
CERT Coordination Center

Linux kernel do_mremap() call creates virtual memory area of 0 bytes in length

Vulnerability Note VU#490620

Original Release Date: 2004-03-09 | Last Revised: 2004-08-19

Overview

There is a vulnerability in the Linux kernel memory management routines that allows local users to gain superuser privileges.

Description

The Linux kernel contains a vulnerability in the do_mremap() call that allows software to create a virtual memory area (VMA) with a length of 0 bytes. This vulnerability is reported to exist in versions 2.4.23 and earlier, excluding 2.2.x versions. Because the vulnerability is located within the kernel, multiple Linux distributions will be affected. An attacker with local access to an affected host may be able to exploit this vulnerability and gain superuser privileges.

Impact

This vulnerability allows local users to gain superuser privileges on affected hosts.

Solution

Apply a patch from your vendor

This vulnerability affects multiple Linux distributions; please see the Systems Affected section of this document for information on specific vendors.
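
A triage sketch for the affected range and vendor fixes described in this note, added here as an example; it is not part of the CERT/CC note or of any vendor's tooling. The function names, the assumed suffix forms of `uname -r` output, and the sample strings are constructed for illustration; the fixed builds are the Red Hat and Conectiva package versions listed in the vendor statements on this page.

```shell
#!/bin/sh
# Triage kernel release strings (as printed by `uname -r`) against VU#490620:
# affected range per the note is 2.4.23 and earlier, excluding 2.2.x.
# Vendors backport fixes, so an in-range version number is a prompt to check
# the installed package against the vendor advisory, not proof of exposure.

# classify_upstream RELEASE -> in-range | out-of-range | unknown
#   in-range      2.4.0 through 2.4.23
#   out-of-range  2.2.x (excluded by the note) or 2.4.24 and later
#   unknown       unparseable, or a series the note does not address
classify_upstream() {
    # Keep only the leading MAJOR.MINOR.PATCH; vendor suffixes are ignored here.
    base=$(printf '%s\n' "$1" |
        sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ -n "$base" ] || { echo unknown; return 0; }
    major=${base%%.*}
    rest=${base#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    case "$major.$minor" in
        2.2) echo out-of-range ;;
        2.4) if [ "$patch" -le 23 ]; then echo in-range; else echo out-of-range; fi ;;
        *)   echo unknown ;;
    esac
}

# is_listed_fixed_build RELEASE -> exit 0 if RELEASE is one of the fixed builds
# named on this page. Assumption: flavour suffixes such as "smp" follow the
# release directly. Later vendor builds are not recognised here; extend the
# list from your vendor's advisories.
is_listed_fixed_build() {
    case "$1" in
        2.4.20-28.[789]*)      return 0 ;;  # Red Hat RHSA-2003:417-01
        2.4.19-1U80_20cl*)     return 0 ;;  # Conectiva CLA-2004:799, release 8
        2.4.21-31301U90_13cl*) return 0 ;;  # Conectiva CLA-2004:799, release 9
    esac
    return 1
}

# triage RELEASE -> patched-build | review | not-in-range | unknown
triage() {
    if is_listed_fixed_build "$1"; then
        echo patched-build
        return 0
    fi
    case $(classify_upstream "$1") in
        in-range)     echo review ;;        # confirm patch level with the vendor
        out-of-range) echo not-in-range ;;
        *)            echo unknown ;;
    esac
}

# Constructed sample release strings; on a live host use: triage "$(uname -r)"
for r in 2.4.20-28.9smp 2.4.20-8 2.4.23 2.4.24 2.2.25 2.4.21-31301U90_13cl not-a-version
do
    printf '%-24s %s\n' "$r" "$(triage "$r")"
done
```

A result of `review` means the upstream version falls in the affected range and the installed kernel package should be compared with the fixed version in the vendor's advisory.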

Vendor Information


Conectiva Affected

Notified:  January 05, 2004 Updated: August 19, 2004

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
- --------------------------------------------------------------------------

PACKAGE   : kernel
SUMMARY   : Fix for two vulnerabilities
DATE      : 2004-01-05 13:46:00
ID        : CLA-2004:799
RELEVANT
RELEASES  : 8, 9

- -------------------------------------------------------------------------

DESCRIPTION
The Linux kernel is responsible for handling the basic functions of
the GNU/Linux operating system.

This announcement fixes two local vulnerabilities in the kernel
package:

1) mremap() local vulnerability (CAN-2003-0985[2])
Paul Starzetz <ihaquer@isec.pl> from iSEC Security Research
reported[1] another vulnerability in the Linux memory management code
which can be used by local attackers to obtain root privileges or
cause a denial of service condition (DoS).

2) Information leak in RTC code (CAN-2003-0984[3])
Russell King <rmk@arm.linux.org.uk> reported that real time clock
(RTC) routines in Linux kernel 2.4.23 and earlier do not properly
initialize their structures, which could leak kernel data to user
space.


SOLUTION
It is recommended that all Conectiva Linux users upgrade the kernel
package.

IMPORTANT: exercise caution and preparation when upgrading the
kernel, since it will require a reboot after the new packages are
installed. In particular, Conectiva Linux 9 will most likely require
an initrd file (which is automatically created in the /boot directory
after the new packages are installed). Generic kernel update
instructions can be obtained in the manuals and in our faq page[4].


REFERENCES
1.http://isec.pl/vulnerabilities/isec-0013-mremap.txt
2.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0985
3.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0984
4.http://www.conectiva.com.br/suporte/pr/sistema.kernel.atualizar.html


UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/8/SRPMS/kernel-2.4.19-1U80_20cl.src.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/devfsd-2.4.19-1U80_20cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/kernel-2.4.19-1U80_20cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/kernel-2.4.19-1U80_20cl.i586.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/kernel-2.4.19-1U80_20cl.i686.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/kernel-BOOT-2.4.19-1U80_20cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/kernel-doc-2.4.19-1U80_20cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/kernel-enterprise-2.4.19-1U80_20cl.i686.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/kernel-headers-2.4.19-1U80_20cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/kernel-rbc-2.4.19-1U80_20cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/kernel-smp-2.4.19-1U80_20cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/kernel-smp-2.4.19-1U80_20cl.i586.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/kernel-smp-2.4.19-1U80_20cl.i686.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/kernel-source-2.4.19-1U80_20cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/SRPMS/kernel24-2.4.21-31301U90_13cl.src.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/devfsd-2.4.21-31301U90_13cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kernel24-2.4.21-31301U90_13cl.athlon.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kernel24-2.4.21-31301U90_13cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kernel24-2.4.21-31301U90_13cl.i586.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kernel24-2.4.21-31301U90_13cl.i686.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kernel24-2.4.21-31301U90_13cl.pentium4.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kernel24-BOOT-2.4.21-31301U90_13cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kernel24-doc-2.4.21-31301U90_13cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kernel24-enterprise-2.4.21-31301U90_13cl.athlon.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kernel24-enterprise-2.4.21-31301U90_13cl.i686.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kernel24-enterprise-2.4.21-31301U90_13cl.pentium4.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kernel24-rbc-2.4.21-31301U90_13cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kernel24-headers-2.4.21-31301U90_13cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kernel24-smp-2.4.21-31301U90_13cl.athlon.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kernel24-smp-2.4.21-31301U90_13cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kernel24-smp-2.4.21-31301U90_13cl.i586.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kernel24-smp-2.4.21-31301U90_13cl.i686.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kernel24-smp-2.4.21-31301U90_13cl.pentium4.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kernel24-source-2.4.21-31301U90_13cl.i386.rpm


ADDITIONAL INSTRUCTIONS
The apt tool can be used to perform RPM package upgrades:

- run:                 apt-get update
- after that, execute: apt-get upgrade

Detailed instructions regarding the use of apt and upgrade examples
can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en

- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en

- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en

- -------------------------------------------------------------------------
Copyright (c) 2003 Conectiva Inc.
http://www.conectiva.com

- -------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE/+Ybk42jd0JmAcZARAlJKAJ9x6rYu5qb5jtj4LcLlOiujzTQW/ACgvvTj
uK6MQOfSZS/wH32ltbNIXt0=
=ZgeM
-----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Debian Affected

Notified:  January 06, 2004 Updated: August 19, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Debian has published several advisories to address this vulnerability across multiple processor architectures. For further details, please see the document that corresponds to your processor architecture and kernel version:


    DSA-450-1 linux-kernel-2.4.19-mips -- several vulnerabilities
    DSA-442-1 linux-kernel-2.4.17-s390 -- several vulnerabilities
    DSA-440-1 linux-kernel-2.4.17-powerpc-apus -- several vulnerabilities
    DSA-439-1 linux-kernel-2.4.16-arm -- several vulnerabilities
    DSA-427-1 linux-kernel-2.4.17-mips+mipsel -- missing boundary check
    DSA-423-1 linux-kernel-2.4.17-ia64 -- several vulnerabilities
    DSA-417-1 linux-kernel-2.4.18-powerpc+alpha -- missing boundary check
    DSA-413-2 linux-kernel-2.4.18 -- missing boundary check


Guardian Digital Inc. Affected

Notified:  January 05, 2004 Updated: August 19, 2004

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


+------------------------------------------------------------------------+
| Guardian Digital Security Advisory January 05, 2003 |
| http://www.guardiandigital.com ESA-20040105-001 |
| |
| Package: kernel |
| Summary: bug and security fixes. |
+------------------------------------------------------------------------+

EnGarde Secure Linux is an enterprise class Linux platform engineered
to enable corporations to quickly and cost-effectively build a complete
and secure Internet presence while preventing Internet threats.

OVERVIEW
- --------
This update fixes two security issues and one critical bug in the Linux
Kernel shipped with EnGarde Secure Linux.

A summary of the bugs fixed:

* An EnGarde-specific memory leak in the LIDS code has been fixed.
This memory leak could cause a machine, over time, to freeze up.

* A security vulnerability in the mremap(2) system call was recently
discovered by Paul Starzetz. The incorrect bounds checking done
in this system call could be exploited by a local user to gain root
privileges.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2003-0985 to this issue.

* A somewhat less critical vulnerability has been found in the Linux
RTC code. This vulnerability may leak small bits of arbitrary
kernel memory to user land.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2003-0984 to this issue.

Guardian Digital products affected by this issue include:

EnGarde Secure Community 2
EnGarde Secure Professional v1.5

It is recommended that all users apply this update as soon as possible.

SOLUTION
- --------
Guardian Digital Secure Network subscribers may automatically update
affected systems by accessing their account from within the Guardian
Digital WebTool.

To modify your GDSN account and contact preferences, please go to:

https://www.guardiandigital.com/account/

REFERENCES
- ----------
Guardian Digital's public key:
http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY

Official Web Site of the Linux Kernel:
http://www.kernel.org/

Guardian Digital Advisories:
http://infocenter.guardiandigital.com/advisories/

Security Contact: security@guardiandigital.com

- --------------------------------------------------------------------------
Author: Ryan W. Maple <ryan@guardiandigital.com>
Copyright 2004, Guardian Digital, Inc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/+XJ8HD5cqd57fu0RAletAKCLtCixF4Qvs9hes1S+9UiTZY/tNQCdFjm1
o6kgmRCVXNU+thpSaxg7zm0=
=MU9t
-----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


MandrakeSoft Affected

Notified:  January 07, 2004 Updated: August 19, 2004

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

               Mandrake Linux Security Update Advisory
_______________________________________________________________________

Package name:           kernel
Advisory ID:            MDKSA-2004:001
Date:                   January 7th, 2004

Affected versions: 9.0, 9.1, 9.2, Corporate Server 2.1,
Multi Network Firewall 8.2
______________________________________________________________________

Problem Description:

A flaw in bounds checking in mremap() in the Linux kernel versions
2.4.23 and previous was discovered by Paul Starzetz.  This flaw may
be used to allow a local attacker to obtain root privilege.

Another minor information leak in the RTC (real time clock) routines
was fixed as well.

All Mandrake Linux users are encouraged to upgrade to these packages
immediately.  To update your kernel, please follow the directions
located at:

  http://www.mandrakesecure.net/en/kernelupdate.php

Mandrake Linux 9.1 and 9.2 users should upgrade the initscripts (9.1)
and bootloader-utils (9.2) packages prior to upgrading the kernel as
they contain a fixed installkernel script that fixes instances where
the loop module was not being loaded and would cause mkinitrd to fail.

Users requiring commercial NVIDIA drivers can find drivers for
Mandrake Linux 9.2 at MandrakeClub.
_______________________________________________________________________

References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0985
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0984
______________________________________________________________________

Updated Packages:
 
_______________________________________________________________________

To upgrade automatically use MandrakeUpdate or urpmi.  The verification
of md5 checksums and GPG signatures is performed automatically for you.

A list of FTP mirrors can be obtained from:

 http://www.mandrakesecure.net/en/ftp.php

All packages are signed by MandrakeSoft for security.  You can obtain
the GPG public key of the Mandrake Linux Security Team by executing:

 gpg --recv-keys --keyserver www.mandrakesecure.net 0x22458A98

Please be aware that sometimes it takes the mirrors a few hours to
update.

You can view other update advisories for Mandrake Linux at:

 http://www.mandrakesecure.net/en/advisories/

MandrakeSoft has several security-related mailing list services that
anyone can subscribe to.  Information on these lists can be obtained by
visiting:

 http://www.mandrakesecure.net/en/mlist.php

If you want to report vulnerabilities, please contact

 security_linux-mandrake.com

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Linux Mandrake Security Team
 <security linux-mandrake.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE//ZQ2mqjQ0CJFipgRAhbiAJ9Ynq77P20SpN1fUtL/6T/6UHnGegCg8lul
m3Iey37txkx7vLqlIj18EAo=
=Bsd0
-----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Red Hat Inc. Affected

Notified:  January 05, 2004 Updated: August 19, 2004

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------
Red Hat Security Advisory

Synopsis: Updated kernel resolves security vulnerability
Advisory ID: RHSA-2003:417-01
Issue date: 2004-01-05
Updated on: 2004-01-05
Product: Red Hat Linux
Keywords:
Cross references:
Obsoletes:
CVE Names: CAN-2003-0984 CAN-2003-0985
- ---------------------------------------------------------------------

1. Topic:

Updated kernel packages are now available that fix a security
vulnerability which may allow local users to gain root privileges.

2. Relevant releases/architectures:

Red Hat Linux 7.1 - athlon, i386, i586, i686
Red Hat Linux 7.2 - athlon, i386, i586, i686
Red Hat Linux 7.3 - athlon, i386, i586, i686
Red Hat Linux 8.0 - athlon, i386, i586, i686
Red Hat Linux 9 - athlon, i386, i586, i686

3. Problem description:

The Linux kernel handles the basic functions of the operating system.

Paul Starzetz discovered a flaw in bounds checking in mremap() in the Linux
kernel versions 2.4.23 and previous which may allow a local attacker to
gain root privileges. No exploit is currently available; however, it is
believed that this issue is exploitable (although not trivially.) The
Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the name CAN-2003-0985 to this issue.

All users are advised to upgrade to these errata packages, which contain a
backported security patch that corrects this issue.

Red Hat would like to thank Paul Starzetz from ISEC for disclosing this
issue as well as Andrea Arcangeli and Solar Designer for working on the patch.

These packages also contain a fix for a minor information leak in the real
time clock (rtc) routines. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2003-0984 to this issue.

We have provided kernel updates for Red Hat Linux 7.1-8.0 with this
advisory as these were prepared by us prior to December 31 2003. Please
note that Red Hat Linux 7.1, 7.2, 7.3, and 8.0 have reached their end of
life for errata support and no further errata will be issued for those
distributions.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

If up2date fails to connect to Red Hat Network due to SSL
Certificate Errors, you need to install a version of the
up2date client with an updated certificate. The latest version of
up2date is available from the Red Hat FTP site and may also be
downloaded directly from the RHN website:

https://rhn.redhat.com/help/latest-up2date.pxt

5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):

90338 - (TUX)password incorrectly parsed + patch to fix the problem

6. RPMs required:

Red Hat Linux 7.1:

SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/kernel-2.4.20-28.7.src.rpm

athlon:
ftp://updates.redhat.com/7.1/en/os/athlon/kernel-2.4.20-28.7.athlon.rpm
ftp://updates.redhat.com/7.1/en/os/athlon/kernel-smp-2.4.20-28.7.athlon.rpm

i386:
ftp://updates.redhat.com/7.1/en/os/i386/kernel-2.4.20-28.7.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/kernel-source-2.4.20-28.7.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/kernel-doc-2.4.20-28.7.i386.rpm

ftp://updates.redhat.com/7.1/en/os/i386/kernel-BOOT-2.4.20-28.7.i386.rpm

i586:
ftp://updates.redhat.com/7.1/en/os/i586/kernel-2.4.20-28.7.i586.rpm
ftp://updates.redhat.com/7.1/en/os/i586/kernel-smp-2.4.20-28.7.i586.rpm

i686:
ftp://updates.redhat.com/7.1/en/os/i686/kernel-2.4.20-28.7.i686.rpm
ftp://updates.redhat.com/7.1/en/os/i686/kernel-smp-2.4.20-28.7.i686.rpm
ftp://updates.redhat.com/7.1/en/os/i686/kernel-bigmem-2.4.20-28.7.i686.rpm

Red Hat Linux 7.2:

SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/kernel-2.4.20-28.7.src.rpm

athlon:
ftp://updates.redhat.com/7.2/en/os/athlon/kernel-2.4.20-28.7.athlon.rpm
ftp://updates.redhat.com/7.2/en/os/athlon/kernel-smp-2.4.20-28.7.athlon.rpm

i386:
ftp://updates.redhat.com/7.2/en/os/i386/kernel-2.4.20-28.7.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/kernel-source-2.4.20-28.7.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/kernel-doc-2.4.20-28.7.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/kernel-BOOT-2.4.20-28.7.i386.rpm

i586:
ftp://updates.redhat.com/7.2/en/os/i586/kernel-2.4.20-28.7.i586.rpm
ftp://updates.redhat.com/7.2/en/os/i586/kernel-smp-2.4.20-28.7.i586.rpm

i686:
ftp://updates.redhat.com/7.2/en/os/i686/kernel-2.4.20-28.7.i686.rpm
ftp://updates.redhat.com/7.2/en/os/i686/kernel-smp-2.4.20-28.7.i686.rpm
ftp://updates.redhat.com/7.2/en/os/i686/kernel-bigmem-2.4.20-28.7.i686.rpm

Red Hat Linux 7.3:

SRPMS:
ftp://updates.redhat.com/7.3/en/os/SRPMS/kernel-2.4.20-28.7.src.rpm

athlon:
ftp://updates.redhat.com/7.3/en/os/athlon/kernel-2.4.20-28.7.athlon.rpm
ftp://updates.redhat.com/7.3/en/os/athlon/kernel-smp-2.4.20-28.7.athlon.rpm

i386:
ftp://updates.redhat.com/7.3/en/os/i386/kernel-2.4.20-28.7.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/kernel-source-2.4.20-28.7.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/kernel-doc-2.4.20-28.7.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/kernel-BOOT-2.4.20-28.7.i386.rpm

i586:
ftp://updates.redhat.com/7.3/en/os/i586/kernel-2.4.20-28.7.i586.rpm
ftp://updates.redhat.com/7.3/en/os/i586/kernel-smp-2.4.20-28.7.i586.rpm

i686:
ftp://updates.redhat.com/7.3/en/os/i686/kernel-2.4.20-28.7.i686.rpm
ftp://updates.redhat.com/7.3/en/os/i686/kernel-smp-2.4.20-28.7.i686.rpm
ftp://updates.redhat.com/7.3/en/os/i686/kernel-bigmem-2.4.20-28.7.i686.rpm

Red Hat Linux 8.0:

SRPMS:
ftp://updates.redhat.com/8.0/en/os/SRPMS/kernel-2.4.20-28.8.src.rpm

athlon:
ftp://updates.redhat.com/8.0/en/os/athlon/kernel-2.4.20-28.8.athlon.rpm
ftp://updates.redhat.com/8.0/en/os/athlon/kernel-smp-2.4.20-28.8.athlon.rpm

i386:
ftp://updates.redhat.com/8.0/en/os/i386/kernel-2.4.20-28.8.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/kernel-source-2.4.20-28.8.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/kernel-doc-2.4.20-28.8.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/kernel-BOOT-2.4.20-28.8.i386.rpm

i586:
ftp://updates.redhat.com/8.0/en/os/i586/kernel-2.4.20-28.8.i586.rpm
ftp://updates.redhat.com/8.0/en/os/i586/kernel-smp-2.4.20-28.8.i586.rpm

i686:
ftp://updates.redhat.com/8.0/en/os/i686/kernel-2.4.20-28.8.i686.rpm
ftp://updates.redhat.com/8.0/en/os/i686/kernel-smp-2.4.20-28.8.i686.rpm
ftp://updates.redhat.com/8.0/en/os/i686/kernel-bigmem-2.4.20-28.8.i686.rpm

Red Hat Linux 9:

SRPMS:
ftp://updates.redhat.com/9/en/os/SRPMS/kernel-2.4.20-28.9.src.rpm

athlon:
ftp://updates.redhat.com/9/en/os/athlon/kernel-2.4.20-28.9.athlon.rpm
ftp://updates.redhat.com/9/en/os/athlon/kernel-smp-2.4.20-28.9.athlon.rpm

i386:
ftp://updates.redhat.com/9/en/os/i386/kernel-2.4.20-28.9.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/kernel-source-2.4.20-28.9.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/kernel-doc-2.4.20-28.9.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/kernel-BOOT-2.4.20-28.9.i386.rpm

i586:
ftp://updates.redhat.com/9/en/os/i586/kernel-2.4.20-28.9.i586.rpm
ftp://updates.redhat.com/9/en/os/i586/kernel-smp-2.4.20-28.9.i586.rpm

i686:
ftp://updates.redhat.com/9/en/os/i686/kernel-2.4.20-28.9.i686.rpm
ftp://updates.redhat.com/9/en/os/i686/kernel-smp-2.4.20-28.9.i686.rpm
ftp://updates.redhat.com/9/en/os/i686/kernel-bigmem-2.4.20-28.9.i686.rpm



7. Verification:


These packages are GPG signed by Red Hat for security. Our key is
available from https://www.redhat.com/security/keys.html

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:

md5sum <filename>


8. References:

http://www.securityfocus.com/bid/9154/discussion/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0984
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0985

9. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://www.redhat.com/solutions/security/news/contact.html

Copyright 2003 Red Hat, Inc.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SGI Affected

Notified:  January 22, 2004 Updated: March 16, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

SGI has published two advisories to address this vulnerability. For more information, please see:

Slackware Affected

Notified:  January 06, 2004 Updated: March 16, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Slackware has published several advisories to address this vulnerability. For further information, please see:

SuSE Inc. Affected

Notified:  January 05, 2004 Updated: August 19, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

SuSE has published Security Announcements SuSE-SA:2004:001 and SuSE-SA:2004:003 to address this vulnerability.

Trustix Secure Linux Affected

Notified:  January 05, 2004 Updated: March 09, 2004

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2004-0001

Package name:      kernel
Summary:           mremap fix
Date:              2004-01-05
Affected versions: TSL 2.0

- --------------------------------------------------------------------------
Package description:
 The kernel package contains the Linux kernel (vmlinuz), the core of your
 Trustix Secure Linux operating system.  The kernel handles the basic
 functions of the operating system:  memory allocation, process allocation,
 device input and output, etc.


Problem description:
 The kernel packages prior to this update suffer from a bug in the mremap
 function. This issue is fixed in this update. We have also fixed some minor
 bugs in the structure of the packages.


Action:
 We recommend that all systems with this package installed be upgraded.


Location:
 All TSL updates are available from
 <URI:http://http.trustix.org/pub/trustix/updates/>
 <URI:ftp://ftp.trustix.org/pub/trustix/updates/>


About Trustix Secure Linux:
 Trustix Secure Linux is a small Linux distribution for servers. With focus
 on security and stability, the system is painlessly kept safe and up to
 date from day one using swup, the automated software updater.


Automatic updates:
 Users of the SWUP tool can enjoy having updates automatically
 installed using 'swup --upgrade'.


Public testing:
 Most updates for Trustix are made available for public testing some time
 before release.
 If you want to contribute by testing the various packages in the
 testing tree, please feel free to share your findings on the
 tsl-discuss mailing list.
 The testing tree is located at
 <URI:http://tsldev.trustix.org/cloud/>

 You may also use swup for public testing of updates:
 
 site {
     class = 0
     location = "http://tsldev.trustix.org/cloud/rdfs/latest.rdf"
     regexp = ".*"
 }
 

Questions?
 Check out our mailing lists:
 <URI:http://www.trustix.org/support/>


Verification:
 This advisory along with all TSL packages are signed with the TSL sign key.
 This key is available from:
 <URI:http://www.trustix.org/TSL-SIGN-KEY>

 The advisory itself is available from the errata pages at
 <URI:http://www.trustix.org/errata/trustix-2.0/>
 or directly at
 <URI:http://www.trustix.org/errata/misc/2004/TSL-2004-0001-kernel.asc.txt>


MD5sums of the packages:

TSL Security Team

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

TurboLinux Affected

Notified:  January 06, 2004 Updated: March 09, 2004

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is an announcement only email list for the x86 architecture.
============================================================
Turbolinux Security Announcement 06/Jan/2004
============================================================

The following page contains the security information of Turbolinux Inc.

- Turbolinux Security Center
  http://www.turbolinux.com/security/

(1) kernel -> kernel mremap vulnerability


===========================================================
* kernel -> kernel mremap vulnerability
===========================================================

More information :
   The kernel package contains the Linux kernel (vmlinuz), the core of your Linux operating system.
   The kernel handles the basic functions of the operating system.
   The Linux memory management subsystem (mremap) issue has been discovered in Kernel 2.4.

Impact :
   The local users may be able to gain root privileges.

Affected Products :
   - Turbolinux 8 Server
   - Turbolinux 8 Workstation
   - Turbolinux 7 Server
   - Turbolinux 7 Workstation

Solution :
   Please use turbopkg(zabom) tool to apply the update.
---------------------------------------------
# turbopkg
or
# zabom update kernel kernel-BOOT kernel-doc kernel-headers kernel-pcmcia-cs kernel-smp kernel-smp64G kernel-source
---------------------------------------------



References :

CVE
  [CAN-2003-0985]
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0985


* You may need to update the turbopkg tool before applying the update.
Please refer to the following URL for detailed information.

 http://www.turbolinux.com/download/zabom.html
 http://www.turbolinux.com/download/zabomupdate.html

Package Update Path
http://www.turbolinux.com/update

============================================================
* To obtain the public key

Here is the public key

http://www.turbolinux.com/security/

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

VMware Affected

Notified:  January 28, 2004 Updated: March 16, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

VMware has published multiple advisories to address this vulnerability. For more information, see:

Hewlett-Packard Company Unknown

Updated:  August 19, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

IBM eServer Unknown

Updated:  August 19, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Ingrian Networks Unknown

Updated:  August 19, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

MontaVista Software Unknown

Updated:  August 19, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Novell Unknown

Updated:  August 19, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Openwall GNU/*/Linux Unknown

Updated:  August 19, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Sequent Unknown

Updated:  August 19, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Sun Microsystems Inc. Unknown

Updated:  August 19, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Wirex Unknown

Notified:  March 16, 2004 Updated: August 19, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Acknowledgements

This vulnerability was discovered by Paul Starzetz.

This document was written by Jeffrey P. Lanza.

Other Information

CVE IDs: CVE-2003-0985
Severity Metric: 13.54
Date Public: 2004-01-05
Date First Published: 2004-03-09
Date Last Updated: 2004-08-19 23:33 UTC
Document Revision: 23

Sponsored by CISA.