RHSA-2005:293 - Security Advisory

Topic

Updated kernel packages that fix several security issues in the Red Hat
Enterprise Linux 3 kernel are now available.

This security advisory has been rated as having important security impact
by the Red Hat Security Response Team.

The Linux kernel handles the basic functions of the operating system.

Description

The following security issues were fixed:

The Vicam USB driver did not use the copy_from_user function to access
userspace, crossing security boundaries. (CAN-2004-0075)

The ext3 and jfs code did not properly initialize journal descriptor
blocks. A privileged local user could read portions of kernel memory.
(CAN-2004-0177)

The terminal layer did not properly lock line discipline changes or pending
IO. An unprivileged local user could read portions of kernel memory, or
cause a denial of service (system crash). (CAN-2004-0814)

A race condition was discovered. Local users could use this flaw to read
the environment variables of another process that is still spawning via
/proc/.../cmdline. (CAN-2004-1058)

A flaw in the execve() syscall handling was discovered, allowing a local
user to read setuid ELF binaries that should otherwise be protected by
standard permissions. (CAN-2004-1073). Red Hat originally reported this
as being fixed by RHSA-2004:549, but the associated fix was missing from
that update.

Keith Owens reported a flaw in the Itanium unw_unwind_to_user() function.
A local user could use this flaw to cause a denial of service (system
crash) on the Itanium architecture. (CAN-2005-0135)

A missing Itanium syscall table entry could allow an unprivileged
local user to cause a denial of service (system crash) on the Itanium
architecture. (CAN-2005-0137)

A flaw affecting the OUTS instruction on the AMD64 and Intel EM64T
architectures was discovered. A local user could use this flaw to
access privileged IO ports. (CAN-2005-0204)

A flaw was discovered in the Linux PPP driver. On systems allowing remote
users to connect to a server using ppp, a remote client could cause a
denial of service (system crash). (CAN-2005-0384)

A flaw in the Red Hat backport of NPTL to Red Hat Enterprise Linux 3 was
discovered that left a pointer to a freed tty structure. A local user
could potentially use this flaw to cause a denial of service (system crash)
or possibly gain read or write access to ttys that should normally be
prevented. (CAN-2005-0403)

A flaw in fragment queuing was discovered affecting the netfilter
subsystem. On systems configured to filter or process network packets (for
example those configured to do firewalling), a remote attacker could send a
carefully crafted set of fragmented packets to a machine and cause a denial
of service (system crash). In order to sucessfully exploit this flaw, the
attacker would need to know (or guess) some aspects of the firewall ruleset
in place on the target system to be able to craft the right fragmented
packets. (CAN-2005-0449)

Missing validation of an epoll_wait() system call parameter could allow
a local user to cause a denial of service (system crash) on the IBM S/390
and zSeries architectures. (CAN-2005-0736)

A flaw when freeing a pointer in load_elf_library was discovered. A local
user could potentially use this flaw to cause a denial of service (system
crash). (CAN-2005-0749)

A flaw was discovered in the bluetooth driver system. On system where the
bluetooth modules are loaded, a local user could use this flaw to gain
elevated (root) privileges. (CAN-2005-0750)

In addition to the security issues listed above, there was an important
fix made to the handling of the msync() system call for a particular case
in which the call could return without queuing modified mmap()'ed data for
file system update. (BZ 147969)

Note: The kernel-unsupported package contains various drivers and modules
that are unsupported and therefore might contain security problems that
have not been addressed.

Red Hat Enterprise Linux 3 users are advised to upgrade their kernels to
the packages associated with their machine architectures/configurations

Please note that the fix for CAN-2005-0449 required changing the
external symbol linkages (kernel module ABI) for the ip_defrag()
and ip_ct_gather_frags() functions. Any third-party module using either
of these would also need to be fixed.

Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied. Use Red Hat
Network to download and update your packages. To launch the Red Hat
Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the
following Web page for the System Administration or Customization
guide specific to your system:

http://www.redhat.com/docs/manuals/enterprise/

Affected Products

• Red Hat Enterprise Linux Server 3 x86_64
• Red Hat Enterprise Linux Server 3 ia64
• Red Hat Enterprise Linux Server 3 i386
• Red Hat Enterprise Linux Workstation 3 x86_64
• Red Hat Enterprise Linux Workstation 3 ia64
• Red Hat Enterprise Linux Workstation 3 i386
• Red Hat Enterprise Linux Desktop 3 x86_64
• Red Hat Enterprise Linux Desktop 3 i386
• Red Hat Enterprise Linux for IBM z Systems 3 s390x
• Red Hat Enterprise Linux for IBM z Systems 3 s390
• Red Hat Enterprise Linux for Power, big endian 3 ppc

Fixes

• BZ - 121032 - CAN-2004-0177 ext3 infoleak
• BZ - 126407 - CAN-2004-0075 Vicam USB user/kernel copying
• BZ - 130774 - oops in drivers/char/tty_io.c:init_dev()
• BZ - 131674 - CAN-2004-0814 potential race condition in RHEL 2.1/3 tty layer
• BZ - 133108 - CAN-2004-0814 input/serio local DOS
• BZ - 133113 - CAN-2004-1058 /proc/<PID>/cmdline information disclosure
• BZ - 144059 - CAN-2005-0403 panic in tty init_dev
• BZ - 144530 - random poolsize sysctl handler integer overflow
• BZ - 148855 - CAN-2005-0204 OUTS instruction does not cause SIGSEGV for all ports
• BZ - 150334 - Kernel panic: Code: Bad EIP value
• BZ - 151086 - kernel locks up tty/psuedo-tty access
• BZ - 151241 - CAN-2005-0384 pppd remote DoS
• BZ - 151805 - CAN-2005-0449 Possible remote Oops/firewall bypass - kABI breaker
• BZ - 152178 - CAN-2005-0750 bluetooth security flaw
• BZ - 152411 - CAN-2005-0749 load_elf_library possible DoS
• BZ - 152552 - CAN-2004-1073 looks unfixed in RHEL3
• BZ - 155234 - CAN-2005-0137 ia64 syscall_table DoS

CVEs

• CVE-2004-0075
• CVE-2005-0749
• CVE-2005-0135
• CVE-2005-0384
• CVE-2005-0449
• CVE-2005-0736
• CVE-2005-0750
• CVE-2004-0177
• CVE-2004-0814
• CVE-2004-1058
• CVE-2004-1073
• CVE-2005-0137
• CVE-2005-0204
• CVE-2005-0403

References

(none)