SuSE Security Announcement: kernel (SuSE-SA:2001:18)
-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________
SuSE Security Announcement
Package: kernel
Announcement-ID: SuSE-SA:2001:18
Date: Thursday, May 17th, 2000 16:40 MET
Affected SuSE versions: (6.1, 6.2), 6.3, 6.4, 7.0, 7.1
Vulnerability Type: local root compromise
Severity (1-10): 7
SuSE default package: yes
Other affected systems: All Linux systems using a v2.2 kernel
Content of this advisory:
1) security vulnerability resolved: kernel
Problem, Workaround, Recommended solution, Instructions, Notes,
Verification
2) Acknowledgements
3) standard appendix (further information)
______________________________________________________________________________
1) The Problem, Workaround, Recommended solution, Instructions, Notes,
Verification
The Problem:
The SuSE Linux kernel is a standard kernel, enhanced with a set of
additional drivers and other improvements, to suit the end-user's
demand for a great variety of drivers for all kind of hardware.
Multiple security vulnerabilities have been found in all Linux kernels
of version 2.2 before version 2.2.19. Most of the found errors allow
a local attacker to gain root privileges. None of the found errors
in the v2.2 linux kernel make it possible for a remote attacker to
gain access to the system or to elevate privileges from the outside
of the system. Thanks to Alan Cox, a summary of these errors can be
found at http://www.linux.org.uk/VERSION/relnotes.2219.html .
One of the numerous features in the SuSE Linux kernels is support
for reiserfs, a fast, stable logging filesystem. In addition to the
bugs listed at www.linux.org.uk, the SuSE Linux kernel contains a fix
for a race condition between mmap(2) and write(2) in reiserfs that
can expose raw data from the disk to an unprivileged user (this
problem affected the ufs and ext2fs drivers in FreeBSD systems,
see FreeBSD-SA-01:30.ufs-ext2fs at http://www.freebsd.org/security/).
Please see the acknowledgement section 2) below for credits on
hunting these bugs and fixing them.
Workarounds:
In order to solve the security problems, it is recommended to update
the kernel to version 2.2.19. Some problems (ptrace race) can be
circumvented by removing all suid and sgid bits from all binaries
in the system. Since this does not help against the other errors,
there is no appropriate temporary workaround against all of the
known problems except for locking out users with shell access.
Advanced Linux users may decide to compile and install the 2.2.19
kernel themselves by hand. This requires some experience on behalf
of the administrator and may not be all satisfying because the
standard 2.2.19 kernel does not contain some of the drivers that
are included in the SuSE kernel (ppp over ethernet, hardware health
monitoring (SMBus), reiserfs, graphics hardware acceleration
modules (DRI), ...).
Recommended solution:
SuSE have chosen to provide update packages for the supported
distributions to the newest kernels instead of supplying patched
update kernel packages of the same kernel version in order to
avoid confusion about whether a vulnerable version of a kernel
is installed on a system or not. In addition to the clarifying
effect of a visible new kernel version that is known to have all
publically known security problems fixed, SAP LinuxLab
(http://www.sap.com/linux/) have certified this release of the
SuSE-enhanced Linux kernel version 2.2.19 with respect to stability
and performance. We expect that our usership will benefit from this
achievement.
Currently, only kernel update packages for the Intel i386 distributions
are available. The other supported architectures will have their kernel
updates in their respective update directories on our ftp server.
The SuSE Linux distribution 6.0 was shipped with a kernel of version 2.0.
All of the SuSE Linux distributions 6.1, 6.2, 6.3, 6.4, 7.0 and 7.1
are ready for a kernel of version 2.2.19. However, since update support
for the SuSE Linux distributions 6.0, 6.1 and 6.2 has been discontinued,
we strongly encourage all users of these distributions to update their
systems to a newer version of the SuSE Linux distribution. Please know
that the full distribution can be installed from our ftp server or one
of its mirrors. Experienced Linux users may choose to update their kernels
by hand to the latest version 2.2.19.
Step-By-Step Installation Instructions:
The kernel of a Linux/Un*x system is the most critical component with
relation to stability, reliability and security. By consequence, an
update of that component requires some care and full attention to
succeed.
The following paragraphs will guide you through the installation
process in a step-by-step fashion. The character sequence "****"
marks the beginning of a new paragraph. In some cases, you decide
if the paragraph is needed for you or not. Please read through all
of the steps down to the end. All of the commands that need to be
executed are required to be run as the superuser (root). Each step
relies on the steps before to be successfully completed.
**** Step 1: Determine the needed RPM package
Use the command
rpm -qf `awk -F= '/image/{print $2}' < /etc/lilo.conf`
to find the name of the kernel RPM package that is installed on
your system. Get the respective kernel RPM package from the following
location:
ftp://ftp.suse.com/pub/suse/i386/update/<DIST>/kernel/2.2.19/
where <DIST> is the distribution version of your system (one out of
6.3, 6.4, 7.0 or 7.1).
Most installations are likely to run a k_deflt kernel.
To verify the integrity of the files that you need to download, see the
section "Verification" near the end of this announcement.
In SuSE-6.3 distributions, the above command can produce inconclusive
results. This is caused by a different kernel installation procedure
in this version of the SuSE Linux distribution.
To select your kernel type, choose from the following options:
k_eide - should be used for "exotic" IDE chipsets, mostly found on
additional IDE interface adapters to PCI or ISA bus systems.
k_laptop - should be used for laptops. This kernel has APM support
configured.
k_i386 - a kernel that should run on most i386 processors. Use this
kernel package if the k_pentiu kernel will not boot.
k_smp - kernel for multiprocessor systems (SMP)
k_pentiu - the standard kernel. It should run on most systems.
In the case that you have a self-compiled kernel running on your
system, please note that most kernels for the newer distributions
have APM configured. This obsoletes the need for a particular
laptop kernel. k_deflt (after SuSE-6.3) should do on most modern
hardware.
**** Step 2: SuSE-6.3 special
If you have a SuSE-6.3 system, continue to read this paragraph,
otherwise jump to Step 3.
In SuSE Linux version 6.3, the kernel and the kernel modules are
packaged in two different packages. Both packages must be downloaded
and installed. On SMP systems, the packages kernmods (-> kernmod-SMP)
and k_smp are needed. On single processor systems, get the kernmod
package plus the package as determined by the description in Step 1.
**** Step 3: Installation of the RPM package
Install the rpm package using the command
rpm -Uhv
Hello,
**** Step 5: LVM
If you use LVM, then continue to read this paragraph, otherwise jump to Step 6. If you use LVM (Logical Volume Manager) in your installation of SuSE Linux, then you need the updated lvm package from the kernel/2.2.19/ directory for your distribution as well. The package contains the userspace utilities to manage the Logical Volume Manager driver. An update package is needed because the LVM data format/structure on disk has changed with the new version of the LVM kernel driver. Install the package as usual using the command rpm -Uhv lvm-0.9.1_beta4-12.i386.rpm Be sure you have downloaded the package for the explicit version of your SuSE Linux Installation. The package names are identical for all distribution versions. WARNING: After the first boot with the new kernel you will not be able to downgrade to older versions of LVM any more.
Where is lvm-0.9.1_beta4-12.i386.rpm ?. I have suse 7.0 and i can´t find it. I only can find lvm-0.8-0.i386.rpm at ftp://ftp.suse.com/pub/suse/i386/update/7.0/a1. Thanks
Hi, On Thu, May 17, Jacobo González Simón wrote:
Where is lvm-0.9.1_beta4-12.i386.rpm ?. I have suse 7.0 and i can´t find it. I only can find lvm-0.8-0.i386.rpm at ftp://ftp.suse.com/pub/suse/i386/update/7.0/a1.
It is in the same directory as the updated kernel RPMs, this is: ftp.suse.com:/pub/suse/i386/update/7.0/kernel/2.2.19/lvm-0.9.1_beta4-12.i386.rpm But you might want to wait some more hours. We just found a bug in the user space tools of lvm-0.9.1_beta4 and are currently testing lvm-0.9.1_beta7 on all versions. So there will soon be another update ;( -o) Hubert Mantel Goodbye, dots... /\\ _\_v
On Thu, 17 May 2001, Roman Drahtmueller wrote:
All files that are needed or referred to in this announcement have their md5 sums listed in the file ftp://ftp.suse.com/pub/suse/i386/update/<dist>/kernel/MD5SUMS . These files are signed by security@suse.de in the file MD5SUMS.sig. Since there are 150 files, we do not send the md5sums with the mail this time.
Thanks for generating and posting this huge set of md5 sums. As I had difficulty finding a verified gpg package to install on my home 6.3 workstation, (Werner Koch's key is not yet signed by someone in my web of trust) rpm --checksig was not appropriate for me. Way to go, SuSE dproc
participants (4)
-
dproc@dol.net
-
Hubert Mantel
-
Jacobo González Simón
-
Roman Drahtmueller