__________________________________________________________

The U.S. Department of Energy
Computer Incident Advisory Capability
   ___  __ __    _     ___
  /       |     /_\   /
  \___  __|__  /   \  \___
__________________________________________________________

INFORMATION BULLETIN

Kernel Security and Bug Fix Update
[Red Hat RHSA-2008:0519-24]

June 26, 2008 19:00 GMT                                        Number S-331
[REVISED 10 Sep 2008]
______________________________________________________________________________
PROBLEM:       There are updated kernel packages that fix various security
               issues and a bug that are available for Red Hat Enterprise
               Linux 5.
PLATFORM:      Red Hat Enterprise Linux (v. 5 server)
               Red Hat Enterprise Linux Desktop (v. 5 client)
               Debian GNU/Linux 4.0 (etch)
DAMAGE:        Heap overflow gaining privileges for arbitrary code execution.
SOLUTION:      Upgrade to the appropriate version.
______________________________________________________________________________
VULNERABILITY  The risk is LOW. This could allow a local unprivileged user to
ASSESSMENT:    cause a heap overflow, gaining privileges for arbitrary code
               execution.
______________________________________________________________________________
CVSS 2 BASE SCORE: 4.4
       TEMPORAL SCORE: 3.4
       VECTOR: (AV:L/AC:M/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C)
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/s-331.shtml
 ORIGINAL BULLETIN:  https://rhn.redhat.com/errata/RHSA-2008-0519.html
 ADDITIONAL LINK:    http://www.debian.org/security/2008/dsa-1630
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
                     CVE-2008-0598 CVE-2008-2358 CVE-2008-2729
______________________________________________________________________________
REVISION HISTORY:
09/10/2008 - revised S-331 to add a link to Debian Security Advisory
             DSA-1630-1 for Debian GNU/Linux 4.0.

[***** Start Red Hat RHSA-2008:0519-24 *****]

Important: kernel security and bug fix update

Advisory:          RHSA-2008:0519-24
Type:              Security Advisory
Severity:          Important
Issued on:         2008-06-25
Last updated on:   2008-06-25
Affected Products: Red Hat Enterprise Linux (v. 5 server)
                   Red Hat Enterprise Linux Desktop (v. 5 client)
OVAL:              com.redhat.rhsa-20080519.xml
CVEs (cve.mitre.org): CVE-2008-0598
                      CVE-2008-2358
                      CVE-2008-2729

Details

Updated kernel packages that fix various security issues and a bug are now
available for Red Hat Enterprise Linux 5.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

The kernel packages contain the Linux kernel, the core of any Linux
operating system.

These updated packages fix the following security issues:

* A security flaw was found in the Linux kernel memory copy routines, when
  running on certain AMD64 systems. If an unsuccessful attempt to copy kernel
  memory from source to destination memory locations occurred, the copy
  routines did not zero the content at the destination memory location. This
  could allow a local unprivileged user to view potentially sensitive data.
  (CVE-2008-2729, Important)

* Tavis Ormandy discovered a deficiency in the Linux kernel 32-bit and 64-bit
  emulation. This could allow a local unprivileged user to prepare and run a
  specially crafted binary, which would use this deficiency to leak
  uninitialized and potentially sensitive data. (CVE-2008-0598, Important)

* Brandon Edwards discovered a missing length validation check in the Linux
  kernel DCCP module reconciliation feature. This could allow a local
  unprivileged user to cause a heap overflow, gaining privileges for
  arbitrary code execution. (CVE-2008-2358, Moderate)

As well, these updated packages fix the following bug:

* Due to a regression, "gettimeofday" may have gone backwards on certain x86
  hardware.
  This issue was quite dangerous for time-sensitive systems, such as those
  used for transaction systems and databases, and may have caused
  applications to produce incorrect results, or even crash.

Red Hat Enterprise Linux 5 users are advised to upgrade to these updated
packages, which contain backported patches to resolve these issues.

Solution

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Updated packages

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

433938 - CVE-2008-0598 kernel: linux x86_64 ia32 emulation leaks
         uninitialized data
447389 - CVE-2008-2358 kernel: dccp: sanity check feature length
451271 - CVE-2008-2729 kernel: [x86_64] The string instruction version
         didn't zero the output on exception.

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0598
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2358
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2729
http://www.redhat.com/security/updates/classification/#important

--------------------------------------------------------------------------------
These packages are GPG signed by Red Hat for security. Our key and details
on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at
http://www.redhat.com/security/team/contact/

[***** End Red Hat RHSA-2008:0519-24 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can
be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.
If you are not part of these communities, please contact your agency's
response team to report incidents. Your agency's team will coordinate with
CIAC. The Forum of Incident Response and Security Teams (FIRST) is a
world-wide organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus,
product, or process disclosed, or represents that its use would not infringe
privately owned rights. Reference herein to any specific commercial
products, process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the University
of California. The views and opinions of authors expressed herein do not
necessarily state or reflect those of the United States Government or the
University of California, and shall not be used for advertising or product
endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

S-213: Nukedit 'email' Parameter Vulnerability
S-214: SurgeMail and WebMail 'Page' Command Vulnerability
S-215: Symantec Backup Exec Scheduler ActiveX Control Multiple Vulnerabilities
S-216: Juniper Networks Secure Access 2000 'rdremediate.cgi' Vulnerability
S-217: Drupal Multiple HTML Vulnerabilities
S-218: gd Security Update
S-219: Juniper Networks Secure Access 2000 Web Root Path Vulnerability
S-220: PHP-Nuke My_eGallery Module 'gid' Parameter Vulnerability
S-221: Learn2 STRunner ActiveX Control Vulnerabilities
S-222: Evolution Security Update
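
Added example (not part of the CIAC bulletin or the Red Hat advisory): a
user-space C model of the CVE-2008-2729 behaviour described above, where a
copy that fails part-way leaves old data in the destination, shown next to
the corrected zero-on-failure behaviour. The function names, the `readable`
fault parameter and the 0xAA marker are constructed for illustration and are
not kernel code.

```c
#include <stdio.h>
#include <string.h>

#define MARKER 0xAA  /* constructed stand-in for stale sensitive bytes */

/* Hypothetical model of a copy that faults part-way: only the first
 * `readable` bytes of src are accessible. Returns the number of bytes
 * NOT copied. Pre-fix behaviour: the rest of dst is left untouched. */
static size_t copy_no_zero(void *dst, const void *src, size_t len,
                           size_t readable)
{
    size_t ok = len < readable ? len : readable;
    memcpy(dst, src, ok);
    return len - ok;
}

/* Corrected behaviour: zero whatever part of dst the copy did not fill. */
static size_t copy_zero_tail(void *dst, const void *src, size_t len,
                             size_t readable)
{
    size_t left = copy_no_zero(dst, src, len, readable);
    if (left)
        memset((unsigned char *)dst + (len - left), 0, left);
    return left;
}

/* Run a 16-byte copy that faults after 6 bytes into a buffer that still
 * holds old data; return how many old bytes the caller can still see. */
static size_t stale_bytes_after_copy(int zero_on_fault)
{
    unsigned char dst[16];
    const char src[] = "ABCDEFGHIJKLMNOP";  /* constructed input */
    size_t i, stale = 0;

    memset(dst, MARKER, sizeof dst);        /* previous buffer contents */
    if (zero_on_fault)
        copy_zero_tail(dst, src, sizeof dst, 6);
    else
        copy_no_zero(dst, src, sizeof dst, 6);
    for (i = 0; i < sizeof dst; i++)
        stale += (dst[i] == MARKER);
    return stale;
}

int main(void)
{
    printf("stale bytes, no zeroing:    %zu\n", stale_bytes_after_copy(0));
    printf("stale bytes, zero on fault: %zu\n", stale_bytes_after_copy(1));
    return 0;
}
```

A caller that ignores the short-copy return value and hands the destination
buffer onward exposes the stale bytes only in the first variant.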