SUSE Security Announcement: kernel local privilege escalation (SUSE-SA:2005:003)
-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________
SUSE Security Announcement
Package: kernel
Announcement-ID: SUSE-SA:2005:003
Date: Friday, Jan 21st 2005 16:00 MET
Affected products: 8.1, 8.2, 9.0, 9.1, 9.2
SUSE Linux Enterprise Server 8, 9
SUSE Linux Desktop 1.0
Novell Linux Desktop 9
Vulnerability Type: local privilege escalation
Severity (1-10): 7
SUSE default package: yes
Cross References: CAN-2004-1235
CAN-2005-0001
Content of this advisory:
1) security vulnerability resolved:
- local privilege escalation
- local denial of service attacks
problem description
2) solution/workaround
3) special instructions and notes
4) package location and checksums
5) pending vulnerabilities, solutions, workarounds:
- see summary report
6) standard appendix (further information)
______________________________________________________________________________
1) problem description, brief discussion
Several exploitable security problems were identified and fixed in
the Linux kernel, the core of every SUSE Linux product.
- Due to missing locking in the sys_uselib system call, a local attacker
can gain root access. This was found by Paul Starzetz and is tracked
by the Mitre CVE ID CAN-2004-1235.
- Paul Starzetz also found a race condition in SMP page table handling
which could lead to a local attacker gaining root access on SMP
machines. This is tracked by the Mitre CVE ID CAN-2005-0001.
- A local denial of service was found in the auditing subsystem which
could let a local attacker crash the machine. This was reported
and fixed by Red Hat.
- The sendmsg / cmsg fix from the previous kernel update was faulty
on 64bit systems with the 32bit compatibility layer and could cause
32bit applications to malfunction on those 64bit systems.
- The smbfs security fixes from the kernel update before the previous
one were faulty for some file write cases.
- A local denial of service with Direct I/O access to NFS file systems
could allow a local attacker to crash a machine with NFS mounts.
- grsecurity reported a signed integer problem in the SCSI ioctl
handling which appeared to lack a boundary check.
Due to specifics of the C language, this evaluation was not correct
and there actually is no problem in this code.
The signed / unsigned mismatch was fixed nevertheless.
- Several more small non-security problems were fixed.
NOTE: Two days ago we released Service Pack 1 for SUSE Linux
Enterprise Server 9. This kernel update contains fixes for the SUSE
Linux Enterprise Server 9 GA kernel line only.
A fix for the Service Pack 1 kernel line will be available shortly.
2) solution/workaround
There is no workaround. Please install the provided update packages.
3) special instructions and notes
SPECIAL INSTALL INSTRUCTIONS:
==============================
The following paragraphs will guide you through the installation
process in a step-by-step fashion. The character sequence "****"
marks the beginning of a new paragraph. The steps outlined in a
particular paragraph may not apply to your situation.
Therefore, please make sure to read through all of the steps below
before attempting any of these procedures.
All commands must be run as the superuser (root). Each step relies
on the steps before it having completed successfully.
**** Step 1: Determine the needed kernel type
Please use the following command to find the kernel type that is
installed on your system:
rpm -qf /boot/vmlinuz
Following are the possible kernel types (disregard the version and
build number that follow the name, separated by the "-" character).
The k_* names are the 2.4 kernel packages (SUSE Linux 8.1, 8.2 and
9.0, SUSE Linux Enterprise Server 8); the kernel-* names are the 2.6
kernel packages (SUSE Linux 9.1 and 9.2, SUSE Linux Enterprise Server 9,
Novell Linux Desktop 9):
k_deflt # default kernel, good for most systems.
k_i386 # kernel for older processors and chip sets
k_athlon # kernel made specifically for AMD Athlon(tm) family processors
k_psmp # kernel for Pentium-I dual processor systems
k_smp # kernel for SMP systems (Pentium-II and above)
k_smp4G # kernel for SMP systems which supports a maximum of 4G of RAM
kernel-64k-pagesize
kernel-bigsmp
kernel-default
kernel-smp
**** Step 2: Download the package for your system
Please download the kernel RPM package for your distribution with the
name as indicated by Step 1. The list of all kernel rpm packages is
appended below. Note: The kernel-source package does not
contain a binary kernel in bootable form. Instead, it contains the
sources that the binary kernel rpm packages are created from. It can be
used by administrators who have decided to build their own kernel.
kernel-source.rpm is a regular installable package that contains the
kernel sources; it is not the source RPM (.src.rpm) from which the
binary kernel RPM packages are built.
The kernel RPM binary packages for the distributions can be found
below ftp://ftp.suse.com/pub/suse/i386/update/ in the following
subdirectories:
8.1/rpm/i586
8.2/rpm/i586
9.0/rpm/i586
9.1/rpm/i586
9.2/rpm/i586
After downloading the kernel RPM package for your system, you should
verify the authenticity of the kernel rpm package using the methods
listed in the standard appendix of each SUSE Security Announcement.
**** Step 3: Installing your kernel rpm package
Install the rpm package that you have downloaded in Step 2 with
the command
rpm -Uhv --nodeps --force
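The three steps above, written out as one POSIX sh script. This is an added example and not part of the SUSE advisory or any SUSE tool; the function names are hypothetical. It derives the kernel type from `rpm -qf /boot/vmlinuz` by dropping the trailing version-release fields (so kernel-64k-pagesize is handled correctly), refuses a package whose type does not match, checks the file's MD5 against the sum listed in the advisory, and only then runs the rpm command given in Step 3. The MD5 sums are only trustworthy because they sit inside the PGP-signed advisory, so verify the advisory's signature before copying a sum from it.

```shell
#!/bin/sh
# Added example (not part of the SUSE advisory): the three install steps
# above as a small POSIX sh script. Function names are hypothetical.
# Run as root, after verifying the advisory's own PGP signature, so that
# the MD5 sums copied from it can be trusted.

# Step 1: reduce the output of `rpm -qf /boot/vmlinuz` to the kernel type
# by dropping the trailing "-<version>-<release>" fields, e.g.
#   kernel-default-2.6.5-7.111.30       -> kernel-default
#   kernel-64k-pagesize-2.6.5-7.111.30  -> kernel-64k-pagesize
#   k_smp-2.4.21-273                    -> k_smp
kernel_type() {
    printf '%s\n' "$1" | sed 's/-[^-]*-[^-]*$//'
}

# Same reduction for a downloaded file name such as
# kernel-default-2.6.5-7.111.30.i586.rpm (strip ".<arch>.rpm" first;
# a full URL is accepted because basename drops the directory part).
rpm_file_type() {
    kernel_type "$(basename "$1" | sed 's/\.[^.]*\.rpm$//')"
}

# Step 2: compare the file's MD5 with the checksum listed in the advisory.
# Returns 0 on match, 1 otherwise.
verify_md5() {
    actual=$(md5sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Step 3: install only if the package matches the running kernel type and
# the checksum is correct. The rpm flags are the ones the advisory gives;
# --nodeps --force skips rpm's dependency and conflict checks, which is why
# the two checks above run first.
install_kernel_update() {
    rpmfile=$1
    expected=$2
    installed=$(rpm -qf /boot/vmlinuz) || return 1
    wanted=$(kernel_type "$installed")
    got=$(rpm_file_type "$rpmfile")
    if [ "$wanted" != "$got" ]; then
        echo "refusing: installed kernel type is $wanted, package is $got" >&2
        return 1
    fi
    if ! verify_md5 "$rpmfile" "$expected"; then
        echo "refusing: MD5 mismatch for $rpmfile" >&2
        return 1
    fi
    rpm -Uhv --nodeps --force "$rpmfile"
}
```

On a SUSE Linux 9.1 system running kernel-default, the call would be `install_kernel_update kernel-default-2.6.5-7.111.30.i586.rpm 231eb3350db6a02b621731790f3b6d37`, using the package and checksum quoted later in this thread for 9.1; pass the matching pair for any other product or kernel type.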
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi there,

Marcus Meissner wrote:
| SUSE Security Announcement
|
| Package: kernel
| Announcement-ID: SUSE-SA:2005:003
| Date: Friday, Jan 21st 2005 16:00 MET
| Affected products: 8.1, 8.2, 9.0, 9.1, 9.2
| [...]

This one seems to break ndiswrapper on 9.2 at least. After the update my
laptop simply freezes when I try to load ndiswrapper. Logs show nothing.

Anyone with the same problem?

Regards,
Sven
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQFB+XwuQoCguWUBzBwRAqGwAJkB47Cg+b/weey7AdkOIq7kug5VYACfV3up
+LZVtOkAPI+voPONpKVYvTg=
=1W2k
-----END PGP SIGNATURE-----
On Fri, Jan 28, 2005 at 12:41:35AM +0100, Sven 'Darkman' Michels wrote:
> Hi there,
>
> Marcus Meissner wrote:
> | Package: kernel
> | Announcement-ID: SUSE-SA:2005:003
> | [...]
>
> This one seems to break ndiswrapper on 9.2 at least. After the update my
> laptop simply freezes when I try to load ndiswrapper. Logs show nothing.
>
> Anyone with the same problem?

This should not happen. You did reboot the machine afterwards?

Can you check:

    find /lib/modules -name ndiswrapper.ko

It should only show 1 occurrence.

Ciao, Marcus
Hi Marcus,

Marcus Meissner wrote:
| This should not happen.

That was what I thought, too ;)

| You did reboot the machine afterwards?

Yup, that was how I noticed it. Since I want to use my wlan without
modprobing all the time after a reboot, I put ndiswrapper in the list of
modules to load at boot time. On Wednesday evening I did all that and did
a YOU, too. Thursday, when I fired up my notebook, it just hung after
loading ndiswrapper. So I thought this module might not be loadable this
way, so I removed it again from the list and booted up normally. After my
notebook was fully booted, I did a modprobe ndiswrapper and it locked up
completely. Nothing appears in the logs nor on the console; it immediately
locks up. I also removed and reinstalled my device drivers, but with no
success.

| Can you check:
|
|     find /lib/modules -name ndiswrapper.ko
|
| It should only show 1 occurrence.

Right:

beverly:~ # find /lib/modules -name ndiswrapper.ko
/lib/modules/2.6.8-24.11-default/extra/ndiswrapper.ko
beverly:~ #

So all looks fine, except that it still locks my box ;) I'll downgrade to
good old 10 tomorrow and check if it's working again (hopefully it isn't
broken ;) and report again.

Thanks,
Sven
On Friday 28 January 2005 2:27 pm, Sven 'Darkman' Michels wrote:
> So all looks fine, except that it still locks my box ;) I'll downgrade to
> good old 10 tomorrow and check if it's working again (hopefully it isn't
> broken ;) and report again.

Don't know if this is directly related or not, but there are a bunch of
recent posts to the NDISWrapper-General mailing list about freezes with
recent kernels. FC3 is mentioned a lot and I'm pretty sure SuSE came up
too.

Scott
--
POPFile, the OpenSource EMail Classifier
http://popfile.sourceforge.net/
Linux 2.6.8-24.11-default x86_64
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sven 'Darkman' Michels wrote:
| So all looks fine, except that it still locks my box ;) I'll downgrade
| to good old 10 tomorrow and check if it's working again (hopefully it
| isn't broken ;) and report again.

Well, sorry for the delay, but I was running out of time.
I downgraded the kernel to 2.6.8-24.10, rebooted, did modprobe
ndiswrapper and voila, it works. No more freezes etc., so it seems to be
a problem with the new kernel. But as Scott Leighton already said, others
are complaining on the ndiswrapper list, too. So maybe it's something
inside the latest fixes which broke ndiswrapper ... or whatever.

If you need some more information about the box or whatever you need,
just tell me.

Regards,
Sven
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQFCBEaLQoCguWUBzBwRAtxrAJ91gKpfSkEVy+aCeZXDHosb0L6lbACfYkYV
oJ7hHRCJK9D78h6o0g0U7v8=
=r+mL
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi list, Marcus,

sorry for replying to myself, but what about this issue? It's still open
for me.

Regards,
Sven

Sven 'Darkman' Michels wrote:
| I downgraded the kernel to 2.6.8-24.10, rebooted, did modprobe
| ndiswrapper and voila, it works. No more freezes etc., so it seems
| to be a problem with the new kernel. But as Scott Leighton already
| said, others are complaining on the ndiswrapper list, too.
| [...]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQFCEzlRQoCguWUBzBwRAtzsAKClySze9785GKJgHuddRV7R6h1oFgCeII+T
y+1VUzyfPLB8KpbShf1Yht0=
=Hc8T
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The Friday 2005-01-21 at 16:11 +0100, Marcus Meissner wrote:

> Package: kernel
> Announcement-ID: SUSE-SA:2005:003
> Date: Friday, Jan 21st 2005 16:00 MET
> Affected products: 8.1, 8.2, 9.0, 9.1, 9.2
> SUSE Linux Enterprise Server 8, 9
> SUSE Linux Desktop 1.0
> Novell Linux Desktop 9

...

> SUSE Linux 9.1:
> ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/kernel-source-2.6.5-7.111.30.i586.rpm
> b84574947de5c47a2bcca43525e1fc4d
> ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/kernel-bigsmp-2.6.5-7.111.30.i586.rpm
> 5346f03accd80530ef1dd870a069dc11
> ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/kernel-smp-2.6.5-7.111.30.i586.rpm
> dba08e4e49dbf1f32988152956448ab3
> ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/kernel-default-2.6.5-7.111.30.i586.rpm
> 231eb3350db6a02b621731790f3b6d37

After letting YOU update to this kernel, I have lost the cute colored
border around tty1. In the log file '/var/log/boot.msg' I see this message:

<6>bootsplash 3.1.6-2004/03/31: looking for picture...<6>...no good signature found.
<4>Console: switching to colour frame buffer device 128x48

What is that signature? Should I do something? Or wait till the next patch?

System data:

nimrodel:~ # uname -a
Linux nimrodel 2.6.5-7.111.30-default #1 Fri Jan 14 12:58:46 UTC 2005 i686 i686 i386 GNU/Linux
nimrodel:~ # cat /proc/version
Linux version 2.6.5-7.111.30-default (geeko@buildhost) (gcc version 3.3.3 (SuSE Linux)) #1 Fri Jan 14 12:58:46 UTC 2005
nimrodel:~ # cat /etc/SuSE-release
SuSE Linux 9.1 (i586)
VERSION = 9.1
nimrodel:~ #

The entry in /boot/grub/menu.lst is, as always (ie, unchanged):

title Linux
    kernel (hd1,1)/vmlinuz root=/dev/hdb6 vga=0x317 splash=verbose desktop resume=/dev/hda9 apic showopts
    initrd (hd1,1)/initrd

- --
Cheers,
Carlos Robinson
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Made with pgp4pine 1.76

iD8DBQFB+2VptTMYHG2NR9URAsC5AJ4uMcHgLwFS0uPe2NKri8obvdCDSQCcDBob
aI+BGjQvKYCdqpBclB1SYZo=
=jQDt
-----END PGP SIGNATURE-----
On Sat, Jan 29, 2005 at 11:28:45AM +0100, Carlos E. R. wrote:
> After letting YOU update to this kernel, I have lost the cute colored
> border around tty1. In the log file '/var/log/boot.msg' I see this message:
>
> <6>bootsplash 3.1.6-2004/03/31: looking for picture...<6>...no good signature found.
> <4>Console: switching to colour frame buffer device 128x48
>
> What is that signature? Should I do something? Or wait till the next patch?

This has happened to me in the past as well, a few times. For some reason
the mkinitrd that was run during the update was somewhat confused and
messed up the boot splash. I never looked deeper into this because it is
not a serious problem and rerunning mkinitrd fixed it.

Maybe rerunning mkinitrd fixes this for you as well.

Robert
--
Robert Schiele                  Tel.: +49-621-181-2214
Dipl.-Wirtsch.informatiker      mailto:rschiele@uni-mannheim.de
The Saturday 2005-01-29 at 21:57 +0100, Robert Schiele wrote:
> > <6>bootsplash 3.1.6-2004/03/31: looking for picture...<6>...no good signature found.
> > <4>Console: switching to colour frame buffer device 128x48
> >
> > What is that signature? Should I do something? Or wait till the next patch?
>
> This has happened to me in the past as well, a few times. For some reason
> the mkinitrd that was run during the update was somewhat confused and
> messed up the boot splash. I never looked deeper into this because it is
> not a serious problem and rerunning mkinitrd fixed it.
>
> Maybe rerunning mkinitrd fixes this for you as well.

Right, that was it: it worked today. Thanks :-)

--
Cheers,
Carlos Robinson
participants (5)
- Carlos E. R.
- Marcus Meissner
- Robert Schiele
- Scott Leighton
- Sven 'Darkman' Michels