__________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |    /_\   /
                          \___  __|__ /   \ \___
__________________________________________________________

                             INFORMATION BULLETIN

                Red Hat 'mremap()' function Vulnerability
        [RHSA-2003:417-08, RHSA-2003:418-04, RHSA-2003:419-05]

January 5, 2004 18:00 GMT                                         Number O-045
[REVISED 9 Jan 2004]
[REVISED 20 Jan 2004]
[REVISED 23 Jan 2004]
[REVISED 19 Feb 2004]
[REVISED 20 Feb 2004]
[REVISED 02 Mar 2004]
[REVISED 01 Apr 2004]
[REVISED 06 Apr 2004]
[REVISED 30 May 2006]
______________________________________________________________________________

PROBLEM:       A flaw in bounds checking in mremap() exists in Linux kernel
               versions 2.4.23 and earlier.

PLATFORM:      Red Hat Linux 7.1, 7.2, 7.3, 8.0, and 9
               Enterprise Linux AS (v2.1), ES (v2.1) and WS (v2.1)
               Enterprise Linux AS (v.3), ES (v. 3), and WS (v. 3)
               Debian GNU/Linux 3.0 alias (woody)
               Linux Advanced Workstation 2.1 for the Itanium Processor
               SGI (see SGI Security Advisories)

SOFTWARE:      Linux kernel versions 2.4.23 and earlier
               Linux kernel 2.4.17-ia64
               Linux kernel 2.4.17-hppa
               Linux kernel 2.4.18-hppa
               Linux kernel-2.4.19-mips
               Linux kernel-2.2.22-alpha
               Linux kernel 2.2.20-i386+m68k+powerpc

DAMAGE:        A local attacker could gain root privileges.

SOLUTION:      Install appropriate updated Red Hat kernel packages.
______________________________________________________________________________

VULNERABILITY  The risk is MEDIUM. No known exploit is available yet for local
ASSESSMENT:    attackers to gain root privileges.
______________________________________________________________________________

LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/o-045.shtml

 ORIGINAL BULLETINS: https://rhn.redhat.com/errata/RHSA-2003-417.html
                     https://rhn.redhat.com/errata/RHSA-2003-418.html
                     https://rhn.redhat.com/errata/RHSA-2003-419.html

 ADDITIONAL          - Red Hat RHSA-2003:416-09
 INFORMATION:          https://rhn.redhat.com/errata/RHSA-2003-416.html
                     - Debian Security Advisories
                       http://www.debian.org/security/2004/dsa-413
                       http://www.debian.org/security/2004/dsa-417
                       http://www.debian.org/security/2004/dsa-427
                       http://www.debian.org/security/2004/dsa-438
                       http://www.debian.org/security/2004/dsa-439
                       http://www.debian.org/security/2004/dsa-440
                       http://www.debian.org/security/2004/dsa-441
                       http://www.debian.org/security/2004/dsa-442
                       http://www.debian.org/security/2004/dsa-444
                       http://www.debian.org/security/2004/dsa-454
                       http://www.debian.org/security/2004/dsa-450
                       http://www.debian.org/security/2004/dsa-470
                       http://www.debian.org/security/2004/dsa-475
                       http://www.debian.org/security/2004/dsa-1082
                     - SGI Security Advisory 20040102-01-U
                       ftp://patches.sgi.com/support/free/security/advisories/20040102-01-U.asc
                     - SGI Security Advisory 20040204-01-U
                       ftp://patches.sgi.com/support/free/security/advisories/20040204-01-U.asc

 CVE/CAN:            http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0985
                     CAN-2004-0077
______________________________________________________________________________

REVISION HISTORY:
 1/9/04   - Add links for Debian Security Advisories DSA-413-1 for
            linux-kernel-2.4.18; and DSA-417-1 for
            linux-kernel-2.4.18-powerpc_alpha; and Red Hat RHSA-2003-416-09
            for Red Hat Enterprise Linux AS, ES, WS (v. 3).
 1/20/04  - Added link for Debian Security Advisory DSA-427-1 for
            linux-kernel-2.4.x and 2.6.x for the mips and mipsel architecture
            patches.
 1/23/04  - Added link for SGI Security Advisory 20040102-01-U for their SGI
            ProPack v2.3 patch release.
 02/19/04 - Added a link to Debian Security Advisories: DSA-439-1
            linux-kernel-2.4.16-arm; DSA-440-1
            linux-kernel-2.4.17-powerpc-apus; DSA-441-1
            linux-kernel-2.4.17-mips+mipsel; DSA-438-1
            linux-kernel-2.4.18-alpha+i386+powerpc.
 03/02/04 - Added links to the following newly released patches:
            - Debian Security Advisory DSA-442-1 Linux-kernel-2.4.17-s390
            - Debian Security Advisory DSA-450-1 Linux-kernel-2.4.19-mips
            - Debian Security Advisory DSA-454-1 Linux-kernel-2.2.22-alpha
            - SGI Security Advisory Number 20040204-01-U ProPack v2.4 Kernel
              fixes and Security Update
 04/01/04 - Added a link to Debian Security Advisory DSA-470-1 for
            linux-kernel-2.4.17-hppa for an upgrade fixing the flaw in bounds
            checking in mremap().
 04/06/04 - Added a link to Debian Security Advisory DSA-475-1 for
            linux-kernel-2.4.18-hppa for an upgrade fixing the flaw in bounds
            checking in mremap().
 05/30/06 - Added a link to Debian Security Advisory DSA-1082-1 for Debian
            GNU/Linux 3.0 alias woody.

[***** Start RHSA-2003:417-08 *****]

Updated kernel resolves security vulnerability

Advisory: RHSA-2003:417-08
Last updated on: 2004-01-05

Affected Products:
Red Hat Linux 7.1
Red Hat Linux 7.2
Red Hat Linux 7.3
Red Hat Linux 8.0
Red Hat Linux 9

CVEs (cve.mitre.org):
CAN-2003-0984
CAN-2003-0985

Security Advisory Details:

Updated kernel packages are now available that fix a security vulnerability
which may allow local users to gain root privileges.

The Linux kernel handles the basic functions of the operating system.

Paul Starzetz discovered a flaw in bounds checking in mremap() in the Linux
kernel versions 2.4.23 and previous which may allow a local attacker to gain
root privileges. No exploit is currently available; however, it is believed
that this issue is exploitable (although not trivially).

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the name CAN-2003-0985 to this issue.
All users are advised to upgrade to these errata packages, which contain a
backported security patch that corrects this issue.

Red Hat would like to thank Paul Starzetz from ISEC for disclosing this issue
as well as Andrea Arcangeli and Solar Designer for working on the patch.

These packages also contain a fix for a minor information leak in the real
time clock (rtc) routines. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2003-0984 to this issue.

We have provided kernel updates for Red Hat Linux 7.1-8.0 with this advisory
as these were prepared by us prior to December 31 2003. Please note that Red
Hat Linux 7.1, 7.2, 7.3, and 8.0 have reached their end of life for errata
support and no further errata will be issued for those distributions.

Updated packages:

Red Hat Linux 7.1
--------------------------------------------------------------------------------
SRPMS:
kernel-2.4.20-28.7.src.rpm
    6f37a0c884be50f702665dd418e7d8a5

athlon:
kernel-2.4.20-28.7.athlon.rpm
    85dabb948243fcd96fed1946217b3259
kernel-smp-2.4.20-28.7.athlon.rpm
    ba80fcbe3237ece886506446413d6330

i386:
kernel-2.4.20-28.7.i386.rpm
    a4b2cd2ad6acb98c045a0644add55ef8
kernel-BOOT-2.4.20-28.7.i386.rpm
    46cbf5df2050e923343be59c26eb5714
kernel-doc-2.4.20-28.7.i386.rpm
    9e64a9b15edc09d4a0f75513445f4021
kernel-source-2.4.20-28.7.i386.rpm
    dbc9c6aa900467f4182306545d3bed81

i586:
kernel-2.4.20-28.7.i586.rpm
    46325c861ee83b2f679b9f8563f2e441
kernel-smp-2.4.20-28.7.i586.rpm
    51ede5686dc0997c76a14d523e057e67

i686:
kernel-2.4.20-28.7.i686.rpm
    ab86ca21757966e2f49d58438b26253a
kernel-bigmem-2.4.20-28.7.i686.rpm
    78229375349f57c62f0f1837770cc3f0
kernel-smp-2.4.20-28.7.i686.rpm
    4321ad444747e8e3ebf6e7576b08d6db

Red Hat Linux 7.2
--------------------------------------------------------------------------------
SRPMS:
kernel-2.4.20-28.7.src.rpm
    6f37a0c884be50f702665dd418e7d8a5

athlon:
kernel-2.4.20-28.7.athlon.rpm
    85dabb948243fcd96fed1946217b3259
kernel-smp-2.4.20-28.7.athlon.rpm
    ba80fcbe3237ece886506446413d6330

i386:
kernel-2.4.20-28.7.i386.rpm
    a4b2cd2ad6acb98c045a0644add55ef8
kernel-BOOT-2.4.20-28.7.i386.rpm
    46cbf5df2050e923343be59c26eb5714
kernel-doc-2.4.20-28.7.i386.rpm
    9e64a9b15edc09d4a0f75513445f4021
kernel-source-2.4.20-28.7.i386.rpm
    dbc9c6aa900467f4182306545d3bed81

i586:
kernel-2.4.20-28.7.i586.rpm
    46325c861ee83b2f679b9f8563f2e441
kernel-smp-2.4.20-28.7.i586.rpm
    51ede5686dc0997c76a14d523e057e67

i686:
kernel-2.4.20-28.7.i686.rpm
    ab86ca21757966e2f49d58438b26253a
kernel-bigmem-2.4.20-28.7.i686.rpm
    78229375349f57c62f0f1837770cc3f0
kernel-smp-2.4.20-28.7.i686.rpm
    4321ad444747e8e3ebf6e7576b08d6db

Red Hat Linux 7.3
--------------------------------------------------------------------------------
SRPMS:
kernel-2.4.20-28.7.src.rpm
    6f37a0c884be50f702665dd418e7d8a5

athlon:
kernel-2.4.20-28.7.athlon.rpm
    85dabb948243fcd96fed1946217b3259
kernel-smp-2.4.20-28.7.athlon.rpm
    ba80fcbe3237ece886506446413d6330

i386:
kernel-2.4.20-28.7.i386.rpm
    a4b2cd2ad6acb98c045a0644add55ef8
kernel-BOOT-2.4.20-28.7.i386.rpm
    46cbf5df2050e923343be59c26eb5714
kernel-doc-2.4.20-28.7.i386.rpm
    9e64a9b15edc09d4a0f75513445f4021
kernel-source-2.4.20-28.7.i386.rpm
    dbc9c6aa900467f4182306545d3bed81

i586:
kernel-2.4.20-28.7.i586.rpm
    46325c861ee83b2f679b9f8563f2e441
kernel-smp-2.4.20-28.7.i586.rpm
    51ede5686dc0997c76a14d523e057e67

i686:
kernel-2.4.20-28.7.i686.rpm
    ab86ca21757966e2f49d58438b26253a
kernel-bigmem-2.4.20-28.7.i686.rpm
    78229375349f57c62f0f1837770cc3f0
kernel-smp-2.4.20-28.7.i686.rpm
    4321ad444747e8e3ebf6e7576b08d6db

Red Hat Linux 8.0
--------------------------------------------------------------------------------
SRPMS:
kernel-2.4.20-28.8.src.rpm
    7ff4997770e18fd8dfa94dde6ccd9f05

athlon:
kernel-2.4.20-28.8.athlon.rpm
    69096d7bf580f241c2774a75d19a4f6b
kernel-smp-2.4.20-28.8.athlon.rpm
    07cc69196376c7cbcad2c4a93aff0be0

i386:
kernel-2.4.20-28.8.i386.rpm
    a97ba9aea863b5b49f26259f105e8d8f
kernel-BOOT-2.4.20-28.8.i386.rpm
    ab4eac1f8c255a9d70808469e46e918c
kernel-doc-2.4.20-28.8.i386.rpm
    210eb290286bb696f94e9ebe5399d67e
kernel-source-2.4.20-28.8.i386.rpm
    312b7e646dc4825617d3a9b485957c67

i586:
kernel-2.4.20-28.8.i586.rpm
    90ddcdf7660107c2e297bd2531b4a544
kernel-smp-2.4.20-28.8.i586.rpm
    25692d7064ab7bc55a17c53ee24e9d3d

i686:
kernel-2.4.20-28.8.i686.rpm
    91ca2b2685cf6c5e0b8d1b9043865bea
kernel-bigmem-2.4.20-28.8.i686.rpm
    3fecc24946697e5dd0428df38cbb2198
kernel-smp-2.4.20-28.8.i686.rpm
    40d954506e1b0ad60c7f150d76872ec5

Red Hat Linux 9
--------------------------------------------------------------------------------
SRPMS:
kernel-2.4.20-28.9.src.rpm
    5eb1ef7c29f3bd5e3afb9c41d5f688e5

athlon:
kernel-2.4.20-28.9.athlon.rpm
    954a8afbe2216769a4aaa5b0b597612f
kernel-smp-2.4.20-28.9.athlon.rpm
    198dfae0a67d9aa91f367e90e1a264c7

i386:
kernel-2.4.20-28.9.i386.rpm
    a398b7f0a741ab95ab0b66929c48dc95
kernel-BOOT-2.4.20-28.9.i386.rpm
    e394c681c64e22a94ed22dd8a510aad0
kernel-doc-2.4.20-28.9.i386.rpm
    8355d266e3c354e97099add60ea25331
kernel-source-2.4.20-28.9.i386.rpm
    12ad6c3ad16ddee2ad6c3ba579005a9d

i586:
kernel-2.4.20-28.9.i586.rpm
    0047dac37b4f888e53b5b304524b795d
kernel-smp-2.4.20-28.9.i586.rpm
    08a3391dcb7f5532310ce234d2570bd0

i686:
kernel-2.4.20-28.9.i686.rpm
    6cdbe7002a6834dc1aa27cc5f47ba5a7
kernel-bigmem-2.4.20-28.9.i686.rpm
    3788274eba272ef23704bec4cb19e4af
kernel-smp-2.4.20-28.9.i686.rpm
    d9fe2e46b08f596e19a49ae724d2db5a

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs
which are currently installed will be updated. Those RPMs which are not
installed but included in the list will not be updated. Note that you can
also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

If up2date fails to connect to Red Hat Network due to SSL Certificate Errors,
you need to install a version of the up2date client with an updated
certificate.
The latest version of up2date is available from the Red Hat FTP site and may
also be downloaded directly from the RHN website:

https://rhn.redhat.com/help/latest-up2date.pxt

Bugs fixed: (see bugzilla for more information)

90338 - (TUX)password incorrectly parsed + patch to fix the problem

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0984
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0985
http://www.securityfocus.com/bid/9154/discussion/

----------------------------------------------------------------------------
The listed packages are GPG signed by Red Hat, Inc. for security. Our key is
available at:

http://www.redhat.com/solutions/security/news/publickey/#key

You can verify each package and see who signed it with the following command:

rpm --checksig -v filename

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:

md5sum filename

The Red Hat security contact is security@redhat.com. More contact details at
http://www.redhat.com/solutions/security/news/contact.html

Copyright © 2002 Red Hat, Inc. All rights reserved.

[***** End RHSA-2003:417-08 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat, Inc. for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.
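The checks the advisory's Solution section describes, scripted as an added POSIX sh example that is not part of the CIAC bulletin or of Red Hat's advisory. It assumes the downloaded packages sit in a directory passed as an argument; the MD5 sums embedded below are copied from the Red Hat Linux 9 i686 list above, while the kernel version strings fed to the demo are constructed. It also carries the caveat a practitioner needs here: Red Hat ships backported fixes, so the upstream number (2.4.20 in these packages) cannot distinguish a patched build from an unpatched one; compare the full version-release against the erratum's package instead.

```shell
#!/bin/sh
# Added example (not Red Hat's or CIAC's code): pre- and post-update checks
# for the mremap() erratum. Works offline; rpm is needed only by check_signature.

# Compare two version strings component by component, splitting on "." and
# "-" so "2.4.20-28.9" is compared as 2,4,20,28,9. Non-numeric parts count as
# 0. Returns 0 when $1 >= $2.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, /[.-]/); m = split(b, y, /[.-]/)
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            p = (i <= n) ? x[i] + 0 : 0
            q = (i <= m) ? y[i] + 0 : 0
            if (p > q) exit 0
            if (p < q) exit 1
        }
        exit 0
    }'
}

# Keep only the upstream kernel number: "2.4.20-28.9" -> "2.4.20".
upstream_version() { printf '%s\n' "$1" | sed 's/[^0-9.].*//'; }

# Returns 0 when the upstream version is 2.4.23 or earlier, the range the
# advisory names. This is a screening test only: a backported fix leaves the
# upstream number unchanged, so a hit here means "check the package release".
upstream_is_affected() { version_ge 2.4.23 "$(upstream_version "$1")"; }

# $1 = MD5 sum published in the advisory, $2 = downloaded file. Returns 0 on
# a match. An MD5 match proves the download is intact, not who built it.
md5_matches() {
    actual=$(md5sum "$2" | awk '{ print $1 }') || return 1
    [ "$actual" = "$1" ]
}

# Origin check exactly as the advisory describes (needs rpm and Red Hat's
# public key imported); not exercised offline.
check_signature() { rpm --checksig -v "$1"; }

# Sums copied from the advisory's "Red Hat Linux 9 / i686" list.
RHL9_I686_SUMS='
6cdbe7002a6834dc1aa27cc5f47ba5a7 kernel-2.4.20-28.9.i686.rpm
3788274eba272ef23704bec4cb19e4af kernel-bigmem-2.4.20-28.9.i686.rpm
d9fe2e46b08f596e19a49ae724d2db5a kernel-smp-2.4.20-28.9.i686.rpm
'

# Verify every listed package found in directory $1 and report each one.
# Returns the number of mismatches (0 means all files present verified).
verify_listed_packages() {
    dir=$1
    bad=0
    while read -r sum name; do
        [ -n "$name" ] || continue
        if [ ! -f "$dir/$name" ]; then
            echo "missing:  $name"
        elif md5_matches "$sum" "$dir/$name"; then
            echo "ok:       $name"
        else
            echo "MISMATCH: $name"
            bad=$((bad + 1))
        fi
    done <<EOF
$RHL9_I686_SUMS
EOF
    return "$bad"
}

# Demo (constructed inputs): sh this_script.sh --demo /path/to/downloads
if [ "${1:-}" = "--demo" ]; then
    fixed=2.4.20-28.9                       # erratum package for Red Hat Linux 9
    for k in 2.4.20-20.9 2.4.20-28.9 2.4.24; do
        if ! upstream_is_affected "$k"; then
            echo "$k: upstream version is past 2.4.23"
        elif version_ge "$k" "$fixed"; then
            echo "$k: upstream in range, but release is at or past $fixed (backported fix)"
        else
            echo "$k: upstream in range and release older than $fixed; update"
        fi
    done
    verify_listed_packages "${2:-.}"
fi
```

Run it with `--demo` and a download directory; on a live system feed `uname -r` to the same two checks, and run `check_signature` on each package before `rpm -Fvh`, since the MD5 list only establishes integrity.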
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:  http://www.ciac.org/
   Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency
of the United States Government. Neither the United States Government
nor the University of California nor any of their employees, makes any
warranty, express or implied, or assumes any legal liability or
responsibility for the accuracy, completeness, or usefulness of any
information, apparatus, product, or process disclosed, or represents
that its use would not infringe privately owned rights. Reference herein
to any specific commercial products, process, or service by trade name,
trademark, manufacturer, or otherwise, does not necessarily constitute
or imply its endorsement, recommendation or favoring by the United
States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government or the University of California,
and shall not be used for advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

O-035: Sun 'dtprintinfo(1)' CDE Print Viewer Vulnerability
O-036: CISCO Authentication Library in ACNS Vulnerability
O-037: Red Hat GnuPG Packages ElGamal Keys Vulnerability
O-038: CISCO Unity Vulnerabilities on IBM-based Servers
O-039: CISCO FWSM Vulnerabilities
O-040: CISCO PIX Vulnerabilities
O-041: Sun 'lpstat' Printing Vulnerability
O-042: Red Hat 'lftp' Buffer Overflow Vulnerability
O-043: Red Hat Updated Kernel Packages
O-044: Sun Security Issue Involving the tcsh(1) ls-F Builtin on Solaris 8