             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                       Linux Kernel Packages Updated
      [Red Hat Security Advisory: RHSA-2004:413-07 & RHSA-2004:418-05]

August 4, 2004 19:00 GMT                                          Number O-193
[REVISED 19 Aug 2004]
[REVISED 30 Aug 2004]
[REVISED 30 May 2006]
______________________________________________________________________________
PROBLEM:       Flaws were found in the Linux kernel when handling file offset
               pointers. Security issues were also found in the e1000 network
               driver, the Soundblaster 16 code, and a possible NULL-pointer
               dereference issue.
PLATFORM:      Red Hat Enterprise Linux AS, ES, and WS v.2.1
               Red Hat Enterprise Linux AS, ES, and WS v.3
               Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor
               SGI ProPack 3
               Debian GNU/Linux 3.0 alias woody
DAMAGE:        A local unprivileged user could use these flaws to access large
               portions of the kernel memory and/or cause a denial-of-service
               attack.
SOLUTION:      Upgrade to the appropriate updated packages.
______________________________________________________________________________
VULNERABILITY  The risk is LOW. A local unprivileged user could obtain
ASSESSMENT:    multiple disclosures of information and/or cause a
               denial-of-service attack.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/o-193.shtml
 ORIGINAL BULLETIN:  https://rhn.redhat.com/errata/RHSA-2004-413.html
 ADDITIONAL LINKS:   https://rhn.redhat.com/errata/RHSA-2004-418.html
                     https://rhn.redhat.com/errata/RHSA-2004-327.html
                     https://rhn.redhat.com/errata/RHSA-2004-437.html
                     SGI #20040804-01-U
                     http://www.sgi.com/support/security/advisories.html
                     Debian Security Advisory DSA-1082-1
                     http://www.debian.org/security/2006/dsa-1082
 CVE/CAN:            http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
                     CAN-2004-0178 CAN-2004-0415 CAN-2004-0447 CAN-2004-0535
                     CAN-2004-0587
______________________________________________________________________________
REVISION HISTORY:
08/19/2004 - added a link to Red Hat RHSA-2004:327-09 for Red Hat Enterprise
             Linux AS (v.2.1) and Advanced Workstation 2.1 for the Itanium
             Processor and RHSA-2004:437-02 for Red Hat Enterprise Linux AS,
             ES, WS (v.2.1).
08/30/2004 - added link to SGI Security Advisory 20040804-01-U.
05/30/2006 - added a link to Debian Security Advisory DSA-1082-1 for Debian
             GNU/Linux 3.0 alias woody.

[***** Start Red Hat Security Advisory: RHSA-2004:413-07 *****]

Updated kernel packages fix security vulnerabilities

Advisory:              RHSA-2004:413-07
Last updated on:       2004-08-03
Affected Products:     Red Hat Enterprise Linux AS (v. 3)
                       Red Hat Enterprise Linux ES (v. 3)
                       Red Hat Enterprise Linux WS (v. 3)
CVEs (cve.mitre.org):  CAN-2004-0178
                       CAN-2004-0415
                       CAN-2004-0447
                       CAN-2004-0535
                       CAN-2004-0587

Security Advisory Details:

Updated kernel packages that fix several security issues in Red Hat
Enterprise Linux 3 are now available.

The Linux kernel handles the basic functions of the operating system.

Paul Starzetz discovered flaws in the Linux kernel when handling file offset
pointers. These consist of invalid conversions of 64 to 32-bit file offset
pointers and possible race conditions.
A local unprivileged user could make use of these flaws to access large
portions of kernel memory. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2004-0415 to this issue.

These packages contain a patch written by Al Viro to correct these flaws.
Red Hat would like to thank iSEC Security Research for disclosing this issue
and a number of vendor-sec participants for reviewing and working on the
patch to this issue.

In addition, these packages correct a number of minor security issues:

- A bug in the e1000 network driver. This bug could be used by local users
  to leak small amounts of kernel memory (CAN-2004-0535).

- A bug in the SoundBlaster 16 code which does not properly handle certain
  sample sizes. This flaw could be used by local users to crash a system
  (CAN-2004-0178).

- A possible NULL-pointer dereference in the Linux kernel prior to 2.4.26 on
  the Itanium platform could allow a local user to crash a system
  (CAN-2004-0447).

- Inappropriate permissions on /proc/scsi/qla2300/HbaApiNode (CAN-2004-0587).

All Red Hat Enterprise Linux 3 users are advised to upgrade their kernels to
the packages associated with their machine architectures and configurations
as listed in this erratum.

Solution

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied. Use Red Hat Network to download
and update your packages. To launch the Red Hat Update Agent, use the
following command:

    up2date

For information on how to install packages manually, refer to the following
Web page for the System Administration or Customization guide specific to
your system:

http://www.redhat.com/docs/manuals/enterprise/

Bugs fixed: (see bugzilla for more information)

120527 - CAN-2004-0447 [PATCH] IPF kernel crashes under gdb
121045 - CAN-2004-0178 Soundblaster 16 local DoS
125168 - CAN-2004-0535 e1000 kernel memory information leak
126396 - CAN-2004-0587 Bad permissions on qla* drivers

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0178
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0415
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0447
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0535
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0587

Keywords:

errata, kernel, security, taroon

-----------------------------------------------------------------------------

The listed packages are GPG signed by Red Hat, Inc. for security. Our key is
available at:

http://www.redhat.com/solutions/security/news/publickey/#key

You can verify each package and see who signed it with the following command:

    rpm --checksig -v filename

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:

    md5sum filename

The Red Hat security contact is security@redhat.com.
More contact details at
http://www.redhat.com/solutions/security/news/contact.html

Copyright © 2002 Red Hat, Inc. All rights reserved.

[***** End Red Hat Security Advisory: RHSA-2004:413-07 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat Inc. for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government.
Neither the United States Government nor the University of California nor any
of their employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process disclosed, or
represents that its use would not infringe privately owned rights. Reference
herein to any specific commercial products, process, or service by trade
name, trademark, manufacturer, or otherwise, does not necessarily constitute
or imply its endorsement, recommendation or favoring by the United States
Government or the University of California. The views and opinions of authors
expressed herein do not necessarily state or reflect those of the United
States Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

O-183: Microsoft Vulnerability in Windows Shell Could Allow Remote Code Execution
O-184: PHP memory_limit and strip_tags Vulnerabilities
O-185: Sun Java System Web Server Cross-site Scripting Vulnerability
O-186: Samba Buffer Overrun Vulnerabilities
O-187: 'chown(2)' System Call Vulnerability
O-188: libapache-mod-ssl
O-189: HP-UX xfs and stmkfont Vulnerabilities
O-190: Check Point ASN.1 VPN-1 Buffer Overrun
O-191: Microsoft Cumulative Security Update for Internet Explorer (867801)
O-192: Red Hat Advisory: RHSA-2004:402-08
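
Added example (not part of the CIAC bulletin or the Red Hat advisory, and not
the kernel's code or the patch the advisory mentions): a user-space C model of
the flaw class named under CAN-2004-0415 above, a 64-bit file offset narrowed
to 32 bits before its bounds check, beside a version that validates at full
width. The buffer layout and all function names are constructed for
illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: 16 bytes that must stay private sit directly below
 * the 16 bytes a file read is allowed to return. All names are hypothetical. */
#define PRIV_LEN 16
#define DATA_LEN 16
static char mem[PRIV_LEN + DATA_LEN + 1] = "KERNEL-PRIVATE!!" "proc-file-data!!";
static char *const file_data = mem + PRIV_LEN;

/* Flawed pattern: the 64-bit position is narrowed to 32 bits, then only the
 * upper bound is tested. 0xFFFFFFF0 becomes -16 (wrap on gcc and clang). */
long read_narrowed(int64_t ppos, char *dst, long count)
{
    int32_t n = (int32_t)ppos;
    if (count < 0 || n < -PRIV_LEN)     /* demo guard: stay inside mem[] */
        return -1;
    if (n >= DATA_LEN)
        return 0;
    if (count > DATA_LEN - n)
        count = DATA_LEN - n;
    memcpy(dst, file_data + n, (size_t)count);  /* negative n reads below the file */
    return count;
}

/* Hardened pattern: validate the position at full 64-bit width, both bounds,
 * before any value derived from it is used as an index. */
long read_checked(int64_t ppos, char *dst, long count)
{
    if (count < 0)
        return -1;
    if (ppos < 0 || ppos >= DATA_LEN)
        return 0;
    if (count > DATA_LEN - ppos)
        count = (long)(DATA_LEN - ppos);
    memcpy(dst, file_data + ppos, (size_t)count);
    return count;
}

int main(void)
{
    char out[DATA_LEN + 1] = {0};
    long got = read_narrowed(0xFFFFFFF0LL, out, DATA_LEN);
    printf("narrowed: %ld bytes \"%s\"\n", got, out);
    memset(out, 0, sizeof out);
    got = read_checked(0xFFFFFFF0LL, out, DATA_LEN);
    printf("checked:  %ld bytes \"%s\"\n", got, out);
    return 0;
}
```

In code review the pattern to look for is any bounds test performed on a
value after it has been cast from a 64-bit offset type to a narrower or
signed type.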