__________________________________________________________

The U.S. Department of Energy
Computer Incident Advisory Capability
__________________________________________________________

INFORMATION BULLETIN

Kernel Security and Bug Fix Update
[Red Hat RHSA-2007:0099-2]

March 15, 2007 20:00 GMT                                      Number R-180
[REVISED 11 May 2007]
[REVISED 22 Jun 2007]
______________________________________________________________________________
PROBLEM:       There is a flaw in the Omnikey CardMan 4040 driver.
PLATFORM:      Red Hat Desktop Workstation (v. 5 client)
               Red Hat Enterprise Linux (v. 5 Server)
               Red Hat Enterprise Linux Desktop (v. 5 client)
               Debian GNU/Linux 4.0 (etch)
               Debian GNU/Linux 3.1 (sarge)
DAMAGE:        Allows a local user to execute arbitrary code with kernel
               privileges.
SOLUTION:      Upgrade to the appropriate version.
______________________________________________________________________________
VULNERABILITY  The risk is LOW. Allows a local user to execute arbitrary
ASSESSMENT:    code with kernel privileges. In order to exploit this issue,
               the Omnikey CardMan 4040 PCMCIA card must be present and the
               local user must have access rights to the character device
               created by the driver.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/r-180.shtml
 ORIGINAL BULLETIN:  https://rhn.redhat.com/errata/RHSA-2007-0099.html
 ADDITIONAL LINKS:   http://www.debian.org/security/2007/dsa-1286
                     http://www.debian.org/security/2007/dsa-1304
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
                     CVE-2007-0005 CVE-2007-0006 CVE-2007-0958
______________________________________________________________________________
REVISION HISTORY:
05/11/2007 - revised R-180 to add a link to Debian Security Advisory
             DSA-1286-1 for Debian GNU/Linux 4.0 (etch).
06/22/2007 - revised R-117 to add a link to Debian Security Advisory
             DSA-1304-1 for Debian GNU/Linux 3.1 (sarge).

[***** Start Red Hat RHSA-2007:0099-2 *****]

Important: kernel security and bug fix update

Advisory:           RHSA-2007:0099-2
Type:               Security Advisory
Severity:           Important
Issued on:          2007-03-14
Last updated on:    2007-03-14
Affected Products:  RHEL Desktop Workstation (v. 5 client)
                    Red Hat Enterprise Linux (v. 5 server)
                    Red Hat Enterprise Linux Desktop (v. 5 client)
OVAL:               com.redhat.rhsa-20070099.xml
CVEs (cve.mitre.org):
                    CVE-2007-0005
                    CVE-2007-0006
                    CVE-2007-0958

Details

Updated kernel packages that fix security issues and bugs in the Red Hat
Enterprise Linux 5 kernel are now available.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

The Linux kernel handles the basic functions of the operating system.

These new kernel packages contain fixes for the following security issues:

* a flaw in the key serial number collision avoidance algorithm of the
  keyctl subsystem that allowed a local user to cause a denial of service
  (CVE-2007-0006, Important)

* a flaw in the Omnikey CardMan 4040 driver that allowed a local user to
  execute arbitrary code with kernel privileges. In order to exploit this
  issue, the Omnikey CardMan 4040 PCMCIA card must be present and the local
  user must have access rights to the character device created by the
  driver. (CVE-2007-0005, Moderate)

* a flaw in the core-dump handling that allowed a local user to create core
  dumps from unreadable binaries via PT_INTERP. (CVE-2007-0958, Low)

In addition to the security issues described above, a fix for a kernel
panic in the powernow-k8 module, and a fix for a kernel panic when booting
the Xen domain-0 on systems with large memory installations have been
included.

Red Hat would like to thank Daniel Roethlisberger for reporting an issue
fixed in this erratum.

Red Hat Enterprise Linux 5 users are advised to upgrade their kernels to
the packages associated with their machine architecture and configurations
as listed in this erratum.

Solution

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Updated packages

RHEL Desktop Workstation (v. 5 client)
--------------------------------------------------------------------------------
IA-32:
  kernel-PAE-devel-2.6.18-8.1.1.el5.i686.rpm
  kernel-devel-2.6.18-8.1.1.el5.i686.rpm
  kernel-xen-devel-2.6.18-8.1.1.el5.i686.rpm
x86_64:
  kernel-devel-2.6.18-8.1.1.el5.x86_64.rpm
  kernel-xen-devel-2.6.18-8.1.1.el5.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server)
--------------------------------------------------------------------------------
SRPMS:
  kernel-2.6.18-8.1.1.el5.src.rpm
IA-32:
  kernel-2.6.18-8.1.1.el5.i686.rpm
  kernel-PAE-2.6.18-8.1.1.el5.i686.rpm
  kernel-PAE-devel-2.6.18-8.1.1.el5.i686.rpm
  kernel-devel-2.6.18-8.1.1.el5.i686.rpm
  kernel-doc-2.6.18-8.1.1.el5.noarch.rpm
  kernel-headers-2.6.18-8.1.1.el5.i386.rpm
  kernel-xen-2.6.18-8.1.1.el5.i686.rpm
  kernel-xen-devel-2.6.18-8.1.1.el5.i686.rpm
IA-64:
  kernel-2.6.18-8.1.1.el5.ia64.rpm
  kernel-devel-2.6.18-8.1.1.el5.ia64.rpm
  kernel-doc-2.6.18-8.1.1.el5.noarch.rpm
  kernel-headers-2.6.18-8.1.1.el5.ia64.rpm
  kernel-xen-2.6.18-8.1.1.el5.ia64.rpm
  kernel-xen-devel-2.6.18-8.1.1.el5.ia64.rpm
PPC:
  kernel-2.6.18-8.1.1.el5.ppc64.rpm
  kernel-devel-2.6.18-8.1.1.el5.ppc64.rpm
  kernel-doc-2.6.18-8.1.1.el5.noarch.rpm
  kernel-headers-2.6.18-8.1.1.el5.ppc.rpm
  kernel-headers-2.6.18-8.1.1.el5.ppc64.rpm
  kernel-kdump-2.6.18-8.1.1.el5.ppc64.rpm
  kernel-kdump-devel-2.6.18-8.1.1.el5.ppc64.rpm
s390x:
  kernel-2.6.18-8.1.1.el5.s390x.rpm
  kernel-devel-2.6.18-8.1.1.el5.s390x.rpm
  kernel-doc-2.6.18-8.1.1.el5.noarch.rpm
  kernel-headers-2.6.18-8.1.1.el5.s390x.rpm
x86_64:
  kernel-2.6.18-8.1.1.el5.x86_64.rpm
  kernel-devel-2.6.18-8.1.1.el5.x86_64.rpm
  kernel-doc-2.6.18-8.1.1.el5.noarch.rpm
  kernel-headers-2.6.18-8.1.1.el5.x86_64.rpm
  kernel-xen-2.6.18-8.1.1.el5.x86_64.rpm
  kernel-xen-devel-2.6.18-8.1.1.el5.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 5 client)
--------------------------------------------------------------------------------
SRPMS:
  kernel-2.6.18-8.1.1.el5.src.rpm
IA-32:
  kernel-2.6.18-8.1.1.el5.i686.rpm
  kernel-PAE-2.6.18-8.1.1.el5.i686.rpm
  kernel-doc-2.6.18-8.1.1.el5.noarch.rpm
  kernel-headers-2.6.18-8.1.1.el5.i386.rpm
  kernel-xen-2.6.18-8.1.1.el5.i686.rpm
x86_64:
  kernel-2.6.18-8.1.1.el5.x86_64.rpm
  kernel-doc-2.6.18-8.1.1.el5.noarch.rpm
  kernel-headers-2.6.18-8.1.1.el5.x86_64.rpm
  kernel-xen-2.6.18-8.1.1.el5.x86_64.rpm

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

229883 - CVE-2007-0006 Key serial number collision problem
229884 - CVE-2007-0005 Buffer Overflow in Omnikey CardMan 4040 cmx driver
229885 - CVE-2007-0958 core-dumping unreadable binaries via PT_INTERP

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0005
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0006
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0958
http://www.redhat.com/security/updates/classification/#important

--------------------------------------------------------------------------------
These packages are GPG signed by Red Hat for security. Our key and details
on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com.
More contact details at http://www.redhat.com/security/team/contact/

[***** End Red Hat RHSA-2007:0099-2 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can
be contacted at:

    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide organization.
A list of FIRST member organizations and their constituencies can be
obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, apparatus,
product, or process disclosed, or represents that its use would not
infringe privately owned rights. Reference herein to any specific
commercial products, process, or service by trade name, trademark,
manufacturer, or otherwise, does not necessarily constitute or imply its
endorsement, recommendation or favoring by the United States Government or
the University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

R-170: Symantec Mail Security for SMTP Vulnerability
R-171: Apple QuickTime 7.1.5
R-172: GnuPG Security Update
R-173: NetMail 3.5.2E Update
R-174: HP-UX Java (JRE and JDK) Vulnerability
R-175: Security Vulnerability in the ipmitool(1m) Interface to Sun Fire
R-176: Apple Security Update 2007-003
R-177: Linux Kernel Vulnerable to DoS via ipv6_getsockopt_sticky() Function
R-178: Bind Security Update
R-179: Sun Java System Web Server Vulnerability
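
ADDED EXAMPLE (not part of the CIAC bulletin or the Red Hat erratum): one way to act on the SOLUTION above is to flag hosts that still have a kernel older than the fixed build 2.6.18-8.1.1.el5 named in the package list. The comparison is a simplified version of RPM's version ordering; the function names, host names and inventory are assumptions constructed for illustration.

```python
import re

# Fixed kernel build, taken from the package names listed in the bulletin.
FIXED_VERSION, FIXED_RELEASE = "2.6.18", "8.1.1.el5"

# Helper names below are illustrative; they are not part of rpm or Red Hat tooling.
def rpm_cmp(a, b):
    """Simplified rpmvercmp (no ~ or ^ handling): returns -1, 0 or 1."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)  # runs of digits or letters
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            # A numeric segment is always newer than an alphabetic one.
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    # Shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def needs_update(version_release):
    """True if an installed kernel 'VERSION-RELEASE' predates the fixed build."""
    version, _, release = version_release.partition("-")
    c = rpm_cmp(version, FIXED_VERSION)
    if c == 0:
        c = rpm_cmp(release, FIXED_RELEASE)
    return c < 0

def audit(inventory):
    """Map host -> installed kernels older than the fix (hosts with none omitted)."""
    stale = {}
    for host, kernels in inventory.items():
        old = [k for k in kernels if needs_update(k)]
        if old:
            stale[host] = old
    return stale

# Constructed inventory: per-host output of
#   rpm -q kernel --qf '%{VERSION}-%{RELEASE}\n'
SAMPLE = {
    "ws-01": ["2.6.18-8.el5"],
    "srv-02": ["2.6.18-8.el5", "2.6.18-8.1.1.el5"],
    "srv-03": ["2.6.18-8.1.1.el5"],
    "srv-04": ["2.6.18-53.el5"],
}

if __name__ == "__main__":
    for host, old in sorted(audit(SAMPLE).items()):
        print(host, "has pre-fix kernel(s):", ", ".join(old))
```

A host such as srv-02 is reported even though the fixed build is installed, because the older kernel remains bootable until it is removed or the default boot entry is confirmed.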