SUSE Security Announcement: Linux Kernel (SuSE-SA:2004:005)
-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________
SUSE Security Announcement
Package: Linux Kernel
Announcement-ID: SuSE-SA:2004:005
Date: Wednesday, Feb. 18th 2004 23:05 MET
Affected products: 8.0, 8.1, 8.2, 9.0
SuSE Linux Database Server,
SuSE eMail Server III, 3.1
SuSE Linux Enterprise Server 7, 8
SuSE Linux Firewall on CD/Admin host
SuSE Linux Connectivity Server
SuSE Linux Office Server
Vulnerability Type: local privilege escalation
Severity (1-10): 6
SUSE default package: yes
Cross References: CAN-2004-0003
CAN-2004-0010
CAN-2004-0077
CAN-2004-0075
Content of this advisory:
1) security vulnerability resolved:
- do_mremap: insecure memory page management
- several local denial-of-service attacks
problem description, discussion, solution and upgrade information
2) pending vulnerabilities, solutions, workarounds:
- netpbm
- zebra
- susehelp
- mod_gzip
- mod_auth_shadow
- mod_python
- mutt
- mailman
- clamav
- XFree86/xf86
- libxml2
3) standard appendix (further information)
______________________________________________________________________________
1) problem description, brief discussion, solution, upgrade information
Another bug in the Kernel's do_mremap() function, which is unrelated to
the bug fixed in SuSE-SA:2004:001, was found by Paul Starzetz.
The do_mremap() function of the Linux Kernel is used to manage
Virtual Memory Areas (VMAs) which includes moving, removing and
resizing of memory areas. To remove old memory areas do_mremap()
uses the function do_munmap() without checking the return value.
By forcing do_munmap() to return an error the memory management of
a process can be tricked into moving page table entries from one VMA
to another. The destination VMA may be protected by a different ACL
which enables a local attacker to gain write access to previous read-only
pages.
The result will be local root access to the system.
Additionally to the bug mentioned above some other bugs were fixed
(depending on architecture) that can cause local denial-of-service
conditions:
- Vicam USB driver: CAN-2004-0075
+ denial-of-service due to problem while
copying data from user to kernel space
- Direct Render Infrastructure: CAN-2004-0003
+ denial-of-service due to integer overflow
+ needs r128 card and console to be exploited
- ncpfs/ncp_lookup: CAN-2004-0010
+ buffer overflow with the probability to
gain root
- execve():
+ malformed elf binaries can lead to a local
denial-of-service attack
SPECIAL INSTALL INSTRUCTIONS:
==============================
The following paragraphs will guide you through the installation
process in a step-by-step fashion. The character sequence "****"
marks the beginning of a new paragraph. In some cases, you decide
if the paragraph is needed for you or not. Please read through all
of the steps down to the end. All of the commands that need to be
executed are required to be run as the superuser (root). Each step
relies on the steps before to complete successfully.
**** Step 1: Determine the needed kernel type
Please use the following command to find the kernel type that is
installed on your system:
rpm -qf /boot/vmlinuz
The following options are possible (disregarding the version and build
number following the name, separated by the "-" character):
k_deflt # default kernel, good for most systems.
k_i386 # kernel for older processors and chipsets
k_athlon # kernel made specifically for AMD Athlon(tm) family processors
k_psmp # kernel for Pentium-I dual processor systems
k_smp # kernel for SMP systems (Pentium-II and above)
k_smp4G # kernel for SMP systems which supports a maximum of 4G of RAM
**** Step 2: Download the package for your system
Please download the kernel RPM package for your distribution with the
name starting as indicated by Step 1. The list of all kernel rpm
packages is appended below. Note: The kernel-source package does not
contain any binary kernel in bootable form. Instead, it contains the
sources that the binary kernel rpm packages are made from. It can be
used by administrators who have decided to build their own kernel.
Since the kernel-source.rpm is an installable (compiled) package that
contains sources for the linux kernel, it is not the source RPM for
the kernel RPM binary packages.
The kernel RPM binary packages for the distributions can be found at these
locations below ftp://ftp.suse.com/pub/suse/i386/update/.
8.0/images/
8.1/rpm/i586
8.2/rpm/i586
9.0/rpm/i586
After downloading the kernel RPM package for your system, you should
verify the authenticity of the kernel rpm package using the methods as
listed in section 3) of each SUSE Security Announcement.
**** Step 3: Installing your kernel rpm package
Install the rpm package that you have downloaded in Steps 3 or 4 with
the command
rpm -Uhv --nodeps --force
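An added example, not part of the advisory or of SUSE's tooling: pre-install checks that tie the kernel type from Step 1 to the downloaded file name and compare the file's MD5 with the sum printed beside the package URL in the signed advisory, which matters when the file is fetched from a mirror. The function names are hypothetical; the package name and sum in the usage comment are the SuSE-8.1 k_deflt values quoted later in this thread.

```sh
#!/bin/sh
# Added example: checks to run on a kernel update rpm before installing it.
# Function names are hypothetical (not SUSE tooling).

# Strip "-<version>-<build>" from an rpm package name:
# k_psmp-2.4.21-189 -> k_psmp
kernel_flavor() {
    echo "$1" | sed 's/-[^-]*-[^-]*$//'
}

# Succeed only if the downloaded file belongs to the installed kernel type.
# The trailing "-" in the pattern keeps k_smp from matching k_smp4G.
flavor_matches() {  # $1 = installed package name, $2 = downloaded rpm file
    flavor=$(kernel_flavor "$1")
    case "$(basename "$2")" in
        "$flavor"-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Compare the file's MD5 with the sum taken from the signed advisory.
md5_matches() {  # $1 = file, $2 = expected md5 (lower-case hex)
    actual=$(md5sum < "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Return 0 if both checks pass, 2 on kernel type mismatch, 3 on MD5 mismatch.
precheck() {  # $1 = installed package, $2 = rpm file, $3 = advisory md5
    flavor_matches "$1" "$2" || { echo "kernel type mismatch: $1 vs $2" >&2; return 2; }
    md5_matches "$2" "$3"    || { echo "MD5 mismatch for $2" >&2; return 3; }
    echo "ok: $2"
}

# Use on the target host, as root (values are the SuSE-8.1 ones from this page):
#   installed=$(rpm -qf /boot/vmlinuz)
#   f=k_deflt-2.4.21-189.i586.rpm
#   precheck "$installed" "$f" 268986c15003f47539f97847ca0a71ba \
#       && rpm --checksig "$f"
```

Only when both the precheck and `rpm --checksig` succeed should the install command from Step 3 be run on the file.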
On Wednesday 18 February 2004 13:20, Thomas Biege wrote:
___________________________________________________________________________ ___
SUSE Security Announcement
Package: Linux Kernel Announcement-ID: SuSE-SA:2004:005 Date: Wednesday, Feb. 18th 2004 23:05 MET Affected products: 8.0, 8.1, 8.2, 9.0
I just happened to do a yast online update earlier today and I noticed that the machine (SuSE 8.1 pro) downloaded and installed a kernel (2.4.21-189) and while downloading it, it said it was an athlon package. (It's a dual Pentium II mobo.)
I thought the Athlon notation thingie was fixed??
The actual file downloaded was
-rw-r--r-- 1 root root 22614744 Feb 18 12:24 k_psmp-2.4.21-189.i586.rpm
Yet it specifically mentioned athlon while it was downloading it.
Should I be afraid to reboot that server?
--
_____________________________________
John Andersen
Hi John! On Wed, 18 Feb 2004, John Andersen wrote:
I just happened to do a yast online update earlier today and I noticed that the machine (SuSE 8.1 pro) downloaded and installed a kernel (2.4.21-189) and while downloading it, it said it was an athlon package. (It's a dual Pentium II mobo.)
I thought the Athlon notation thingie was fixed??
The actual file downloaded was -rw-r--r-- 1 root root 22614744 Feb 18 12:24 k_psmp-2.4.21-189.i586.rpm
Yet it specifically mentioned athlon while it was downloading it.
Should I be afraid to reboot that server?
Always be afraid :-)
Do
rpm --verify -vv k_psmp
and
rpm -qi k_psmp
check the output of both is what you expect. If it is, check that lilo/grub points to the new kernel and a tested kernel, and be less afraid.
On Thursday 19 February 2004 00:20, Thomas Biege wrote:
___________________________________________________________________________ ___
SUSE Security Announcement
Package: Linux Kernel Announcement-ID: SuSE-SA:2004:005 Date: Wednesday, Feb. 18th 2004 23:05 MET Affected products: 8.0, 8.1, 8.2, 9.0 [...] SuSE-8.1:
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/k_deflt-2.4.21-189.i586.rpm 268986c15003f47539f97847ca0a71ba
I am trying to download above package but continuously get a message from kget that the file/directory does not exist. (The filename is complete in the original message). Is it really not around. strange. Kostas
Konstantinos Georgokitsos wrote:
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/k_deflt-2.4.21-189.i586.rpm 268986c15003f47539f97847ca0a71ba
I am trying to download above package but continuously get a message from kget that the file/directory does not exist. (The filename is complete in the original message).
I was trying to download the 9.0 athlon kernel package using the link provided in the advisory but that file wasn't on ftp.suse.com either. I was able to find it on a mirror site though. Here is the file that you're looking for.. http://ftp.gwdg.de/pub/linux/suse/ftp.suse.com/suse/i386/update/8.1/rpm/i586...
Don't worry! Get the file from a mirror. Just like ftp://ftp.uni-bayreuth.de/pub/linux/suse/i386/update/8.1/rpm/i586/k_deflt-2.4.21-189.i586.rpm GSK
On Thu, 19 Feb 2004, Konstantinos Georgokitsos wrote:
On Thursday 19 February 2004 00:20, Thomas Biege wrote:
___________________________________________________________________________ ___
SUSE Security Announcement
Package: Linux Kernel Announcement-ID: SuSE-SA:2004:005 Date: Wednesday, Feb. 18th 2004 23:05 MET Affected products: 8.0, 8.1, 8.2, 9.0 [...] SuSE-8.1:
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/k_deflt-2.4.21-189.i586.rpm 268986c15003f47539f97847ca0a71ba
I am trying to download above package but continuously get a message from kget that the file/directory does not exist. (The filename is complete in the original message).
Is it really not around. strange.
It looks like the mirroring didn't work. We are currently solving this
issue.
Bye,
Thomas
--
Thomas Biege
Is it really not around. strange.
It looks like the mirroring didn't work. We are currently solving this issue.
The sync between the staging server and ftp.suse.com was temporarily disabled due to a flawed configuration change. This has been resolved for some hours now.
The k_athlon thingy for 9.0 is fixed now, too. 8.1 and 8.2 are following in a few minutes. It is a cosmetic problem, and it will do the right thing even though it looks different. The cosmetic problem this time is different from the one last time, where the description showed "Athlon optimized kernel" for all kernel update packages. A "human" somewhere in the automatic process hasn't seen the cosmetic implications...
Thanks,
Roman.
Hello, Thomas Biege.
On 19.02.2004 01:20 you said the following:
| Intel i386 Platform:
|
| SuSE-9.0:
| ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/k_deflt-2.4.21-192.i586.rpm
| ecfbe03e394832b72a3b9c82eb126064
sh-2.05b$ LC_ALL=C wget ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/kernel-source-2.4.21-192.i586.rpm
--11:33:08-- ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/kernel-source-2.4.21-192.i586.rpm
=> `kernel-source-2.4.21-192.i586.rpm'
Resolving ftp.suse.com... done.
Connecting to ftp.suse.com[195.135.221.130]:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done.
==> PWD ... done.
==> TYPE I ... done.
==> CWD /pub/suse/i386/update/9.0/rpm/i586 ... done.
==> EPSV ... failed.
==> PASV ... done.
==> RETR kernel-source-2.4.21-192.i586.rpm ...
No such file `kernel-source-2.4.21-192.i586.rpm'.
--
Boris B. Zhmurov
DialogueScience, Inc. Technical department.
40 Vavilova St., Moscow, 119991, Russia
Tel.: (+7-095) 137-0150, 135-6253
HTTP://www.antivir.ru FTP://ftp.antivir.ru
"wget http://bb.dials.ru/bb_public_key.pgp -O - | gpg --import"
Hello, Boris B. Zhmurov. On 19.02.2004 11:36 you said the following:
No such file `kernel-source-2.4.21-192.i586.rpm'.
And k_deflt too... :(
Logging in as anonymous ... Logged in!
==> SYST ... done.
==> PWD ... done.
==> TYPE I ... done.
==> CWD /pub/suse/i386/update/9.0/rpm/i586 ... done.
==> EPSV ... failed.
==> PASV ... done.
==> RETR k_deflt-2.4.21-192.i586.rpm ...
No such file `k_deflt-2.4.21-192.i586.rpm'.
--
Boris B. Zhmurov
DialogueScience, Inc. Technical department.
40 Vavilova St., Moscow, 119991, Russia
Tel.: (+7-095) 137-0150, 135-6253
HTTP://www.antivir.ru FTP://ftp.antivir.ru
"wget http://bb.dials.ru/bb_public_key.pgp -O - | gpg --import"
Hello, is the new kernel approved for SAP servers? Or can it be used without danger to the system (so far SLES8, SP2a)? Greetings from Leipzig \/\/erner Flamme Thomas Biege wrote on 18.02.2004 23:20:
-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________
SUSE Security Announcement
Package: Linux Kernel Announcement-ID: SuSE-SA:2004:005 Date: Wednesday, Feb. 18th 2004 23:05 MET Affected products: 8.0, 8.1, 8.2, 9.0 SuSE Linux Database Server, SuSE eMail Server III, 3.1 SuSE Linux Enterprise Server 7, 8 SuSE Linux Firewall on CD/Admin host SuSE Linux Connectivity Server SuSE Linux Office Server Vulnerability Type: local privilege escalation Severity (1-10): 6 SUSE default package: yes Cross References: CAN-2004-0003 CAN-2004-0010 CAN-2004-0077 CAN-2004-0075
Content of this advisory: 1) security vulnerability resolved: - do_mremap: insecure memory page management - several local denial-of-service attacks problem description, discussion, solution and upgrade information 2) pending vulnerabilities, solutions, workarounds: - netpbm - zebra - susehelp - mod_gzip - mod_auth_shadow - mod_python - mutt - mailman - clamav - XFree86/xf86 - libxml2 3) standard appendix (further information) ---snip--- -- Werner Flamme, Abt. WKDV UFZ Umweltforschungszentrum Leipzig-Halle GmbH, Permoserstr. 15, 04318 Leipzig eMail: werner.flamme@ufz.de, Tel.: (0341) 235-2500
Hello, could it be that this fancy kernel touted ;-) below does not support SMB? When I try to mount my working directories (which have to be accessible to Windoze) I get the message that the kernel does not support SMB. And for once I can only say "It still worked yesterday!" SuSE 9.0, kernel version: 2.4.21-192 (build time 18.02.2004 21:28:46, installation time 19.02.2004 12:51:03 (according to YaST), build host lifschitz.suse.de). Is the error on my side, do I have to recompile the kernel, or is a corrected version coming? Regards \/\/erner Thomas Biege wrote on 18.02.2004 23:20:
-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________
SUSE Security Announcement
Package: Linux Kernel Announcement-ID: SuSE-SA:2004:005 Date: Wednesday, Feb. 18th 2004 23:05 MET Affected products: 8.0, 8.1, 8.2, 9.0 SuSE Linux Database Server, SuSE eMail Server III, 3.1 SuSE Linux Enterprise Server 7, 8 SuSE Linux Firewall on CD/Admin host SuSE Linux Connectivity Server SuSE Linux Office Server
Hi Werner, please learn that this is an English speaking mailing list.
kann es sein, dass dieser unten angepriesene ;-) schicke Kernel kein SMB unterstützt? Wenn ich versuche, meine Arbeitsverzeichnisse zu mounten (die für Windoofs zugänglich sein müssen) erhalte ich die Meldung, dass der Kernel kein SMB unterstützt. Und ausnahmsweise kann ich nur sagen "Gestern hat's noch geklappt!"
--> TRANSLATION: can it be that the kernel mentioned in the Announcement does not support SMB. If I try to mount a directory that is shared to my windows machines, I get the message: kernel doesn't support SMB. But this time I have to say: "yesterday it still worked".
SuSE 9.0, Kernelversion: 2.4.21-192 (Buildtime 18.02.2004 21:28:46, Installation time 19.02.2004 12:51:03 (lt. YaST), Build machine lifschitz.suse.de).
Fehler bei mir, muss ich den Kernel neu compilieren oder kommt eine Korrekturversion?
--> Is this an error on my side, do I have to recompile the kernel or will there be a correction ? ANSWER: I installed the kernel from the announcement on a SuSE 9.0 server running k_athlon and one running k_smp and both times SAMBA is working and can be accessed. Regards, Armin -- Am Hasenberg 26 office: Institut für Atmosphärenphysik D-18209 Bad Doberan Schloss-Straße 6 Tel. ++49-(0)38203/42137 D-18225 Kühlungsborn / GERMANY Email: schoech@iap-kborn.de Tel. +49-(0)38293-68-102 WWW: http://armins.cjb.net/ Fax. +49-(0)38293-68-50
participants (11)
- Armin Schoech
- Avtar Gill
- Boris B. Zhmurov
- dproc
- Gero Schmidt-Kärst
- John Andersen
- Konstantinos Georgokitsos
- Roman Drahtmueller
- Thomas Biege
- thomas@suse.de
- Werner Flamme