__________________________________________________________

The U.S. Department of Energy
Computer Incident Advisory Capability
__________________________________________________________

INFORMATION BULLETIN

Kernel Security Update
[Red Hat RHSA-2005:472-05]

May 26, 2005 17:00 GMT                                            Number P-208
[REVISED 25 AUG 2005]
______________________________________________________________________________

PROBLEM:       There are several security issues in kernel packages:
               1) A flaw between execve() syscall handling and core dumping
                  of ELF-format executables;
               2) A flaw in shared memory locking; and
               3) A flaw in the locking of SysV IPC shared memory regions.

PLATFORM:      Red Hat Desktop (v. 3)
               Red Hat Enterprise Linux AS, ES, WS (v. 3)

DAMAGE:        Allowed local unprivileged users:
               1) to cause a denial of service (system crash) or possibly
                  gain privileges;
               2) to lock and unlock regions of shared memory segments they
                  did not own; and
               3) to bypass their RLIMIT_MEMLOCK resource limit.

SOLUTION:      Upgrade to the appropriate version.
______________________________________________________________________________

VULNERABILITY  The risk is MEDIUM. Allows local unprivileged users to possibly
ASSESSMENT:    gain privileges.
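To confirm that the SOLUTION above has taken effect, the running kernel can be compared against 2.4.21-32.0.1.EL, the build named in the advisory's updated packages. The sketch below is an added example, not code from CIAC or Red Hat; it approximates rpm's version ordering, and the flavour suffixes stripped from `uname -r` output, the function names and the sample strings are assumptions.

```python
import re

# Fixed build, taken from the updated package names in this advisory.
FIXED = "2.4.21-32.0.1.EL"
# Assumption: `uname -r` appends the kernel flavour to the release string.
FLAVOURS = ("smp", "hugemem", "BOOT")


def rpmvercmp(a, b):
    """Compare two version or release strings segment by segment, in the
    style of rpm's rpmvercmp (no epoch, tilde or caret handling)."""
    sa = re.findall(r"[0-9]+|[A-Za-z]+", a)
    sb = re.findall(r"[0-9]+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            # A numeric segment always sorts newer than an alphabetic one.
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    # Shared segments are equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def kernel_is_fixed(uname_r, fixed=FIXED):
    """True when a `uname -r` string is at or above the fixed build."""
    for flavour in FLAVOURS:
        if uname_r.endswith(flavour):
            uname_r = uname_r[: -len(flavour)]
            break
    ver, _, rel = uname_r.partition("-")
    fver, _, frel = fixed.partition("-")
    return (rpmvercmp(ver, fver) or rpmvercmp(rel, frel)) >= 0


# Constructed sample input: the first three builds appear in the bug list of
# this advisory, the others are made up to exercise the comparison.
SAMPLES = [
    "2.4.21-25.ELsmp",
    "2.4.21-27.EL",
    "2.4.21-27.0.2.ELsmp",
    "2.4.21-32.EL",
    "2.4.21-32.0.1.ELhugemem",
    "2.4.21-37.EL",
]


def triage(kernels):
    """Map each kernel string to 'fixed' or 'UPGRADE'."""
    return {k: "fixed" if kernel_is_fixed(k) else "UPGRADE" for k in kernels}


if __name__ == "__main__":
    for kernel, verdict in triage(SAMPLES).items():
        print(f"{verdict:8} {kernel}")
```

On a live host the input would be the output of `uname -r`; a newly installed kernel only counts once the system has rebooted into it.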
______________________________________________________________________________

LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/p-208.shtml
 ORIGINAL BULLETIN:  Red Hat RHSA-2005:472-05
                     https://rhn.redhat.com/errata/RHSA-2005-472.html
 ADDITIONAL LINKS:   Red Hat Security Advisory RHSA-2005:529-12
                     https://rhn.redhat.com/errata/RHSA-2005-529.html
                     Red Hat Security Advisory RHSA-2005:551-09
                     https://rhn.redhat.com/errata/RHSA-2005-551.html
 CVE/CAN:            http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
                     CAN-2004-0491 CAN-2004-0176 CAN-2005-1263
______________________________________________________________________________

REVISION HISTORY:
08/25/2005 - added links to Red Hat Security Advisories RHSA-2005:529-12 and
             RHSA-2005:551-09

[***** Start Red Hat RHSA-2005:472-05 *****]

Important: kernel security update

Advisory:             RHSA-2005:472-05
Type:                 Security Advisory
Issued on:            2005-05-25
Last updated on:      2005-05-25
Affected Products:    Red Hat Desktop (v. 3)
                      Red Hat Enterprise Linux AS (v. 3)
                      Red Hat Enterprise Linux ES (v. 3)
                      Red Hat Enterprise Linux WS (v. 3)
CVEs (cve.mitre.org): CAN-2004-0491
                      CAN-2005-0176
                      CAN-2005-1263

Details

Updated kernel packages that fix several security issues in the Red Hat
Enterprise Linux 3 kernel are now available.

This security advisory has been rated as having important security impact by
the Red Hat Security Response Team.

The Linux kernel handles the basic functions of the operating system.

These new kernel packages contain fixes for the three security issues
described below as well as an important fix for a problem that could lead to
data corruption on x86-architecture SMP systems with greater than 4GB of
memory through heavy usage of multi-threaded applications.

A flaw between execve() syscall handling and core dumping of ELF-format
executables allowed local unprivileged users to cause a denial of service
(system crash) or possibly gain privileges.
The Common Vulnerabilities and Exposures project has assigned the name
CAN-2005-1263 to this issue.

A flaw in shared memory locking allowed local unprivileged users to lock and
unlock regions of shared memory segments they did not own (CAN-2005-0176).

A flaw in the locking of SysV IPC shared memory regions allowed local
unprivileged users to bypass their RLIMIT_MEMLOCK resource limit
(CAN-2004-0491).

Note: The kernel-unsupported package contains various drivers and modules
that are unsupported and therefore might contain security problems that have
not been addressed.

All Red Hat Enterprise Linux 3 users are advised to upgrade their kernels to
the packages associated with their machine architectures and configurations
as listed in this erratum.

Please also consult the RHEL3 Update 5 advisory RHSA-2005:294 for the complete
list of features added and bugs fixed in U5, which was released only a week
prior to this security update.

Solution

Before applying this update, make sure that all previously released errata
relevant to your system have been applied. Use Red Hat Network to download
and update your packages. To launch the Red Hat Update Agent, use the
following command:

    up2date

For information on how to install packages manually, refer to the following
Web page for the System Administration or Customization guide specific to
your system:

http://www.redhat.com/docs/manuals/enterprise/

Updated packages

Red Hat Desktop (v. 3)
Red Hat Enterprise Linux AS (v. 3)
Red Hat Enterprise Linux ES (v. 3)
Red Hat Enterprise Linux WS (v. 3)

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

126411 - CAN-2004-0491 mlock accounting issue
141394 - Memory corruption with kernel 2.4.21-27.EL
141905 - kernel 2.4.21-25.ELsmp panic (kscand)
142802 - CAN-2005-0176 unlock someone elses ipc memory
149087 - Kernel panic regression in 2.4.21-27.0.2.ELsmp
157451 - CAN-2005-1263 Linux kernel ELF core dump crash vulnerability

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0491
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0176
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1263

Keywords

errata, kernel, security, taroon

--------------------------------------------------------------------------------

These packages are GPG signed by Red Hat for security. Our key and details on
how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at
http://www.redhat.com/security/team/contact/

[***** End Red Hat RHSA-2005:472-05 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California.
CIAC is also a founding member of FIRST, the Forum of Incident Response and
Security Teams, a global organization established to foster cooperation and
coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:

    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government or the University of California, and
shall not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

P-199: HP OpenView Event Correlation Services (OV ECS) Remote Unauthorized
       Privileged Code Execution, Denial of Service (DoS)
P-200: Apple Security Update 2005-005
CIACTech05-001: Operation of the Sinit/Calypso Worm
P-201: iTunes MPEG4 Parsing Buffer Overflow
P-202: Web View in Windows Explorer Vulnerability
P-203: Cisco FWSM TCP ACL Bypass Vulnerability
P-204: ncpfs Security Update
P-205: Mac OS X 10.4.1 Update
P-206: Mozilla & Firefox Security Update
P-207: Ethereal Security Update