or zfcp_scsi_eh_device_reset_handler hanging after CHPID off/on - Problem-ID: 38491 - zfcp: Error messages when LUN 0 is present - Problem-ID: 37390 - zcrypt: fix PCIXCC/CEX2C error recovery [#306056] - Problem-ID: 38500 - kernel: too few page cache pages in state volatile - Problem-ID: 38634 - qeth: crash during reboot after failing online setting - Problem-ID: 38927 - kernel: shared memory may not be volatile - Problem-ID: 39069 - cio: Disable channel path measurements on shutdown/reboot - Problem-ID: 27787 - qeth: recognize last seen 2020-06-01 modified 2020-06-02 plugin id 29488 published 2007-12-13 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/29488 title SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 4471) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The text description of this plugin is (C) Novell, Inc. # if (NASL_LEVEL < 3000) exit(0); include("compat.inc"); if (description) { script_id(29488); script_version ("1.17"); script_cvs_date("Date: 2019/10/25 13:36:30"); script_cve_id("CVE-2007-4571", "CVE-2007-4573"); script_name(english:"SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 4471)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote SuSE 10 host is missing a security-related patch." ); script_set_attribute( attribute:"description", value: "This kernel update fixes the following security problems : - It was possible for local user to become root by exploiting a bug in the IA32 system call emulation. This affects x86_64 platforms with kernel 2.4.x and 2.6.x before 2.6.22.7 only. (CVE-2007-4573) - An information disclosure vulnerability in the ALSA driver can be exploited by local users to read sensitive data from the kernel memory. (CVE-2007-4571) and the following non security bugs : - patches.xen/xen-blkback-cdrom: CDROM removable media-present attribute plus handling code [#159907] - patches.drivers/libata-add-pata_dma-kernel-parameter: libata: Add a drivers/ide style DMA disable [#229260] [#272786] - patches.drivers/libata-sata_via-kill-SATA_PATA_SHARING: sata_via: kill SATA_PATA_SHARING register handling [#254158] [#309069] - patches.drivers/libata-sata_via-add-PCI-IDs: sata_via: add PCI IDs [#254158] [#326647] - supported.conf: Marked 8250 and 8250_pci as supported (only Xen kernels build them as modules) [#260686] - patches.fixes/bridge-module-get-put.patch: Module use count must be updated as bridges are created/destroyed [#267651] - patches.fixes/iscsi-netware-fix: Linux Initiator hard hangs writing files to NetWare target [#286566] - patches.fixes/lockd-chroot-fix: Allow lockd to work reliably with applications in a chroot [#288376] [#305480] - add patches.fixes/x86_64-hangcheck_timer-fix.patch fix monotonic_clock() and hangcheck_timer [#291633] - patches.arch/sn_hwperf_cpuinfo_fix.diff: Correctly count CPU objects for SGI ia64/sn hwperf interface [#292240] - Extend reiserfs to properly support file systems up to 16 TiB [#294754] - patches.fixes/reiserfs-signedness-fixes.diff: reiserfs: fix usage of signed ints for block numbers - patches.fixes/reiserfs-fix-large-fs.diff: reiserfs: ignore s_bmap_nr on disk for file systems >= 8 TiB - patches.suse/ocfs2-06-per-resource-events.diff: Deliver events without a specified resource unconditionally. [#296606] - patches.fixes/proc-readdir-race-fix.patch: Fix the race in proc_pid_readdir [#297232] - patches.xen/xen3-patch-2.6.16.49-50: XEN: update to Linux 2.6.16.50 [#298719] - patches.fixes/pm-ordering-fix.patch: PM: Fix ACPI suspend / device suspend ordering [#302207] - patches.drivers/ibmvscsi-slave_configure.patch add ->slave_configure() to allow device restart [#304138] - patches.arch/ppc-power6-ebus-unique_location.patch Prevent bus_id collisions [#306482] - patches.xen/30-bit-field-booleans.patch: Fix packet loss in DomU xen netback driver [#306896] - config/i386/kdump: Enable ahci module [#308556] - update patches.drivers/ppc-power6-ehea.patch fix link state detection for bonding [#309553] - patches.drivers/ibmveth-fixup-pool_deactivate.patch patches.drivers/ibmveth-large-frames.patch patches.drivers/ibmveth-large-mtu.patch: fix serveral crashes when changing ibmveth sysfs values [#326164] - patches.drivers/libata-sata_sil24-fix-IRQ-clearing-race- on-I RQ_WOC: sata_sil24: fix IRQ clearing race when PCIX_IRQ_WOC is used [#327536] - update patches.drivers/ibmvscsis.patch set blocksize to PAGE_CACHE_SIZE to fix flood of bio allocation warnings/failures [#328219] Fixes for S/390 : - IBM Patchcluster 17 [#330036] - Problem-ID: 38085 - zfcp: zfcp_scsi_eh_abort_handler or zfcp_scsi_eh_device_reset_handler hanging after CHPID off/on - Problem-ID: 38491 - zfcp: Error messages when LUN 0 is present - Problem-ID: 37390 - zcrypt: fix PCIXCC/CEX2C error recovery [#306056] - Problem-ID: 38500 - kernel: too few page cache pages in state volatile - Problem-ID: 38634 - qeth: crash during reboot after failing online setting - Problem-ID: 38927 - kernel: shared memory may not be volatile - Problem-ID: 39069 - cio: Disable channel path measurements on shutdown/reboot - Problem-ID: 27787 - qeth: recognize 'exclusively used'-RC from Hydra3 - Problem-ID: 38330 - qeth: make qeth driver loadable without ipv6 module For further description of the named Problem-IDs, please look to http://www-128.ibm.com/developerworks/linux/linux390/oct ober 2005_recommended.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2007-4571.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2007-4573.html" ); script_set_attribute(attribute:"solution", value:"Apply ZYPP patch number 4471."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_cwe_id(264); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux"); script_set_attribute(attribute:"patch_publication_date", value:"2007/10/02"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/12/13"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled."); if (!get_kb_item("Host/SuSE/release")) exit(0, "The host is not running SuSE."); if (!get_kb_item("Host/SuSE/rpm-list")) exit(1, "Could not obtain the list of installed packages."); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) exit(1, "Failed to determine the architecture type."); if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") exit(1, "Local checks for SuSE 10 on the '"+cpu+"' architecture have not been implemented."); flag = 0; if (rpm_check(release:"SLED10", sp:1, cpu:"i586", reference:"kernel-bigsmp-2.6.16.53-0.16")) flag++; if (rpm_check(release:"SLED10", sp:1, cpu:"i586", reference:"kernel-default-2.6.16.53-0.16")) flag++; if (rpm_check(release:"SLED10", sp:1, cpu:"i586", reference:"kernel-smp-2.6.16.53-0.16")) flag++; if (rpm_check(release:"SLED10", sp:1, cpu:"i586", reference:"kernel-source-2.6.16.53-0.16")) flag++; if (rpm_check(release:"SLED10", sp:1, cpu:"i586", reference:"kernel-syms-2.6.16.53-0.16")) flag++; if (rpm_check(release:"SLED10", sp:1, cpu:"i586", reference:"kernel-xen-2.6.16.53-0.16")) flag++; if (rpm_check(release:"SLED10", sp:1, cpu:"i586", reference:"kernel-xenpae-2.6.16.53-0.16")) flag++; if (rpm_check(release:"SLES10", sp:1, cpu:"i586", reference:"kernel-bigsmp-2.6.16.53-0.16")) flag++; if (rpm_check(release:"SLES10", sp:1, cpu:"i586", reference:"kernel-debug-2.6.16.53-0.16")) flag++; if (rpm_check(release:"SLES10", sp:1, cpu:"i586", reference:"kernel-default-2.6.16.53-0.16")) flag++; if (rpm_check(release:"SLES10", sp:1, cpu:"i586", reference:"kernel-kdump-2.6.16.53-0.16")) flag++; if (rpm_check(release:"SLES10", sp:1, cpu:"i586", reference:"kernel-smp-2.6.16.53-0.16")) flag++; if (rpm_check(release:"SLES10", sp:1, cpu:"i586", reference:"kernel-source-2.6.16.53-0.16")) flag++; if (rpm_check(release:"SLES10", sp:1, cpu:"i586", reference:"kernel-syms-2.6.16.53-0.16")) flag++; if (rpm_check(release:"SLES10", sp:1, cpu:"i586", reference:"kernel-xen-2.6.16.53-0.16")) flag++; if (rpm_check(release:"SLES10", sp:1, cpu:"i586", reference:"kernel-xenpae-2.6.16.53-0.16")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else exit(0, "The host is not affected.");NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2007-0993.NASL description Updated kernel packages that fix various security issues in the Red Hat Enterprise Linux 5 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the following security issues : A memory leak was found in the Red Hat Content Accelerator kernel patch. A local user could use this flaw to cause a denial of service (memory exhaustion). (CVE-2007-5494, Important) A flaw was found in the handling of IEEE 802.11 frames affecting several wireless LAN modules. In certain circumstances, a remote attacker could trigger this flaw by sending a malicious packet over a wireless network and cause a denial of service (kernel crash). (CVE-2007-4997, Important). A flaw was found in the Advanced Linux Sound Architecture (ALSA). A local user who had the ability to read the /proc/driver/snd-page-alloc file could see portions of kernel memory. (CVE-2007-4571, Moderate). In addition to the security issues described above, several bug fixes preventing possible memory corruption, system crashes, SCSI I/O fails, networking drivers performance regression and journaling block device layer issue were also included. Red Hat Enterprise Linux 5 users are advised to upgrade to these packages, which contain backported patches to resolve these issues. Red Hat would like to credit Vasily Averin, Chris Evans, and Neil Kettle for reporting the security issues corrected by this update. last seen 2020-06-01 modified 2020-06-02 plugin id 28363 published 2007-11-30 reporter This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/28363 title RHEL 5 : kernel (RHSA-2007:0993) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2007:0993. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(28363); script_version ("1.25"); script_cvs_date("Date: 2019/10/25 13:36:12"); script_cve_id("CVE-2007-4571", "CVE-2007-4997", "CVE-2007-5494"); script_bugtraq_id(25807, 26337); script_xref(name:"RHSA", value:"2007:0993"); script_name(english:"RHEL 5 : kernel (RHSA-2007:0993)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated kernel packages that fix various security issues in the Red Hat Enterprise Linux 5 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the following security issues : A memory leak was found in the Red Hat Content Accelerator kernel patch. A local user could use this flaw to cause a denial of service (memory exhaustion). (CVE-2007-5494, Important) A flaw was found in the handling of IEEE 802.11 frames affecting several wireless LAN modules. In certain circumstances, a remote attacker could trigger this flaw by sending a malicious packet over a wireless network and cause a denial of service (kernel crash). (CVE-2007-4997, Important). A flaw was found in the Advanced Linux Sound Architecture (ALSA). A local user who had the ability to read the /proc/driver/snd-page-alloc file could see portions of kernel memory. (CVE-2007-4571, Moderate). In addition to the security issues described above, several bug fixes preventing possible memory corruption, system crashes, SCSI I/O fails, networking drivers performance regression and journaling block device layer issue were also included. Red Hat Enterprise Linux 5 users are advised to upgrade to these packages, which contain backported patches to resolve these issues. Red Hat would like to credit Vasily Averin, Chris Evans, and Neil Kettle for reporting the security issues corrected by this update." ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2007-4571" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2007-4997" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2007-5494" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2007:0993" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_cwe_id(189, 399); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-PAE"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-PAE-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debug"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-doc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-headers"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-xen"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-xen-devel"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5.1"); script_set_attribute(attribute:"vuln_publication_date", value:"2007/09/26"); script_set_attribute(attribute:"patch_publication_date", value:"2007/11/29"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/11/30"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); include("ksplice.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 5.x", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); if (get_one_kb_item("Host/ksplice/kernel-cves")) { rm_kb_item(name:"Host/uptrack-uname-r"); cve_list = make_list("CVE-2007-4571", "CVE-2007-4997", "CVE-2007-5494"); if (ksplice_cves_check(cve_list)) { audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for RHSA-2007:0993"); } else { __rpm_report = ksplice_reporting_text(); } } yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2007:0993"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (rpm_check(release:"RHEL5", cpu:"i686", reference:"kernel-2.6.18-53.1.4.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"kernel-2.6.18-53.1.4.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"kernel-2.6.18-53.1.4.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"i686", reference:"kernel-PAE-2.6.18-53.1.4.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"i686", reference:"kernel-PAE-devel-2.6.18-53.1.4.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"i686", reference:"kernel-debug-2.6.18-53.1.4.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"kernel-debug-2.6.18-53.1.4.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"kernel-debug-2.6.18-53.1.4.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"i686", reference:"kernel-debug-devel-2.6.18-53.1.4.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"kernel-debug-devel-2.6.18-53.1.4.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"kernel-debug-devel-2.6.18-53.1.4.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"i686", reference:"kernel-devel-2.6.18-53.1.4.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"kernel-devel-2.6.18-53.1.4.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"kernel-devel-2.6.18-53.1.4.el5")) flag++; if (rpm_check(release:"RHEL5", reference:"kernel-doc-2.6.18-53.1.4.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"i386", reference:"kernel-headers-2.6.18-53.1.4.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"kernel-headers-2.6.18-53.1.4.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"kernel-headers-2.6.18-53.1.4.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"i686", reference:"kernel-xen-2.6.18-53.1.4.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"kernel-xen-2.6.18-53.1.4.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"i686", reference:"kernel-xen-devel-2.6.18-53.1.4.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"kernel-xen-devel-2.6.18-53.1.4.el5")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-PAE / kernel-PAE-devel / kernel-debug / etc"); } }NASL family SuSE Local Security Checks NASL id SUSE_KERNEL-4503.NASL description This kernel update fixes the following security problems : - CVE-2007-4571: An information disclosure vulnerability in the ALSA driver can be exploited by local users to read sensitive data from the kernel memory. - CVE-2007-4573: It was possible for local user to become root by exploitable a bug in the IA32 system call emulation. This affects x86_64 platforms with kernel 2.4.x and 2.6.x before 2.6.22.7 only. and the following non security bugs : - supported.conf: Mark 8250 and 8250_pci as supported (only Xen kernels build them as modules) [#260686] - patches.fixes/bridge-module-get-put.patch: Module use count must be updated as bridges are created/destroyed [#267651] - patches.fixes/nfsv4-MAXNAME-fix.diff: knfsd: query filesystem for NFSv4 getattr of FATTR4_MAXNAME [#271803] - patches.fixes/sky2-tx-sum-resume.patch: sky2: fix transmit state on resume [#297132] [#326376] - patches.suse/reiserfs-add-reiserfs_error.diff: patches.suse/reiserfs-use-reiserfs_error.diff: patches.suse/reiserfs-buffer-info-for-balance.diff: Fix reiserfs_error() with NULL superblock calls [#299604] - patches.fixes/acpi_disable_C_states_in_suspend.patch: ACPI: disable lower idle C-states across suspend/resume [#302482] - kernel-syms.rpm: move the copies of the Modules.alias files from /lib/modules/... to /usr/src/linux-obj/... to avoid a file conflict between kernel-syms and other kernel-$flavor packages. The Modules.alias files in kernel-syms.rpm are intended for future use - [#307291] - patches.fixes/jffs2-fix-ACL-vs-mode-handling: Fix ACL vs. mode handling. [#310520] - patches.drivers/libata-sata_sil24-fix-IRQ-clearing-race-on-I RQ_WOC: sata_sil24: fix IRQ clearing race when PCIX_IRQ_WOC is used [#327536] - Update config files: Enabled CONFIG_DVB_PLUTO2 for i386 since it last seen 2020-06-01 modified 2020-06-02 plugin id 27299 published 2007-10-17 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/27299 title openSUSE 10 Security Update : kernel (kernel-4503) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update kernel-4503. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(27299); script_version ("1.11"); script_cvs_date("Date: 2019/10/25 13:36:30"); script_cve_id("CVE-2007-4571", "CVE-2007-4573"); script_name(english:"openSUSE 10 Security Update : kernel (kernel-4503)"); script_summary(english:"Check for the kernel-4503 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "This kernel update fixes the following security problems : - CVE-2007-4571: An information disclosure vulnerability in the ALSA driver can be exploited by local users to read sensitive data from the kernel memory. - CVE-2007-4573: It was possible for local user to become root by exploitable a bug in the IA32 system call emulation. This affects x86_64 platforms with kernel 2.4.x and 2.6.x before 2.6.22.7 only. and the following non security bugs : - supported.conf: Mark 8250 and 8250_pci as supported (only Xen kernels build them as modules) [#260686] - patches.fixes/bridge-module-get-put.patch: Module use count must be updated as bridges are created/destroyed [#267651] - patches.fixes/nfsv4-MAXNAME-fix.diff: knfsd: query filesystem for NFSv4 getattr of FATTR4_MAXNAME [#271803] - patches.fixes/sky2-tx-sum-resume.patch: sky2: fix transmit state on resume [#297132] [#326376] - patches.suse/reiserfs-add-reiserfs_error.diff: patches.suse/reiserfs-use-reiserfs_error.diff: patches.suse/reiserfs-buffer-info-for-balance.diff: Fix reiserfs_error() with NULL superblock calls [#299604] - patches.fixes/acpi_disable_C_states_in_suspend.patch: ACPI: disable lower idle C-states across suspend/resume [#302482] - kernel-syms.rpm: move the copies of the Modules.alias files from /lib/modules/... to /usr/src/linux-obj/... to avoid a file conflict between kernel-syms and other kernel-$flavor packages. The Modules.alias files in kernel-syms.rpm are intended for future use - [#307291] - patches.fixes/jffs2-fix-ACL-vs-mode-handling: Fix ACL vs. mode handling. [#310520] - patches.drivers/libata-sata_sil24-fix-IRQ-clearing-race-on-I RQ_WOC: sata_sil24: fix IRQ clearing race when PCIX_IRQ_WOC is used [#327536] - Update config files: Enabled CONFIG_DVB_PLUTO2 for i386 since it's enabled everywhere else. [#327790] - patches.drivers/libata-pata_ali-fix-garbage-PCI-rev-value: p ata_ali: fix garbage PCI rev value in ali_init_chipset() [#328422] - patches.apparmor/apparmor-lsm-fix.diff: apparmor_file_mmap function parameters mismatch [#328423] - patches.drivers/libata-HPA-off-by-one-horkage: Fix HPA handling regression [#329584]" ); script_set_attribute( attribute:"solution", value:"Update the affected kernel packages." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_cwe_id(264); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-bigsmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-default"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-source"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-syms"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-xen"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-xenpae"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.3"); script_set_attribute(attribute:"patch_publication_date", value:"2007/10/08"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/10/17"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE10\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "10.3", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE10.3", reference:"kernel-bigsmp-2.6.22.9-0.4") ) flag++; if ( rpm_check(release:"SUSE10.3", reference:"kernel-default-2.6.22.9-0.4") ) flag++; if ( rpm_check(release:"SUSE10.3", reference:"kernel-source-2.6.22.9-0.4") ) flag++; if ( rpm_check(release:"SUSE10.3", reference:"kernel-syms-2.6.22.9-0.4") ) flag++; if ( rpm_check(release:"SUSE10.3", reference:"kernel-xen-2.6.22.9-0.4") ) flag++; if ( rpm_check(release:"SUSE10.3", reference:"kernel-xenpae-2.6.22.9-0.4") ) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel-bigsmp / kernel-default / kernel-source / kernel-syms / etc"); }NASL family Fedora Local Security Checks NASL id FEDORA_2007-714.NASL description Update to Linux 2.6.22.8 and 2.6.22.9: http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.22.8 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.22.9 CVE-2007-4571 The snd_mem_proc_read function in sound/core/memalloc.c in the Advanced Linux Sound Architecture (ALSA) in the Linux kernel before 2.6.22.8 does not return the correct write size, which allows local users to obtain sensitive information (kernel memory contents) via a small count argument, as demonstrated by multiple reads of /proc/driver/snd-page-alloc. Additional fixes: Revert to the old RTC driver (#265721, #284191) Disable NCQ for additional SATA drives. libata pata_sis: DMA fixes (#202291) libata sata_sil24: IRQ clearing race fixes net driver r8169: fix hanging (#252955, #292161) qdisc sfq: fix oops with 2 packet queue (#219895) ACPI: disable processor C-states suring suspend ACPI: silence noisy message Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 26934 published 2007-10-09 reporter This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/26934 title Fedora Core 6 : kernel-2.6.22.9-61.fc6 (2007-714) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2007-714. # include("compat.inc"); if (description) { script_id(26934); script_version ("1.14"); script_cvs_date("Date: 2019/08/02 13:32:26"); script_cve_id("CVE-2007-4571"); script_xref(name:"FEDORA", value:"2007-714"); script_name(english:"Fedora Core 6 : kernel-2.6.22.9-61.fc6 (2007-714)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora Core host is missing a security update." ); script_set_attribute( attribute:"description", value: "Update to Linux 2.6.22.8 and 2.6.22.9: http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.22.8 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.22.9 CVE-2007-4571 The snd_mem_proc_read function in sound/core/memalloc.c in the Advanced Linux Sound Architecture (ALSA) in the Linux kernel before 2.6.22.8 does not return the correct write size, which allows local users to obtain sensitive information (kernel memory contents) via a small count argument, as demonstrated by multiple reads of /proc/driver/snd-page-alloc. Additional fixes: Revert to the old RTC driver (#265721, #284191) Disable NCQ for additional SATA drives. libata pata_sis: DMA fixes (#202291) libata sata_sil24: IRQ clearing race fixes net driver r8169: fix hanging (#252955, #292161) qdisc sfq: fix oops with 2 packet queue (#219895) ACPI: disable processor C-states suring suspend ACPI: silence noisy message Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); # http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.22.8 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?e313ee37" ); # http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.22.9 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?9f7a5610" ); # https://lists.fedoraproject.org/pipermail/package-announce/2007-October/004053.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?60d2b4d9" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-PAE"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-PAE-debug"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-PAE-debug-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-PAE-debug-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-PAE-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-PAE-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-debug"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-debug-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-debug-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-debuginfo-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-doc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-headers"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora_core:6"); script_set_attribute(attribute:"patch_publication_date", value:"2007/10/08"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/10/09"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 6.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC6", reference:"kernel-2.6.22.9-61.fc6")) flag++; if (rpm_check(release:"FC6", cpu:"i386", reference:"kernel-PAE-2.6.22.9-61.fc6")) flag++; if (rpm_check(release:"FC6", cpu:"i386", reference:"kernel-PAE-debug-2.6.22.9-61.fc6")) flag++; if (rpm_check(release:"FC6", cpu:"i386", reference:"kernel-PAE-debug-debuginfo-2.6.22.9-61.fc6")) flag++; if (rpm_check(release:"FC6", cpu:"i386", reference:"kernel-PAE-debug-devel-2.6.22.9-61.fc6")) flag++; if (rpm_check(release:"FC6", cpu:"i386", reference:"kernel-PAE-debuginfo-2.6.22.9-61.fc6")) flag++; if (rpm_check(release:"FC6", cpu:"i386", reference:"kernel-PAE-devel-2.6.22.9-61.fc6")) flag++; if (rpm_check(release:"FC6", reference:"kernel-debug-2.6.22.9-61.fc6")) flag++; if (rpm_check(release:"FC6", reference:"kernel-debug-debuginfo-2.6.22.9-61.fc6")) flag++; if (rpm_check(release:"FC6", reference:"kernel-debug-devel-2.6.22.9-61.fc6")) flag++; if (rpm_check(release:"FC6", reference:"kernel-debuginfo-2.6.22.9-61.fc6")) flag++; if (rpm_check(release:"FC6", reference:"kernel-debuginfo-common-2.6.22.9-61.fc6")) flag++; if (rpm_check(release:"FC6", reference:"kernel-devel-2.6.22.9-61.fc6")) flag++; if (rpm_check(release:"FC6", reference:"kernel-doc-2.6.22.9-61.fc6")) flag++; if (rpm_check(release:"FC6", reference:"kernel-headers-2.6.22.9-61.fc6")) flag++; if (flag) { if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get()); else security_note(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-PAE / kernel-PAE-debug / kernel-PAE-debug-debuginfo / etc"); }NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2007-0939.NASL description Updated kernel packages that fix various security issues in the Red Hat Enterprise Linux 4 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel is the core of the operating system. These updated kernel packages contain fixes for the following security issues : * A flaw was found in the handling of process death signals. This allowed a local user to send arbitrary signals to the suid-process executed by that user. A successful exploitation of this flaw depends on the structure of the suid-program and its signal handling. (CVE-2007-3848, Important) * A flaw was found in the CIFS file system. This could cause the umask values of a process to not be honored on CIFS file systems where UNIX extensions are supported. (CVE-2007-3740, Important) * A flaw was found in the VFAT compat ioctl handling on 64-bit systems. This allowed a local user to corrupt a kernel_dirent struct and cause a denial of service. (CVE-2007-2878, Important) * A flaw was found in the Advanced Linux Sound Architecture (ALSA). A local user who had the ability to read the /proc/driver/snd-page-alloc file could see portions of kernel memory. (CVE-2007-4571, Moderate) * A flaw was found in the aacraid SCSI driver. This allowed a local user to make ioctl calls to the driver that should be restricted to privileged users. (CVE-2007-4308, Moderate) * A flaw was found in the stack expansion when using the hugetlb kernel on PowerPC systems. This allowed a local user to cause a denial of service. (CVE-2007-3739, Moderate) * A flaw was found in the handling of zombie processes. A local user could create processes that would not be properly reaped which could lead to a denial of service. (CVE-2006-6921, Moderate) * A flaw was found in the CIFS file system handling. The mount option last seen 2020-06-01 modified 2020-06-02 plugin id 37953 published 2009-04-23 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/37953 title CentOS 4 : kernel (CESA-2007:0939) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2007-0993.NASL description From Red Hat Security Advisory 2007:0993 : Updated kernel packages that fix various security issues in the Red Hat Enterprise Linux 5 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the following security issues : A memory leak was found in the Red Hat Content Accelerator kernel patch. A local user could use this flaw to cause a denial of service (memory exhaustion). (CVE-2007-5494, Important) A flaw was found in the handling of IEEE 802.11 frames affecting several wireless LAN modules. In certain circumstances, a remote attacker could trigger this flaw by sending a malicious packet over a wireless network and cause a denial of service (kernel crash). (CVE-2007-4997, Important). A flaw was found in the Advanced Linux Sound Architecture (ALSA). A local user who had the ability to read the /proc/driver/snd-page-alloc file could see portions of kernel memory. (CVE-2007-4571, Moderate). In addition to the security issues described above, several bug fixes preventing possible memory corruption, system crashes, SCSI I/O fails, networking drivers performance regression and journaling block device layer issue were also included. Red Hat Enterprise Linux 5 users are advised to upgrade to these packages, which contain backported patches to resolve these issues. Red Hat would like to credit Vasily Averin, Chris Evans, and Neil Kettle for reporting the security issues corrected by this update. last seen 2020-06-01 modified 2020-06-02 plugin id 67595 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/67595 title Oracle Linux 5 : kernel (ELSA-2007-0993) NASL family Scientific Linux Local Security Checks NASL id SL_20071129_KERNEL_ON_SL5_X.NASL description These new kernel packages contain fixes for the following security issues : A memory leak was found in the Red Hat Content Accelerator kernel patch. A local user could use this flaw to cause a denial of service (memory exhaustion). (CVE-2007-5494, Important) A flaw was found in the handling of IEEE 802.11 frames affecting several wireless LAN modules. In certain circumstances, a remote attacker could trigger this flaw by sending a malicious packet over a wireless network and cause a denial of service (kernel crash). (CVE-2007-4997, Important). A flaw was found in the Advanced Linux Sound Architecture (ALSA). A local user who had the ability to read the /proc/driver/snd-page-alloc file could see portions of kernel memory. (CVE-2007-4571, Moderate). In addition to the security issues described above, several bug fixes preventing possible memory corruption, system crashes, SCSI I/O fails, networking drivers performance regression and journaling block device layer issue were also included. last seen 2020-06-01 modified 2020-06-02 plugin id 60318 published 2012-08-01 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/60318 title Scientific Linux Security Update : kernel on SL5.x i386/x86_64 NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2007-0939.NASL description From Red Hat Security Advisory 2007:0939 : Updated kernel packages that fix various security issues in the Red Hat Enterprise Linux 4 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel is the core of the operating system. These updated kernel packages contain fixes for the following security issues : * A flaw was found in the handling of process death signals. This allowed a local user to send arbitrary signals to the suid-process executed by that user. A successful exploitation of this flaw depends on the structure of the suid-program and its signal handling. (CVE-2007-3848, Important) * A flaw was found in the CIFS file system. This could cause the umask values of a process to not be honored on CIFS file systems where UNIX extensions are supported. (CVE-2007-3740, Important) * A flaw was found in the VFAT compat ioctl handling on 64-bit systems. This allowed a local user to corrupt a kernel_dirent struct and cause a denial of service. (CVE-2007-2878, Important) * A flaw was found in the Advanced Linux Sound Architecture (ALSA). A local user who had the ability to read the /proc/driver/snd-page-alloc file could see portions of kernel memory. (CVE-2007-4571, Moderate) * A flaw was found in the aacraid SCSI driver. This allowed a local user to make ioctl calls to the driver that should be restricted to privileged users. (CVE-2007-4308, Moderate) * A flaw was found in the stack expansion when using the hugetlb kernel on PowerPC systems. This allowed a local user to cause a denial of service. (CVE-2007-3739, Moderate) * A flaw was found in the handling of zombie processes. A local user could create processes that would not be properly reaped which could lead to a denial of service. (CVE-2006-6921, Moderate) * A flaw was found in the CIFS file system handling. The mount option last seen 2020-06-01 modified 2020-06-02 plugin id 67580 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/67580 title Oracle Linux 4 : kernel (ELSA-2007-0939) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-618-1.NASL description It was discovered that the ALSA /proc interface did not write the correct number of bytes when reporting memory allocations. A local attacker might be able to access sensitive kernel memory, leading to a loss of privacy. (CVE-2007-4571) Multiple buffer overflows were discovered in the handling of CIFS filesystems. A malicious CIFS server could cause a client system crash or possibly execute arbitrary code with kernel privileges. (CVE-2007-5904) It was discovered that PowerPC kernels did not correctly handle reporting certain system details. By requesting a specific set of information, a local attacker could cause a system crash resulting in a denial of service. (CVE-2007-6694) It was discovered that some device driver fault handlers did not correctly verify memory ranges. A local attacker could exploit this to access sensitive kernel memory, possibly leading to a loss of privacy. (CVE-2008-0007) It was discovered that CPU resource limits could be bypassed. A malicious local user could exploit this to avoid administratively imposed resource limits. (CVE-2008-1294) A race condition was discovered between dnotify fcntl() and close() in the kernel. If a local attacker performed malicious dnotify requests, they could cause memory consumption leading to a denial of service, or possibly send arbitrary signals to any process. (CVE-2008-1375) On SMP systems, a race condition existed in fcntl(). Local attackers could perform malicious locks, causing system crashes and leading to a denial of service. (CVE-2008-1669). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 33255 published 2008-06-24 reporter Ubuntu Security Notice (C) 2008-2019 Canonical, Inc. / NASL script (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/33255 title Ubuntu 6.06 LTS / 7.04 / 7.10 : linux-source-2.6.15/20/22 vulnerabilities (USN-618-1) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1479.NASL description Several local vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2007-2878 Bart Oldeman reported a denial of service (DoS) issue in the VFAT filesystem that allows local users to corrupt a kernel structure resulting in a system crash. This is only an issue for systems which make use of the VFAT compat ioctl interface, such as systems running an last seen 2020-06-01 modified 2020-06-02 plugin id 30126 published 2008-01-30 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/30126 title Debian DSA-1479-1 : linux-2.6 - several vulnerabilities NASL family SuSE Local Security Checks NASL id SUSE_KERNEL-4473.NASL description This kernel update fixes the following security problems : - CVE-2007-4573: It was possible for local user to become root by exploiting a bug in the IA32 system call emulation. This affects x86_64 platforms with kernel 2.4.x and 2.6.x before 2.6.22.7 only. - CVE-2007-4571: An information disclosure vulnerability in the ALSA driver can be exploited by local users to read sensitive data from the kernel memory. Furthermore, this kernel catches up to the SLE 10 state of the kernel, with numerous additional fixes. last seen 2020-06-01 modified 2020-06-02 plugin id 27297 published 2007-10-17 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/27297 title openSUSE 10 Security Update : kernel (kernel-4473) NASL family Fedora Local Security Checks NASL id FEDORA_2007-2349.NASL description Update to Linux 2.6.22.8 and 2.6.22.9: http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.22.8 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.22.9 CVE-2007-4571 The snd_mem_proc_read function in sound/core/memalloc.c in the Advanced Linux Sound Architecture (ALSA) in the Linux kernel before 2.6.22.8 does not return the correct write size, which allows local users to obtain sensitive information (kernel memory contents) via a small count argument, as demonstrated by multiple reads of /proc/driver/snd-page-alloc. Additional fixes: Revert to the old RTC driver (#265721, #284191) Disable NCQ for additional SATA drives. libata pata_sis: DMA fixes (#247768) libata sata_sil24: IRQ clearing race fixes net driver r8169: fix hanging (#252955, #292161) qdisc sfq: fix oops with 2 packet queue (#219895) ACPI: disable processor C-states suring suspend ACPI: silence noisy message Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 27768 published 2007-11-06 reporter This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/27768 title Fedora 7 : kernel-2.6.22.9-91.fc7 (2007-2349) NASL family Scientific Linux Local Security Checks NASL id SL_20071101_KERNEL_ON_SL4_X.NASL description - A flaw was found in the handling of process death signals. This allowed a local user to send arbitrary signals to the suid-process executed by that user. A successful exploitation of this flaw depends on the structure of the suid-program and its signal handling. (CVE-2007-3848, Important) - A flaw was found in the CIFS file system. This could cause the umask values of a process to not be honored on CIFS file systems where UNIX extensions are supported. (CVE-2007-3740, Important) - A flaw was found in the VFAT compat ioctl handling on 64-bit systems. This allowed a local user to corrupt a kernel_dirent struct and cause a denial of service. (CVE-2007-2878, Important) - A flaw was found in the Advanced Linux Sound Architecture (ALSA). A local user who had the ability to read the /proc/driver/snd-page-alloc file could see portions of kernel memory. (CVE-2007-4571, Moderate) - A flaw was found in the aacraid SCSI driver. This allowed a local user to make ioctl calls to the driver that should be restricted to privileged users. (CVE-2007-4308, Moderate) - A flaw was found in the stack expansion when using the hugetlb kernel on PowerPC systems. This allowed a local user to cause a denial of service. (CVE-2007-3739, Moderate) - A flaw was found in the handling of zombie processes. A local user could create processes that would not be properly reaped which could lead to a denial of service. (CVE-2006-6921, Moderate) - A flaw was found in the CIFS file system handling. The mount option last seen 2020-06-01 modified 2020-06-02 plugin id 60280 published 2012-08-01 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/60280 title Scientific Linux Security Update : kernel on SL4.x i386/x86_64 NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1505.NASL description Takashi Iwai supplied a fix for a memory leak in the snd_page_alloc module. Local users could exploit this issue to obtain sensitive information from the kernel (CVE-2007-4571 ). last seen 2020-06-01 modified 2020-06-02 plugin id 31149 published 2008-02-25 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/31149 title Debian DSA-1505-1 : alsa-driver - kernel memory leak NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2007-0939.NASL description Updated kernel packages that fix various security issues in the Red Hat Enterprise Linux 4 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel is the core of the operating system. These updated kernel packages contain fixes for the following security issues : * A flaw was found in the handling of process death signals. This allowed a local user to send arbitrary signals to the suid-process executed by that user. A successful exploitation of this flaw depends on the structure of the suid-program and its signal handling. (CVE-2007-3848, Important) * A flaw was found in the CIFS file system. This could cause the umask values of a process to not be honored on CIFS file systems where UNIX extensions are supported. (CVE-2007-3740, Important) * A flaw was found in the VFAT compat ioctl handling on 64-bit systems. This allowed a local user to corrupt a kernel_dirent struct and cause a denial of service. (CVE-2007-2878, Important) * A flaw was found in the Advanced Linux Sound Architecture (ALSA). A local user who had the ability to read the /proc/driver/snd-page-alloc file could see portions of kernel memory. (CVE-2007-4571, Moderate) * A flaw was found in the aacraid SCSI driver. This allowed a local user to make ioctl calls to the driver that should be restricted to privileged users. (CVE-2007-4308, Moderate) * A flaw was found in the stack expansion when using the hugetlb kernel on PowerPC systems. This allowed a local user to cause a denial of service. (CVE-2007-3739, Moderate) * A flaw was found in the handling of zombie processes. A local user could create processes that would not be properly reaped which could lead to a denial of service. (CVE-2006-6921, Moderate) * A flaw was found in the CIFS file system handling. The mount option last seen 2020-06-01 modified 2020-06-02 plugin id 27616 published 2007-11-02 reporter This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/27616 title RHEL 4 : kernel (RHSA-2007:0939)
Oval
| accepted | 2013-04-29T04:18:10.641-04:00 | ||||||||||||||||||||||||
| class | vulnerability | ||||||||||||||||||||||||
| contributors |
| ||||||||||||||||||||||||
| definition_extensions |
| ||||||||||||||||||||||||
| description | The snd_mem_proc_read function in sound/core/memalloc.c in the Advanced Linux Sound Architecture (ALSA) in the Linux kernel before 2.6.22.8 does not return the correct write size, which allows local users to obtain sensitive information (kernel memory contents) via a small count argument, as demonstrated by multiple reads of /proc/driver/snd-page-alloc. | ||||||||||||||||||||||||
| family | unix | ||||||||||||||||||||||||
| id | oval:org.mitre.oval:def:9053 | ||||||||||||||||||||||||
| status | accepted | ||||||||||||||||||||||||
| submitted | 2010-07-09T03:56:16-04:00 | ||||||||||||||||||||||||
| title | The snd_mem_proc_read function in sound/core/memalloc.c in the Advanced Linux Sound Architecture (ALSA) in the Linux kernel before 2.6.22.8 does not return the correct write size, which allows local users to obtain sensitive information (kernel memory contents) via a small count argument, as demonstrated by multiple reads of /proc/driver/snd-page-alloc. | ||||||||||||||||||||||||
| version | 27 |
Redhat
| advisories |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| rpms |
|
Seebug
bulletinFamily exploit description No description provided by source. id SSV:83980 last seen 2017-11-19 modified 2014-07-01 published 2014-07-01 reporter Root source https://www.seebug.org/vuldb/ssvid-83980 title Linux Kernel 2.6.x ALSA snd-page-alloc Local Proc File Information Disclosure Vulnerability bulletinFamily exploit description BUGTRAQ ID: 25807 CVE(CAN) ID: CVE-2007-4571 Linux Kernel是开放源码操作系统Linux所使用的内核。 Linux系统的ALSA声卡驱动实现上存在漏洞,本地攻击者可能利用此漏洞获取内核内存中的敏感信息。 Linux Kernel在处理多个/proc/driver/snd-page-alloc文件的读操作时存在安全漏洞,sound/core/memalloc.c文件中如下定义了读操作的系统调用snd_mem_proc_read: 484 static int snd_mem_proc_read(char *page, char **start, off_t off, 485 int count, int *eof, void *data) 486 { 487 int len = 0; ... 494 len += snprintf(page + len, count - len, 495 "pages : %li bytes (%li pages per %likB)\n", 496 pages * PAGE_SIZE, pages, PAGE_SIZE / 1024); ... 508 return len; 509 } 在494行调用了snprintf以生成proc文件系统项的输出,如果提供了计数值1,snprintf就会仅向目标缓冲区写入单个字节,但如果有足够空间的话,函数就会返回应写入的字节数。没有设置过*eof值,也没有使用过*ppos值。 fs/proc/generic.c文件中定义了从proc_file_read调用的这个函数: 51 static ssize_t 52 proc_file_read(struct file *file, char __user *buf, size_t nbytes, 53 loff_t *ppos) 54 { ... 136 n = dp->read_proc(page, &start, *ppos, 137 count, &eof, dp->data); ... 155 n -= *ppos; 156 if (n <= 0) 157 break; 158 if (n > count) 159 n = count; 160 start = page + *ppos; ... 186 n -= copy_to_user(buf, start < page ? page : start, n); ... 193 *ppos += start < page ? (unsigned long)start : n; 在136行从对snd_proc_mem_read函数的调用返回了值n。由于返回值(在单个设备的情况下大约为41)大于所请求的读大小(1),在158行n值被设置为count,之后*ppos递增,从start(计算为page + *ppos)将n字节拷贝到了用户域。 在之后的用户域读操作中,如果*ppos大于0的话,proc_file_read函数就会拷贝过snd_mem_proc_read写入的页面,导致泄露内核内存。 Linux kernel < 2.6.22.8 临时解决方法: * 卸载snd_page_alloc模块 * 修改/etc/fstab中的加载参数限制对/proc文件系统的访问 厂商补丁: Linux ----- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href="http://kernel.org/pub/linux/kernel/v2.6/linux-2.6.22.8.tar.bz2" target="_blank">http://kernel.org/pub/linux/kernel/v2.6/linux-2.6.22.8.tar.bz2</a> id SSV:2251 last seen 2017-11-19 modified 2007-09-27 published 2007-09-27 reporter Root title Linux Kernel ALSA驱动snd-page-alloc本地Proc文件信息泄露漏洞
Statements
| contributor | Mark J Cox |
| lastmodified | 2007-10-18 |
| organization | Red Hat |
| statement | This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1 or 3. |
References
- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=600
- http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.22.8
- https://issues.rpath.com/browse/RPL-1761
- http://support.avaya.com/elmodocs2/security/ASA-2007-474.htm
- https://www.redhat.com/archives/fedora-package-announce/2007-September/msg00436.html
- https://www.redhat.com/archives/fedora-package-announce/2007-October/msg00083.html
- http://www.redhat.com/support/errata/RHSA-2007-0939.html
- http://www.redhat.com/support/errata/RHSA-2007-0993.html
- http://www.novell.com/linux/security/advisories/2007_53_kernel.html
- http://www.securityfocus.com/bid/25807
- http://www.securitytracker.com/id?1018734
- http://secunia.com/advisories/26918
- http://secunia.com/advisories/26989
- http://secunia.com/advisories/26980
- http://secunia.com/advisories/27101
- http://secunia.com/advisories/27436
- http://secunia.com/advisories/27227
- http://secunia.com/advisories/27747
- http://secunia.com/advisories/27824
- http://www.debian.org/security/2008/dsa-1479
- http://secunia.com/advisories/28626
- http://www.debian.org/security/2008/dsa-1505
- http://secunia.com/advisories/29054
- http://secunia.com/advisories/30769
- http://www.ubuntu.com/usn/usn-618-1
- http://www.vupen.com/english/advisories/2007/3272
- https://exchange.xforce.ibmcloud.com/vulnerabilities/36780
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9053
- http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=ccec6e2c4a74adf76ed4e2478091a311b1806212