Bug 157459 - Multiple Kernel vulnerabilities
Summary: Multiple Kernel vulnerabilities
Status: CLOSED ERRATA
Product: Fedora Legacy
Classification: Retired
Component: kernel
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Fedora Legacy Bugs
Whiteboard: rh73, rh9, 1, 2, 3
Duplicates: 168803

Reported: 2005-05-11 19:07 UTC by Pavel Kankovsky
Modified: 2007-04-18 17:25 UTC
Doc Type: Bug Fix
Last Closed: 2006-03-17 00:49:02 UTC

Attachments
The patch for CAN-2005-1263 (1.69 KB, patch) - 2005-05-11 22:08 UTC, Pavel Kankovsky
Patch based on RHEL changes (1.07 KB, patch) - 2005-06-11 16:23 UTC, Jonathan Peatfield
Kernel issues (10.36 KB, application/vnd.oasis.opendocument.spreadsheet) - 2006-01-28 01:30 UTC, Marc Deslauriers
Same spreadsheet in OO.o 1.x format (10.12 KB, application/vnd.sun.xml.calc) - 2006-02-01 22:30 UTC, Marc Deslauriers
Updated kernel bug spreadsheet (10.75 KB, application/vnd.sun.xml.calc) - 2006-02-08 04:19 UTC, Marc Deslauriers

Description Pavel Kankovsky 2005-05-11 19:07:15 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Mozilla rulez!)

Description of problem:
Paul Starzetz of iSEC has found yet another bug in binfmt_elf.c. It can be abused to crash the kernel, perhaps even to break into the kernel land. See the advisory for details.

Version-Release number of selected component (if applicable):


How reproducible:
Didn't try

Steps to Reproduce:


Additional info:

I've got a quick and dirty patch. I'll submit it ASAP.

Comment 1 Pavel Kankovsky 2005-05-11 19:21:54 UTC
Grr... Bugzilla assigned the bug to kernel-maint rather than to bugs.

Comment 2 Pavel Kankovsky 2005-05-11 22:08:15 UTC
Created attachment 114264
The patch for CAN-2005-1263

This patch can be applied to FL kernel 2.4.20-43:

402e548b02382c015d6f5e5704370a1ba546598b 
linux-2.4.20-CAN-2005-1263-elfcoredump.patch

When you run iSEC PoC code on it, it dies with SIGSEGV and dumps core
without any adverse effects to the system.

The patch is probably more intrusive than necessary because it makes three
changes addressing the following three problems:

- potential invariant violation in create_elf_tables()
- missing check of create_elf_tables()'s return value in load_elf_binary()
- signedness problem in elf_core_dump()

A closer look at the code reveals that the second change is almost pointless
because a process with bprm->p == NULL is doomed to die anyway.

The first change might be redundant but I'd keep it because there might
be other pieces of code out there (/proc?) that would break when
arg_start > arg_end or env_start > env_end.


Comment 3 Matthew Miller 2005-05-13 17:25:29 UTC
See bug #157454 for the FC3 kernel and their update.

Comment 4 Jonathan Peatfield 2005-06-06 16:59:39 UTC
The patch in RHEL (2.4.21-32.0.1.EL) seems to close the hole in a different way
(as far as I can tell).  In their patch (part of the much larger
linux-2.4.21-binfmt-elf.patch), it seems that they:

Initialise current->mm->arg_end, current->mm->env_start, current->mm->env_end to
0 (in both binfmt_aout.c and binfmt_elf.c), and put a test for
current->mm->arg_end being non-null before copying data from user-space in
binfmt_elf.c after the memset(&psinfo, 0, sizeof(psinfo)); at about line 1076.

This is based on diffing the source/patch changes between 2.4.21-32.EL and
2.4.21-32.0.1.EL so may not include any changes they already made before that.

I'm happy to construct/test a patch based on the RHEL change if anyone is
interested.

Comment 5 Matthew Miller 2005-06-10 13:12:55 UTC
yes, am interested.

Comment 6 Jonathan Peatfield 2005-06-11 16:23:58 UTC
Created attachment 115324
Patch based on RHEL changes

Well, here is the patch I constructed; it seems a bit small to be a full fix for
the issue, or maybe RHEL's patches already included a partial fix for this in
2.4.21-32.

Taking the -43 FL specfile, I just add:

# CAN-2005-1263 fix as done in RHEL 2.4.21-32.0.1.EL
Patch11036: CAN-2005-1263.exec.patch

This patch applies cleanly for me (on RH8 at least), though I've not yet
finished a build with this patch, let alone checked if it fixes the issue.

Comment 7 Jonathan Peatfield 2005-06-11 16:26:47 UTC
Doh, clearly one also needs to add:

# CAN-2005-1263 patch
%patch11036 -p1

later in the specfile.  Not awake today...


Comment 8 Matthew Miller 2005-06-26 18:45:28 UTC
What's the state on this one?

Comment 9 Pavel Kankovsky 2005-07-04 23:26:19 UTC
Back to the trees! The bug (or most of it) has already been fixed in 2.4.20-43
by the following snippet of linux-RHEL-missing-fixes.patch:

--- linux-2.4.20/fs/binfmt_elf.c.stg0   Wed Aug  4 14:56:13 2004
+++ linux-2.4.20/fs/binfmt_elf.c        Wed Aug  4 15:06:43 2004
@@ -1048,7 +1048,7 @@
                int i, len;
 
                len = current->mm->arg_end - current->mm->arg_start;
-               if (len >= ELF_PRARGSZ)
+               if (len < 0 /* overflow */ || len >= ELF_PRARGSZ)
                        len = ELF_PRARGSZ-1;
                copy_from_user(&psinfo.pr_psargs,
                              (const char *)current->mm->arg_start, len);
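Review bot: the added `len < 0` test in this hunk only catches an inverted range because the unsigned difference `current->mm->arg_end - current->mm->arg_start` is truncated into the `int len` declared two lines above (assuming the mm fields are unsigned long, as in mm_struct); a difference of 2^32 or more on a 64-bit build truncates to a small positive value and passes, so comparing the fields directly (`if (current->mm->arg_end < current->mm->arg_start)`) states the intent without depending on the truncation. Clamping a negative length to `ELF_PRARGSZ-1` also still copies 79 bytes from `arg_start` of a range the kernel already knows is inconsistent; setting `len = 0` in that case and checking the return value of `copy_from_user`, which this hunk leaves unchecked, would be the safer shape.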

It might be a good idea to add some extra fixes to enforce sane values of
arg_start, arg_end et alii under any circumstances (even in a.out), but the RHEL
patch (attachment 115324) appears to be rather silly to me.
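The signedness problem behind CAN-2005-1263 and what the hunk quoted in this comment changes, modelled in user space as an added example (this is not code from the page or from the kernel tree): `unpatched_copy_len` mirrors the original comparison, `patched_copy_len` the fixed one, and `strict_copy_len` is a further variant added here that compares the unsigned fields directly. It assumes ELF_PRARGSZ is 80 as in the kernel's elfcore.h; the argument addresses are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Size of psinfo.pr_psargs, the buffer copy_from_user() writes into
 * (assumed to be 80, the value in the kernel's elfcore.h). */
#define ELF_PRARGSZ 80

/* Original 2.4 logic: a signed int holds the difference of two unsigned
 * longs.  If arg_start > arg_end the difference wraps, the int becomes
 * negative, the ">= ELF_PRARGSZ" test passes, and the negative value is
 * handed to copy_from_user() as a size_t, i.e. a huge length. */
static size_t unpatched_copy_len(unsigned long arg_start, unsigned long arg_end) {
    int len = arg_end - arg_start;
    if (len >= ELF_PRARGSZ)
        len = ELF_PRARGSZ - 1;
    return (size_t)len;   /* the implicit conversion copy_from_user() sees */
}

/* Logic after the hunk from linux-RHEL-missing-fixes.patch: a negative
 * length is clamped to ELF_PRARGSZ-1, so the copy can no longer overrun
 * pr_psargs (it still reads 79 bytes from arg_start of an inverted range). */
static size_t patched_copy_len(unsigned long arg_start, unsigned long arg_end) {
    int len = arg_end - arg_start;
    if (len < 0 /* overflow */ || len >= ELF_PRARGSZ)
        len = ELF_PRARGSZ - 1;
    return (size_t)len;
}

/* Stricter variant (added here, not from the page): compare the unsigned
 * fields before subtracting, so no truncation to int is involved, and copy
 * nothing at all when the range is inconsistent. */
static size_t strict_copy_len(unsigned long arg_start, unsigned long arg_end) {
    unsigned long len;
    if (arg_end < arg_start)
        return 0;
    len = arg_end - arg_start;
    return len >= ELF_PRARGSZ ? (size_t)(ELF_PRARGSZ - 1) : (size_t)len;
}

/* Returns 1 when a copy of `len` bytes would overrun pr_psargs. */
static int overruns_psargs(size_t len) {
    return len > (size_t)(ELF_PRARGSZ - 1);
}

int main(void) {
    /* Constructed addresses: a sane 16-byte argv area and an inverted one. */
    unsigned long sane_start = 0x1000, sane_end = 0x1010;
    unsigned long bad_start = 0x1010, bad_end = 0x1000;

    printf("sane:     unpatched=%zu patched=%zu strict=%zu\n",
           unpatched_copy_len(sane_start, sane_end),
           patched_copy_len(sane_start, sane_end),
           strict_copy_len(sane_start, sane_end));
    printf("inverted: unpatched=%zu (overrun=%d) patched=%zu (overrun=%d) strict=%zu\n",
           unpatched_copy_len(bad_start, bad_end),
           overruns_psargs(unpatched_copy_len(bad_start, bad_end)),
           patched_copy_len(bad_start, bad_end),
           overruns_psargs(patched_copy_len(bad_start, bad_end)),
           strict_copy_len(bad_start, bad_end));
    return 0;
}
```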

Comment 10 John Dalbec 2005-09-08 12:32:30 UTC
Does this affect us?

05.32.12 CVE: CAN-2005-1761
Platform: Linux
Title: Linux Kernel NFSACL Protocol XDR Data Remote Denial of Service
Description: Linux Kernel is affected by a remote denial of service
vulnerability when handling XDR data for the nfsacl protocol. An
attacker could leverage this issue to deny service to legitimate users
and possibly gain unauthorized access to the machine. Please refer to the
link below for a list of vulnerable versions.
Ref: http://www.securityfocus.com/advisories/9010

Comment 11 David Eisenstein 2005-10-03 11:04:55 UTC
From the way I read things, John, CAN-2005-1761 only affects IA64 CPUs.  We 
don't support IA64, so CAN-2005-1761 does not affect us AFAICT.

CAN-2005-1263:  
"The elf_core_dump function in binfmt_elf.c for Linux kernel 2.x.x to
2.2.27-rc2, 2.4.x to 2.4.31-pre1, and 2.6.x to 2.6.12-rc4 allows local users
to execute arbitrary code via an ELF binary that, in certain conditions
involving the create_elf_tables function, causes a negative length argument
to pass a signed integer comparison, leading to a buffer overflow."

Sounds pretty serious to me....

So does anyone want to build some .src.rpm's for the main (CAN-2005-1263) 
issue?

Has anyone built a 2.4.x kernel based on these patches?  Jonathan?  Pavel?
A 2.6.x kernel?  I can't tell from the above comments whether or not the 
patches submitted above have actually been tested or not....

Comment 12 Pekka Savola 2005-11-18 06:06:39 UTC
*** Bug 168803 has been marked as a duplicate of this bug. ***

Comment 13 John Dalbec 2005-12-07 21:17:04 UTC
    * 05.48.7 - CVE: CVE-2005-3275
    * Platform: Linux
    * Title: Linux Kernel NAT Handling Memory Corruption Denial of Service
    * Description: Linux Kernel is vulnerable to a denial of service issue. An attacker can exploit this by causing two packets for the same protocol to be NATed at the same time, resulting in a memory corruption. Please refer to the links below for a list of affected versions.
    * Ref: http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.32
      http://www.securityfocus.com/bid/15531/info

    * 05.48.9 - CVE: CVE-2005-3272
    * Platform: Linux
    * Title: Linux Kernel Network Bridge Incorrectly Forwarded Packets Information Disclosure
    * Description: The Linux Kernel is susceptible to an information disclosure vulnerability in its network bridging functionality. When packet filtering on a bridge, packets that are dropped by the packet filter result in an inappropriate bridge forwarding database. Malicious users that send spoofed packets to an affected firewall can cause the forwarding database to be updated in such a fashion that packets that should not normally traverse the bridge are leaked back to the attacker. Kernel versions 2.6.11.11 and prior are vulnerable to this issue.
    * Ref: http://www.securityfocus.com/bid/15536

Comment 14 Marc Deslauriers 2006-01-28 01:29:34 UTC
I have made a spreadsheet of all the kernel issues I could find with their
status.  If I've missed any, please tell me. I will be making updated FL kernel
packages based on the spreadsheet.

Comment 15 Marc Deslauriers 2006-01-28 01:30:44 UTC
Created attachment 123817
Kernel issues

Comment 16 Marc Deslauriers 2006-01-31 00:14:44 UTC
Here are updated fc3 kernel packages to QA:

Changelog:
* Fri Jan 27 2006 Marc Deslauriers <marcdeslauriers>
2.6.12-2.1.legacy_FC3
- Added patches for:
  CVE-2005-2709 (sysctl races)
  CVE-2005-3044 (lost fput and sockfd_put could lead to DoS)
  CVE-2005-3274 (ip_vs_conn_flush race condition DoS)
  CVE-2005-3356 (double decrement of mqueue_mnt->mnt_count in sys_mq_open)
  CVE-2005-3358 (prevent panic caused by invalid arguments to set_mempolicy)
  CVE-2005-3784 (auto-reap DoS)
  CVE-2005-3806 (ipv6 flowlabel DOS)
  CVE-2005-3857 (lease printk DoS)
  CVE-2005-4605 (kernel memory disclosure via /proc exploit)


a9e90391d398e0db501632ad415f0cf5f3101bbd  kernel-2.6.12-2.1.legacy_FC3.i586.rpm
853fcc0e094cadf9538c67a2964c78c51572ba4e  kernel-2.6.12-2.1.legacy_FC3.i686.rpm
a03913be7b9960b5f683c53e6557b69663e052de  kernel-2.6.12-2.1.legacy_FC3.src.rpm
18f05ab567ce025cd0a445af3b13680efd6f1979  kernel-smp-2.6.12-2.1.legacy_FC3.i586.rpm
3b19af6db102be01ae11a1988ac7ea1cebe5db6c  kernel-smp-2.6.12-2.1.legacy_FC3.i686.rpm

http://www.infostrategique.com/linuxrpms/legacy/3/kernel-2.6.12-2.1.legacy_FC3.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/3/


Comment 17 Marc Deslauriers 2006-01-31 00:15:44 UTC
Here are updated fc2 kernel packages to QA:

Changelog:
* Sat Jan 28 2006 Marc Deslauriers <marcdeslauriers>
2.6.10-2.1.legacy_FC2
- Added patches for:
  CVE-2005-0756 (ptrace-check-segment x86_64 crash)
  CVE-2005-0839 (Only root should be able to set the N_MOUSE line discipline)
  CVE-2005-0867 (signedness issue in sysfs)
  CVE-2005-0937 (futex mmap_sem deadlock)
  CVE-2005-0977 (tmpfs truncate bug)
  CVE-2005-1041 (crash while reading /proc/net/route)
  CVE-2005-1263 (ELF core dump privilege elevation)
  CVE-2005-1264 (data corruptor/local root in raw driver)
  CVE-2005-1265 (Prevent NULL mmap in topdown model)
  CVE-2005-1368 (key lookup race DoS)
  CVE-2005-1369 (i2c alarms sysfs DoS)
  CVE-2005-1761 (ia64 ptrace vulnerability)
  CVE-2005-1762 (ptrace can induce double-fault on x86_64)
  CVE-2005-1763 (x86_64-ptrace-overflow crash)
  CVE-2005-2098 (key management session can leave semaphore pinned)
  CVE-2005-2099 (Destruction of failed keyring oopses)
  CVE-2005-2456 (IPSEC overflow)
  CVE-2005-2458 (gzip/zlib flaws)
  CVE-2005-2490 (compat layer sendmsg() races)
  CVE-2005-2492 (Fix raw_sendmsg accesses)
  CVE-2005-2555 (IPSEC lacks restrictions)
  CVE-2005-2709 (sysctl races)
  CVE-2005-3044 (lost fput and sockfd_put could lead to DoS)
  CVE-2005-3274 (ip_vs_conn_flush race condition DoS)
  CVE-2005-3356 (double decrement of mqueue_mnt->mnt_count in sys_mq_open)
  CVE-2005-3358 (prevent panic caused by invalid arguments to set_mempolicy)
  CVE-2005-3784 (auto-reap DoS)
  CVE-2005-3806 (ipv6 flowlabel DOS)
  CVE-2005-3857 (lease printk DoS)
  CVE-2005-4605 (kernel memory disclosure via /proc exploit)

d87ebc435f09b44a39534d5c45d241d2c75e3034  kernel-2.6.10-2.1.legacy_FC2.i586.rpm
93a40aa21fa2afc091015d57d4d88a4c40f430db  kernel-2.6.10-2.1.legacy_FC2.i686.rpm
31338b2bbd71bc1ad241125792d19a658d7c53fb  kernel-2.6.10-2.1.legacy_FC2.src.rpm
b9acaad79f099e82ef5c1b3928fd503a10a3ec3a  kernel-smp-2.6.10-2.1.legacy_FC2.i586.rpm
d7e0b9d299141b681c611add813c7289de2efe67  kernel-smp-2.6.10-2.1.legacy_FC2.i686.rpm

http://www.infostrategique.com/linuxrpms/legacy/2/kernel-2.6.10-2.1.legacy_FC2.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/2/


Comment 18 Marc Deslauriers 2006-01-31 00:17:05 UTC
rh73, rh9 and fc1 kernels to QA will follow in a couple of days.

Comment 19 David Eisenstein 2006-01-31 02:43:08 UTC
Regarding Attachment #123817, I cannot open this file...
Can you create a spreadsheet file with an .sxc extension for OpenOffice 1.1?

Thanks, Marc!

Comment 20 Marc Deslauriers 2006-02-01 22:30:27 UTC
Created attachment 124004
Same spreadsheet in OO.o 1.x format

Comment 21 David Eisenstein 2006-02-03 06:22:45 UTC
Thanks for the OO.o 1.x spreadsheet.  I am floored - that took tons of work!
Are you looking for someone to check and make sure no CVE's were missed?

Incidentally, was wondering if we want to fix the problem mentioned in Bug
162208 - "[PATCH] bonding: don't drop non-VLAN traffic"?

Quoting Bug 162208 comment #2, "John W. Linville of Red Hat has proposed
a patch for this issue for RHEL 4's kernel as attachment #121717 in Bug
174671 comment #2.  When we next go in to build a FC2 kernel for a
security problem, this is a patch we could put in also.  This problem
may be present in FC1's and FC3's kernel as well."

Comment 22 Marc Deslauriers 2006-02-03 23:24:50 UTC
Don't QA the FC2 kernel yet. I missed a ton of patches. I'll post a rebuild soon.

I haven't added the patch from bug 162208. There are a bunch of other patch
requests open in bugzilla also. We unfortunately don't have enough
resources/time to include anything other than security fixes for now.

Comment 23 Marc Deslauriers 2006-02-04 04:54:24 UTC
Here is an updated fc1 kernel source package to QA.
It has not been compile-tested yet.

Changelog:
* Thu Feb 02 2006 Marc Deslauriers <marcdeslauriers>
2.4.22-1.2199.6.legacy.nptl
- Added patches for:
  CVE-2004-0791 (source quench DoS)
  CVE-2005-0756 (ptrace-check-segment x86_64 crash)
  CVE-2005-1263 (ELF core dump privilege elevation)
  CVE-2005-1762 (ptrace can induce double-fault on x86_64)
  CVE-2005-2458 (gzip/zlib flaws)
  CVE-2005-2490 (compat layer sendmsg() races)
  CVE-2005-2553 (32-bit ptrace find_target() oops)
  CVE-2005-2708 (user code panics kernel in exec.c)
  CVE-2005-2709 (sysctl races)
  CVE-2005-2973 (ipv6 infinite loop)
  CVE-2005-3044 (lost fput and sockfd_put could lead to DoS)
  CVE-2005-3180 (orinoco driver information leakage)
  CVE-2005-3275 (NAT DoS)
  CVE-2005-3276 (sys_get_thread_area minor info leak)
  CVE-2005-3806 (ipv6 flowlabel DOS)
  CVE-2005-3857 (lease printk DoS)

7ad6987740bc080d00e3d84b2450a35bed73f128  kernel-2.4.22-1.2199.6.legacy.nptl.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/1/kernel-2.4.22-1.2199.6.legacy.nptl.src.rpm


Comment 24 Marc Deslauriers 2006-02-04 04:56:41 UTC
Here is an updated fc2 kernel source package to QA.
It has not been compile-tested.

Changelog:
* Fri Feb 03 2006 Marc Deslauriers <marcdeslauriers>
2.6.10-2.2.legacy_FC2
- Added patches for:
  CVE-2005-2800 (/proc/scsi/scsi DoS)
  CVE-2005-2801 (ext2/3 xattr sharing bug)
  CVE-2005-2872 (ipt_recent integer handling)
  CVE-2005-2973 (ipv6 infinite loop)
  CVE-2005-3053 (sys_set_mempolicy() bounds check)
  CVE-2005-3106 (exec_mmap race DoS)
  CVE-2005-3109 (HFS oops)
  CVE-2005-3110 (race in ebtables)
  CVE-2005-3180 (etherleak in orinoco)
  CVE-2005-3181 (names_cache memory leak)
  CVE-2005-3275 (NAT DoS)
  CVE-2005-3276 (sys_get_thread_area has minor info leak)
  CVE-2005-3848 (dst_entry leak DoS)
  CVE-2005-3858 (ip6_input_finish DoS)

* Sat Jan 28 2006 Marc Deslauriers <marcdeslauriers>
2.6.10-2.1.legacy_FC2
- Added patches for:
  CVE-2005-0756 (ptrace-check-segment x86_64 crash)
  CVE-2005-0839 (Only root should be able to set the N_MOUSE line discipline)
  CVE-2005-0867 (signedness issue in sysfs)
  CVE-2005-0937 (futex mmap_sem deadlock)
  CVE-2005-0977 (tmpfs truncate bug)
  CVE-2005-1041 (crash while reading /proc/net/route)
  CVE-2005-1263 (ELF core dump privilege elevation)
  CVE-2005-1264 (data corruptor/local root in raw driver)
  CVE-2005-1265 (Prevent NULL mmap in topdown model)
  CVE-2005-1368 (key lookup race DoS)
  CVE-2005-1369 (i2c alarms sysfs DoS)
  CVE-2005-1761 (ia64 ptrace vulnerability)
  CVE-2005-1762 (ptrace can induce double-fault on x86_64)
  CVE-2005-1763 (x86_64-ptrace-overflow crash)
  CVE-2005-2098 (key management session can leave semaphore pinned)
  CVE-2005-2099 (Destruction of failed keyring oopses)
  CVE-2005-2456 (IPSEC overflow)
  CVE-2005-2458 (gzip/zlib flaws)
  CVE-2005-2490 (compat layer sendmsg() races)
  CVE-2005-2492 (Fix raw_sendmsg accesses)
  CVE-2005-2555 (IPSEC lacks restrictions)
  CVE-2005-2709 (sysctl races)
  CVE-2005-3044 (lost fput and sockfd_put could lead to DoS)
  CVE-2005-3274 (ip_vs_conn_flush race condition DoS)
  CVE-2005-3356 (double decrement of mqueue_mnt->mnt_count in sys_mq_open)
  CVE-2005-3358 (prevent panic caused by invalid arguments to set_mempolicy)
  CVE-2005-3784 (auto-reap DoS)
  CVE-2005-3806 (ipv6 flowlabel DOS)
  CVE-2005-3857 (lease printk DoS)
  CVE-2005-4605 (kernel memory disclosure via /proc exploit)

f724adbaececd7b2b4ce9490b7133d20d8d6de07  kernel-2.6.10-2.2.legacy_FC2.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/2/kernel-2.6.10-2.2.legacy_FC2.src.rpm


Comment 25 Marc Deslauriers 2006-02-04 04:59:39 UTC
Here is an updated rh9 and rh73 kernel source package to QA.
It has not been compile-tested yet.
It can be compiled for rh73 by changing the nptl switch near the
beginning of the spec file.

Changelog:
* Fri Feb 03 2006 Marc Deslauriers <marcdeslauriers> 2.4.20-44.9.legacy
- Added patches for:
  CVE-2004-0791 (source quench DoS)
  CVE-2005-0124 (coda fs flaw)
  CVE-2005-1263 (ELF core dump privilege elevation)
  CVE-2005-2458 (gzip/zlib flaws)
  CVE-2005-2490 (compat layer sendmsg() races)
  CVE-2005-2708 (user code panics kernel in exec.c)
  CVE-2005-2709 (sysctl races)
  CVE-2005-2973 (ipv6 infinite loop)
  CVE-2005-3044 (lost fput and sockfd_put could lead to DoS)
  CVE-2005-3180 (orinoco driver information leakage)
  CVE-2005-3273 (ROSE ndigis verification)
  CVE-2005-3275 (NAT DoS)
  CVE-2005-3276 (sys_get_thread_area minor info leak)
  CVE-2005-3806 (ipv6 flowlabel DOS)
  CVE-2005-3857 (lease printk DoS)

a0c0ac526cf62a6933c17abc6ec2217d38daeceb  kernel-2.4.20-44.9.legacy.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/9/kernel-2.4.20-44.9.legacy.src.rpm


Comment 26 Pekka Savola 2006-02-04 22:12:37 UTC
I checked the patches in RHL9, and they were good based on upstream.

Two comments:
 - AFAICS, CVE-2005-3044 is 64-bit specific, isn't it?
 - compilation fails due to sysctl-unregister.patch:

+       struct proc_dir_entry *de = PDE(file->f_dentry->d_inode);
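Review bot: the undefined reference to `PDE' reported below shows that this 2.4.20 tree has no PDE() helper, so this backported line from sysctl-unregister.patch cannot be taken as-is from the newer kernel it came from; the patch needs to carry its own inode-to-proc_dir_entry lookup (the one this tree already uses elsewhere in fs/proc) or define PDE() itself, and the build failure should be caught before the package is posted for QA.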

.. the error is:

kernel/kernel.o(.text+0xce16): In function `do_rw_proc': undefined reference to
`PDE'

Comment 27 Pekka Savola 2006-02-04 22:18:28 UTC
I also checked the security updates in latest RHEL3 kernel updates (all the
updates since April 2005), did a grep in our kernel changelogs for CVE numbers,
and checked out some obvious ones based on bugzilla.

The following security issues *seem* to be ones we haven't addressed, or don't
apply in RHL73/RHL9 kernel.  Most of them seem very minor.

It's not clear whether we need to address these (or some of these), and if so,
whether to do so now, or when next respinning the updates.

The most important ones seem to be CVE-2002-2185 and CAN-2005-0210 (if applicable).

https://rhn.redhat.com/errata/RHSA-2006-0140.html on 2006-01-19:
----------------------------------------------------------------

- a flaw in network IGMP processing that allowed a remote user on the
local network to cause a denial of service (disabling of multicast reports)
if the system is running multicast applications (CVE-2002-2185, moderate)
bz#174808

https://rhn.redhat.com/errata/RHSA-2005-663.html on 2005-09-28:
---------------------------------------------------------------

- a flaw in stack expansion that allowed a local user of mlockall()
to cause a denial of service (memory exhaustion) (CAN-2005-0179)
bz#144524

- a small memory leak in network packet defragmenting that allowed a
remote user to cause a denial of service (memory exhaustion) on
systems using netfilter (CAN-2005-0210)
bz#158724 [note: this might be RHEL only, maybe related to IPsec
backport]

https://rhn.redhat.com/errata/RHSA-2005-472.html on 2005-05-25:
---------------------------------------------------------------

A flaw in shared memory locking allowed local unprivileged users to lock
and unlock regions of shared memory segments they did not own
(CAN-2005-0176).
bz#142802

A flaw in the locking of SysV IPC shared memory regions allowed local
unprivileged users to bypass their RLIMIT_MEMLOCK resource limit
(CAN-2004-0491).
bz#126411

From https://rhn.redhat.com/errata/RHSA-2005-293.html on 2005-04-22:
--------------------------------------------------------------------

The ext3 and jfs code did not properly initialize journal descriptor
blocks. A privileged local user could read portions of kernel memory.
(CAN-2004-0177)
bz#121032

In addition to the security issues listed above, there was an important
fix made to the handling of the msync() system call for a particular case
in which the call could return without queuing modified mmap()'ed data for
file system update. (BZ 147969)


Comment 28 Marc Deslauriers 2006-02-05 04:20:37 UTC
Thanks for the info Pekka.

Here is an updated rh9 and rh73 kernel source package to QA.

- I removed the CVE-2005-3044 patch
- I fixed the CVE-2005-2709 patch
- I added a patch for CVE-2002-2185
- CVE-2005-0179 is specific to RHEL3, the code doesn't look present in rh9
- CVE-2005-0210 is specific to RHEL3, the code doesn't look present in rh9
- CVE-2005-0176 is specific to RHEL3, the code doesn't look present in rh9
- CVE-2004-0491 is specific to RHEL3, the code doesn't look present in rh9
- CVE-2004-0177 was already fixed by FLSA:2336

It can be compiled for rh73 by changing the nptl switch near the
beginning of the spec file.

Changelog:
* Sat Feb 04 2006 Marc Deslauriers <marcdeslauriers> 2.4.20-45.9.legacy
- Removed CVE-2005-3044 patch (it was 64-bit only)
- Fixed CVE-2005-2709 patch
- Added patch for CVE-2002-2185 (potential IGMP DoS)

* Fri Feb 03 2006 Marc Deslauriers <marcdeslauriers> 2.4.20-44.9.legacy
- Added patches for:
  CVE-2004-0791 (source quench DoS)
  CVE-2005-0124 (coda fs flaw)
  CVE-2005-1263 (ELF core dump privilege elevation)
  CVE-2005-2458 (gzip/zlib flaws)
  CVE-2005-2490 (compat layer sendmsg() races)
  CVE-2005-2708 (user code panics kernel in exec.c)
  CVE-2005-2709 (sysctl races)
  CVE-2005-2973 (ipv6 infinite loop)
  CVE-2005-3044 (lost fput and sockfd_put could lead to DoS)
  CVE-2005-3180 (orinoco driver information leakage)
  CVE-2005-3273 (ROSE ndigis verification)
  CVE-2005-3275 (NAT DoS)
  CVE-2005-3276 (sys_get_thread_area minor info leak)
  CVE-2005-3806 (ipv6 flowlabel DOS)
  CVE-2005-3857 (lease printk DoS)

f706a64877d511608f765c60787caf3e1ab07aeb  kernel-2.4.20-45.9.legacy.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/9/kernel-2.4.20-45.9.legacy.src.rpm


Comment 29 Pekka Savola 2006-02-05 09:14:51 UTC
It appears that CVE-2005-3272 mentioned in comment #13 also wasn't in the bug
spreadsheet, but AFAICS, RHEL hasn't fixed it either.

I took a look at FC1.

The following patches seem 64-bit specific, and we shouldn't need them:

./linux-2.4.22-CVE-2005-3044.patch:
./linux-2.4.22-CVE-2005-2553.patch:
./linux-2.4.22-CVE-2005-1762.patch:
./linux-2.4.22-CVE-2005-0756.patch:

The following patches exist on RHL9, and weren't in FC1 even though (according
to CVE and other notes), they should be applicable:

+./linux-2.4.29-CVE-2005-0124.patch: ASCII C program text
+./linux-2.4.29-CVE-2005-3273.patch: ASCII C program text

The others were OK.
Obviously, CVE-2002-2185 isn't there, but can be added later if need be.

Could you comment on these?

I hope someone can do the QA for FC2/FC3.

RHL73 and RHL9 are fine.

QA w/ rpm-build-compare.sh:
 - source integrity good
 - spec file changes good
 - patches verified (thanks for the good info on where they're from!)
 - RHL9 rebuilds and reboots

+PUBLISH RHL73, RHL9

f706a64877d511608f765c60787caf3e1ab07aeb  kernel-2.4.20-45.9.legacy.src.rpm


Comment 30 Marc Deslauriers 2006-02-05 13:26:14 UTC
Fedora Legacy is getting a x86_64 build server. Jesse has mentioned that we will
probably be rebuilding all the released security updates for x86_64 starting
with FC1. The 64-bit kernel patches should stay.

In the FC1 kernel, CVE-2005-0124 and CVE-2005-3273 are both fixed by the
linux-2.4.29-rc2-security-fixes.patch patch.

CVE-2002-2185 is trivial, it can be added for the test build.

Comment 31 Pekka Savola 2006-02-06 07:41:34 UTC
Hmm.  Something doesn't sound quite right about that.  We already have 5 distros
we're having hard time following.  You're saying we should add new arches to
those, bringing the total number (of VERIFY-testing) to at least 8 (and need to
add handling for many 64-bit specific bugs we've come across lately).


Comment 32 David Eisenstein 2006-02-06 11:03:04 UTC
Comments 30 and 31 might be a good thing to discuss on the fedora-legacy-list.
See what others' thoughts are.

Comment 33 Marc Deslauriers 2006-02-08 04:13:50 UTC
Here are updated fc3 kernel packages to QA:

Changelog:
* Tue Feb 07 2006 Marc Deslauriers <marcdeslauriers>
2.6.12-2.2.legacy_FC3
- Added patches for:
  CVE-2002-2185 (IGMP DoS)
  CVE-2005-3527 (do_coredump() vs SIGSTOP race)
  CVE-2005-3805 (POSIX timer cleanup handling on exit locking problem)
  CVE-2006-0095 (dm-crypt key leak)
  CVE-2006-0454 (ICMP route double-free)
  CVE-2005-3807 (memory leak with file leases)

* Fri Jan 27 2006 Marc Deslauriers <marcdeslauriers>
2.6.12-2.1.legacy_FC3
- Added patches for:
  CVE-2005-2709 (sysctl races)
  CVE-2005-3044 (lost fput and sockfd_put could lead to DoS)
  CVE-2005-3274 (ip_vs_conn_flush race condition DoS)
  CVE-2005-3356 (double decrement of mqueue_mnt->mnt_count in sys_mq_open)
  CVE-2005-3358 (prevent panic caused by invalid arguments to set_mempolicy)
  CVE-2005-3784 (auto-reap DoS)
  CVE-2005-3806 (ipv6 flowlabel DOS)
  CVE-2005-3857 (lease printk DoS)
  CVE-2005-4605 (kernel memory disclosure via /proc exploit)


c3c03ddfa1154deaf389cc12a301e0fa34486197  kernel-2.6.12-2.2.legacy_FC3.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/3/kernel-2.6.12-2.2.legacy_FC3.src.rpm



Comment 34 Marc Deslauriers 2006-02-08 04:19:52 UTC
Created attachment 124350
Updated kernel bug spreadsheet

What's in blue is what's fixed in the packages attached to this bug.

Comment 35 Marc Deslauriers 2006-02-11 15:43:11 UTC
Here is, once more, an updated fc2 kernel source package to QA.
It has not been compile-tested.

Changelog:
* Fri Feb 10 2006 Marc Deslauriers <marcdeslauriers>
2.6.10-2.3.legacy_FC2
- Added patches for:
  CVE-2002-2185 (IGMP DoS)
  CVE-2005-3805 (POSIX timer cleanup handling on exit locking problem)
  CVE-2005-3807 (memory leak with file leases)
  CVE-2006-0095 (dm-crypt key leak)

* Fri Feb 03 2006 Marc Deslauriers <marcdeslauriers>
2.6.10-2.2.legacy_FC2
- Added patches for:
  CVE-2005-2800 (/proc/scsi/scsi DoS)
  CVE-2005-2801 (ext2/3 xattr sharing bug)
  CVE-2005-2872 (ipt_recent integer handling)
  CVE-2005-2973 (ipv6 infinite loop)
  CVE-2005-3053 (sys_set_mempolicy() bounds check)
  CVE-2005-3106 (exec_mmap race DoS)
  CVE-2005-3109 (HFS oops)
  CVE-2005-3110 (race in ebtables)
  CVE-2005-3180 (etherleak in orinoco)
  CVE-2005-3181 (names_cache memory leak)
  CVE-2005-3275 (NAT DoS)
  CVE-2005-3276 (sys_get_thread_area has minor info leak)
  CVE-2005-3848 (dst_entry leak DoS)
  CVE-2005-3858 (ip6_input_finish DoS)

* Sat Jan 28 2006 Marc Deslauriers <marcdeslauriers>
2.6.10-2.1.legacy_FC2
- Added patches for:
  CVE-2005-0756 (ptrace-check-segment x86_64 crash)
  CVE-2005-0839 (Only root should be able to set the N_MOUSE line discipline)
  CVE-2005-0867 (signedness issue in sysfs)
  CVE-2005-0937 (futex mmap_sem deadlock)
  CVE-2005-0977 (tmpfs truncate bug)
  CVE-2005-1041 (crash while reading /proc/net/route)
  CVE-2005-1263 (ELF core dump privilege elevation)
  CVE-2005-1264 (data corruptor/local root in raw driver)
  CVE-2005-1265 (Prevent NULL mmap in topdown model)
  CVE-2005-1368 (key lookup race DoS)
  CVE-2005-1369 (i2c alarms sysfs DoS)
  CVE-2005-1761 (ia64 ptrace vulnerability)
  CVE-2005-1762 (ptrace can induce double-fault on x86_64)
  CVE-2005-1763 (x86_64-ptrace-overflow crash)
  CVE-2005-2098 (key management session can leave semaphore pinned)
  CVE-2005-2099 (Destruction of failed keyring oopses)
  CVE-2005-2456 (IPSEC overflow)
  CVE-2005-2458 (gzip/zlib flaws)
  CVE-2005-2490 (compat layer sendmsg() races)
  CVE-2005-2492 (Fix raw_sendmsg accesses)
  CVE-2005-2555 (IPSEC lacks restrictions)
  CVE-2005-2709 (sysctl races)
  CVE-2005-3044 (lost fput and sockfd_put could lead to DoS)
  CVE-2005-3274 (ip_vs_conn_flush race condition DoS)
  CVE-2005-3356 (double decrement of mqueue_mnt->mnt_count in sys_mq_open)
  CVE-2005-3358 (prevent panic caused by invalid arguments to set_mempolicy)
  CVE-2005-3784 (auto-reap DoS)
  CVE-2005-3806 (ipv6 flowlabel DOS)
  CVE-2005-3857 (lease printk DoS)
  CVE-2005-4605 (kernel memory disclosure via /proc exploit)

69aad0ec7acb370deff773a63a10a357b6c2dd24  kernel-2.6.10-2.3.legacy_FC2.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/2/kernel-2.6.10-2.3.legacy_FC2.src.rpm


Comment 36 Johnny Wahnstroem 2006-02-14 17:32:12 UTC
The kernel package above (kernel-2.6.10-2.3.legacy_FC2.src.rpm) compiles fine on
a FC2 SMP x86_64 Opteron machine.

There's a big problem though - the RPMs (kernel- and kernel-smp), upon
installation using "rpm -Uvh kernel*" removed all of my old (and currently
running) kernel sets. The grub.conf now only lists the two new kernels.

That is not the way kernel RPMs usually install - they should merely add
themselves to the installed kernels and add stanzas to /etc/grub.conf.

Comment 37 Jesse Keating 2006-02-14 17:38:08 UTC
that is the way that -Uvh has always worked.  For kernels you want to -ivh. 
This is not a bug.

Comment 38 Johnny Wahnstroem 2006-02-14 17:43:02 UTC
Oh boy...I'm eating my hat here. I just realised that the behaviour described
above is exactly what "rpm -U" is supposed to do. I ought to have used "rpm -i"...

Sorry about the wasted bandwidth. I'll see if I can clean up my own mess and
provide a more useful feedback of how the new kernel package works in practice...

I'm trying to figure out a recurring kernel panic/server freeze that occurs
about every two weeks. Since I've recently implemented an SSH connection
throttling using iptables and ipt_recent, I figured this kernel might sort it.
(CVE-2005-2872)

Again, my apologies.
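
The install mix-up in the two comments above, and the checksum lines QA posts alongside each package, suggest a small script for the routine. The one below is an added example, not code from the bug thread or from Fedora Legacy: it checks a downloaded RPM against a posted "HASH  FILENAME" line (which is already in sha1sum's own output format), verifies the package signature with "rpm --checksig", and installs with "rpm -ivh" so existing kernels and their grub stanzas are kept. The download directory, the script name, and the constructed sample line in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug thread): verify a kernel RPM against the
# SHA-1 line posted in the bug, then install it side by side with the
# running kernel. Paths and the sample line are assumptions for illustration.

# sha1_of FILE: print the hex SHA-1 digest of FILE.
sha1_of() {
    sha1sum "$1" | cut -d' ' -f1
}

# check_against_line "HASH  NAME" DIR: verify that DIR/NAME has digest HASH.
# The posted line is exactly what sha1sum prints, so splitting on whitespace
# is all the parsing needed. Returns 0 on match, 1 on mismatch, 2 if missing.
check_against_line() {
    line=$1
    dir=$2
    set -- $line          # $1 = expected hash, $2 = file name
    expected=$1
    file=$dir/$2
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    actual=$(sha1_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file"
        return 0
    fi
    echo "FAIL $file: got $actual, expected $expected" >&2
    return 1
}

# install_kernel_rpm FILE: check the package signature, then install with -i.
# -i adds a new kernel package and grub stanza; -U would replace the installed
# kernel packages, which is what the "rpm -Uvh kernel*" comment above ran into.
install_kernel_rpm() {
    rpm --checksig "$1" || return 1
    rpm -ivh "$1"
}

# Usage (constructed sample line; real ones are copied from the QA comment):
#   sh verify-and-install.sh \
#       'da39a3ee5e6b4b0d3255bfef95601890afd80709  kernel-example.i686.rpm' \
#       /var/tmp/legacy-updates
# Only runs when both arguments are given, so sourcing the file is side-effect free.
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    if check_against_line "$1" "$2"; then
        set -- $1
        install_kernel_rpm "$2/$2"
    else
        exit 1
    fi
fi
```

Run the checksum step before the signature step: a mismatching digest means the download is not the package QA looked at, whatever its signature says, and a missing file is reported separately so a typo in the directory is not mistaken for a corrupted download.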

Comment 39 Pekka Savola 2006-02-16 14:11:14 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
                                                                               
                                            
I was hoping someone else would do this, but in the interest of moving this
forward....
 
QA w/ rpm-build-compare.sh:
- - source integrity good
- - spec file changes minimal
- - patches verified to come from RHEL or upstream as indicated in the patch
  descriptions.  I did not verify whether FC2 or FC3 address all the known
  vulnerabilities.
 
Notes about patches:
 
- - FC2 doesn't include the following FC3 fix, though bugtraq notes indicate that
  2.6.10 should be affected?  Was it excluded intentionally?
     CVE-2005-3527 (do_coredump() vs SIGSTOP race)
 
- - CVE-2006-0454 patch source information (at least on FC3) is wrong,
  referring to a different bug, but the patch itself is OK.  Can be fixed at
  build time.
 
- - also checked that FC1 64-bit patches are OK, even though I'm against
  including 64-bit support for FC1; FC1 also required a few modifications
  (discussed above) at build time.
 
+PUBLISH FC1, FC2, FC3
 
7ad6987740bc080d00e3d84b2450a35bed73f128  kernel-2.4.22-1.2199.6.legacy.nptl.src.rpm
69aad0ec7acb370deff773a63a10a357b6c2dd24  kernel-2.6.10-2.3.legacy_FC2.src.rpm
c3c03ddfa1154deaf389cc12a301e0fa34486197  kernel-2.6.12-2.2.legacy_FC3.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
                                                                               
                                            
iD8DBQFD9IkbGHbTkzxSL7QRAjKjAJ91W+2MEq0MLK6BwH+ILbTIATwHPQCgkXIY
xbmeeyUJCD0hStdEOFko6pM=
=hpHh
-----END PGP SIGNATURE-----


Comment 40 Matthew Miller 2006-02-16 14:39:32 UTC
Sorry, haven't had time to review all of the patches. But we have been running
the FC3 kernel on a number of test machines with no obvious problems, so that's
a positive datapoint at least.

Comment 41 Marc Deslauriers 2006-02-16 23:21:30 UTC
Thanks Pekka!

The code that is affected by CVE-2005-3527 doesn't look present in the FC2
source. If someone finds it, please let me know, we'll include it next time.

CVE-2006-0454 does indeed have wrong source info, I'll fix it when I build for
testing.

What were the modifications you needed for FC1? Was it the missing CVE-2002-2185
patch?

Comment 42 Pekka Savola 2006-02-17 05:42:46 UTC
Yes, CVE-2002-2185.

Comment 43 Marc Deslauriers 2006-02-21 00:53:08 UTC
Packages were pushed to updates-testing

Comment 44 Jim Popovitch 2006-02-25 05:28:59 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

++VERIFY RH73

Running on production web servers with no noticeable issues.

488df87ec8914c665f2509688a06dbb7dc5cf476  kernel-2.4.20-45.7.legacy.i686.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFD/+xKMyG7U7lo69MRAoZ5AJ9BM5SNoT+i8y+AsZnZE1H3JWtiAACgy9WL
+XdXxPplfz2SS/xKZtAUBos=
=sago
-----END PGP SIGNATURE-----

Comment 45 Pekka Savola 2006-02-25 07:58:12 UTC
Thanks!

Comment 46 Marc Deslauriers 2006-03-05 19:15:30 UTC
Updated packages were pushed to updates-testing to fix bug 183491.

Comment 47 Donald Maner 2006-03-06 00:00:43 UTC
I would think that the timeout needs to be reset as well.

Comment 48 David Eisenstein 2006-03-06 08:55:40 UTC
Yes ... and maybe rh73 should be re-verified?  I'll adjust the timeout for two
weeks from when the new packages were pushed to updates-testing for the moment.
We can discuss if it shouldn't be so long...  I intend to verify fc1 in the next
day or two, though.

Comment 49 Pekka Savola 2006-03-06 10:37:15 UTC
Remember that the buggy patch was not introduced in *THIS* update, but the
previous one.  Hence, I think we shouldn't overdo the testing for these updates,
though a bit more testing seems warranted. I'd like to get the packages released
in a week.


Comment 50 David Eisenstein 2006-03-06 11:43:08 UTC
Not unreasonable, Pekka.  One thing though - this is the *kernel*, and so far
we have had only one verify vote.  Considering how small a change this is, it
makes sense that rh73 likely does not need re-verifying.

So we can use verify votes for RH9, FC1, FC2 & FC3...

Downloading FC1 packages now...

Comment 51 Jim Popovitch 2006-03-06 13:48:58 UTC
I am testing kernel-2.4.20-46.7 (RH73) this week (I don't expect any problems)
and will post a verify in a few days if all is well.

Comment 52 Pekka Savola 2006-03-09 13:13:02 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
I've tested the -46 kernel package on RHL9.  RPM signatures are OK, installs
nicely, and seems to work fine.
 
+VERIFY RHL9
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
 
iD8DBQFEECsJGHbTkzxSL7QRAqJ6AJ4s3W56hmEVTxHS7q1GcpKuwsPtwQCgwnoI
PMKslikHYCdIlssTX0gn4SM=
=WENV
-----END PGP SIGNATURE-----


Comment 53 Jim Popovitch 2006-03-09 18:58:55 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

VERIFY++  RH73

Works as expected.  Tested on production web/mail systems, no concerns.  Install
works fine and no necessary changes needed to reboot into new kernel.  Dmesg and
/var/log/messages show nothing out of the ordinary.

82f9abe5137fe60c379e54ed4c30102e77a3d7ce  kernel-2.4.20-46.7.legacy.i686.rpm

- -Jim P.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFEEHwJMyG7U7lo69MRAvwcAKDVsOP3hjuCFNpigFRtfp30PtuN0ACeJBEN
mpHf/MctSUSYJ70823YjL2E=
=cxK1
-----END PGP SIGNATURE-----

Comment 54 David Eisenstein 2006-03-12 21:23:34 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Test results for FC1 kernel:

70e345e1ff5427a4aa41fb4b72155e6ba73fcc38  kernel-2.4.22-1.2199.8.legacy.nptl.i586.rpm

	Fedora Core release 1 (Yarrow)
	Kernel 2.4.22-1.2199.8.legacy.nptl on an i586

	twinkfed login:

   * Booted fine
   * Ran everything fine for most of a day.
   * Did not test for any of the vulnerabilities.
   * Shut down fine.
   * No issues with this kernel.  Seems to work great.

 VERIFY++ FC1   kernel-2.4.22-1.2199.8.legacy.nptl.i586.rpm
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFEFJJNxou1V/j9XZwRAo8HAJ4+OZAsiarlXmRliY8o1mXe/gEpqwCffmq8
dh8gUt+5I+Tz0tK/VCmXrUs=
=cOrs
-----END PGP SIGNATURE-----


Comment 55 Pekka Savola 2006-03-13 06:33:18 UTC
Thanks Jim, David.

Timeout over.

Comment 56 Marc Deslauriers 2006-03-17 00:49:02 UTC
Packages were pushed to updates.

