__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN Red Hat Updated Kernel Packages Fix Security Vulnerabilities [RHSA-2004:255-10] June 18, 2004 16:00 GMT Number O-164 [REVISED 19 Aug 2004] [REVISED 30 May 2006] ______________________________________________________________________________ PROBLEM: There are three security vulnerabilities in the Red Hat Linux kernel: 1) A flaw was found in Linux kernel versions 2.4 and 2.6 for x86 and x86_64; 2) A flaw was discovered in an error path supporting the clone() system call; 3) Enhancements were committed to the 2.6 kernel which enabled the Sparse source code checking tool to check for a certain class of kernel bugs. PLATFORM: Red Hat Desktop (v.3) Red Hat Enterprise Linux AS (v.3) & (v.2.1) Red Hat Enterprise Linux ES (v.3) Red Hat Enterprise Linux WS (v.3) Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor Debian GNU/Linux 3.0 alias woody DAMAGE: 1) A local user could cause a denial of service (system crash) by triggering a signal handler with a certain sequence of fsave and frstor instructions; 2) A loca user could cause a denial of service (memory leak) by passing invalid arguments to clone() running in an infinite loop of a user's program; 3) Flaws could lead to privilege escallation or access to kernel memory. SOLUTION: Upgrade kernels to the packages associated with the machine architectures and configurations as listed in the erratum. ______________________________________________________________________________ VULNERABILITY The risk is MEDIUM. A local user could gain root privileges. ASSESSMENT: ______________________________________________________________________________ LINKS: CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/o-164.shtml ORIGINAL BULLETIN: Red Hat RHSA-2004:255-10 https://rhn.redhat.com/errata/RHSA-2004-255.html ADDITIONAL LINKS: US-CERT Vulnerability Note VU#973654 http://www.kb.cert.org/vuls/id/973654 Red Hat RHSA-2004:327-09 https://rhn.redhat.com/errata/RHSA-2004-327.html Debian Security Advisory DSA-1082-1 http://www.debian.org/security/2006/dsa-1082 CVE/CAN: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name= CAN-2004-0427 CAN-2004-0495 CAN-2004-0554 ______________________________________________________________________________ REVISION HISTORY: 08/19/2004 - added a link to Red Hat RHSA-2004:327-09 for Red Hat Enterprise Linux AS (v.2.1) and Advanced Workstation 2.1 for the Itanium Processor. 05/30/2006 - added a link to Debian Security Advisory DSA-1082-1 for Debian GNU/Linux 3.0 alias woody. [***** Start RHSA-2004:255-10 *****] Updated kernel packages fix security vulnerabilities Advisory: RHSA-2004:255-10 Last updated on: 2004-06-17 Affected Products: Red Hat Desktop (v. 3) Red Hat Enterprise Linux AS (v. 3) Red Hat Enterprise Linux ES (v. 3) Red Hat Enterprise Linux WS (v. 3) CVEs (cve.mitre.org): CAN-2004-0427 CAN-2004-0495 CAN-2004-0554 back Security Advisory Details: Updated kernel packages for Red Hat Enterprise Linux 3 that fix security vulnerabilities are now available. The Linux kernel handles the basic functions of the operating system. A flaw was found in Linux kernel versions 2.4 and 2.6 for x86 and x86_64 that allowed local users to cause a denial of service (system crash) by triggering a signal handler with a certain sequence of fsave and frstor instructions. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0554 to this issue. Another flaw was discovered in an error path supporting the clone() system call that allowed local users to cause a denial of service (memory leak) by passing invalid arguments to clone() running in an infinite loop of a user's program. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0427 to this issue. Enhancements were committed to the 2.6 kernel by Al Viro which enabled the Sparse source code checking tool to check for a certain class of kernel bugs. A subset of these fixes also applies to various drivers in the 2.4 kernel. Although the majority of these resides in drivers unsupported in Red Hat Enterprise Linux 3, the flaws could lead to privilege escalation or access to kernel memory. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0495 to these issues. All Red Hat Enterprise Linux 3 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. These packages contain backported patches to correct these issues. Updated packages: Red Hat Desktop (v. 3) -------------------------------------------------------------------------------- AMD64: kernel-2.4.21-15.0.2.EL.x86_64.rpm 13aabc1c96dfee65f73246051a955ba8 kernel-doc-2.4.21-15.0.2.EL.x86_64.rpm 608d072210521af17c455f7754a6e352 kernel-smp-2.4.21-15.0.2.EL.x86_64.rpm 82154d7551d6e4947af70b3044c9d4d2 kernel-smp-unsupported-2.4.21-15.0.2.EL.x86_64.rpm 8fde60be45154b7722893feb65506f42 kernel-source-2.4.21-15.0.2.EL.x86_64.rpm 44be30f820be806621b47786ebff1844 kernel-unsupported-2.4.21-15.0.2.EL.x86_64.rpm aa060423c3136a26ca31a7aafa337380 EM64T: kernel-2.4.21-15.0.2.EL.ia32e.rpm 90dabcf0bb591756e5f04f397cf8a156 kernel-unsupported-2.4.21-15.0.2.EL.ia32e.rpm 144943d76b23470572326c84b57c0dd9 SRPMS: kernel-2.4.21-15.0.2.EL.src.rpm 669d77609b1c47ff49c939c1ea7bbc45 athlon: kernel-2.4.21-15.0.2.EL.athlon.rpm 05b0bcb454ac5454479481d0288fbf20 kernel-smp-2.4.21-15.0.2.EL.athlon.rpm 96eb477ac938da01b729b5ac5ed36e3b kernel-smp-unsupported-2.4.21-15.0.2.EL.athlon.rpm 9d24273cc70bb6be810984cb3f3d0a36 kernel-unsupported-2.4.21-15.0.2.EL.athlon.rpm 17f10f04cffc9751afb1499aaff00fdc i386: kernel-BOOT-2.4.21-15.0.2.EL.i386.rpm 4635f8c6555f3b3e52feb9444b2e230d kernel-doc-2.4.21-15.0.2.EL.i386.rpm 6cf6c39a83dfe7cca9c9a79f02dc3fa8 kernel-source-2.4.21-15.0.2.EL.i386.rpm 3c690c54909996d3bba3da7c8d8f894a i686: kernel-2.4.21-15.0.2.EL.i686.rpm a3073219b60cbb7ce447a22e5103e097 kernel-hugemem-2.4.21-15.0.2.EL.i686.rpm 6c8dad84abc4dd1892c9dc862c329273 kernel-hugemem-unsupported-2.4.21-15.0.2.EL.i686.rpm 426c517d35a53546138b0d72a0515909 kernel-smp-2.4.21-15.0.2.EL.i686.rpm bece09ba4a651196758380372dc4c593 kernel-smp-unsupported-2.4.21-15.0.2.EL.i686.rpm 775338e099c3bdf36a586d29e55dbd3e kernel-unsupported-2.4.21-15.0.2.EL.i686.rpm 89ee51cb60f7a1f34e66cbb16abcba07 Red Hat Enterprise Linux AS (v. 3) -------------------------------------------------------------------------------- AMD64: kernel-2.4.21-15.0.2.EL.x86_64.rpm 13aabc1c96dfee65f73246051a955ba8 kernel-doc-2.4.21-15.0.2.EL.x86_64.rpm 608d072210521af17c455f7754a6e352 kernel-smp-2.4.21-15.0.2.EL.x86_64.rpm 82154d7551d6e4947af70b3044c9d4d2 kernel-smp-unsupported-2.4.21-15.0.2.EL.x86_64.rpm 8fde60be45154b7722893feb65506f42 kernel-source-2.4.21-15.0.2.EL.x86_64.rpm 44be30f820be806621b47786ebff1844 kernel-unsupported-2.4.21-15.0.2.EL.x86_64.rpm aa060423c3136a26ca31a7aafa337380 EM64T: kernel-2.4.21-15.0.2.EL.ia32e.rpm 90dabcf0bb591756e5f04f397cf8a156 kernel-unsupported-2.4.21-15.0.2.EL.ia32e.rpm 144943d76b23470572326c84b57c0dd9 SRPMS: kernel-2.4.21-15.0.2.EL.src.rpm 669d77609b1c47ff49c939c1ea7bbc45 athlon: kernel-2.4.21-15.0.2.EL.athlon.rpm 05b0bcb454ac5454479481d0288fbf20 kernel-smp-2.4.21-15.0.2.EL.athlon.rpm 96eb477ac938da01b729b5ac5ed36e3b kernel-smp-unsupported-2.4.21-15.0.2.EL.athlon.rpm 9d24273cc70bb6be810984cb3f3d0a36 kernel-unsupported-2.4.21-15.0.2.EL.athlon.rpm 17f10f04cffc9751afb1499aaff00fdc i386: kernel-BOOT-2.4.21-15.0.2.EL.i386.rpm 4635f8c6555f3b3e52feb9444b2e230d kernel-doc-2.4.21-15.0.2.EL.i386.rpm 6cf6c39a83dfe7cca9c9a79f02dc3fa8 kernel-source-2.4.21-15.0.2.EL.i386.rpm 3c690c54909996d3bba3da7c8d8f894a i686: kernel-2.4.21-15.0.2.EL.i686.rpm a3073219b60cbb7ce447a22e5103e097 kernel-hugemem-2.4.21-15.0.2.EL.i686.rpm 6c8dad84abc4dd1892c9dc862c329273 kernel-hugemem-unsupported-2.4.21-15.0.2.EL.i686.rpm 426c517d35a53546138b0d72a0515909 kernel-smp-2.4.21-15.0.2.EL.i686.rpm bece09ba4a651196758380372dc4c593 kernel-smp-unsupported-2.4.21-15.0.2.EL.i686.rpm 775338e099c3bdf36a586d29e55dbd3e kernel-unsupported-2.4.21-15.0.2.EL.i686.rpm 89ee51cb60f7a1f34e66cbb16abcba07 ia64: kernel-2.4.21-15.0.2.EL.ia64.rpm 24ddfb9f957028d3bbc5cfff2b25bc67 kernel-doc-2.4.21-15.0.2.EL.ia64.rpm cc60f06bdd3ad6a05040df8ba40d41a1 kernel-source-2.4.21-15.0.2.EL.ia64.rpm a8fc2a1042ee3e580881b50c97a3241d kernel-unsupported-2.4.21-15.0.2.EL.ia64.rpm 60e5c1f1efa438a658b12e16543214cd ppc64: kernel-doc-2.4.21-15.0.2.EL.ppc64.rpm 3f21dd578af78ed576c7cbf6e17a3f16 kernel-source-2.4.21-15.0.2.EL.ppc64.rpm 937a05a7666f14f95d20be19fc461f05 ppc64iseries: kernel-2.4.21-15.0.2.EL.ppc64iseries.rpm 495a1c8f85e0e237643fd2e3f89ddaed kernel-unsupported-2.4.21-15.0.2.EL.ppc64iseries.rpm 57f0111e6443fd5a39099731cc0856e8 ppc64pseries: kernel-2.4.21-15.0.2.EL.ppc64pseries.rpm 6ad188ae0c61a077dede364c59448f61 kernel-unsupported-2.4.21-15.0.2.EL.ppc64pseries.rpm 22f38c0c1abee45e0ac24caa19e06311 s390: kernel-2.4.21-15.0.2.EL.s390.rpm 1b9d329e2b074616239a91fd967871c8 kernel-doc-2.4.21-15.0.2.EL.s390.rpm 5e27cc65020dbb1c92368e79c3edcbe6 kernel-source-2.4.21-15.0.2.EL.s390.rpm 282bb4f0e5bfbec228a742ab6666665d kernel-unsupported-2.4.21-15.0.2.EL.s390.rpm 8f67e244ba867a103e6b211d3d0d1fba s390x: kernel-2.4.21-15.0.2.EL.s390x.rpm a8bab06e561ac8b6ab473b4e722a570b kernel-doc-2.4.21-15.0.2.EL.s390x.rpm 860944b6a4e8384a0b344dc96ea48b6d kernel-source-2.4.21-15.0.2.EL.s390x.rpm 6e9628389fa69aafc9c910e4b37a425a kernel-unsupported-2.4.21-15.0.2.EL.s390x.rpm 3522c33c18eb876b5033ef12398707fe Red Hat Enterprise Linux ES (v. 3) -------------------------------------------------------------------------------- AMD64: kernel-2.4.21-15.0.2.EL.x86_64.rpm 13aabc1c96dfee65f73246051a955ba8 kernel-doc-2.4.21-15.0.2.EL.x86_64.rpm 608d072210521af17c455f7754a6e352 kernel-smp-2.4.21-15.0.2.EL.x86_64.rpm 82154d7551d6e4947af70b3044c9d4d2 kernel-smp-unsupported-2.4.21-15.0.2.EL.x86_64.rpm 8fde60be45154b7722893feb65506f42 kernel-source-2.4.21-15.0.2.EL.x86_64.rpm 44be30f820be806621b47786ebff1844 kernel-unsupported-2.4.21-15.0.2.EL.x86_64.rpm aa060423c3136a26ca31a7aafa337380 EM64T: kernel-2.4.21-15.0.2.EL.ia32e.rpm 90dabcf0bb591756e5f04f397cf8a156 kernel-unsupported-2.4.21-15.0.2.EL.ia32e.rpm 144943d76b23470572326c84b57c0dd9 SRPMS: kernel-2.4.21-15.0.2.EL.src.rpm 669d77609b1c47ff49c939c1ea7bbc45 athlon: kernel-2.4.21-15.0.2.EL.athlon.rpm 05b0bcb454ac5454479481d0288fbf20 kernel-smp-2.4.21-15.0.2.EL.athlon.rpm 96eb477ac938da01b729b5ac5ed36e3b kernel-smp-unsupported-2.4.21-15.0.2.EL.athlon.rpm 9d24273cc70bb6be810984cb3f3d0a36 kernel-unsupported-2.4.21-15.0.2.EL.athlon.rpm 17f10f04cffc9751afb1499aaff00fdc i386: kernel-BOOT-2.4.21-15.0.2.EL.i386.rpm 4635f8c6555f3b3e52feb9444b2e230d kernel-doc-2.4.21-15.0.2.EL.i386.rpm 6cf6c39a83dfe7cca9c9a79f02dc3fa8 kernel-source-2.4.21-15.0.2.EL.i386.rpm 3c690c54909996d3bba3da7c8d8f894a i686: kernel-2.4.21-15.0.2.EL.i686.rpm a3073219b60cbb7ce447a22e5103e097 kernel-hugemem-2.4.21-15.0.2.EL.i686.rpm 6c8dad84abc4dd1892c9dc862c329273 kernel-hugemem-unsupported-2.4.21-15.0.2.EL.i686.rpm 426c517d35a53546138b0d72a0515909 kernel-smp-2.4.21-15.0.2.EL.i686.rpm bece09ba4a651196758380372dc4c593 kernel-smp-unsupported-2.4.21-15.0.2.EL.i686.rpm 775338e099c3bdf36a586d29e55dbd3e kernel-unsupported-2.4.21-15.0.2.EL.i686.rpm 89ee51cb60f7a1f34e66cbb16abcba07 ia64: kernel-2.4.21-15.0.2.EL.ia64.rpm 24ddfb9f957028d3bbc5cfff2b25bc67 kernel-doc-2.4.21-15.0.2.EL.ia64.rpm cc60f06bdd3ad6a05040df8ba40d41a1 kernel-source-2.4.21-15.0.2.EL.ia64.rpm a8fc2a1042ee3e580881b50c97a3241d kernel-unsupported-2.4.21-15.0.2.EL.ia64.rpm 60e5c1f1efa438a658b12e16543214cd Red Hat Enterprise Linux WS (v. 3) -------------------------------------------------------------------------------- AMD64: kernel-2.4.21-15.0.2.EL.x86_64.rpm 13aabc1c96dfee65f73246051a955ba8 kernel-doc-2.4.21-15.0.2.EL.x86_64.rpm 608d072210521af17c455f7754a6e352 kernel-smp-2.4.21-15.0.2.EL.x86_64.rpm 82154d7551d6e4947af70b3044c9d4d2 kernel-smp-unsupported-2.4.21-15.0.2.EL.x86_64.rpm 8fde60be45154b7722893feb65506f42 kernel-source-2.4.21-15.0.2.EL.x86_64.rpm 44be30f820be806621b47786ebff1844 kernel-unsupported-2.4.21-15.0.2.EL.x86_64.rpm aa060423c3136a26ca31a7aafa337380 EM64T: kernel-2.4.21-15.0.2.EL.ia32e.rpm 90dabcf0bb591756e5f04f397cf8a156 kernel-unsupported-2.4.21-15.0.2.EL.ia32e.rpm 144943d76b23470572326c84b57c0dd9 SRPMS: kernel-2.4.21-15.0.2.EL.src.rpm 669d77609b1c47ff49c939c1ea7bbc45 athlon: kernel-2.4.21-15.0.2.EL.athlon.rpm 05b0bcb454ac5454479481d0288fbf20 kernel-smp-2.4.21-15.0.2.EL.athlon.rpm 96eb477ac938da01b729b5ac5ed36e3b kernel-smp-unsupported-2.4.21-15.0.2.EL.athlon.rpm 9d24273cc70bb6be810984cb3f3d0a36 kernel-unsupported-2.4.21-15.0.2.EL.athlon.rpm 17f10f04cffc9751afb1499aaff00fdc i386: kernel-BOOT-2.4.21-15.0.2.EL.i386.rpm 4635f8c6555f3b3e52feb9444b2e230d kernel-doc-2.4.21-15.0.2.EL.i386.rpm 6cf6c39a83dfe7cca9c9a79f02dc3fa8 kernel-source-2.4.21-15.0.2.EL.i386.rpm 3c690c54909996d3bba3da7c8d8f894a i686: kernel-2.4.21-15.0.2.EL.i686.rpm a3073219b60cbb7ce447a22e5103e097 kernel-hugemem-2.4.21-15.0.2.EL.i686.rpm 6c8dad84abc4dd1892c9dc862c329273 kernel-hugemem-unsupported-2.4.21-15.0.2.EL.i686.rpm 426c517d35a53546138b0d72a0515909 kernel-smp-2.4.21-15.0.2.EL.i686.rpm bece09ba4a651196758380372dc4c593 kernel-smp-unsupported-2.4.21-15.0.2.EL.i686.rpm 775338e099c3bdf36a586d29e55dbd3e kernel-unsupported-2.4.21-15.0.2.EL.i686.rpm 89ee51cb60f7a1f34e66cbb16abcba07 ia64: kernel-2.4.21-15.0.2.EL.ia64.rpm 24ddfb9f957028d3bbc5cfff2b25bc67 kernel-doc-2.4.21-15.0.2.EL.ia64.rpm cc60f06bdd3ad6a05040df8ba40d41a1 kernel-source-2.4.21-15.0.2.EL.ia64.rpm a8fc2a1042ee3e580881b50c97a3241d kernel-unsupported-2.4.21-15.0.2.EL.ia64.rpm 60e5c1f1efa438a658b12e16543214cd (The unlinked packages above are only available from the Red Hat Network) Solution Before applying this update, make sure all previously released errata relevant to your system have been applied. To update all RPMs for your particular architecture, run: rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs. Please note that this update is also available via Red Hat Network. Many people find this an easier way to apply updates. To use Red Hat Network, launch the Red Hat Update Agent with the following command: up2date This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. If up2date fails to connect to Red Hat Network due to SSL Certificate Errors, you need to install a version of the up2date client with an updated certificate. The latest version of up2date is available from the Red Hat FTP site and may also be downloaded directly from the RHN website: https://rhn.redhat.com/help/latest-up2date.pxt Bugs fixed: (see bugzilla for more information) 125794 - CAN-2004-0554 local user can get the kernel to hang 125901 - [PATCH] CAN-2004-0554: FPU exception handling local DoS 125968 - last RH kernel affected bug 126121 - CAN-2004-0495 Sparse security fixes backported for 2.4 kernel References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0427 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0495 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0554 -------------------------------------------------------------------------------- The listed packages are GPG signed by Red Hat, Inc. for security. Our key is available at: http://www.redhat.com/solutions/security/news/publickey/#key You can verify each package and see who signed it with the following command: rpm --checksig -v filename If you only wish to verify that each package has not been corrupted or tampered with, examine only the md5sum with the following command: md5sum filename The Red Hat security contact is security@redhat.com. More contact details at http://www.redhat.com/solutions/security/news/contact.html [***** End RHSA-2004:255-10 *****] _______________________________________________________________________________ CIAC wishes to acknowledge the contributions of Red Hat for the information contained in this bulletin. _______________________________________________________________________________ CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 (7x24) FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@ciac.org Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ Anonymous FTP: ftp.ciac.org PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) O-154: Microsoft – Crystal Reports Web Viewer Information Disclosure Vulnerability O-155: Kerberos Buffer Overflow Vulnerability O-156: Multiple Vulnerabilities in CVS O-157: Cisco CatOS Telnet, HTTP and SSH Vulnerability O-158: FTP Client Improperly handles Pipe Character in File Names O-159: NETGEAR WG602 Wireless Access Point Default Backdoor Account Vulnerability O-160: Microsoft Windows 2000 Advanced Server Security Bypass O-161: RealPlayer Security Vulnerabilities O-162: Red Hat Updated Tripwire Packages Fix Security Flaw O-163: Cisco IOS Malformed BGP Packet Causes Reload