Vulnerabilities > CVE-2007-4573 - Permissions, Privileges, and Access Controls vulnerability in Linux Kernel
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
The IA32 system call emulation functionality in Linux kernel 2.4.x and 2.6.x before 2.6.22.7, when running on the x86_64 architecture, does not zero extend the eax register after the 32bit entry path to ptrace is used, which might allow local users to gain privileges by triggering an out-of-bounds access to the system call table using the %RAX register.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| OS | 1 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Accessing, Modifying or Executing Executable Files An attack of this type exploits a system's configuration that allows an attacker to either directly access an executable file, for example through shell access; or in a possible worst case allows an attacker to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
- Leverage Executable Code in Non-Executable Files An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
- Blue Boxing This type of attack against older telephone switches and trunks has been around for decades. A tone is sent by an adversary to impersonate a supervisor signal which has the effect of rerouting or usurping command of the line. While the US infrastructure proper may not contain widespread vulnerabilities to this type of attack, many companies are connected globally through call centers and business process outsourcing. These international systems may be operated in countries which have not upgraded Telco infrastructure and so are vulnerable to Blue boxing. Blue boxing is a result of failure on the part of the system to enforce strong authorization for administrative functions. While the infrastructure is different than standard current applications like web applications, there are historical lessons to be learned to upgrade the access control for administrative functions.
- Restful Privilege Elevation Rest uses standard HTTP (Get, Put, Delete) style permissions methods, but these are not necessarily correlated generally with back end programs. Strict interpretation of HTTP get methods means that these HTTP Get services should not be used to delete information on the server, but there is no access control mechanism to back up this logic. This means that unless the services are properly ACL'd and the application's service implementation are following these guidelines then an HTTP request can easily execute a delete or update on the server side. The attacker identifies a HTTP Get URL such as http://victimsite/updateOrder, which calls out to a program to update orders on a database or other resource. The URL is not idempotent so the request can be submitted multiple times by the attacker, additionally, the attacker may be able to exploit the URL published as a Get method that actually performs updates (instead of merely retrieving data). This may result in malicious or inadvertent altering of data on the server.
- Target Programs with Elevated Privileges This attack targets programs running with elevated privileges. The attacker would try to leverage a bug in the running program and get arbitrary code to execute with elevated privileges. For instance an attacker would look for programs that write to the system directories or registry keys (such as HKLM, which stores a number of critical Windows environment variables). These programs are typically running with elevated privileges and have usually not been designed with security in mind. Such programs are excellent exploit targets because they yield lots of power when they break. The malicious user try to execute its code at the same level as a privileged system call.
Exploit-Db
| description | Linux Kernel 2.6.x Ptrace Local Privilege Escalation Vulnerability. CVE-2007-4573. Local exploit for linux platform |
| id | EDB-ID:30604 |
| last seen | 2016-02-03 |
| modified | 2007-09-21 |
| published | 2007-09-21 |
| reporter | Wojciech Purczynski |
| source | https://www.exploit-db.com/download/30604/ |
| title | Linux Kernel 2.6.x - Ptrace Local Privilege Escalation Vulnerability |
Nessus
NASL family SuSE Local Security Checks NASL id SUSE_KERNEL-4472.NASL description This kernel update fixes the following security problems : - It was possible for local user to become root by exploiting a bug in the IA32 system call emulation. This affects x86_64 platforms with kernel 2.4.x and 2.6.x before 2.6.22.7 only. (CVE-2007-4573) - An information disclosure vulnerability in the ALSA driver can be exploited by local users to read sensitive data from the kernel memory. (CVE-2007-4571) and the following non security bugs : - patches.xen/xen-blkback-cdrom: CDROM removable media-present attribute plus handling code [#159907] - patches.drivers/libata-add-pata_dma-kernel-parameter: libata: Add a drivers/ide style DMA disable [#229260] [#272786] - patches.drivers/libata-sata_via-kill-SATA_PATA_SHARING: sata_via: kill SATA_PATA_SHARING register handling [#254158] [#309069] - patches.drivers/libata-sata_via-add-PCI-IDs: sata_via: add PCI IDs [#254158] [#326647] - supported.conf: Marked 8250 and 8250_pci as supported (only Xen kernels build them as modules) [#260686] - patches.fixes/bridge-module-get-put.patch: Module use count must be updated as bridges are created/destroyed [#267651] - patches.fixes/iscsi-netware-fix: Linux Initiator hard hangs writing files to NetWare target [#286566] - patches.fixes/lockd-chroot-fix: Allow lockd to work reliably with applications in a chroot [#288376] [#305480] - add patches.fixes/x86_64-hangcheck_timer-fix.patch fix monotonic_clock() and hangcheck_timer [#291633] - patches.arch/sn_hwperf_cpuinfo_fix.diff: Correctly count CPU objects for SGI ia64/sn hwperf interface [#292240] - Extend reiserfs to properly support file systems up to 16 TiB [#294754] - patches.fixes/reiserfs-signedness-fixes.diff: reiserfs: fix usage of signed ints for block numbers - patches.fixes/reiserfs-fix-large-fs.diff: reiserfs: ignore s_bmap_nr on disk for file systems >= 8 TiB - patches.suse/ocfs2-06-per-resource-events.diff: Deliver events without a specified resource unconditionally. [#296606] - patches.fixes/proc-readdir-race-fix.patch: Fix the race in proc_pid_readdir [#297232] - patches.xen/xen3-patch-2.6.16.49-50: XEN: update to Linux 2.6.16.50 [#298719] - patches.fixes/pm-ordering-fix.patch: PM: Fix ACPI suspend / device suspend ordering [#302207] - patches.drivers/ibmvscsi-slave_configure.patch add ->slave_configure() to allow device restart [#304138] - patches.arch/ppc-power6-ebus-unique_location.patch Prevent bus_id collisions [#306482] - patches.xen/30-bit-field-booleans.patch: Fix packet loss in DomU xen netback driver [#306896] - config/i386/kdump: Enable ahci module [#308556] - update patches.drivers/ppc-power6-ehea.patch fix link state detection for bonding [#309553] - patches.drivers/ibmveth-fixup-pool_deactivate.patch patches.drivers/ibmveth-large-frames.patch patches.drivers/ibmveth-large-mtu.patch: fix serveral crashes when changing ibmveth sysfs values [#326164] - patches.drivers/libata-sata_sil24-fix-IRQ-clearing-race- on-I RQ_WOC: sata_sil24: fix IRQ clearing race when PCIX_IRQ_WOC is used [#327536] - update patches.drivers/ibmvscsis.patch set blocksize to PAGE_CACHE_SIZE to fix flood of bio allocation warnings/failures [#328219] last seen 2020-06-01 modified 2020-06-02 plugin id 59124 published 2012-05-17 reporter This script is Copyright (C) 2012-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/59124 title SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 4472) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The text description of this plugin is (C) Novell, Inc. # if (NASL_LEVEL < 3000) exit(0); include("compat.inc"); if (description) { script_id(59124); script_version("1.3"); script_cvs_date("Date: 2019/10/25 13:36:30"); script_cve_id("CVE-2007-4571", "CVE-2007-4573"); script_name(english:"SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 4472)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote SuSE 10 host is missing a security-related patch." ); script_set_attribute( attribute:"description", value: "This kernel update fixes the following security problems : - It was possible for local user to become root by exploiting a bug in the IA32 system call emulation. This affects x86_64 platforms with kernel 2.4.x and 2.6.x before 2.6.22.7 only. (CVE-2007-4573) - An information disclosure vulnerability in the ALSA driver can be exploited by local users to read sensitive data from the kernel memory. (CVE-2007-4571) and the following non security bugs : - patches.xen/xen-blkback-cdrom: CDROM removable media-present attribute plus handling code [#159907] - patches.drivers/libata-add-pata_dma-kernel-parameter: libata: Add a drivers/ide style DMA disable [#229260] [#272786] - patches.drivers/libata-sata_via-kill-SATA_PATA_SHARING: sata_via: kill SATA_PATA_SHARING register handling [#254158] [#309069] - patches.drivers/libata-sata_via-add-PCI-IDs: sata_via: add PCI IDs [#254158] [#326647] - supported.conf: Marked 8250 and 8250_pci as supported (only Xen kernels build them as modules) [#260686] - patches.fixes/bridge-module-get-put.patch: Module use count must be updated as bridges are created/destroyed [#267651] - patches.fixes/iscsi-netware-fix: Linux Initiator hard hangs writing files to NetWare target [#286566] - patches.fixes/lockd-chroot-fix: Allow lockd to work reliably with applications in a chroot [#288376] [#305480] - add patches.fixes/x86_64-hangcheck_timer-fix.patch fix monotonic_clock() and hangcheck_timer [#291633] - patches.arch/sn_hwperf_cpuinfo_fix.diff: Correctly count CPU objects for SGI ia64/sn hwperf interface [#292240] - Extend reiserfs to properly support file systems up to 16 TiB [#294754] - patches.fixes/reiserfs-signedness-fixes.diff: reiserfs: fix usage of signed ints for block numbers - patches.fixes/reiserfs-fix-large-fs.diff: reiserfs: ignore s_bmap_nr on disk for file systems >= 8 TiB - patches.suse/ocfs2-06-per-resource-events.diff: Deliver events without a specified resource unconditionally. [#296606] - patches.fixes/proc-readdir-race-fix.patch: Fix the race in proc_pid_readdir [#297232] - patches.xen/xen3-patch-2.6.16.49-50: XEN: update to Linux 2.6.16.50 [#298719] - patches.fixes/pm-ordering-fix.patch: PM: Fix ACPI suspend / device suspend ordering [#302207] - patches.drivers/ibmvscsi-slave_configure.patch add ->slave_configure() to allow device restart [#304138] - patches.arch/ppc-power6-ebus-unique_location.patch Prevent bus_id collisions [#306482] - patches.xen/30-bit-field-booleans.patch: Fix packet loss in DomU xen netback driver [#306896] - config/i386/kdump: Enable ahci module [#308556] - update patches.drivers/ppc-power6-ehea.patch fix link state detection for bonding [#309553] - patches.drivers/ibmveth-fixup-pool_deactivate.patch patches.drivers/ibmveth-large-frames.patch patches.drivers/ibmveth-large-mtu.patch: fix serveral crashes when changing ibmveth sysfs values [#326164] - patches.drivers/libata-sata_sil24-fix-IRQ-clearing-race- on-I RQ_WOC: sata_sil24: fix IRQ clearing race when PCIX_IRQ_WOC is used [#327536] - update patches.drivers/ibmvscsis.patch set blocksize to PAGE_CACHE_SIZE to fix flood of bio allocation warnings/failures [#328219]" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2007-4571.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2007-4573.html" ); script_set_attribute(attribute:"solution", value:"Apply ZYPP patch number 4472."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_cwe_id(264); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux"); script_set_attribute(attribute:"patch_publication_date", value:"2007/10/02"); script_set_attribute(attribute:"plugin_publication_date", value:"2012/05/17"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2012-2019 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled."); if (!get_kb_item("Host/SuSE/release")) exit(0, "The host is not running SuSE."); if (!get_kb_item("Host/SuSE/rpm-list")) exit(1, "Could not obtain the list of installed packages."); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) exit(1, "Failed to determine the architecture type."); if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") exit(1, "Local checks for SuSE 10 on the '"+cpu+"' architecture have not been implemented."); flag = 0; if (rpm_check(release:"SLED10", sp:1, cpu:"x86_64", reference:"kernel-default-2.6.16.53-0.16")) flag++; if (rpm_check(release:"SLED10", sp:1, cpu:"x86_64", reference:"kernel-smp-2.6.16.53-0.16")) flag++; if (rpm_check(release:"SLED10", sp:1, cpu:"x86_64", reference:"kernel-source-2.6.16.53-0.16")) flag++; if (rpm_check(release:"SLED10", sp:1, cpu:"x86_64", reference:"kernel-syms-2.6.16.53-0.16")) flag++; if (rpm_check(release:"SLED10", sp:1, cpu:"x86_64", reference:"kernel-xen-2.6.16.53-0.16")) flag++; if (rpm_check(release:"SLES10", sp:1, cpu:"x86_64", reference:"kernel-debug-2.6.16.53-0.16")) flag++; if (rpm_check(release:"SLES10", sp:1, cpu:"x86_64", reference:"kernel-default-2.6.16.53-0.16")) flag++; if (rpm_check(release:"SLES10", sp:1, cpu:"x86_64", reference:"kernel-kdump-2.6.16.53-0.16")) flag++; if (rpm_check(release:"SLES10", sp:1, cpu:"x86_64", reference:"kernel-smp-2.6.16.53-0.16")) flag++; if (rpm_check(release:"SLES10", sp:1, cpu:"x86_64", reference:"kernel-source-2.6.16.53-0.16")) flag++; if (rpm_check(release:"SLES10", sp:1, cpu:"x86_64", reference:"kernel-syms-2.6.16.53-0.16")) flag++; if (rpm_check(release:"SLES10", sp:1, cpu:"x86_64", reference:"kernel-xen-2.6.16.53-0.16")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else exit(0, "The host is not affected.");NASL family SuSE Local Security Checks NASL id SUSE_KERNEL-4487.NASL description This kernel update fixes the following security problems : - CVE-2007-3105: Stack-based buffer overflow in the random number generator (RNG) implementation in the Linux kernel before 2.6.22 might allow local root users to cause a denial of service or gain privileges by setting the default wake-up threshold to a value greater than the output pool size, which triggers writing random numbers to the stack by the pool transfer function involving last seen 2020-06-01 modified 2020-06-02 plugin id 27298 published 2007-10-17 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/27298 title openSUSE 10 Security Update : kernel (kernel-4487) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update kernel-4487. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(27298); script_version ("1.14"); script_cvs_date("Date: 2019/10/25 13:36:30"); script_cve_id("CVE-2007-2525", "CVE-2007-3105", "CVE-2007-3851", "CVE-2007-4571", "CVE-2007-4573"); script_name(english:"openSUSE 10 Security Update : kernel (kernel-4487)"); script_summary(english:"Check for the kernel-4487 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "This kernel update fixes the following security problems : - CVE-2007-3105: Stack-based buffer overflow in the random number generator (RNG) implementation in the Linux kernel before 2.6.22 might allow local root users to cause a denial of service or gain privileges by setting the default wake-up threshold to a value greater than the output pool size, which triggers writing random numbers to the stack by the pool transfer function involving 'bound check ordering'. Since this value can only be changed by a root user, exploitability is low. - CVE-2007-2525: A memory leak in the PPPoE driver can be abused by local users to cause a denial-of-service condition. - CVE-2007-3851: On machines with a Intel i965 based graphics card local users with access to the direct rendering devicenode could overwrite memory on the machine and so gain root privileges. - CVE-2007-4573: It was possible for local user to become root by exploitable a bug in the IA32 system call emulation. This affects x86_64 platforms with kernel 2.4.x and 2.6.x before 2.6.22.7 only. - CVE-2007-4571: An information disclosure vulnerability in the ALSA driver can be exploited by local users to read sensitive data from the kernel memory. and the following non security bugs : - patches.arch/x86-fam10-mtrr: mtrr: fix size_or_mask and size_and_mask [#237736] - patches.fixes/usb_nokia6233_fix1.patch: usb: rndis_host: fix crash while probing a Nokia S60 mobile [#244459] - patches.fixes/usb_nokia6233_fix2.patch: usbnet: init fault (oops) cleanup, whitespace fixes [#244459] - patches.fixes/usb_nokia6233_fix2.patch: usb: unusual_devs.h entry for Nokia 6233 [#244459] - patches.fixes/bt_broadcom_reset.diff: quirky Broadcom device [#257303] - patches.arch/i386-compat-vdso: i386: allow debuggers to access the vsyscall page with compat vDSO [#258433] - - patches.fixes/anycast6-unbalanced-inet6_dev-refcnt.patch : Fix netdevice reference leak when reading from /proc/net/anycast6 [#285336] - - patches.drivers/scsi-throttle-SG_DXFER_TO_FROM_DEV-warni ng-b etter: SCSI: throttle SG_DXFER_TO_FROM_DEV warning message better [#290117] - - patches.fixes/nf_conntrack_h323-out-of-bounds-index.diff : nf_conntrack_h323: add checking of out-of-range on choices' index values [#290611] - patches.fixes/ppc-fpu-corruption-fix.diff: ppc: fix corruption of fpu [#290622] - - patches.fixes/ppp-fix-osize-too-small-errors-when-decodi ng-m ppe.diff: ppp: Fix osize too small errors when decoding mppe [#291102] - patches.fixes/hugetlbfs-stack-grows-fix.patch: Don't allow the stack to grow into hugetlb reserved regions [#294021] - patches.fixes/pwc_dos.patch: fix a disconnect method waiting for user space to close a file. A malicious user can stall khubd indefinitely long [#302063] [#302194] - patches.suse/kdb.add-unwind-info-to-kdb_call: Add unwind info to kdb_call() to fix build of KDB kernel on i386 [#305209] - Updated config files: enable KDB for kernel-debug on i386. [#305209]" ); script_set_attribute( attribute:"solution", value:"Update the affected kernel packages." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_cwe_id(119, 264, 399); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-bigsmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-default"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-kdump"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-source"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-syms"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-xen"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-xenpae"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.2"); script_set_attribute(attribute:"patch_publication_date", value:"2007/10/03"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/10/17"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE10\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "10.2", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE10.2", reference:"kernel-bigsmp-2.6.18.8-0.7") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"kernel-default-2.6.18.8-0.7") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"kernel-kdump-2.6.18.8-0.7") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"kernel-source-2.6.18.8-0.7") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"kernel-syms-2.6.18.8-0.7") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"kernel-xen-2.6.18.8-0.7") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"kernel-xenpae-2.6.18.8-0.7") ) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel-bigsmp / kernel-default / kernel-kdump / kernel-source / etc"); }NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2007-0937.NASL description Updated kernel packages that fix a security issue in the Red Hat Enterprise Linux 4 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. A flaw was found in the IA32 system call emulation provided on AMD64 and Intel 64 platforms. An improperly validated 64-bit value could be stored in the %RAX register, which could trigger an out-of-bounds system call table access. An untrusted local user could exploit this flaw to run code in the kernel (ie a root privilege escalation). (CVE-2007-4573). Red Hat would like to thank Wojciech Purczynski for reporting this issue. Red Hat Enterprise Linux 4 users are advised to upgrade to these packages, which contain a backported patch to correct this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 26206 published 2007-10-03 reporter This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/26206 title CentOS 4 : kernel (CESA-2007:0937) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2007:0937 and # CentOS Errata and Security Advisory 2007:0937 respectively. # include("compat.inc"); if (description) { script_id(26206); script_version("1.15"); script_cvs_date("Date: 2019/10/25 13:36:03"); script_cve_id("CVE-2007-4573"); script_bugtraq_id(25774); script_xref(name:"RHSA", value:"2007:0937"); script_name(english:"CentOS 4 : kernel (CESA-2007:0937)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote CentOS host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated kernel packages that fix a security issue in the Red Hat Enterprise Linux 4 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. A flaw was found in the IA32 system call emulation provided on AMD64 and Intel 64 platforms. An improperly validated 64-bit value could be stored in the %RAX register, which could trigger an out-of-bounds system call table access. An untrusted local user could exploit this flaw to run code in the kernel (ie a root privilege escalation). (CVE-2007-4573). Red Hat would like to thank Wojciech Purczynski for reporting this issue. Red Hat Enterprise Linux 4 users are advised to upgrade to these packages, which contain a backported patch to correct this issue." ); # https://lists.centos.org/pipermail/centos-announce/2007-September/014251.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?37c7987a" ); # https://lists.centos.org/pipermail/centos-announce/2007-September/014264.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?71eaaf4a" ); # https://lists.centos.org/pipermail/centos-announce/2007-September/014265.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?f6d29f79" ); script_set_attribute( attribute:"solution", value:"Update the affected kernel packages." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_cwe_id(264); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-doc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-hugemem"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-hugemem-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-largesmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-largesmp-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-smp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-smp-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-xenU"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-xenU-devel"); script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:4"); script_set_attribute(attribute:"vuln_publication_date", value:"2007/09/24"); script_set_attribute(attribute:"patch_publication_date", value:"2007/09/28"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/10/03"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"CentOS Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/CentOS/release"); if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS"); os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS"); os_ver = os_ver[1]; if (! preg(pattern:"^4([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 4.x", "CentOS " + os_ver); if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu); flag = 0; if (rpm_check(release:"CentOS-4", reference:"kernel-2.6.9-55.0.9.EL")) flag++; if (rpm_check(release:"CentOS-4", reference:"kernel-devel-2.6.9-55.0.9.EL")) flag++; if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"kernel-doc-2.6.9-55.0.9.EL")) flag++; if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"kernel-doc-2.6.9-55.0.9.EL")) flag++; if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"kernel-hugemem-2.6.9-55.0.9.EL")) flag++; if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"kernel-hugemem-devel-2.6.9-55.0.9.EL")) flag++; if (rpm_check(release:"CentOS-4", cpu:"ia64", reference:"kernel-largesmp-2.6.9-55.0.9.EL")) flag++; if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"kernel-largesmp-2.6.9-55.0.9.EL")) flag++; if (rpm_check(release:"CentOS-4", cpu:"ia64", reference:"kernel-largesmp-devel-2.6.9-55.0.9.EL")) flag++; if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"kernel-largesmp-devel-2.6.9-55.0.9.EL")) flag++; if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"kernel-smp-2.6.9-55.0.9.EL")) flag++; if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"kernel-smp-2.6.9-55.0.9.EL")) flag++; if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"kernel-smp-devel-2.6.9-55.0.9.EL")) flag++; if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"kernel-smp-devel-2.6.9-55.0.9.EL")) flag++; if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"kernel-xenU-2.6.9-55.0.9.EL")) flag++; if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"kernel-xenU-2.6.9-55.0.9.EL")) flag++; if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"kernel-xenU-devel-2.6.9-55.0.9.EL")) flag++; if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"kernel-xenU-devel-2.6.9-55.0.9.EL")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-devel / kernel-doc / kernel-hugemem / etc"); }NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2010-198.NASL description Some vulnerabilities were discovered and corrected in the Linux 2.6 kernel : fs/namei.c in Linux kernel 2.6.18 through 2.6.34 does not always follow NFS automount symlinks, which allows attackers to have an unknown impact, related to LOOKUP_FOLLOW. (CVE-2010-1088) The tc_fill_tclass function in net/sched/sch_api.c in the tc subsystem in the Linux kernel 2.4.x before 2.4.37.6 and 2.6.x before 2.6.31-rc9 does not initialize certain (1) tcm__pad1 and (2) tcm__pad2 structure members, which might allow local users to obtain sensitive information from kernel memory via unspecified vectors. (CVE-2009-3228) The do_pages_move function in mm/migrate.c in the Linux kernel before 2.6.33-rc7 does not validate node values, which allows local users to read arbitrary kernel memory locations, cause a denial of service (OOPS), and possibly have unspecified other impact by specifying a node that is not part of the kernel node set. (CVE-2010-0415) The ATI Rage 128 (aka r128) driver in the Linux kernel before 2.6.31-git11 does not properly verify Concurrent Command Engine (CCE) state initialization, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly gain privileges via unspecified ioctl calls. (CVE-2009-3620) The wake_futex_pi function in kernel/futex.c in the Linux kernel before 2.6.33-rc7 does not properly handle certain unlock operations for a Priority Inheritance (PI) futex, which allows local users to cause a denial of service (OOPS) and possibly have unspecified other impact via vectors involving modification of the futex value from user space. (CVE-2010-0622) The kvm_arch_vcpu_ioctl_set_sregs function in the KVM in Linux kernel 2.6 before 2.6.30, when running on x86 systems, does not validate the page table root in a KVM_SET_SREGS call, which allows local users to cause a denial of service (crash or hang) via a crafted cr3 value, which triggers a NULL pointer dereference in the gfn_to_rmap function. (CVE-2009-2287) The handle_dr function in arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel before 2.6.31.1 does not properly verify the Current Privilege Level (CPL) before accessing a debug register, which allows guest OS users to cause a denial of service (trap) on the host OS via a crafted application. (CVE-2009-3722) The ext4_decode_error function in fs/ext4/super.c in the ext4 filesystem in the Linux kernel before 2.6.32 allows user-assisted remote attackers to cause a denial of service (NULL pointer dereference), and possibly have unspecified other impact, via a crafted read-only filesystem that lacks a journal. (CVE-2009-4308) The eisa_eeprom_read function in the parisc isa-eeprom component (drivers/parisc/eisa_eeprom.c) in the Linux kernel before 2.6.31-rc6 allows local users to access restricted memory via a negative ppos argument, which bypasses a check that assumes that ppos is positive and causes an out-of-bounds read in the readb function. (CVE-2009-2846) Multiple buffer overflows in fs/nfsd/nfs4xdr.c in the XDR implementation in the NFS server in the Linux kernel before 2.6.34-rc6 allow remote attackers to cause a denial of service (panic) or possibly execute arbitrary code via a crafted NFSv4 compound WRITE request, related to the read_buf and nfsd4_decode_compound functions. (CVE-2010-2521) mm/shmem.c in the Linux kernel before 2.6.28-rc8, when strict overcommit is enabled and CONFIG_SECURITY is disabled, does not properly handle the export of shmemfs objects by knfsd, which allows attackers to cause a denial of service (NULL pointer dereference and knfsd crash) or possibly have unspecified other impact via unknown vectors. NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-1643. (CVE-2008-7256) The release_one_tty function in drivers/char/tty_io.c in the Linux kernel before 2.6.34-rc4 omits certain required calls to the put_pid function, which has unspecified impact and local attack vectors. (CVE-2010-1162) mm/shmem.c in the Linux kernel before 2.6.28-rc3, when strict overcommit is enabled, does not properly handle the export of shmemfs objects by knfsd, which allows attackers to cause a denial of service (NULL pointer dereference and knfsd crash) or possibly have unspecified other impact via unknown vectors. (CVE-2010-1643) The sctp_process_unk_param function in net/sctp/sm_make_chunk.c in the Linux kernel 2.6.33.3 and earlier, when SCTP is enabled, allows remote attackers to cause a denial of service (system crash) via an SCTPChunkInit packet containing multiple invalid parameters that require a large amount of error data. (CVE-2010-1173) The Transparent Inter-Process Communication (TIPC) functionality in Linux kernel 2.6.16-rc1 through 2.6.33, and possibly other versions, allows local users to cause a denial of service (kernel OOPS) by sending datagrams through AF_TIPC before entering network mode, which triggers a NULL pointer dereference. (CVE-2010-1187) The sctp_process_unk_param function in net/sctp/sm_make_chunk.c in the Linux kernel 2.6.33.3 and earlier, when SCTP is enabled, allows remote attackers to cause a denial of service (system crash) via an SCTPChunkInit packet containing multiple invalid parameters that require a large amount of error data. (CVE-2010-1173) fs/cifs/cifssmb.c in the CIFS implementation in the Linux kernel before 2.6.34-rc4 allows remote attackers to cause a denial of service (panic) via an SMB response packet with an invalid CountHigh value, as demonstrated by a response from an OS/2 server, related to the CIFSSMBWrite and CIFSSMBWrite2 functions. (CVE-2010-2248) Buffer overflow in the ecryptfs_uid_hash macro in fs/ecryptfs/messaging.c in the eCryptfs subsystem in the Linux kernel before 2.6.35 might allow local users to gain privileges or cause a denial of service (system crash) via unspecified vectors. (CVE-2010-2492) The xfs_swapext function in fs/xfs/xfs_dfrag.c in the Linux kernel before 2.6.35 does not properly check the file descriptors passed to the SWAPEXT ioctl, which allows local users to leverage write access and obtain read access by swapping one file into another file. (CVE-2010-2226) The gfs2_dirent_find_space function in fs/gfs2/dir.c in the Linux kernel before 2.6.35 uses an incorrect size value in calculations associated with sentinel directory entries, which allows local users to cause a denial of service (NULL pointer dereference and panic) and possibly have unspecified other impact by renaming a file in a GFS2 filesystem, related to the gfs2_rename function in fs/gfs2/ops_inode.c. (CVE-2010-2798) The do_anonymous_page function in mm/memory.c in the Linux kernel before 2.6.27.52, 2.6.32.x before 2.6.32.19, 2.6.34.x before 2.6.34.4, and 2.6.35.x before 2.6.35.2 does not properly separate the stack and the heap, which allows context-dependent attackers to execute arbitrary code by writing to the bottom page of a shared memory segment, as demonstrated by a memory-exhaustion attack against the X.Org X server. (CVE-2010-2240) The drm_ioctl function in drivers/gpu/drm/drm_drv.c in the Direct Rendering Manager (DRM) subsystem in the Linux kernel before 2.6.27.53, 2.6.32.x before 2.6.32.21, 2.6.34.x before 2.6.34.6, and 2.6.35.x before 2.6.35.4 allows local users to obtain potentially sensitive information from kernel memory by requesting a large memory-allocation amount. (CVE-2010-2803) Integer overflow in net/can/bcm.c in the Controller Area Network (CAN) implementation in the Linux kernel before 2.6.27.53, 2.6.32.x before 2.6.32.21, 2.6.34.x before 2.6.34.6, and 2.6.35.x before 2.6.35.4 allows attackers to execute arbitrary code or cause a denial of service (system crash) via crafted CAN traffic. (CVE-2010-2959) Double free vulnerability in the snd_seq_oss_open function in sound/core/seq/oss/seq_oss_init.c in the Linux kernel before 2.6.36-rc4 might allow local users to cause a denial of service or possibly have unspecified other impact via an unsuccessful attempt to open the /dev/sequencer device. (CVE-2010-3080) A vulnerability in Linux kernel caused by insecure allocation of user space memory when translating system call inputs to 64-bit. A stack pointer underflow can occur when using the compat_alloc_user_space method with an arbitrary length input. (CVE-2010-3081) The IA32 system call emulation functionality in arch/x86/ia32/ia32entry.S in the Linux kernel before 2.6.36-rc4-git2 on the x86_64 platform does not zero extend the %eax register after the 32-bit entry path to ptrace is used, which allows local users to gain privileges by triggering an out-of-bounds access to the system call table using the %rax register. NOTE: this vulnerability exists because of a CVE-2007-4573 regression. (CVE-2010-3301) To update your kernel, please follow the directions located at : http://www.mandriva.com/en/security/kernelupdate last seen 2020-06-01 modified 2020-06-02 plugin id 49795 published 2010-10-08 reporter This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/49795 title Mandriva Linux Security Advisory : kernel (MDVSA-2010:198) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2010-188.NASL description Some vulnerabilities were discovered and corrected in the Linux 2.6 kernel : fs/namei.c in Linux kernel 2.6.18 through 2.6.34 does not always follow NFS automount symlinks, which allows attackers to have an unknown impact, related to LOOKUP_FOLLOW. (CVE-2010-1088) The tc_fill_tclass function in net/sched/sch_api.c in the tc subsystem in the Linux kernel 2.4.x before 2.4.37.6 and 2.6.x before 2.6.31-rc9 does not initialize certain (1) tcm__pad1 and (2) tcm__pad2 structure members, which might allow local users to obtain sensitive information from kernel memory via unspecified vectors. (CVE-2009-3228) The do_pages_move function in mm/migrate.c in the Linux kernel before 2.6.33-rc7 does not validate node values, which allows local users to read arbitrary kernel memory locations, cause a denial of service (OOPS), and possibly have unspecified other impact by specifying a node that is not part of the kernel node set. (CVE-2010-0415) The ATI Rage 128 (aka r128) driver in the Linux kernel before 2.6.31-git11 does not properly verify Concurrent Command Engine (CCE) state initialization, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly gain privileges via unspecified ioctl calls. (CVE-2009-3620) The wake_futex_pi function in kernel/futex.c in the Linux kernel before 2.6.33-rc7 does not properly handle certain unlock operations for a Priority Inheritance (PI) futex, which allows local users to cause a denial of service (OOPS) and possibly have unspecified other impact via vectors involving modification of the futex value from user space. (CVE-2010-0622) The kvm_arch_vcpu_ioctl_set_sregs function in the KVM in Linux kernel 2.6 before 2.6.30, when running on x86 systems, does not validate the page table root in a KVM_SET_SREGS call, which allows local users to cause a denial of service (crash or hang) via a crafted cr3 value, which triggers a NULL pointer dereference in the gfn_to_rmap function. (CVE-2009-2287) The handle_dr function in arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel before 2.6.31.1 does not properly verify the Current Privilege Level (CPL) before accessing a debug register, which allows guest OS users to cause a denial of service (trap) on the host OS via a crafted application. (CVE-2009-3722) The ext4_decode_error function in fs/ext4/super.c in the ext4 filesystem in the Linux kernel before 2.6.32 allows user-assisted remote attackers to cause a denial of service (NULL pointer dereference), and possibly have unspecified other impact, via a crafted read-only filesystem that lacks a journal. (CVE-2009-4308) The eisa_eeprom_read function in the parisc isa-eeprom component (drivers/parisc/eisa_eeprom.c) in the Linux kernel before 2.6.31-rc6 allows local users to access restricted memory via a negative ppos argument, which bypasses a check that assumes that ppos is positive and causes an out-of-bounds read in the readb function. (CVE-2009-2846) Multiple buffer overflows in fs/nfsd/nfs4xdr.c in the XDR implementation in the NFS server in the Linux kernel before 2.6.34-rc6 allow remote attackers to cause a denial of service (panic) or possibly execute arbitrary code via a crafted NFSv4 compound WRITE request, related to the read_buf and nfsd4_decode_compound functions. (CVE-2010-2521) mm/shmem.c in the Linux kernel before 2.6.28-rc8, when strict overcommit is enabled and CONFIG_SECURITY is disabled, does not properly handle the export of shmemfs objects by knfsd, which allows attackers to cause a denial of service (NULL pointer dereference and knfsd crash) or possibly have unspecified other impact via unknown vectors. NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-1643. (CVE-2008-7256) The release_one_tty function in drivers/char/tty_io.c in the Linux kernel before 2.6.34-rc4 omits certain required calls to the put_pid function, which has unspecified impact and local attack vectors. (CVE-2010-1162) mm/shmem.c in the Linux kernel before 2.6.28-rc3, when strict overcommit is enabled, does not properly handle the export of shmemfs objects by knfsd, which allows attackers to cause a denial of service (NULL pointer dereference and knfsd crash) or possibly have unspecified other impact via unknown vectors. (CVE-2010-1643) The sctp_process_unk_param function in net/sctp/sm_make_chunk.c in the Linux kernel 2.6.33.3 and earlier, when SCTP is enabled, allows remote attackers to cause a denial of service (system crash) via an SCTPChunkInit packet containing multiple invalid parameters that require a large amount of error data. (CVE-2010-1173) The Transparent Inter-Process Communication (TIPC) functionality in Linux kernel 2.6.16-rc1 through 2.6.33, and possibly other versions, allows local users to cause a denial of service (kernel OOPS) by sending datagrams through AF_TIPC before entering network mode, which triggers a NULL pointer dereference. (CVE-2010-1187) The sctp_process_unk_param function in net/sctp/sm_make_chunk.c in the Linux kernel 2.6.33.3 and earlier, when SCTP is enabled, allows remote attackers to cause a denial of service (system crash) via an SCTPChunkInit packet containing multiple invalid parameters that require a large amount of error data. (CVE-2010-1173) fs/cifs/cifssmb.c in the CIFS implementation in the Linux kernel before 2.6.34-rc4 allows remote attackers to cause a denial of service (panic) via an SMB response packet with an invalid CountHigh value, as demonstrated by a response from an OS/2 server, related to the CIFSSMBWrite and CIFSSMBWrite2 functions. (CVE-2010-2248) Buffer overflow in the ecryptfs_uid_hash macro in fs/ecryptfs/messaging.c in the eCryptfs subsystem in the Linux kernel before 2.6.35 might allow local users to gain privileges or cause a denial of service (system crash) via unspecified vectors. (CVE-2010-2492) The xfs_swapext function in fs/xfs/xfs_dfrag.c in the Linux kernel before 2.6.35 does not properly check the file descriptors passed to the SWAPEXT ioctl, which allows local users to leverage write access and obtain read access by swapping one file into another file. (CVE-2010-2226) The gfs2_dirent_find_space function in fs/gfs2/dir.c in the Linux kernel before 2.6.35 uses an incorrect size value in calculations associated with sentinel directory entries, which allows local users to cause a denial of service (NULL pointer dereference and panic) and possibly have unspecified other impact by renaming a file in a GFS2 filesystem, related to the gfs2_rename function in fs/gfs2/ops_inode.c. (CVE-2010-2798) The do_anonymous_page function in mm/memory.c in the Linux kernel before 2.6.27.52, 2.6.32.x before 2.6.32.19, 2.6.34.x before 2.6.34.4, and 2.6.35.x before 2.6.35.2 does not properly separate the stack and the heap, which allows context-dependent attackers to execute arbitrary code by writing to the bottom page of a shared memory segment, as demonstrated by a memory-exhaustion attack against the X.Org X server. (CVE-2010-2240) The drm_ioctl function in drivers/gpu/drm/drm_drv.c in the Direct Rendering Manager (DRM) subsystem in the Linux kernel before 2.6.27.53, 2.6.32.x before 2.6.32.21, 2.6.34.x before 2.6.34.6, and 2.6.35.x before 2.6.35.4 allows local users to obtain potentially sensitive information from kernel memory by requesting a large memory-allocation amount. (CVE-2010-2803) Integer overflow in net/can/bcm.c in the Controller Area Network (CAN) implementation in the Linux kernel before 2.6.27.53, 2.6.32.x before 2.6.32.21, 2.6.34.x before 2.6.34.6, and 2.6.35.x before 2.6.35.4 allows attackers to execute arbitrary code or cause a denial of service (system crash) via crafted CAN traffic. (CVE-2010-2959) Double free vulnerability in the snd_seq_oss_open function in sound/core/seq/oss/seq_oss_init.c in the Linux kernel before 2.6.36-rc4 might allow local users to cause a denial of service or possibly have unspecified other impact via an unsuccessful attempt to open the /dev/sequencer device. (CVE-2010-3080) A vulnerability in Linux kernel caused by insecure allocation of user space memory when translating system call inputs to 64-bit. A stack pointer underflow can occur when using the compat_alloc_user_space method with an arbitrary length input. (CVE-2010-3081) The IA32 system call emulation functionality in arch/x86/ia32/ia32entry.S in the Linux kernel before 2.6.36-rc4-git2 on the x86_64 platform does not zero extend the %eax register after the 32-bit entry path to ptrace is used, which allows local users to gain privileges by triggering an out-of-bounds access to the system call table using the %rax register. NOTE: this vulnerability exists because of a CVE-2007-4573 regression. (CVE-2010-3301) To update your kernel, please follow the directions located at : http://www.mandriva.com/en/security/kernelupdate last seen 2020-06-01 modified 2020-06-02 plugin id 49666 published 2010-09-24 reporter This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/49666 title Mandriva Linux Security Advisory : kernel (MDVSA-2010:188) NASL family SuSE Local Security Checks NASL id SUSE_KERNEL-4471.NASL description This kernel update fixes the following security problems : - It was possible for local user to become root by exploiting a bug in the IA32 system call emulation. This affects x86_64 platforms with kernel 2.4.x and 2.6.x before 2.6.22.7 only. (CVE-2007-4573) - An information disclosure vulnerability in the ALSA driver can be exploited by local users to read sensitive data from the kernel memory. (CVE-2007-4571) and the following non security bugs : - patches.xen/xen-blkback-cdrom: CDROM removable media-present attribute plus handling code [#159907] - patches.drivers/libata-add-pata_dma-kernel-parameter: libata: Add a drivers/ide style DMA disable [#229260] [#272786] - patches.drivers/libata-sata_via-kill-SATA_PATA_SHARING: sata_via: kill SATA_PATA_SHARING register handling [#254158] [#309069] - patches.drivers/libata-sata_via-add-PCI-IDs: sata_via: add PCI IDs [#254158] [#326647] - supported.conf: Marked 8250 and 8250_pci as supported (only Xen kernels build them as modules) [#260686] - patches.fixes/bridge-module-get-put.patch: Module use count must be updated as bridges are created/destroyed [#267651] - patches.fixes/iscsi-netware-fix: Linux Initiator hard hangs writing files to NetWare target [#286566] - patches.fixes/lockd-chroot-fix: Allow lockd to work reliably with applications in a chroot [#288376] [#305480] - add patches.fixes/x86_64-hangcheck_timer-fix.patch fix monotonic_clock() and hangcheck_timer [#291633] - patches.arch/sn_hwperf_cpuinfo_fix.diff: Correctly count CPU objects for SGI ia64/sn hwperf interface [#292240] - Extend reiserfs to properly support file systems up to 16 TiB [#294754] - patches.fixes/reiserfs-signedness-fixes.diff: reiserfs: fix usage of signed ints for block numbers - patches.fixes/reiserfs-fix-large-fs.diff: reiserfs: ignore s_bmap_nr on disk for file systems >= 8 TiB - patches.suse/ocfs2-06-per-resource-events.diff: Deliver events without a specified resource unconditionally. [#296606] - patches.fixes/proc-readdir-race-fix.patch: Fix the race in proc_pid_readdir [#297232] - patches.xen/xen3-patch-2.6.16.49-50: XEN: update to Linux 2.6.16.50 [#298719] - patches.fixes/pm-ordering-fix.patch: PM: Fix ACPI suspend / device suspend ordering [#302207] - patches.drivers/ibmvscsi-slave_configure.patch add ->slave_configure() to allow device restart [#304138] - patches.arch/ppc-power6-ebus-unique_location.patch Prevent bus_id collisions [#306482] - patches.xen/30-bit-field-booleans.patch: Fix packet loss in DomU xen netback driver [#306896] - config/i386/kdump: Enable ahci module [#308556] - update patches.drivers/ppc-power6-ehea.patch fix link state detection for bonding [#309553] - patches.drivers/ibmveth-fixup-pool_deactivate.patch patches.drivers/ibmveth-large-frames.patch patches.drivers/ibmveth-large-mtu.patch: fix serveral crashes when changing ibmveth sysfs values [#326164] - patches.drivers/libata-sata_sil24-fix-IRQ-clearing-race- on-I RQ_WOC: sata_sil24: fix IRQ clearing race when PCIX_IRQ_WOC is used [#327536] - update patches.drivers/ibmvscsis.patch set blocksize to PAGE_CACHE_SIZE to fix flood of bio allocation warnings/failures [#328219] Fixes for S/390 : - IBM Patchcluster 17 [#330036] - Problem-ID: 38085 - zfcp: zfcp_scsi_eh_abort_handler or zfcp_scsi_eh_device_reset_handler hanging after CHPID off/on - Problem-ID: 38491 - zfcp: Error messages when LUN 0 is present - Problem-ID: 37390 - zcrypt: fix PCIXCC/CEX2C error recovery [#306056] - Problem-ID: 38500 - kernel: too few page cache pages in state volatile - Problem-ID: 38634 - qeth: crash during reboot after failing online setting - Problem-ID: 38927 - kernel: shared memory may not be volatile - Problem-ID: 39069 - cio: Disable channel path measurements on shutdown/reboot - Problem-ID: 27787 - qeth: recognize last seen 2020-06-01 modified 2020-06-02 plugin id 29488 published 2007-12-13 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/29488 title SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 4471) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2010-247.NASL description A vulnerability was discovered and corrected in the Linux 2.6 kernel : The compat_alloc_user_space functions in include/asm/compat.h files in the Linux kernel before 2.6.36-rc4-git2 on 64-bit platforms do not properly allocate the userspace memory required for the 32-bit compatibility layer, which allows local users to gain privileges by leveraging the ability of the compat_mc_getsockopt function (aka the MCAST_MSFILTER getsockopt support) to control a certain length value, related to a stack pointer underflow issue, as exploited in the wild in September 2010. (CVE-2010-3081) The IA32 system call emulation functionality in arch/x86/ia32/ia32entry.S in the Linux kernel before 2.6.36-rc4-git2 on the x86_64 platform does not zero extend the %eax register after the 32-bit entry path to ptrace is used, which allows local users to gain privileges by triggering an out-of-bounds access to the system call table using the %rax register. NOTE: this vulnerability exists because of a CVE-2007-4573 regression. (CVE-2010-3301) Integer overflow in the ext4_ext_get_blocks function in fs/ext4/extents.c in the Linux kernel before 2.6.34 allows local users to cause a denial of service (BUG and system crash) via a write operation on the last block of a large file, followed by a sync operation. (CVE-2010-3015) Additionally, the kernel has been updated to the stable version 2.6.31.14. A timeout bug in bnx2 has been fixed. Muting and unmuting on VT1812/VT2002P now should work correctly. A fix for ACL decoding on NFS was added. Rebooting on Dell Precision WorkStation T7400 was corrected. Read balancing with RAID0 and RAID1 on drives larger then 2TB was also fixed. A more detailed description is available in the package changelog and related tickets. Thanks to Thomas Backlund and Herton Ronaldo Krzesinski for contributions in this update. To update your kernel, please follow the directions located at : http://www.mandriva.com/en/security/kernelupdate last seen 2020-06-01 modified 2020-06-02 plugin id 50981 published 2010-12-06 reporter This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/50981 title Mandriva Linux Security Advisory : kernel (MDVSA-2010:247) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2007-0936.NASL description From Red Hat Security Advisory 2007:0936 : Updated kernel packages that fix a security issue in the Red Hat Enterprise Linux 5 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. A flaw was found in the IA32 system call emulation provided on AMD64 and Intel 64 platforms. An improperly validated 64-bit value could be stored in the %RAX register, which could trigger an out-of-bounds system call table access. An untrusted local user could exploit this flaw to run code in the kernel (ie a root privilege escalation). (CVE-2007-4573). Red Hat would like to thank Wojciech Purczynski for reporting this issue. Red Hat Enterprise Linux 5 users are advised to upgrade to these packages, which contain a backported patch to correct this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 67577 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/67577 title Oracle Linux 5 : kernel (ELSA-2007-0936) NASL family Fedora Local Security Checks NASL id FEDORA_2007-2298.NASL description Update to official Linux 2.6.22.6 (from 2.6.22.6-rc1): http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.22.6 Update to Linux 2.6.22.7: http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.22.7 - libata: add option to disable DMA on PATA devices (libata.pata_dma, see kernel-parameters.txt for details) - libata: fix DMA on ATAPI devices with it821x (#242229) - libata: fix cable detection on pata_via - fix vmware last seen 2020-06-01 modified 2020-06-02 plugin id 27765 published 2007-11-06 reporter This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/27765 title Fedora 7 : kernel-2.6.22.7-85.fc7 (2007-2298) NASL family SuSE Local Security Checks NASL id SUSE_KERNEL-4503.NASL description This kernel update fixes the following security problems : - CVE-2007-4571: An information disclosure vulnerability in the ALSA driver can be exploited by local users to read sensitive data from the kernel memory. - CVE-2007-4573: It was possible for local user to become root by exploitable a bug in the IA32 system call emulation. This affects x86_64 platforms with kernel 2.4.x and 2.6.x before 2.6.22.7 only. and the following non security bugs : - supported.conf: Mark 8250 and 8250_pci as supported (only Xen kernels build them as modules) [#260686] - patches.fixes/bridge-module-get-put.patch: Module use count must be updated as bridges are created/destroyed [#267651] - patches.fixes/nfsv4-MAXNAME-fix.diff: knfsd: query filesystem for NFSv4 getattr of FATTR4_MAXNAME [#271803] - patches.fixes/sky2-tx-sum-resume.patch: sky2: fix transmit state on resume [#297132] [#326376] - patches.suse/reiserfs-add-reiserfs_error.diff: patches.suse/reiserfs-use-reiserfs_error.diff: patches.suse/reiserfs-buffer-info-for-balance.diff: Fix reiserfs_error() with NULL superblock calls [#299604] - patches.fixes/acpi_disable_C_states_in_suspend.patch: ACPI: disable lower idle C-states across suspend/resume [#302482] - kernel-syms.rpm: move the copies of the Modules.alias files from /lib/modules/... to /usr/src/linux-obj/... to avoid a file conflict between kernel-syms and other kernel-$flavor packages. The Modules.alias files in kernel-syms.rpm are intended for future use - [#307291] - patches.fixes/jffs2-fix-ACL-vs-mode-handling: Fix ACL vs. mode handling. [#310520] - patches.drivers/libata-sata_sil24-fix-IRQ-clearing-race-on-I RQ_WOC: sata_sil24: fix IRQ clearing race when PCIX_IRQ_WOC is used [#327536] - Update config files: Enabled CONFIG_DVB_PLUTO2 for i386 since it last seen 2020-06-01 modified 2020-06-02 plugin id 27299 published 2007-10-17 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/27299 title openSUSE 10 Security Update : kernel (kernel-4503) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2007-0937.NASL description Updated kernel packages that fix a security issue in the Red Hat Enterprise Linux 4 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. A flaw was found in the IA32 system call emulation provided on AMD64 and Intel 64 platforms. An improperly validated 64-bit value could be stored in the %RAX register, which could trigger an out-of-bounds system call table access. An untrusted local user could exploit this flaw to run code in the kernel (ie a root privilege escalation). (CVE-2007-4573). Red Hat would like to thank Wojciech Purczynski for reporting this issue. Red Hat Enterprise Linux 4 users are advised to upgrade to these packages, which contain a backported patch to correct this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 26905 published 2007-10-03 reporter This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/26905 title RHEL 4 : kernel (RHSA-2007:0937) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2007-0937.NASL description From Red Hat Security Advisory 2007:0937 : Updated kernel packages that fix a security issue in the Red Hat Enterprise Linux 4 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. A flaw was found in the IA32 system call emulation provided on AMD64 and Intel 64 platforms. An improperly validated 64-bit value could be stored in the %RAX register, which could trigger an out-of-bounds system call table access. An untrusted local user could exploit this flaw to run code in the kernel (ie a root privilege escalation). (CVE-2007-4573). Red Hat would like to thank Wojciech Purczynski for reporting this issue. Red Hat Enterprise Linux 4 users are advised to upgrade to these packages, which contain a backported patch to correct this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 67578 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/67578 title Oracle Linux 4 : kernel (ELSA-2007-0937) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2007-0936.NASL description Updated kernel packages that fix a security issue in the Red Hat Enterprise Linux 5 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. A flaw was found in the IA32 system call emulation provided on AMD64 and Intel 64 platforms. An improperly validated 64-bit value could be stored in the %RAX register, which could trigger an out-of-bounds system call table access. An untrusted local user could exploit this flaw to run code in the kernel (ie a root privilege escalation). (CVE-2007-4573). Red Hat would like to thank Wojciech Purczynski for reporting this issue. Red Hat Enterprise Linux 5 users are advised to upgrade to these packages, which contain a backported patch to correct this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 26205 published 2007-10-03 reporter This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/26205 title CentOS 5 : kernel (CESA-2007:0936) NASL family Fedora Local Security Checks NASL id FEDORA_2007-712.NASL description Update to official Linux 2.6.22.6 (previously 2.6.22.6-rc1): http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.22.6 Update to Linux 2.6.22.7: http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.22.7 - USB: three trivial fixes - futex: fix compat list traversal - Restore ofpath functionality (IDE_PROC_FS=y)(#289931) - add option to disable DMA on libata PATA devices (libata.pata_dma, see kernel-parameters.txt) - fix DMA on ATAPI devices with it821x - fix cable detection on pata_via - fix vmware last seen 2020-06-01 modified 2020-06-02 plugin id 26116 published 2007-09-25 reporter This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/26116 title Fedora Core 6 : kernel-2.6.22.7-57.fc6 (2007-712) NASL family SuSE Local Security Checks NASL id SUSE_KERNEL-4745.NASL description This kernel update fixes the following security problems : - The sysfs_readdir function in the Linux kernel 2.6 allows local users to cause a denial of service (kernel OOPS) by dereferencing a NULL pointer to an inode in a dentry. (CVE-2007-3104) - A 2 byte buffer underflow in the ieee80211 stack was fixed, which might be used by attackers in the local WLAN reach to crash the machine. (CVE-2007-4997) - The CIFS filesystem, when Unix extension support is enabled, did not honor the umask of a process, which allowed local users to gain privileges. (CVE-2007-3740) - It was possible for local user to become root by exploiting a bug in the IA32 system call emulation. This problem affects the x86_64 platform only, on all distributions. (CVE-2007-4573) This problem was fixed for regular kernels, but had not been fixed for the XEN kernels. This update fixes the problem also for the XEN kernels. - The (1) aac_cfg_open and (2) aac_compat_ioctl functions in the SCSI layer ioctl path in aacraid did not check permissions for ioctls, which might have allowed local users to cause a denial of service or gain privileges. (CVE-2007-4308) - The Linux kernel checked the wrong global variable for the CIFS sec mount option, which might allow remote attackers to spoof CIFS network traffic that the client configured for security signatures, as demonstrated by lack of signing despite sec=ntlmv2i in a SetupAndX request. (CVE-2007-3843) - Multiple buffer overflows in CIFS VFS in the Linux kernel allowed remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via long SMB responses that trigger the overflows in the SendReceive function. (CVE-2007-5904) This requires the attacker to mis-present / replace a CIFS server the client machine is connected to. - Buffer overflow in the isdn_net_setcfg function in isdn_net.c in the Linux kernel allowed local users to have an unknown impact via a crafted argument to the isdn_ioctl function. (CVE-2007-6063) and the following non security bugs : - patches.drivers/pci-delete-ACPI-hook-from-pci_set_power_stat e.patch: Delete ACPI hook from pci_set_power_state() [#162320] Still execute the code on Lenovo ThinkPads (or USB ports do not work anymore after suspend [#329232] - patches.drivers/alsa-post-sp1-hda-probe-blacklist: [ALSA] hda-intel - Add probe_mask blacklist [#172330] - patches.drivers/alsa-post-sp1-hda-robust-probe: [ALSA] hda-intel - Improve HD-audio codec probing robustness [#172330] - patches.arch/i386-hpet-lost-interrupts-fix.patch: Backport i386 hpet lost interrupts code [#257035] - patches.fixes/megaraid_mbox-dell-cerc-support: Dell CERC support for megaraid_mbox [#267134] - patches.fixes/nfsv4-MAXNAME-fix.diff: knfsd: query filesystem for NFSv4 getattr of FATTR4_MAXNAME [#271803] - patches.drivers/ide-amd74xx-add-ignore_enablebits-parameter: amd74xx: add ignore_enable_bits module parameter [#272786] - patches.fixes/legacy-pty-count-kernel-parm.patch: Add a kernel boot parameter to overwrite the legacy PTY count. The default value of 64 is insufficient occasionally [#277846] - patches.fixes/lockd-grant-shutdown: Stop GRANT callback from crashing if NFS server has been stopped. [#292478] - Kernel update to 2.6.16.54 [#298719] including (among others) : - lots of md fixes - fix of sparc bugs - fix of TCP handling of SACK in bidirectional flows - fix of MCA bus matching - fix of PPC issues : - Fix osize too small errors when decoding mppe. - Fix output buffer size in ppp_decompress_frame(). - patches.fixes/assign-task_struct.exit_code-before-taskstats_ exit.patch: Assign task_struct.exit_code before taskstats_exit() [#307504] - patches.fixes/bonding_no_addrconf_for_bond_slaves: bonding / ipv6: no addrconf for slaves separately from master. [#310254] - patches.fixes/bonding_support_carrier_state_for_master: bonding: support carrier state for master [#310254] - patches.fixes/fix-sys-devices-system-node-node0-meminfo-from -having-anonpages-wrapped.patch: fix /sys/devices/system/node/node0/meminfo from having anonpages wrapped [#310744] - patches.fixes/nfs-remove-bogus-cache-change-attribute-check. diff fix bogus cache change to make data available immediately, on direct write [#325877] - patches.fixes/tcp-send-ACKs-each-2nd-received-segment.patch: Send ACKs each 2nd received segment. This fixes a problem where the tcp cubic congestion algorithm was too slow in converging [#327848] - patches.drivers/libata-fix-spindown: libata: fix disk spindown on shutdown [#330722] - patches.fixes/scsi-reset-resid: busy status on tape write results in incorrect residual [#330926] - patches.fixes/condense-output-of-show_free_areas.patch: Condense output of show_free_areas() [#331251] - patches.arch/powernowk8_family_freq_from_fiddid.patch: To find the frequency given the fid and did is family dependent. [#332722] - patches.fixes/tcp-saner-thash_entries-default.patch: Limit the size of the TCP established hash to 512k entries by default [#333273] - patches.drivers/alsa-emu10k1-spdif-mem-fix: [ALSA] emu10k1 - Fix memory corruption [#333314] - patches.drivers/alsa-post-sp1-hda-stac-error-fix: [ALSA] Fix error probing with STAC codecs [#333320] - patches.fixes/qla2xxx-avoid-duplicate-pci_disable_device : Fixup patch to not refer to stale pointer [#333542] - large backport of dm-crypt fixes: [#333905] - patches.fixes/dm-disable_barriers.diff: dm: disable barriers. - patches.fixes/dm-crypt-restructure_for_workqueue_change.diff - patches.fixes/dm-crypt-restructure_write_processing.diff - patches.fixes/dm-crypt-move_io_to_workqueue.diff - patches.fixes/dm-crypt-use_private_biosets.diff - patches.fixes/dm-crypt-fix_call_to_clone_init.diff - patches.fixes/dm-crypt-fix_avoid_cloned_bio_ref_after_free.d iff - patches.fixes/dm-crypt-fix_remove_first_clone.diff - patches.fixes/dm-crypt-use_smaller_bvecs_in_clones.diff - patches.fixes/dm-crypt-fix_panic_on_large_request.diff - patches.fixes/initramfs-fix-cpio-hardlink-check.patch: initramfs: fix CPIO hardlink check [#334612] - patches.drivers/lpfc-8.1.10.12-update: driver update to fix severe issues in lpfc 8.1.10.9 driver [#334630] [#342044] - patches.fixes/nfs-direct-io-fix-1: NFS: Fix error handling in nfs_direct_write_result() [#336200] - patches.fixes/nfs-direct-io-fix-2: NFS: Fix a refcount leakage in O_DIRECT [#336200] - add patches.drivers/ibmvscsi-migration-login.patch prohibit IO during adapter login process [#337980] - patches.arch/acpi_thinkpad_brightness_fix.patch: Take care of latest Lenovo ThinkPad brightness control [#338274] [#343660] - patches.fixes/ramdisk-2.6.23-corruption_fix.diff: rd: fix data corruption on memory pressure [#338643] - patches.fixes/fc_transport-remove-targets-on-host-remove : memory use after free error in mptfc [#338730] - patches.fixes/ipmi-ipmi_msghandler.c-fix-a-memory-leak.patch : IPMI: ipmi_msghandler.c: fix a memory leak [#339413] - add patches.arch/ppc-pseries-rtas_ibm_suspend_me.patch fix multiple bugs in rtas_ibm_suspend_me code [#339927] - patches.fixes/nfsacl-retval.diff: knfsd: fix spurious EINVAL errors on first access of new filesystem [#340873] - patches.fixes/avm-fix-capilib-locking: [ISDN] Fix random hard freeze with AVM cards. [#341894] - patches.fixes/ipv6_rh_processing_fix: [IPV6]: Restore semantics of Routing Header processing [#343100] - The following set of XEN fixes has been applied: [#343612] - patches.xen/14280-net-fake-carrier-flag.patch: netfront: Better fix for netfront_tx_slot_available(). - patches.xen/14893-copy-more-skbs.patch: netback: Copy skbuffs that are presented to the start_xmit() function. - patches.xen/157-netfront-skb-deref.patch: net front: Avoid deref last seen 2020-06-01 modified 2020-06-02 plugin id 59125 published 2012-05-17 reporter This script is Copyright (C) 2012-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/59125 title SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 4745) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1378.NASL description Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2007-3731 Evan Teran discovered a potential local denial of service (oops) in the handling of PTRACE_SETREGS and PTRACE_SINGLESTEP requests. - CVE-2007-3739 Adam Litke reported a potential local denial of service (oops) on powerpc platforms resulting from unchecked VMA expansion into address space reserved for hugetlb pages. - CVE-2007-3740 Matt Keenan reported that CIFS filesystems with CAP_UNIX enabled were not honoring a process last seen 2020-06-01 modified 2020-06-02 plugin id 26208 published 2007-10-03 reporter This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/26208 title Debian DSA-1378-2 : linux-2.6 - several vulnerabilities NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1381.NASL description Several local vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2006-5755 The NT bit maybe leaked into the next task which can make it possible for local attackers to cause a Denial of Service (crash) on systems which run the amd64 flavour kernel. The stable distribution ( last seen 2020-06-01 modified 2020-06-02 plugin id 26211 published 2007-10-03 reporter This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/26211 title Debian DSA-1381-2 : linux-2.6 - several vulnerabilities NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2007-0938.NASL description Updated kernel packages that fix a security issue in the Red Hat Enterprise Linux 3 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. A flaw was found in ia32 emulation affecting users running 64-bit versions of Red Hat Enterprise Linux on x86_64 architectures. A local user could use this flaw to gain elevated privileges. (CVE-2007-4573). Red Hat would like to thank Wojciech Purczynski for reporting this issue. Red Hat Enterprise Linux 3 users are advised to upgrade to these packages, which contain a backported patch to correct this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 26906 published 2007-10-03 reporter This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/26906 title RHEL 3 : kernel (RHSA-2007:0938) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-518-1.NASL description Evan Teran discovered that the Linux kernel ptrace routines did not correctly handle certain requests robustly. Local attackers could exploit this to crash the system, causing a denial of service. (CVE-2007-3731) It was discovered that hugetlb kernels on PowerPC systems did not prevent the stack from colliding with reserved kernel memory. Local attackers could exploit this and crash the system, causing a denial of service. (CVE-2007-3739) It was discovered that certain CIFS filesystem actions did not honor the umask of a process. Local attackers could exploit this to gain additional privileges. (CVE-2007-3740) Wojciech Purczynski discovered that the Linux kernel ia32 syscall emulation in x86_64 kernels did not correctly clear the high bits of registers. Local attackers could exploit this to gain root privileges. (CVE-2007-4573). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 28123 published 2007-11-10 reporter Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/28123 title Ubuntu 6.06 LTS / 6.10 / 7.04 : linux-source-2.6.15, linux-source-2.6.17, linux-source-2.6.20 vulnerabilities (USN-518-1) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1504.NASL description Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2006-5823 LMH reported a potential local DoS which could be exploited by a malicious user with the privileges to mount and read a corrupted cramfs filesystem. - CVE-2006-6054 LMH reported a potential local DoS which could be exploited by a malicious user with the privileges to mount and read a corrupted ext2 filesystem. - CVE-2006-6058 LMH reported an issue in the minix filesystem that allows local users with mount privileges to create a DoS (printk flood) by mounting a specially crafted corrupt filesystem. - CVE-2006-7203 OpenVZ Linux kernel team reported an issue in the smbfs filesystem which can be exploited by local users to cause a DoS (oops) during mount. - CVE-2007-1353 Ilja van Sprundel discovered that kernel memory could be leaked via the Bluetooth setsockopt call due to an uninitialized stack buffer. This could be used by local attackers to read the contents of sensitive kernel memory. - CVE-2007-2172 Thomas Graf reported a typo in the DECnet protocol handler that could be used by a local attacker to overrun an array via crafted packets, potentially resulting in a Denial of Service (system crash). A similar issue exists in the IPV4 protocol handler and will be fixed in a subsequent update. - CVE-2007-2525 Florian Zumbiehl discovered a memory leak in the PPPOE subsystem caused by releasing a socket before PPPIOCGCHAN is called upon it. This could be used by a local user to DoS a system by consuming all available memory. - CVE-2007-3105 The PaX Team discovered a potential buffer overflow in the random number generator which may permit local users to cause a denial of service or gain additional privileges. This issue is not believed to effect default Debian installations where only root has sufficient privileges to exploit it. - CVE-2007-3739 Adam Litke reported a potential local denial of service (oops) on powerpc platforms resulting from unchecked VMA expansion into address space reserved for hugetlb pages. - CVE-2007-3740 Steve French reported that CIFS filesystems with CAP_UNIX enabled were not honoring a process last seen 2020-06-01 modified 2020-06-02 plugin id 31148 published 2008-02-25 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/31148 title Debian DSA-1504-1 : kernel-source-2.6.8 - several vulnerabilities NASL family SuSE Local Security Checks NASL id SUSE_KERNEL-4752.NASL description This kernel update fixes the following security problems : ++ CVE-2007-3104: The sysfs_readdir function in the Linux kernel 2.6 allows local users to cause a denial of service (kernel OOPS) by dereferencing a NULL pointer to an inode in a dentry. ++ CVE-2007-4997: A 2 byte buffer underflow in the ieee80211 stack was fixed, which might be used by attackers in the local WLAN reach to crash the machine. ++ CVE-2007-3740: The CIFS filesystem, when Unix extension support is enabled, did not honor the umask of a process, which allowed local users to gain privileges. ++ CVE-2007-4573: It was possible for local user to become root by exploiting a bug in the IA32 system call emulation. This problem affects the x86_64 platform only, on all distributions. This problem was fixed for regular kernels, but had not been fixed for the XEN kernels. This update fixes the problem also for the XEN kernels. ++ CVE-2007-4308: The (1) aac_cfg_open and (2) aac_compat_ioctl functions in the SCSI layer ioctl path in aacraid did not check permissions for ioctls, which might have allowed local users to cause a denial of service or gain privileges. ++ CVE-2007-3843: The Linux kernel checked the wrong global variable for the CIFS sec mount option, which might allow remote attackers to spoof CIFS network traffic that the client configured for security signatures, as demonstrated by lack of signing despite sec=ntlmv2i in a SetupAndX request. ++ CVE-2007-5904: Multiple buffer overflows in CIFS VFS in the Linux kernel allowed remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via long SMB responses that trigger the overflows in the SendReceive function. This requires the attacker to mis-present / replace a CIFS server the client machine is connected to. ++ CVE-2007-6063: Buffer overflow in the isdn_net_setcfg function in isdn_net.c in the Linux kernel allowed local users to have an unknown impact via a crafted argument to the isdn_ioctl function. Furthermore, this kernel catches up to the SLE 10 state of the kernel, with numerous additional fixes. last seen 2020-06-01 modified 2020-06-02 plugin id 29880 published 2008-01-08 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/29880 title openSUSE 10 Security Update : kernel (kernel-4752) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2007-0938.NASL description From Red Hat Security Advisory 2007:0938 : Updated kernel packages that fix a security issue in the Red Hat Enterprise Linux 3 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. A flaw was found in ia32 emulation affecting users running 64-bit versions of Red Hat Enterprise Linux on x86_64 architectures. A local user could use this flaw to gain elevated privileges. (CVE-2007-4573). Red Hat would like to thank Wojciech Purczynski for reporting this issue. Red Hat Enterprise Linux 3 users are advised to upgrade to these packages, which contain a backported patch to correct this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 67579 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/67579 title Oracle Linux 3 : kernel (ELSA-2007-0938) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2007-0938.NASL description Updated kernel packages that fix a security issue in the Red Hat Enterprise Linux 3 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. A flaw was found in ia32 emulation affecting users running 64-bit versions of Red Hat Enterprise Linux on x86_64 architectures. A local user could use this flaw to gain elevated privileges. (CVE-2007-4573). Red Hat would like to thank Wojciech Purczynski for reporting this issue. Red Hat Enterprise Linux 3 users are advised to upgrade to these packages, which contain a backported patch to correct this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 26207 published 2007-10-03 reporter This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/26207 title CentOS 3 : kernel (CESA-2007:0938) NASL family SuSE Local Security Checks NASL id SUSE_KERNEL-4741.NASL description This kernel update fixes the following security problems : - The sysfs_readdir function in the Linux kernel 2.6 allows local users to cause a denial of service (kernel OOPS) by dereferencing a NULL pointer to an inode in a dentry. (CVE-2007-3104) - A 2 byte buffer underflow in the ieee80211 stack was fixed, which might be used by attackers in the local WLAN reach to crash the machine. (CVE-2007-4997) - The CIFS filesystem, when Unix extension support is enabled, did not honor the umask of a process, which allowed local users to gain privileges. (CVE-2007-3740) - It was possible for local user to become root by exploiting a bug in the IA32 system call emulation. This problem affects the x86_64 platform only, on all distributions. (CVE-2007-4573) This problem was fixed for regular kernels, but had not been fixed for the XEN kernels. This update fixes the problem also for the XEN kernels. - The (1) aac_cfg_open and (2) aac_compat_ioctl functions in the SCSI layer ioctl path in aacraid did not check permissions for ioctls, which might have allowed local users to cause a denial of service or gain privileges. (CVE-2007-4308) - The Linux kernel checked the wrong global variable for the CIFS sec mount option, which might allow remote attackers to spoof CIFS network traffic that the client configured for security signatures, as demonstrated by lack of signing despite sec=ntlmv2i in a SetupAndX request. (CVE-2007-3843) - Multiple buffer overflows in CIFS VFS in the Linux kernel allowed remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via long SMB responses that trigger the overflows in the SendReceive function. (CVE-2007-5904) This requires the attacker to mis-present / replace a CIFS server the client machine is connected to. - Buffer overflow in the isdn_net_setcfg function in isdn_net.c in the Linux kernel allowed local users to have an unknown impact via a crafted argument to the isdn_ioctl function. (CVE-2007-6063) and the following non security bugs : - patches.drivers/pci-delete-ACPI-hook-from-pci_set_power_stat e.patch: Delete ACPI hook from pci_set_power_state() [#162320] Still execute the code on Lenovo ThinkPads (or USB ports do not work anymore after suspend [#329232] - patches.drivers/alsa-post-sp1-hda-probe-blacklist: [ALSA] hda-intel - Add probe_mask blacklist [#172330] - patches.drivers/alsa-post-sp1-hda-robust-probe: [ALSA] hda-intel - Improve HD-audio codec probing robustness [#172330] - patches.arch/i386-hpet-lost-interrupts-fix.patch: Backport i386 hpet lost interrupts code [#257035] - patches.fixes/megaraid_mbox-dell-cerc-support: Dell CERC support for megaraid_mbox [#267134] - patches.fixes/nfsv4-MAXNAME-fix.diff: knfsd: query filesystem for NFSv4 getattr of FATTR4_MAXNAME [#271803] - patches.drivers/ide-amd74xx-add-ignore_enablebits-parameter: amd74xx: add ignore_enable_bits module parameter [#272786] - patches.fixes/legacy-pty-count-kernel-parm.patch: Add a kernel boot parameter to overwrite the legacy PTY count. The default value of 64 is insufficient occasionally [#277846] - patches.fixes/lockd-grant-shutdown: Stop GRANT callback from crashing if NFS server has been stopped. [#292478] - Kernel update to 2.6.16.54 [#298719] including (among others) : - lots of md fixes - fix of sparc bugs - fix of TCP handling of SACK in bidirectional flows - fix of MCA bus matching - fix of PPC issues : - Fix osize too small errors when decoding mppe. - Fix output buffer size in ppp_decompress_frame(). - patches.fixes/assign-task_struct.exit_code-before-taskstats_ exit.patch: Assign task_struct.exit_code before taskstats_exit() [#307504] - patches.fixes/bonding_no_addrconf_for_bond_slaves: bonding / ipv6: no addrconf for slaves separately from master. [#310254] - patches.fixes/bonding_support_carrier_state_for_master: bonding: support carrier state for master [#310254] - patches.fixes/fix-sys-devices-system-node-node0-meminfo-from -having-anonpages-wrapped.patch: fix /sys/devices/system/node/node0/meminfo from having anonpages wrapped [#310744] - patches.fixes/nfs-remove-bogus-cache-change-attribute-check. diff fix bogus cache change to make data available immediately, on direct write [#325877] - patches.fixes/tcp-send-ACKs-each-2nd-received-segment.patch: Send ACKs each 2nd received segment. This fixes a problem where the tcp cubic congestion algorithm was too slow in converging [#327848] - patches.drivers/libata-fix-spindown: libata: fix disk spindown on shutdown [#330722] - patches.fixes/scsi-reset-resid: busy status on tape write results in incorrect residual [#330926] - patches.fixes/condense-output-of-show_free_areas.patch: Condense output of show_free_areas() [#331251] - patches.arch/powernowk8_family_freq_from_fiddid.patch: To find the frequency given the fid and did is family dependent. [#332722] - patches.fixes/tcp-saner-thash_entries-default.patch: Limit the size of the TCP established hash to 512k entries by default [#333273] - patches.drivers/alsa-emu10k1-spdif-mem-fix: [ALSA] emu10k1 - Fix memory corruption [#333314] - patches.drivers/alsa-post-sp1-hda-stac-error-fix: [ALSA] Fix error probing with STAC codecs [#333320] - patches.fixes/qla2xxx-avoid-duplicate-pci_disable_device : Fixup patch to not refer to stale pointer [#333542] - large backport of dm-crypt fixes: [#333905] - patches.fixes/dm-disable_barriers.diff: dm: disable barriers. - patches.fixes/dm-crypt-restructure_for_workqueue_change.diff - patches.fixes/dm-crypt-restructure_write_processing.diff - patches.fixes/dm-crypt-move_io_to_workqueue.diff - patches.fixes/dm-crypt-use_private_biosets.diff - patches.fixes/dm-crypt-fix_call_to_clone_init.diff - patches.fixes/dm-crypt-fix_avoid_cloned_bio_ref_after_free.d iff - patches.fixes/dm-crypt-fix_remove_first_clone.diff - patches.fixes/dm-crypt-use_smaller_bvecs_in_clones.diff - patches.fixes/dm-crypt-fix_panic_on_large_request.diff - patches.fixes/initramfs-fix-cpio-hardlink-check.patch: initramfs: fix CPIO hardlink check [#334612] - patches.drivers/lpfc-8.1.10.12-update: driver update to fix severe issues in lpfc 8.1.10.9 driver [#334630] [#342044] - patches.fixes/nfs-direct-io-fix-1: NFS: Fix error handling in nfs_direct_write_result() [#336200] - patches.fixes/nfs-direct-io-fix-2: NFS: Fix a refcount leakage in O_DIRECT [#336200] - add patches.drivers/ibmvscsi-migration-login.patch prohibit IO during adapter login process [#337980] - patches.arch/acpi_thinkpad_brightness_fix.patch: Take care of latest Lenovo ThinkPad brightness control [#338274] [#343660] - patches.fixes/ramdisk-2.6.23-corruption_fix.diff: rd: fix data corruption on memory pressure [#338643] - patches.fixes/fc_transport-remove-targets-on-host-remove : memory use after free error in mptfc [#338730] - patches.fixes/ipmi-ipmi_msghandler.c-fix-a-memory-leak.patch : IPMI: ipmi_msghandler.c: fix a memory leak [#339413] - add patches.arch/ppc-pseries-rtas_ibm_suspend_me.patch fix multiple bugs in rtas_ibm_suspend_me code [#339927] - patches.fixes/nfsacl-retval.diff: knfsd: fix spurious EINVAL errors on first access of new filesystem [#340873] - patches.fixes/avm-fix-capilib-locking: [ISDN] Fix random hard freeze with AVM cards. [#341894] - patches.fixes/ipv6_rh_processing_fix: [IPV6]: Restore semantics of Routing Header processing [#343100] - The following set of XEN fixes has been applied: [#343612] - patches.xen/14280-net-fake-carrier-flag.patch: netfront: Better fix for netfront_tx_slot_available(). - patches.xen/14893-copy-more-skbs.patch: netback: Copy skbuffs that are presented to the start_xmit() function. - patches.xen/157-netfront-skb-deref.patch: net front: Avoid deref last seen 2020-06-01 modified 2020-06-02 plugin id 29489 published 2007-12-13 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/29489 title SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 4741) NASL family SuSE Local Security Checks NASL id SUSE_KERNEL-4473.NASL description This kernel update fixes the following security problems : - CVE-2007-4573: It was possible for local user to become root by exploiting a bug in the IA32 system call emulation. This affects x86_64 platforms with kernel 2.4.x and 2.6.x before 2.6.22.7 only. - CVE-2007-4571: An information disclosure vulnerability in the ALSA driver can be exploited by local users to read sensitive data from the kernel memory. Furthermore, this kernel catches up to the SLE 10 state of the kernel, with numerous additional fixes. last seen 2020-06-01 modified 2020-06-02 plugin id 27297 published 2007-10-17 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/27297 title openSUSE 10 Security Update : kernel (kernel-4473) NASL family Scientific Linux Local Security Checks NASL id SL_20070927_KERNEL_ON_SL5_X.NASL description A flaw was found in the IA32 system call emulation provided on AMD64 and Intel 64 platforms. An improperly validated 64-bit value could be stored in the %RAX register, which could trigger an out-of-bounds system call table access. An untrusted local user could exploit this flaw to run code in the kernel (ie a root privilege escalation). (CVE-2007-4573). Please Note: Kernel last seen 2020-06-01 modified 2020-06-02 plugin id 60258 published 2012-08-01 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/60258 title Scientific Linux Security Update : kernel on SL5.x, SL4.x, SL3.x i386/x86_64 NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2007-195.NASL description Some vulnerabilities were discovered and corrected in the Linux 2.6 kernel : A stack-based buffer overflow in the random number generator could allow local root users to cause a denial of service or gain privileges by setting the default wakeup threshold to a value greater than the output pool size (CVE-2007-3105). The lcd_write function did not limit the amount of memory used by a caller, which allows local users to cause a denial of service (memory consumption) (CVE-2007-3513). The decode_choice function allowed remote attackers to cause a denial of service (crash) via an encoded out-of-range index value for a choice field which triggered a NULL pointer dereference (CVE-2007-3642). The Linux kernel allowed local users to send arbitrary signals to a child process that is running at higher privileges by causing a setuid-root parent process to die which delivered an attacker-controlled parent process death signal (PR_SET_PDEATHSIG) (CVE-2007-3848). The aac_cfg_openm and aac_compat_ioctl functions in the SCSI layer ioctl patch in aacraid did not check permissions for ioctls, which might allow local users to cause a denial of service or gain privileges (CVE-2007-4308). The IA32 system call emulation functionality, when running on the x86_64 architecture, did not zero extend the eax register after the 32bit entry path to ptrace is used, which could allow local users to gain privileges by triggering an out-of-bounds access to the system call table using the %RAX register (CVE-2007-4573). In addition to these security fixes, other fixes have been included such as : - More NVidia PCI ids wre added - The 3w-9xxx module was updated to version 2.26.02.010 - Fixed the map entry for ICH8 - Added the TG3 5786 PCI id - Reduced the log verbosity of cx88-mpeg To update your kernel, please follow the directions located at : http://www.mandriva.com/en/security/kernelupdate last seen 2020-06-01 modified 2020-06-02 plugin id 27561 published 2007-10-25 reporter This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/27561 title Mandrake Linux Security Advisory : kernel (MDKSA-2007:195) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2007-0936.NASL description Updated kernel packages that fix a security issue in the Red Hat Enterprise Linux 5 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. A flaw was found in the IA32 system call emulation provided on AMD64 and Intel 64 platforms. An improperly validated 64-bit value could be stored in the %RAX register, which could trigger an out-of-bounds system call table access. An untrusted local user could exploit this flaw to run code in the kernel (ie a root privilege escalation). (CVE-2007-4573). Red Hat would like to thank Wojciech Purczynski for reporting this issue. Red Hat Enterprise Linux 5 users are advised to upgrade to these packages, which contain a backported patch to correct this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 26904 published 2007-10-03 reporter This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/26904 title RHEL 5 : kernel (RHSA-2007:0936) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2008-105.NASL description The CIFS filesystem in the Linux kernel before 2.6.22, when Unix extension support is enabled, does not honor the umask of a process, which allows local users to gain privileges. (CVE-2007-3740) The drm/i915 component in the Linux kernel before 2.6.22.2, when used with i965G and later chipsets, allows local users with access to an X11 session and Direct Rendering Manager (DRM) to write to arbitrary memory locations and gain privileges via a crafted batchbuffer. (CVE-2007-3851) The (1) hugetlb_vmtruncate_list and (2) hugetlb_vmtruncate functions in fs/hugetlbfs/inode.c in the Linux kernel before 2.6.19-rc4 perform certain prio_tree calculations using HPAGE_SIZE instead of PAGE_SIZE units, which allows local users to cause a denial of service (panic) via unspecified vectors. (CVE-2007-4133) The IA32 system call emulation functionality in Linux kernel 2.4.x and 2.6.x before 2.6.22.7, when running on the x86_64 architecture, does not zero extend the eax register after the 32bit entry path to ptrace is used, which might allow local users to gain privileges by triggering an out-of-bounds access to the system call table using the %RAX register. This vulnerability is now being fixed in the Xen kernel too. (CVE-2007-4573) Integer underflow in the ieee80211_rx function in net/ieee80211/ieee80211_rx.c in the Linux kernel 2.6.x before 2.6.23 allows remote attackers to cause a denial of service (crash) via a crafted SKB length value in a runt IEEE 802.11 frame when the IEEE80211_STYPE_QOS_DATA flag is set, aka an off-by-two error. (CVE-2007-4997) The disconnect method in the Philips USB Webcam (pwc) driver in Linux kernel 2.6.x before 2.6.22.6 relies on user space to close the device, which allows user-assisted local attackers to cause a denial of service (USB subsystem hang and CPU consumption in khubd) by not closing the device after the disconnect is invoked. NOTE: this rarely crosses privilege boundaries, unless the attacker can convince the victim to unplug the affected device. (CVE-2007-5093) A race condition in the directory notification subsystem (dnotify) in Linux kernel 2.6.x before 2.6.24.6, and 2.6.25 before 2.6.25.1, allows local users to cause a denial of service (OOPS) and possibly gain privileges via unspecified vectors. (CVE-2008-1375) The Linux kernel before 2.6.25.2 does not apply a certain protection mechanism for fcntl functionality, which allows local users to (1) execute code in parallel or (2) exploit a race condition to obtain re-ordered access to the descriptor table. (CVE-2008-1669) To update your kernel, please follow the directions located at : http://www.mandriva.com/en/security/kernelupdate last seen 2020-06-01 modified 2020-06-02 plugin id 37772 published 2009-04-23 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/37772 title Mandriva Linux Security Advisory : kernel (MDVSA-2008:105)
Oval
| accepted | 2013-04-29T04:21:43.668-04:00 | ||||||||||||||||||||||||||||||||
| class | vulnerability | ||||||||||||||||||||||||||||||||
| contributors |
| ||||||||||||||||||||||||||||||||
| definition_extensions |
| ||||||||||||||||||||||||||||||||
| description | The IA32 system call emulation functionality in Linux kernel 2.4.x and 2.6.x before 2.6.22.7, when running on the x86_64 architecture, does not zero extend the eax register after the 32bit entry path to ptrace is used, which might allow local users to gain privileges by triggering an out-of-bounds access to the system call table using the %RAX register. | ||||||||||||||||||||||||||||||||
| family | unix | ||||||||||||||||||||||||||||||||
| id | oval:org.mitre.oval:def:9735 | ||||||||||||||||||||||||||||||||
| status | accepted | ||||||||||||||||||||||||||||||||
| submitted | 2010-07-09T03:56:16-04:00 | ||||||||||||||||||||||||||||||||
| title | The IA32 system call emulation functionality in Linux kernel 2.4.x and 2.6.x before 2.6.22.7, when running on the x86_64 architecture, does not zero extend the eax register after the 32bit entry path to ptrace is used, which might allow local users to gain privileges by triggering an out-of-bounds access to the system call table using the %RAX register. | ||||||||||||||||||||||||||||||||
| version | 27 |
Redhat
| advisories |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| rpms |
|
Statements
| contributor | Mark J Cox |
| lastmodified | 2007-09-27 |
| organization | Red Hat |
| statement | This issue affected users who were running 64-bit versions of Red Hat Enterprise Linux 3, 4, or 5 on x86_64 architecture. It did not affect users of Red Hat Enterprise Linux 2.1. Updates are available for Red Hat Enterprise Linux 3, 4, and 5 to correct this issue. New kernel packages along with our advisory are available at the URL below as well as via the Red Hat Network. http://rhn.redhat.com/errata/CVE-2007-4573.html |
References
- http://fedoranews.org/updates/FEDORA-2007-229.shtml
- http://fedoranews.org/updates/FEDORA-2007-229.shtml
- http://kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.35.3
- http://kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.35.3
- http://lists.opensuse.org/opensuse-security-announce/2007-12/msg00001.html
- http://lists.opensuse.org/opensuse-security-announce/2007-12/msg00001.html
- http://lkml.org/lkml/2007/9/21/512
- http://lkml.org/lkml/2007/9/21/512
- http://lkml.org/lkml/2007/9/21/513
- http://lkml.org/lkml/2007/9/21/513
- http://marc.info/?l=full-disclosure&m=119062587407908&w=2
- http://marc.info/?l=full-disclosure&m=119062587407908&w=2
- http://secunia.com/advisories/26917
- http://secunia.com/advisories/26917
- http://secunia.com/advisories/26919
- http://secunia.com/advisories/26919
- http://secunia.com/advisories/26934
- http://secunia.com/advisories/26934
- http://secunia.com/advisories/26953
- http://secunia.com/advisories/26953
- http://secunia.com/advisories/26955
- http://secunia.com/advisories/26955
- http://secunia.com/advisories/26978
- http://secunia.com/advisories/26978
- http://secunia.com/advisories/26994
- http://secunia.com/advisories/26994
- http://secunia.com/advisories/26995
- http://secunia.com/advisories/26995
- http://secunia.com/advisories/27212
- http://secunia.com/advisories/27212
- http://secunia.com/advisories/27227
- http://secunia.com/advisories/27227
- http://secunia.com/advisories/27912
- http://secunia.com/advisories/27912
- http://secunia.com/advisories/29058
- http://secunia.com/advisories/29058
- http://securitytracker.com/id?1018748
- http://securitytracker.com/id?1018748
- http://www.debian.org/security/2007/dsa-1378
- http://www.debian.org/security/2007/dsa-1378
- http://www.debian.org/security/2007/dsa-1381
- http://www.debian.org/security/2007/dsa-1381
- http://www.debian.org/security/2008/dsa-1504
- http://www.debian.org/security/2008/dsa-1504
- http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.22.7
- http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.22.7
- http://www.mandriva.com/security/advisories?name=MDKSA-2007:195
- http://www.mandriva.com/security/advisories?name=MDKSA-2007:195
- http://www.mandriva.com/security/advisories?name=MDKSA-2007:196
- http://www.mandriva.com/security/advisories?name=MDKSA-2007:196
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:008
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:008
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:105
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:105
- http://www.novell.com/linux/security/advisories/2007_53_kernel.html
- http://www.novell.com/linux/security/advisories/2007_53_kernel.html
- http://www.redhat.com/support/errata/RHSA-2007-0936.html
- http://www.redhat.com/support/errata/RHSA-2007-0936.html
- http://www.redhat.com/support/errata/RHSA-2007-0937.html
- http://www.redhat.com/support/errata/RHSA-2007-0937.html
- http://www.redhat.com/support/errata/RHSA-2007-0938.html
- http://www.redhat.com/support/errata/RHSA-2007-0938.html
- http://www.securityfocus.com/archive/1/480451/100/0/threaded
- http://www.securityfocus.com/archive/1/480451/100/0/threaded
- http://www.securityfocus.com/archive/1/480705/100/0/threaded
- http://www.securityfocus.com/archive/1/480705/100/0/threaded
- http://www.securityfocus.com/bid/25774
- http://www.securityfocus.com/bid/25774
- http://www.ubuntu.com/usn/usn-518-1
- http://www.ubuntu.com/usn/usn-518-1
- http://www.vupen.com/english/advisories/2007/3246
- http://www.vupen.com/english/advisories/2007/3246
- https://issues.rpath.com/browse/RPL-1754
- https://issues.rpath.com/browse/RPL-1754
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9735
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9735
- https://www.redhat.com/archives/fedora-package-announce/2007-September/msg00355.html
- https://www.redhat.com/archives/fedora-package-announce/2007-September/msg00355.html