Overview
A vulnerability in the Linux mremap(2) system call could allow an authenticated, local attacker to execute arbitrary code with root privileges.
Description
The Linux kernel uses a linked list of vitrual memory area (VMA) descriptors to reference valid regions of the page table for a given process. VMA descriptors include information about the memory area such as start address, length, and page protection flags. A VMA effectively contains a range of page table entries (PTEs) that make up part of the page table. The mremap(2) system call has the ability to resize or move a VMA or part of a VMA within a process' memory space. mremap(2) contains a function called do_munmap() that is used to unmap regions of memory during resize or move operations. There is a limit on the number of VMA descriptors that can exist at one time, and do_munmap() does not create a new VMA descriptor if doing so would exceed this limit. |
Impact
An authenticated, local attacker could execute arbitrary code with root privileges. |
Solution
Patch or Upgrade |
Vendor Information
Astaro Affected
Updated: March 25, 2004
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Please see Up2Date 4.021 #35996.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Conectiva Affected
Notified: March 10, 2004 Updated: March 11, 2004
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Please see CLSA-2004:820.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Debian Affected
Notified: March 10, 2004 Updated: March 11, 2004
Status
Affected
Vendor Statement
We have fixed this problem for our various kernels in the following advisories:
http://www.debian.org/security/2004/dsa-456
http://www.debian.org/security/2004/dsa-454
http://www.debian.org/security/2004/dsa-453
http://www.debian.org/security/2004/dsa-450
http://www.debian.org/security/2004/dsa-444
http://www.debian.org/security/2004/dsa-442
http://www.debian.org/security/2004/dsa-440
http://www.debian.org/security/2004/dsa-439
http://www.debian.org/security/2004/dsa-441
http://www.debian.org/security/2004/dsa-438
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Fedora Legacy Project Affected
Updated: March 25, 2004
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Please see FLSA:1284.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Fedora Project Affected
Updated: March 25, 2004
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Please see FEDORA-2004-080.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Gentoo Linux Affected
Updated: March 11, 2004
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Please see GLSA 200403-02.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Linux Kernel Archives Affected
Updated: March 10, 2004
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
This issue is resolved in Linux kernels 2.2.26, 2.4.25, and 2.6.3.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Linux Netwosix Affected
Updated: March 25, 2004
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Please see LNSA-#2004-0003.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
MandrakeSoft Affected
Notified: March 10, 2004 Updated: March 25, 2004
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Please see MDKSA-2004:015 and MDKSA-2004:015-1.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Openwall GNU/*/Linux Affected
Notified: March 10, 2004 Updated: March 25, 2004
Status
Affected
Vendor Statement
No supported release of Openwall GNU/*/Linux (Owl) was affected by this vulnerability as of the time it was made public. We had the bug proactively fixed in Owl 1.1 release (Linux kernel 2.4.23-ow2), not realizing its full security impact at the time.
Although those are no longer a part of Owl (not in Owl 1.1), we continue to maintain security hardening patches for Linux 2.2.x kernels and make them available for the public. Linux 2.2.x was affected by a variation of this vulnerability and thus, as a service to the community, we had included a workaround in Linux 2.2.25-ow2 patch. Linux 2.2.26 now includes the same change.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Red Hat Inc. Affected
Notified: March 10, 2004 Updated: March 11, 2004
Status
Affected
Vendor Statement
Updates to correct this issue were made available for Red Hat Linux and Red Hat Enterprise Linux. Users of the Red Hat Network can update their systems using the 'up2date' tool.
Red Hat Linux 9:
Red Hat Enterprise Linux 2.1:
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
SGI Affected
Notified: March 10, 2004 Updated: March 25, 2004
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Please see 20040204-01-U.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Slackware Affected
Updated: March 25, 2004
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Please see SSA:2004-049-01.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
SmoothWall Affected
Updated: March 11, 2004
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Please see SWL-2004:002.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
SuSE Inc. Affected
Notified: March 10, 2004 Updated: March 11, 2004
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Please see SuSE-SA:2004:005.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Sun Microsystems Inc. Affected
Notified: March 10, 2004 Updated: March 25, 2004
Status
Affected
Vendor Statement
The following Sun products are vulnerable.
Java Desktop System Version 2003.
A patch is available to customers via the on-line update mechanism in JDS. Please see http://wwws.sun.com/software/javadesktopsystem/update/index.html for further details.
Sun Cobalt legacy products:
RaQ4
RaQXTR
Qube3
RaQ550
Sun will be publishing Sun Alerts for this issue which will be available from the following location:
http://sunsolve.Sun.COM/pub-cgi/search.pl?mode=results&so=date&coll=fsalert&zone_32=category:security
The Sun Alerts will be updated with the patch information as soon as patches are available.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Trustix Affected
Updated: March 11, 2004
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Please see TSLSA-2004-0007 (Trustix 2.0, kernel 2.4.24) and TSLSA-2004-0008 (Trustix 1.5, kernel 2.2.25).
If you have feedback, comments, or additional information about this vulnerability, please send us email.
TurboLinux Affected
Notified: March 10, 2004 Updated: March 11, 2004
Status
Affected
Vendor Statement
This Vulnerability is fixed by TLSA-2004-7.
Please refer to
http://www.turbolinux.com/security/2004/TLSA-2004-7.txt
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Wirex Affected
Notified: March 10, 2004 Updated: March 11, 2004
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Please see IMNX-2004-7+-001-01.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Apple Computer Inc. Not Affected
Notified: March 10, 2004 Updated: March 11, 2004
Status
Not Affected
Vendor Statement
Apple: Not Vulnerable
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Fujitsu Not Affected
Notified: March 10, 2004 Updated: March 25, 2004
Status
Not Affected
Vendor Statement
Fujitsu's UXP/V o.s. is not affected by the problem in VU#981222 because it does not support the mremap.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
NetBSD Not Affected
Notified: March 10, 2004 Updated: March 25, 2004
Status
Not Affected
Vendor Statement
NetBSD is not affected.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Cray Inc. Unknown
Updated: March 11, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
EMC Corporation Unknown
Updated: March 11, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
FreeBSD Unknown
Updated: March 11, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Guardian Digital Inc. Unknown
Updated: March 11, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Hewlett-Packard Company Unknown
Updated: March 11, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Hitachi Unknown
Updated: March 11, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
IBM Unknown
Notified: March 10, 2004 Updated: March 25, 2004
Status
Unknown
Vendor Statement
IBM eServer Platform Response
For information related to this and other published CERT Advisories that may relate to the IBM eServer Platforms (xSeries, iSeries, pSeries, and zSeries) please go to https://app-06.www.ibm.com/servers/resourcelink/lib03020.nsf/pages/security=alerts?OpenDocument&pathID=
In order to access this information you will require a Resource Link ID. To subscribe to Resource Link go to http://app-06.www.ibm.com/servers/resourcelink and follow the steps for registration.
All questions should be reffered to servsec@us.ibm.com.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Ingrian Networks Unknown
Updated: March 11, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Juniper Networks Unknown
Updated: March 11, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
MontaVista Software Unknown
Updated: March 11, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
NEC Corporation Unknown
Updated: March 11, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Nokia Unknown
Updated: March 11, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Novell Unknown
Updated: March 11, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
OpenBSD Unknown
Updated: March 11, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
SCO Unknown
Updated: March 11, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Sequent Unknown
Updated: March 11, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Sony Corporation Unknown
Updated: March 11, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Unisys Unknown
Updated: March 11, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Wind River Systems Inc. Unknown
Updated: March 11, 2004
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
Acknowledgements
This vulnerability was researched and reported by Paul Starzetz of iSEC.
This document was written by Art Manion.
Other Information
| CVE IDs: | CVE-2004-0077 |
| Severity Metric: | 26.52 |
| Date Public: | 2004-02-18 |
| Date First Published: | 2004-03-10 |
| Date Last Updated: | 2004-03-25 17:10 UTC |
| Document Revision: | 26 |