Bug 433938 (CVE-2008-0598)
Field | Value
---|---
Summary | CVE-2008-0598 kernel: linux x86_64 ia32 emulation leaks uninitialized data
Product | [Other] Security Response
Component | vulnerability
Reporter | Jan Lieskovsky <jlieskov>
Assignee | Red Hat Product Security <security-response-team>
Status | CLOSED ERRATA
Severity | high
Priority | high
Version | unspecified
Keywords | Security
Hardware | All
OS | Linux
Doc Type | Bug Fix
Last Closed | 2010-12-23 16:30:39 UTC
CC | anton, davids, dhoward, dwu, kreilly, lgoncalv, lwang, meissner, mjenner, qcai, rwheeler, security-response-team, vgoyal, williams, zkabelac
Bug Depends On | 433941, 433942, 433943, 433944, 433945, 453136, 459505

Description
Jan Lieskovsky
2008-02-22 09:28:32 UTC
removing embargo.

* Tavis Ormandy discovered a deficiency in the Linux kernel 32-bit and 64-bit emulation. This could allow a local unprivileged user to prepare and run a specially crafted binary, which would use this deficiency to leak uninitialized and potentially sensitive data. (CVE-2008-0598, Important)

Created attachment 311794
Patch as used in Red Hat Enterprise Linux 5 kernel-2.6.18-92.1.6.el5
First included in: https://rhn.redhat.com/errata/RHSA-2008-0519.html

Created attachment 311795
Patch as used in Red Hat Enterprise Linux 4 kernel-2.6.9-67.0.20.EL
First included in: https://rhn.redhat.com/errata/RHSA-2008-0508.html

(In reply to comment #21)
> Created an attachment (id=311795)
> Patch as used in Red Hat Enterprise Linux 4 kernel-2.6.9-67.0.20.EL

This refers to linux-2.6.9-x86_64-copy_user-zero-tail.patch.

the 2.6.9 patch is probably wrong.

Created attachment 316196
xx.c
gcc -o xx xx.c
./xx
extracted from LTP read02 testcase.
on bad kernel it will result in:
unexpected success with bad address, ret 0x79680000
on a good kernel it will result in:
read: Bad address
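
The pass/fail condition described in the comment above (a read() into a bad address must fail with "Bad address", i.e. EFAULT), as an added example that is not the xx.c attachment or LTP code. The pipe data source, the `probe_read` helper and the chosen test addresses are assumptions.

```c
/* Added example (not the xx.c attachment): read() into a bad buffer must fail
 * with EFAULT. The pipe data source and the test addresses are assumptions. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

enum verdict { FAULTED, SUCCEEDED, OTHER_ERROR };

/* Fill a pipe with constructed data, read n bytes of it into dst, classify. */
enum verdict probe_read(void *dst, size_t n, long *ret_out)
{
    char payload[64];
    int fds[2], saved;
    ssize_t ret;
    if (n > sizeof(payload) || pipe(fds) != 0)
        return OTHER_ERROR;
    memset(payload, 'A', sizeof(payload));
    if (write(fds[1], payload, sizeof(payload)) != (ssize_t)sizeof(payload)) {
        close(fds[0]); close(fds[1]);
        return OTHER_ERROR;
    }
    errno = 0;
    ret = read(fds[0], dst, n);
    saved = errno;                 /* capture before close() can change it */
    close(fds[0]);
    close(fds[1]);
    *ret_out = (long)ret;
    if (ret >= 0)
        return SUCCEEDED;          /* for a bad dst: the "unexpected success" case */
    return saved == EFAULT ? FAULTED : OTHER_ERROR;
}

int main(void)
{
    char good[16];
    void *targets[] = { (void *)(uintptr_t)-1, NULL, good };
    const char *names[] = { "wild pointer", "NULL", "valid buffer (control)" };
    const char *text[] = { "EFAULT", "success", "other error" };
    int failures = 0;
    for (int i = 0; i < 3; i++) {
        long ret = 0;
        enum verdict v = probe_read(targets[i], sizeof(good), &ret);
        printf("%-24s -> %s, ret %#lx\n", names[i], text[v], (unsigned long)ret);
        failures += (i < 2) ? (v != FAULTED) : (v != SUCCEEDED);
    }
    return failures ? 1 : 0;       /* non-zero exit: a bad address was accepted */
}
```

The control case with a valid buffer confirms the probe itself works, so a non-zero exit points at the bad-address handling rather than at the pipe setup.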
(In reply to comment #38)
> Created an attachment (id=316196)
> xx.c
>
> gcc -o xx xx.c
> ./xx
>
>
> extracted from LTP read02 testcase.
>
> on bad kernel it will result in:
> unexpected success with bad address, ret 0x79680000
>
> on a good kernel it will result in:
> read: Bad address

Thanks Marcus. This is addressed in bug #453053.

This was addressed via:

Red Hat Enterprise Linux version 4 (RHSA-2008:0508)
Red Hat Enterprise Linux version 5 (RHSA-2008:0519)
Red Hat Enterprise Linux version 3 (RHSA-2008:0973)
MRG Realtime for RHEL 5 Server (RHSA-2009:0009)