CVE-2004-0883
CVSS6.4
发布时间 :2005-01-10 00:00:00
修订时间 :2016-10-17 22:49:39
NMCOPS    

[原文]Multiple vulnerabilities in the samba filesystem (smbfs) in Linux kernel 2.4 and 2.6 allow remote samba servers to cause a denial of service (crash) or gain sensitive information from kernel memory via a samba server (1) returning more data than requested to the smb_proc_read function, (2) returning a data offset from outside the samba packet to the smb_proc_readX function, (3) sending a certain TRANS2 fragmented packet to the smb_receive_trans2 function, (4) sending a samba packet with a certain header size to the smb_proc_readX_data function, or (5) sending a certain packet based offset for the data in a packet to the smb_receive_trans2 function.


[CNNVD]Linux smbfs 多个 远程拒绝服务漏洞(CNNVD-200501-063)

        Linux Kernel smbfs是Linux内核支持的文件系统,用于共享应用。
        Linux Kernel 2.4及2.6中的smbfs存在多个漏洞,可导致拒绝服务或信息泄露。
        远程samba服务器可通过多种方式实施攻击,包括(1)返回远超过所请求的数据给smb_proc_read函数;(2)返回一个包含offset的samba包给smb_proc_readX函数;(3)发送一个特殊构造的TRANS2碎片包给smb_receive_trans2函数(4) 发送一个包含特殊头长度信息的samba包给smb_proc_readX_data函数;(5)发送一个特定offset的数据包给smb_receive_trans2函数。

- CVSS (基础分值)

CVSS分值: 6.4 [中等(MEDIUM)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

cpe:/o:trustix:secure_linux:1.5Trustix Secure Linux 1.5
cpe:/o:redhat:enterprise_linux:3.0::enterprise_server
cpe:/o:linux:linux_kernel:2.6.0:test4Linux Kernel 2.6 test4
cpe:/o:redhat:fedora_core:core_2.0
cpe:/o:linux:linux_kernel:2.6.0:test5Linux Kernel 2.6 test5
cpe:/o:linux:linux_kernel:2.6.0:test2Linux Kernel 2.6 test2
cpe:/o:linux:linux_kernel:2.6.0:test3Linux Kernel 2.6 test3
cpe:/o:linux:linux_kernel:2.6.0:test8Linux Kernel 2.6 test8
cpe:/o:linux:linux_kernel:2.6.0:test9Linux Kernel 2.6 test9
cpe:/o:linux:linux_kernel:2.6.0:test6Linux Kernel 2.6 test6
cpe:/o:linux:linux_kernel:2.6.0:test7Linux Kernel 2.6 test7
cpe:/o:linux:linux_kernel:2.4.1Linux Kernel 2.4.1
cpe:/o:linux:linux_kernel:2.4.0Linux Kernel 2.4.0
cpe:/o:linux:linux_kernel:2.4.5Linux Kernel 2.4.5
cpe:/o:linux:linux_kernel:2.4.4Linux Kernel 2.4.4
cpe:/o:linux:linux_kernel:2.4.18::x86
cpe:/o:linux:linux_kernel:2.4.3Linux Kernel 2.4.3
cpe:/o:linux:linux_kernel:2.4.2Linux Kernel 2.4.2
cpe:/o:linux:linux_kernel:2.6.0:test11Linux Kernel 2.6 test11
cpe:/o:linux:linux_kernel:2.6.0:test1Linux Kernel 2.6 test1
cpe:/o:linux:linux_kernel:2.6.0:test10Linux Kernel 2.6 test10
cpe:/o:linux:linux_kernel:2.6.9:2.6.20
cpe:/o:suse:suse_linux:9.0SuSE SuSE Linux 9.0
cpe:/o:redhat:linux_advanced_workstation:2.1::itanium_processor
cpe:/o:suse:suse_linux:9.2SuSE SuSE Linux 9.2
cpe:/o:suse:suse_linux:9.0::enterprise_server
cpe:/o:suse:suse_linux:9.1SuSE SuSE Linux 9.1
cpe:/o:linux:linux_kernel:2.6.8Linux Kernel 2.6.8
cpe:/o:linux:linux_kernel:2.6.1:rc2Linux Kernel 2.6.1 Release Candidate 2
cpe:/o:redhat:enterprise_linux:2.1::advanced_server_ia64
cpe:/o:linux:linux_kernel:2.6.1:rc1Linux Kernel 2.6.1 Release Candidate 1
cpe:/o:ubuntu:ubuntu_linux:4.1::ia64
cpe:/o:redhat:enterprise_linux:3.0::workstation_server
cpe:/o:redhat:enterprise_linux:2.1::workstation
cpe:/o:redhat:enterprise_linux_desktop:3.0Red Hat Desktop 3.0
cpe:/o:linux:linux_kernel:2.6.6:rc1Linux Kernel 2.6.6 Release Candidate 1
cpe:/o:linux:linux_kernel:2.6.7:rc1Linux Kernel 2.6.7 Release Candidate 1
cpe:/o:linux:linux_kernel:2.6.8:rc1Linux Kernel 2.6.8 Release Candidate 1
cpe:/o:linux:linux_kernel:2.6.8:rc2Linux Kernel 2.6.8 Release Candidate 2
cpe:/o:linux:linux_kernel:2.6.8:rc3Linux Kernel 2.6.8 Release Candidate 3
cpe:/o:linux:linux_kernel:2.4.0:test2Linux Kernel 2.4.0 test2
cpe:/o:linux:linux_kernel:2.4.0:test3Linux Kernel 2.4.0 test3
cpe:/o:linux:linux_kernel:2.4.0:test8Linux Kernel 2.4.0 test8
cpe:/o:linux:linux_kernel:2.4.23_ow2
cpe:/o:linux:linux_kernel:2.4.0:test9Linux Kernel 2.4.0 test9
cpe:/o:linux:linux_kernel:2.4.0:test6Linux Kernel 2.4.0 test6
cpe:/o:linux:linux_kernel:2.4.0:test7Linux Kernel 2.4.0 test7
cpe:/o:linux:linux_kernel:2.6.7Linux Kernel 2.6.7
cpe:/o:linux:linux_kernel:2.6.6Linux Kernel 2.6.6
cpe:/o:linux:linux_kernel:2.6.5Linux Kernel 2.6.5
cpe:/o:linux:linux_kernel:2.6.4Linux Kernel 2.6.4
cpe:/o:redhat:enterprise_linux:2.1::advanced_server
cpe:/o:linux:linux_kernel:2.4.27:pre5Linux Kernel 2.4.27 pre5
cpe:/o:linux:linux_kernel:2.4.27:pre3Linux Kernel 2.4.27 pre3
cpe:/o:linux:linux_kernel:2.4.0:test4Linux Kernel 2.4.0 test4
cpe:/o:linux:linux_kernel:2.4.0:test5Linux Kernel 2.4.0 test5
cpe:/o:linux:linux_kernel:2.6.3Linux Kernel 2.6.3
cpe:/o:linux:linux_kernel:2.6.2Linux Kernel 2.6.2
cpe:/o:linux:linux_kernel:2.4.27:pre4Linux Kernel 2.4.27 pre4
cpe:/o:linux:linux_kernel:2.4.21:pre4Linux Kernel 2.4.21 pre4
cpe:/o:linux:linux_kernel:2.6.1Linux Kernel 2.6.1
cpe:/o:linux:linux_kernel:2.6.0Linux Kernel 2.6.0
cpe:/o:linux:linux_kernel:2.4.21:pre7Linux Kernel 2.4.21 pre7
cpe:/o:linux:linux_kernel:2.4.23:pre9Linux Kernel 2.4.23 pre9
cpe:/o:linux:linux_kernel:2.4.0:test12Linux Kernel 2.4.0 test12
cpe:/o:linux:linux_kernel:2.4.0:test11Linux Kernel 2.4.0 test11
cpe:/o:linux:linux_kernel:2.4.0:test1Linux Kernel 2.4.0 test1
cpe:/o:ubuntu:ubuntu_linux:4.1::ppc
cpe:/o:redhat:enterprise_linux:2.1::workstation_ia64
cpe:/o:redhat:linux_advanced_workstation:2.1::ia64
cpe:/o:linux:linux_kernel:2.4.0:test10Linux Kernel 2.4.0 test10
cpe:/o:suse:suse_linux:8::enterprise_server
cpe:/o:redhat:enterprise_linux:3.0::advanced_server
cpe:/o:redhat:enterprise_linux:2.1::enterprise_server
cpe:/o:linux:linux_kernel:2.4.24_ow1
cpe:/o:suse:suse_linux:1.0::desktop
cpe:/o:linux:linux_kernel:2.4.12Linux Kernel 2.4.12
cpe:/o:suse:suse_linux:9.0::x86_64
cpe:/o:trustix:secure_linux:2.2Trustix Secure Linux 2.2
cpe:/o:linux:linux_kernel:2.4.11Linux Kernel 2.4.11
cpe:/o:linux:linux_kernel:2.4.18:pre1Linux Kernel 2.4.18 pre1
cpe:/o:linux:linux_kernel:2.4.18:pre2Linux Kernel 2.4.18 pre2
cpe:/o:trustix:secure_linux:2.1Trustix Secure Linux 2.1
cpe:/o:linux:linux_kernel:2.4.19:pre1Linux Kernel 2.4.19 pre1
cpe:/o:trustix:secure_linux:2.0Trustix Secure Linux 2.0
cpe:/o:linux:linux_kernel:2.4.19:pre2Linux Kernel 2.4.19 pre2
cpe:/o:redhat:fedora_core:core_3.0
cpe:/o:linux:linux_kernel:2.4.19Linux Kernel 2.4.19
cpe:/o:linux:linux_kernel:2.4.14Linux Kernel 2.4.14
cpe:/o:linux:linux_kernel:2.4.13Linux Kernel 2.4.13
cpe:/o:linux:linux_kernel:2.4.16Linux Kernel 2.4.16
cpe:/o:linux:linux_kernel:2.4.15Linux Kernel 2.4.15
cpe:/o:linux:linux_kernel:2.4.10Linux Kernel 2.4.10
cpe:/o:linux:linux_kernel:2.4.18Linux Kernel 2.4.18
cpe:/o:linux:linux_kernel:2.4.17Linux Kernel 2.4.17
cpe:/o:linux:linux_kernel:2.4.18:pre6Linux Kernel 2.4.18 pre6
cpe:/o:linux:linux_kernel:2.4.18:pre3Linux Kernel 2.4.18 pre3
cpe:/o:linux:linux_kernel:2.4.27:pre1Linux Kernel 2.4.27 pre1
cpe:/o:linux:linux_kernel:2.4.18:pre4Linux Kernel 2.4.18 pre4
cpe:/o:linux:linux_kernel:2.4.19:pre5Linux Kernel 2.4.19 pre5
cpe:/o:linux:linux_kernel:2.4.27:pre2Linux Kernel 2.4.27 pre2
cpe:/o:linux:linux_kernel:2.4.19:pre6Linux Kernel 2.4.19 pre6
cpe:/o:linux:linux_kernel:2.4.21:pre1Linux Kernel 2.4.21 pre1
cpe:/o:linux:linux_kernel:2.4.19:pre3Linux Kernel 2.4.19 pre3
cpe:/o:linux:linux_kernel:2.4.18:pre7Linux Kernel 2.4.18 pre7
cpe:/o:linux:linux_kernel:2.4.19:pre4Linux Kernel 2.4.19 pre4
cpe:/o:linux:linux_kernel:2.4.18:pre8Linux Kernel 2.4.18 pre8
cpe:/o:linux:linux_kernel:2.4.23Linux Kernel 2.4.23
cpe:/o:linux:linux_kernel:2.4.22Linux Kernel 2.4.22
cpe:/o:redhat:enterprise_linux:2.1::enterprise_server_ia64
cpe:/o:linux:linux_kernel:2.4.18:pre5Linux Kernel 2.4.18 pre5
cpe:/o:linux:linux_kernel:2.4.25Linux Kernel 2.4.25
cpe:/o:suse:suse_linux:8.1SuSE SuSE Linux 8.1
cpe:/o:linux:linux_kernel:2.4.24Linux Kernel 2.4.24
cpe:/o:linux:linux_kernel:2.4.27Linux Kernel 2.4.27
cpe:/o:linux:linux_kernel:2.4.26Linux Kernel 2.4.26
cpe:/o:linux:linux_kernel:2.4.21Linux Kernel 2.4.21
cpe:/o:linux:linux_kernel:2.4.20Linux Kernel 2.4.20
cpe:/o:linux:linux_kernel:2.6_test9_cvs
cpe:/o:linux:linux_kernel:2.4.9Linux Kernel 2.4.9
cpe:/o:linux:linux_kernel:2.4.8Linux Kernel 2.4.8
cpe:/o:linux:linux_kernel:2.4.7Linux Kernel 2.4.7
cpe:/o:linux:linux_kernel:2.4.6Linux Kernel 2.4.6
cpe:/o:suse:suse_linux:8.2SuSE SuSE Linux 8.2

- OVAL (用于检测的技术细节)

oval:org.mitre.oval:def:10330Multiple vulnerabilities in the samba filesystem (smbfs) in Linux kernel 2.4 and 2.6 allow remote samba servers to cause a denial of service...
*OVAL详细的描述了检测该漏洞的方法,你可以从相关的OVAL定义中找到更多检测该漏洞的技术细节。

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0883
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0883
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200501-063
(官方数据源) CNNVD

- 其它链接及资源

http://marc.info/?l=bugtraq&m=110072140811965&w=2
(UNKNOWN)  BUGTRAQ  20041117 Advisory 14/2004: Linux 2.x smbfs multiple remote vulnerabilities
http://marc.info/?l=bugtraq&m=110082989725345&w=2
(UNKNOWN)  BUGTRAQ  20041118 [USN-30-1] Linux kernel vulnerabilities
http://security.e-matters.de/advisories/142004.html
(UNKNOWN)  MISC  http://security.e-matters.de/advisories/142004.html
http://www.debian.org/security/2006/dsa-1067
(UNKNOWN)  DEBIAN  DSA-1067
http://www.debian.org/security/2006/dsa-1069
(UNKNOWN)  DEBIAN  DSA-1069
http://www.debian.org/security/2006/dsa-1070
(UNKNOWN)  DEBIAN  DSA-1070
http://www.debian.org/security/2006/dsa-1082
(UNKNOWN)  DEBIAN  DSA-1082
http://www.kb.cert.org/vuls/id/726198
(UNKNOWN)  CERT-VN  VU#726198
http://www.mandriva.com/security/advisories?name=MDKSA-2005:022
(UNKNOWN)  MANDRAKE  MDKSA-2005:022
http://www.redhat.com/support/errata/RHSA-2004-504.html
(UNKNOWN)  REDHAT  RHSA-2004:504
http://www.redhat.com/support/errata/RHSA-2004-505.html
(UNKNOWN)  REDHAT  RHSA-2004:505
http://www.redhat.com/support/errata/RHSA-2004-537.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2004:537
http://www.securityfocus.com/bid/11695
(VENDOR_ADVISORY)  BID  11695
http://xforce.iss.net/xforce/xfdb/18134
(UNKNOWN)  XF  linux-smb-response-dos(18134)
http://xforce.iss.net/xforce/xfdb/18135
(VENDOR_ADVISORY)  XF  linux-smbprocreadxdata-dos(18135)
http://xforce.iss.net/xforce/xfdb/18136
(UNKNOWN)  XF  linux-smbreceivetrans2-dos(18136)
https://bugzilla.fedora.us/show_bug.cgi?id=2336
(UNKNOWN)  FEDORA  FLSA:2336

- 漏洞信息

Linux smbfs 多个 远程拒绝服务漏洞
中危 设计错误
2005-01-10 00:00:00 2005-10-20 00:00:00
远程※本地  
        Linux Kernel smbfs是Linux内核支持的文件系统,用于共享应用。
        Linux Kernel 2.4及2.6中的smbfs存在多个漏洞,可导致拒绝服务或信息泄露。
        远程samba服务器可通过多种方式实施攻击,包括(1)返回远超过所请求的数据给smb_proc_read函数;(2)返回一个包含offset的samba包给smb_proc_readX函数;(3)发送一个特殊构造的TRANS2碎片包给smb_receive_trans2函数(4) 发送一个包含特殊头长度信息的samba包给smb_proc_readX_data函数;(5)发送一个特定offset的数据包给smb_receive_trans2函数。

- 公告与补丁

        目前厂商已经发布了升级补丁以修复此安全问题,补丁获取链接:
        http://www.kernel.org/

- 漏洞信息 (F46509)

Debian Linux Security Advisory 1070-1 (PacketStormID:F46509)
2006-05-22 00:00:00
Debian,Dann Frazier  debian.org
advisory,remote,denial of service,arbitrary,kernel,local,vulnerability
linux,debian
CVE-2004-0427,CVE-2005-0489,CVE-2004-0394,CVE-2004-0447,CVE-2004-0554,CVE-2004-0565,CVE-2004-0685,CVE-2005-0001,CVE-2004-0883,CVE-2004-0949,CVE-2004-1016,CVE-2004-1333,CVE-2004-0997,CVE-2004-1335,CVE-2004-1017,CVE-2005-0124,CVE-2005-0528,CVE-2003-0984
[点击下载]

Debian Security Advisory 1070-1 - Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1070-1                    security@debian.org
http://www.debian.org/security/               Martin Schulze, Dann Frazier
May 21th, 2006                          http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : kernel-source-2.4.19,kernel-image-sparc-2.4,kernel-patch-2.4.19-mips
Vulnerability  : several
Problem-Type   : local/remote
Debian-specific: no
CVE IDs        : CVE-2004-0427 CVE-2005-0489 CVE-2004-0394 CVE-2004-0447 CVE-2004-0554 CVE-2004-0565 CVE-2004-0685  CVE-2005-0001 CVE-2004-0883 CVE-2004-0949 CVE-2004-1016 CVE-2004-1333 CVE-2004-0997 CVE-2004-1335 CVE-2004-1017 CVE-2005-0124 CVE-2005-0528 CVE-2003-0984 CVE-2004-1070 CVE-2004-1071 CVE-2004-1072 CVE-2004-1073 CVE-2004-1074 CVE-2004-0138 CVE-2004-1068 CVE-2004-1234 CVE-2005-0003 CVE-2004-1235 CVE-2005-0504 CVE-2005-0384 CVE-2005-0135

Several local and remote vulnerabilities have been discovered in the Linux
kernel that may lead to a denial of service or the execution of arbitrary
code. The Common Vulnerabilities and Exposures project identifies the
following problems:


 CVE-2004-0427

     A local denial of service vulnerability in do_fork() has been found.     

 CVE-2005-0489

     A local denial of service vulnerability in proc memory handling has
     been found.

 CVE-2004-0394

     A buffer overflow in the panic handling code has been found.

 CVE-2004-0447

     A local denial of service vulnerability through a null pointer
     dereference in the IA64 process handling code has been found.

 CVE-2004-0554

     A local denial of service vulnerability through an infinite loop in
     the signal handler code has been found.

 CVE-2004-0565

     An information leak in the context switch code has been found on
     the IA64 architecture.

 CVE-2004-0685

     Unsafe use of copy_to_user in USB drivers may disclose sensitive
     information.

 CVE-2005-0001

     A race condition in the i386 page fault handler may allow privilege
     escalation.

 CVE-2004-0883

     Multiple vulnerabilities in the SMB filesystem code may allow denial
     of service of information disclosure.

 CVE-2004-0949

     An information leak discovered in the SMB filesystem code.

 CVE-2004-1016

     A local denial of service vulnerability has been found in the SCM layer.

 CVE-2004-1333

     An integer overflow in the terminal code may allow a local denial of
     service vulnerability.

 CVE-2004-0997

     A local privilege escalation in the MIPS assembly code has been found.
 
 CVE-2004-1335
 
     A memory leak in the ip_options_get() function may lead to denial of
     service.
      
 CVE-2004-1017

     Multiple overflows exist in the io_edgeport driver which might be usable
     as a denial of service attack vector.
 
 CVE-2005-0124

     Bryan Fulton reported a bounds checking bug in the coda_pioctl function
     which may allow local users to execute arbitrary code or trigger a denial
     of service attack.

 CVE-2005-0528

     A local privilege escalation in the mremap function has been found

 CVE-2003-0984

     Inproper initialization of the RTC may disclose information.

 CVE-2004-1070

     Insufficient input sanitising in the load_elf_binary() function may
     lead to privilege escalation.

 CVE-2004-1071

     Incorrect error handling in the binfmt_elf loader may lead to privilege
     escalation.

 CVE-2004-1072

     A buffer overflow in the binfmt_elf loader may lead to privilege
     escalation or denial of service.

 CVE-2004-1073

     The open_exec function may disclose information.

 CVE-2004-1074

     The binfmt code is vulnerable to denial of service through malformed
     a.out binaries.

 CVE-2004-0138

     A denial of service vulnerability in the ELF loader has been found.

 CVE-2004-1068

     A programming error in the unix_dgram_recvmsg() function may lead to
     privilege escalation.

 CVE-2004-1234

     The ELF loader is vulnerable to denial of service through malformed
     binaries.

 CVE-2005-0003

     Crafted ELF binaries may lead to privilege escalation, due to 
     insufficient checking of overlapping memory regions.

 CVE-2004-1235

     A race condition in the load_elf_library() and binfmt_aout() functions
     may allow privilege escalation.

 CVE-2005-0504

     An integer overflow in the Moxa driver may lead to privilege escalation.

 CVE-2005-0384

     A remote denial of service vulnerability has been found in the PPP
     driver.

 CVE-2005-0135

     An IA64 specific local denial of service vulnerability has been found
     in the unw_unwind_to_user() function.

The following matrix explains which kernel version for which architecture
fix the problems mentioned above:

                                     Debian 3.0 (woody)
     Source                          2.4.19-4
     Sun Sparc architecture          26woody1
     Little endian MIPS architecture 0.020911.1.woody5


We recommend that you upgrade your kernel package immediately and reboot
the machine.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get dist-upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/k/kernel-image-sparc-2.4/kernel-image-sparc-2.4_26woody1.dsc
      Size/MD5 checksum:      692 27f44a0eec5837b0b01d26c6cff392be
    http://security.debian.org/pool/updates/main/k/kernel-image-sparc-2.4/kernel-image-sparc-2.4_26woody1.tar.gz
      Size/MD5 checksum:    27768 6c719a6343c9ea0dad44a736b3842504
    http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.19-mips/kernel-patch-2.4.19-mips_2.4.19-0.020911.1.woody5.dsc
      Size/MD5 checksum:      792 d7c89c90fad77944ca1c5a18327f31dd
    http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.19-mips/kernel-patch-2.4.19-mips_2.4.19-0.020911.1.woody5.tar.gz
      Size/MD5 checksum:  1013866 21b4b677a7a319442c8fe8a4c72eb4c2
    http://security.debian.org/pool/updates/main/k/kernel-source-2.4.19/kernel-source-2.4.19_2.4.19-4.woody3.dsc
      Size/MD5 checksum:      672 4c353db091e8edc4395e46cf8d39ec42
    http://security.debian.org/pool/updates/main/k/kernel-source-2.4.19/kernel-source-2.4.19_2.4.19-4.woody3.diff.gz
      Size/MD5 checksum:    71071 7012adde9ba9a573e1be66f0d258721a
    http://security.debian.org/pool/updates/main/k/kernel-source-2.4.19/kernel-source-2.4.19_2.4.19.orig.tar.gz
      Size/MD5 checksum: 32000211 237896fbb45ae652cc9c5cecc9b746da

  Architecture independent components:

    http://security.debian.org/pool/updates/main/k/kernel-image-sparc-2.4/kernel-headers-2.4.18-sparc_22woody1_all.deb
      Size/MD5 checksum:  1521850 75d23c7c54094b1d25d3b708fd644407
    http://security.debian.org/pool/updates/main/k/kernel-image-sparc-2.4/kernel-headers-2.4.19-sparc_26woody1_all.deb
      Size/MD5 checksum:  1547874 c6881b25e3a5967e0f6f9c351fb88962
    http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.19-mips/kernel-patch-2.4.19-mips_2.4.19-0.020911.1.woody5_all.deb
      Size/MD5 checksum:  1014564 0e89364c2816f5f4519256a8ea367ab6
    http://security.debian.org/pool/updates/main/k/kernel-source-2.4.19/kernel-doc-2.4.19_2.4.19-4.woody3_all.deb
      Size/MD5 checksum:  1785490 c66cef9e87d9a89caeee02af31e3c96d
    http://security.debian.org/pool/updates/main/k/kernel-source-2.4.19/kernel-source-2.4.19_2.4.19-4.woody3_all.deb
      Size/MD5 checksum: 25902158 321403201a198371fd55c9b8ac4583f7

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/k/kernel-image-sparc-2.4/kernel-image-2.4.18-sun4u_22woody1_sparc.deb
      Size/MD5 checksum:  3923058 db7bbd997410667bec4ac713d81d60ea
    http://security.debian.org/pool/updates/main/k/kernel-image-sparc-2.4/kernel-image-2.4.18-sun4u-smp_22woody1_sparc.deb
      Size/MD5 checksum:  4044796 106fcb86485531d96b4fdada61b71405
    http://security.debian.org/pool/updates/main/k/kernel-image-sparc-2.4/kernel-image-2.4.19-sun4u_26woody1_sparc.deb
      Size/MD5 checksum:  3831424 347b0c290989f0cc99f3b336c156f61d
    http://security.debian.org/pool/updates/main/k/kernel-image-sparc-2.4/kernel-image-2.4.19-sun4u-smp_26woody1_sparc.deb
      Size/MD5 checksum:  3952220 f7dd8326c0ae0b0dee7c46e24023d0a2

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.19-mips/kernel-headers-2.4.19_2.4.19-0.020911.1.woody5_mips.deb
      Size/MD5 checksum:  3890804 7348a8cd3961190aa2a19f562c96fe2f
    http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.19-mips/kernel-image-2.4.19-r4k-ip22_2.4.19-0.020911.1.woody5_mips.deb
      Size/MD5 checksum:  2080618 d52d00e7097ae0c8f4ccb6f34656361d
    http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.19-mips/kernel-image-2.4.19-r5k-ip22_2.4.19-0.020911.1.woody5_mips.deb
      Size/MD5 checksum:  2080830 db7141d3c0d86a43659176f974599cc2
    http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.19-mips/mips-tools_2.4.19-0.020911.1.woody5_mips.deb
      Size/MD5 checksum:    15816 c31e3b72d6eac6f3f99f75ea838e0bf9

  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEcAc/Xm3vHE4uyloRAtGHAJoC9+1ELp5vTYgL4SDsNOIndI5rqQCePabu
rmancVBp6F2Nfh1PHQQrOTk=
=7GeM
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
    

- 漏洞信息 (F46508)

Debian Linux Security Advisory 1069-1 (PacketStormID:F46508)
2006-05-22 00:00:00
Debian,Dann Frazier  debian.org
advisory,remote,denial of service,arbitrary,kernel,local,vulnerability
linux,debian
CVE-2004-0427,CVE-2005-0489,CVE-2004-0394,CVE-2004-0447,CVE-2004-0554,CVE-2004-0565,CVE-2004-0685,CVE-2005-0001,CVE-2004-0883,CVE-2004-0949,CVE-2004-1016,CVE-2004-1333,CVE-2004-0997,CVE-2004-1335,CVE-2004-1017,CVE-2005-0124,CVE-2005-0528,CVE-2003-0984
[点击下载]

Debian Security Advisory 1069-1 - Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1069-1                    security@debian.org
http://www.debian.org/security/               Martin Schulze, Dann Frazier
May 20th, 2006                          http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : kernel-source-2.4.18,kernel-image-2.4.18-1-alpha,kernel-image-2.4.18-1-i386,kernel-image-2.4.18-hppa,kernel-image-2.4.18-powerpc-xfs,kernel-patch-2.4.18-powerpc,kernel-patch-benh
Vulnerability  : several
Problem-Type   : local/remote
Debian-specific: no
CVE IDs        : CVE-2004-0427 CVE-2005-0489 CVE-2004-0394 CVE-2004-0447 CVE-2004-0554 CVE-2004-0565 CVE-2004-0685  CVE-2005-0001 CVE-2004-0883 CVE-2004-0949 CVE-2004-1016 CVE-2004-1333 CVE-2004-0997 CVE-2004-1335 CVE-2004-1017 CVE-2005-0124 CVE-2005-0528 CVE-2003-0984 CVE-2004-1070 CVE-2004-1071 CVE-2004-1072 CVE-2004-1073 CVE-2004-1074 CVE-2004-0138 CVE-2004-1068 CVE-2004-1234 CVE-2005-0003 CVE-2004-1235 CVE-2005-0504 CVE-2005-0384 CVE-2005-0135

Several local and remote vulnerabilities have been discovered in the Linux
kernel that may lead to a denial of service or the execution of arbitrary
code. The Common Vulnerabilities and Exposures project identifies the
following problems:


 CVE-2004-0427

     A local denial of service vulnerability in do_fork() has been found.     

 CVE-2005-0489

     A local denial of service vulnerability in proc memory handling has
     been found.

 CVE-2004-0394

     A buffer overflow in the panic handling code has been found.

 CVE-2004-0447

     A local denial of service vulnerability through a null pointer
     dereference in the IA64 process handling code has been found.

 CVE-2004-0554

     A local denial of service vulnerability through an infinite loop in
     the signal handler code has been found.

 CVE-2004-0565

     An information leak in the context switch code has been found on
     the IA64 architecture.

 CVE-2004-0685

     Unsafe use of copy_to_user in USB drivers may disclose sensitive
     information.

 CVE-2005-0001

     A race condition in the i386 page fault handler may allow privilege
     escalation.

 CVE-2004-0883

     Multiple vulnerabilities in the SMB filesystem code may allow denial
     of service of information disclosure.

 CVE-2004-0949

     An information leak discovered in the SMB filesystem code.

 CVE-2004-1016

     A local denial of service vulnerability has been found in the SCM layer.

 CVE-2004-1333

     An integer overflow in the terminal code may allow a local denial of
     service vulnerability.

 CVE-2004-0997

     A local privilege escalation in the MIPS assembly code has been found.
 
 CVE-2004-1335
 
     A memory leak in the ip_options_get() function may lead to denial of
     service.
      
 CVE-2004-1017

     Multiple overflows exist in the io_edgeport driver which might be usable
     as a denial of service attack vector.
 
 CVE-2005-0124

     Bryan Fulton reported a bounds checking bug in the coda_pioctl function
     which may allow local users to execute arbitrary code or trigger a denial
     of service attack.

 CVE-2005-0528

     A local privilege escalation in the mremap function has been found

 CVE-2003-0984

     Inproper initialization of the RTC may disclose information.

 CVE-2004-1070

     Insufficient input sanitising in the load_elf_binary() function may
     lead to privilege escalation.

 CVE-2004-1071

     Incorrect error handling in the binfmt_elf loader may lead to privilege
     escalation.

 CVE-2004-1072

     A buffer overflow in the binfmt_elf loader may lead to privilege
     escalation or denial of service.

 CVE-2004-1073

     The open_exec function may disclose information.

 CVE-2004-1074

     The binfmt code is vulnerable to denial of service through malformed
     a.out binaries.

 CVE-2004-0138

     A denial of service vulnerability in the ELF loader has been found.

 CVE-2004-1068

     A programming error in the unix_dgram_recvmsg() function may lead to
     privilege escalation.

 CVE-2004-1234

     The ELF loader is vulnerable to denial of service through malformed
     binaries.

 CVE-2005-0003

     Crafted ELF binaries may lead to privilege escalation, due to 
     insufficient checking of overlapping memory regions.

 CVE-2004-1235

     A race condition in the load_elf_library() and binfmt_aout() functions
     may allow privilege escalation.

 CVE-2005-0504

     An integer overflow in the Moxa driver may lead to privilege escalation.

 CVE-2005-0384

     A remote denial of service vulnerability has been found in the PPP
     driver.

 CVE-2005-0135

     An IA64 specific local denial of service vulnerability has been found
     in the unw_unwind_to_user() function.

The following matrix explains which kernel version for which architecture
fix the problems mentioned above:

                                     Debian 3.0 (woody)
     Source                          2.4.18-14.4
     Alpha architecture              2.4.18-15woody1
     Intel IA-32 architecture        2.4.18-13.2
     HP Precision architecture       62.4 
     PowerPC architecture            2.4.18-1woody6
     PowerPC architecture/XFS        20020329woody1            
     PowerPC architecture/benh       20020304woody1
     Sun Sparc architecture          22woody1    

We recommend that you upgrade your kernel package immediately and reboot
the machine.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get dist-upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- --------------------------------


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEb9YGXm3vHE4uyloRAkhXAJ0e1RmUxVZSbQICFa/j07oKPfWRVwCeMrhj
wYGegwosZg6xi3oI77opLQY=
=eu/T
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
    

- 漏洞信息 (F46506)

Debian Linux Security Advisory 1067-1 (PacketStormID:F46506)
2006-05-22 00:00:00
Debian,Dann Frazier  debian.org
advisory,remote,denial of service,arbitrary,kernel,local,vulnerability
linux,debian
CVE-2004-0427,CVE-2005-0489,CVE-2004-0394,CVE-2004-0447,CVE-2004-0554,CVE-2004-0565,CVE-2004-0685,CVE-2005-0001,CVE-2004-0883,CVE-2004-0949,CVE-2004-1016,CVE-2004-1333,CVE-2004-0997,CVE-2004-1335,CVE-2004-1017,CVE-2005-0124,CVE-2005-0528,CVE-2003-0984
[点击下载]

Debian Security Advisory 1067-1 - Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1067-1                    security@debian.org
http://www.debian.org/security/               Martin Schulze, Dann Frazier
May 20th, 2006                          http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : kernel-source-2.4.16,kernel-image-2.4.16-lart,kernel-image-2.4.16-riscpc,kernel-image-2.4.16-netwinder
Vulnerability  : several
Problem-Type   : local/remote
Debian-specific: no
CVE IDs        : CVE-2004-0427 CVE-2005-0489 CVE-2004-0394 CVE-2004-0447 CVE-2004-0554 CVE-2004-0565 CVE-2004-0685  CVE-2005-0001 CVE-2004-0883 CVE-2004-0949 CVE-2004-1016 CVE-2004-1333 CVE-2004-0997 CVE-2004-1335 CVE-2004-1017 CVE-2005-0124 CVE-2005-0528 CVE-2003-0984 CVE-2004-1070 CVE-2004-1071 CVE-2004-1072 CVE-2004-1073 CVE-2004-1074 CVE-2004-0138 CVE-2004-1068 CVE-2004-1234 CVE-2005-0003 CVE-2004-1235 CVE-2005-0504 CVE-2005-0384 CVE-2005-0135

Several local and remote vulnerabilities have been discovered in the Linux
kernel that may lead to a denial of service or the execution of arbitrary
code. The Common Vulnerabilities and Exposures project identifies the
following problems:


 CVE-2004-0427

     A local denial of service vulnerability in do_fork() has been found.     

 CVE-2005-0489

     A local denial of service vulnerability in proc memory handling has
     been found.

 CVE-2004-0394

     A buffer overflow in the panic handling code has been found.

 CVE-2004-0447

     A local denial of service vulnerability through a null pointer
     dereference in the IA64 process handling code has been found.

 CVE-2004-0554

     A local denial of service vulnerability through an infinite loop in
     the signal handler code has been found.

 CVE-2004-0565

     An information leak in the context switch code has been found on
     the IA64 architecture.

 CVE-2004-0685

     Unsafe use of copy_to_user in USB drivers may disclose sensitive
     information.

 CVE-2005-0001

     A race condition in the i386 page fault handler may allow privilege
     escalation.

 CVE-2004-0883

     Multiple vulnerabilities in the SMB filesystem code may allow denial
     of service of information disclosure.

 CVE-2004-0949

     An information leak discovered in the SMB filesystem code.

 CVE-2004-1016

     A local denial of service vulnerability has been found in the SCM layer.

 CVE-2004-1333

     An integer overflow in the terminal code may allow a local denial of
     service vulnerability.

 CVE-2004-0997

     A local privilege escalation in the MIPS assembly code has been found.
 
 CVE-2004-1335
 
     A memory leak in the ip_options_get() function may lead to denial of
     service.
      
 CVE-2004-1017

     Multiple overflows exist in the io_edgeport driver which might be usable
     as a denial of service attack vector.
 
 CVE-2005-0124

     Bryan Fulton reported a bounds checking bug in the coda_pioctl function
     which may allow local users to execute arbitrary code or trigger a denial
     of service attack.

 CVE-2005-0528

     A local privilege escalation in the mremap function has been found

 CVE-2003-0984

     Inproper initialization of the RTC may disclose information.

 CVE-2004-1070

     Insufficient input sanitising in the load_elf_binary() function may
     lead to privilege escalation.

 CVE-2004-1071

     Incorrect error handling in the binfmt_elf loader may lead to privilege
     escalation.

 CVE-2004-1072

     A buffer overflow in the binfmt_elf loader may lead to privilege
     escalation or denial of service.

 CVE-2004-1073

     The open_exec function may disclose information.

 CVE-2004-1074

     The binfmt code is vulnerable to denial of service through malformed
     a.out binaries.

 CVE-2004-0138

     A denial of service vulnerability in the ELF loader has been found.

 CVE-2004-1068

     A programming error in the unix_dgram_recvmsg() function may lead to
     privilege escalation.

 CVE-2004-1234

     The ELF loader is vulnerable to denial of service through malformed
     binaries.

 CVE-2005-0003

     Crafted ELF binaries may lead to privilege escalation, due to 
     insufficient checking of overlapping memory regions.

 CVE-2004-1235

     A race condition in the load_elf_library() and binfmt_aout() functions
     may allow privilege escalation.

 CVE-2005-0504

     An integer overflow in the Moxa driver may lead to privilege escalation.

 CVE-2005-0384

     A remote denial of service vulnerability has been found in the PPP
     driver.

 CVE-2005-0135

     An IA64 specific local denial of service vulnerability has been found
     in the unw_unwind_to_user() function.

The following matrix explains which kernel version for which architecture
fix the problems mentioned above:

                                     Debian 3.0 (woody)
     Source                          2.4.16-1woody2
     arm/lart                        20040419woody1
     arm/netwinder                   20040419woody1
     arm/riscpc                      20040419woody1

We recommend that you upgrade your kernel package immediately and reboot
the machine.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get dist-upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.16-lart/kernel-image-2.4.16-lart_20040419woody1.dsc
      Size/MD5 checksum:      655 cbaba3ab1ea1f99557d717bb19908dc8
    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.16-lart/kernel-image-2.4.16-lart_20040419woody1.tar.gz
      Size/MD5 checksum:    16628 c10d76a01d03e58049b594270d7fd7c5
    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.16-netwinder/kernel-image-2.4.16-netwinder_20040419woody1.dsc
      Size/MD5 checksum:      693 be25ede481365d969f465a0356bfe047
    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.16-netwinder/kernel-image-2.4.16-netwinder_20040419woody1.tar.gz
      Size/MD5 checksum:    21947 12d6a2977ba7683e48e92293e4a87cf6
    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.16-riscpc/kernel-image-2.4.16-riscpc_20040419woody1.dsc
      Size/MD5 checksum:      661 6895c73dc50b56d48588e3f053fbcc05
    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.16-riscpc/kernel-image-2.4.16-riscpc_20040419woody1.tar.gz
      Size/MD5 checksum:    19300 3e60e7aa88e553221264f1b004d9091d
    http://security.debian.org/pool/updates/main/k/kernel-source-2.4.16/kernel-source-2.4.16_2.4.16-1woody3.dsc
      Size/MD5 checksum:      680 81e8e543d617f8464a222767e18aa261
    http://security.debian.org/pool/updates/main/k/kernel-source-2.4.16/kernel-source-2.4.16_2.4.16-1woody3.diff.gz
      Size/MD5 checksum:    46430 d164de27560966cb695141de9b004e7e
    http://security.debian.org/pool/updates/main/k/kernel-source-2.4.16/kernel-source-2.4.16_2.4.16.orig.tar.gz
      Size/MD5 checksum: 29364642 8e42e72848dc5098b6433d66d5cacffc

  ARM architecture:

    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.16-lart/kernel-image-2.4.16-lart_20040419woody1_arm.deb
      Size/MD5 checksum:   718814 87806c13fa914865ecc00f784c64a8f4
    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.16-netwinder/kernel-headers-2.4.16_20040419woody1_arm.deb
      Size/MD5 checksum:  3437272 3061b1a8212d2538bdbffa9609300322
    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.16-netwinder/kernel-image-2.4.16-netwinder_20040419woody1_arm.deb
      Size/MD5 checksum:  6675192 b588a74f3b53c06ef3ffb26218c6e191
    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.16-riscpc/kernel-image-2.4.16-riscpc_20040419woody1_arm.deb
      Size/MD5 checksum:  2914360 3df4986a2bfa64ddea35cb2b76d390a5

  Architecture independent components:

    http://security.debian.org/pool/updates/main/k/kernel-source-2.4.16/kernel-doc-2.4.16_2.4.16-1woody3_all.deb
      Size/MD5 checksum:  1718004 b458e950b6aabb99a781f507c2015dd3
    http://security.debian.org/pool/updates/main/k/kernel-source-2.4.16/kernel-source-2.4.16_2.4.16-1woody3_all.deb
      Size/MD5 checksum: 23820868 3001c4af6222fa22ecba3053a146e248

  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEbtDmXm3vHE4uyloRAhZsAJ0Uw7DM7RtiBSmWWskg8FXq0do5TACeMk43
Y8lxItKTeEpmOE/9asuJ6UU=
=fM5d
-----END PGP SIGNATURE-----

    

- 漏洞信息 (F35087)

142004.txt (PacketStormID:F35087)
2004-11-20 00:00:00
Stefan Esser  security.e-matters.de
advisory,overflow,kernel,vulnerability
linux
CVE-2004-0883,CVE-2004-0949
[点击下载]

During an audit of the smb filesystem implementation within Linux several vulnerabilities were discovered ranging from out of bounds read accesses to kernel level buffer overflows. The 2.4 series up to 2.4.27 is affected and the 2.6 series up to 2.6.9 is affected.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                           e-matters GmbH
                          www.e-matters.de

                      -= Security  Advisory =-



     Advisory: Linux 2.x smbfs multiple remote vulnerabilities
 Release Date: 2004/11/17
Last Modified: 2004/11/17
       Author: Stefan Esser [s.esser@e-matters.de]

  Application: Linux 2.4 <= 2.4.27
               Linux 2.6 <= 2.6.9
     Severity: Several vulnerabilities within smbfs allow
               crashing the kernel or leaking kernel memory
	       with the help of the smb server
         Risk: Moderately Critical
Vendor Status: Vendor has released a bugfixed version.
    Reference: http://security.e-matters.de/advisories/142004.html


Overview:

   Linux is a clone of the operating system Unix, written from scratch 
   by Linus Torvalds with assistance from a loosely-knit team of hackers
   across the Net. It aims towards POSIX and Single UNIX Specification 
   compliance.

   During an audit of the smb filesystem implementation within Linux
   several vulnerabilities were discovered ranging from out of bounds 
   read accesses to kernel level buffer overflows.

   To exploit any of these vulnerabilities an attacker needs control
   over the answers of the connected smb server. This could be achieved
   by man in the middle attacks or by taking over the smb server with
   f.e. the recently disclosed vulnerability in Samba 3.x
   
   While any of these vulnerabilities can be easily used as remote
   denial of service exploits against Linux systems, it is unclear if 
   it is possible for a skilled local or remote attacker to use any of 
   the possible bufferoverflows for arbitrary code execution in kernel 
   space.


Details:

   [ 01 - smb_proc_read(X) malicious data count overflow ]
   
   Affected Kernels: 2.4
   
   When receiving the answer to a read(X) request the Linux 2.4 kernel
   trusts the returned data count and copies exactly that amound of
   bytes into the output buffer. This means any call to the read
   syscall on a smb filesystem could result in an overflow withing
   kernel memory if the connected smb server returns more data than
   requested. While this is a trivial to exploit DOS vulnerability
   it is unclear if it can be used by a skilled attacker to execute
   arbitrary code.
   
   [ 02 - smb_proc_readX malicious data offset information leak ]
   
   Affected Kernels: 2.4
   
   When receiving the answer to a readX request the Linux 2.4 kernel
   does not properly bounds check the supplied data offset. The check
   in place can fail because of a signedness issue. This means that
   a local attacker can leak kernel memory simply by issuing the read
   syscall on a smb filesystem when the connected server returns a
   data offset from outside the packet. This can of course also lead
   to a kernel crash when unallocated memory is accessed.
   
   [ 03 - smb_receive_trans2 defragmentation overflow ]
   
   Affected Kernels: 2.4
   
   At the end of the TRANS2 defragmentation process the complete
   packet is moved to another place if a certain condition is true.
   In combination with [07] and the fact that the counters are not
   bounds checked befory coyping the data this can result in a 
   kernel memory overflow.
   
   [ 04 - smb_proc_readX_data malicious data offset DOS ]
   
   Affected Kernels: 2.6
   
   The server supplied data offset is decremented by the header size
   and then used as offset within the packet. While the supplied
   offset is checked against an upper bound it may have underflowed
   and therefore point outside the allocated memory. Any access to
   that memory could result in a crash.
   
   [ 05 - smb_receive_trans2 malicious parm/data offset info leak/DOS ]
   
   Affected Kernels: 2.4, 2.6
   
   Both versions of the kernel do not properly bounds check the 
   server supplied packet based offset of the parameters/data sent.
   This results in smbfs copying data from memory outside the received
   smb fragment into the receiving buffer. This can leak kernel memory
   to the calling function or result in a DOS because of accesses to
   unallocated memory.
   
   [ 06 - smb_recv_trans2 missing fragment information leak ]
   
   Affected Kernels: 2.4, 2.6
   
   The defragmentation process of TRANS2 SMB packets does not properly
   initialize the receiving buffer. An attacker may f.e. send several
   thousand times the first byte of a packet until the received data
   count reaches the expected total and so leakes the rest of the
   uninitialised receiving buffer to the calling function.

   [ 07 - smb_recv_trans2 fragment resending leads to invalid counters ]
   
   Affected Kernels: 2.4, 2.6
   
   The defragmentation termination condition is that atleast the
   expected parameter count and at least the expected data count is 
   reached. By using the fragment resending technique an attacker
   can increase one of those counters to an arbitrary high value.
   

Proof of Concept:

   e-matters is not going to release exploits for any of these
   vulnerabilities to the public.


Disclosure Timeline:

   25. September 2004 - Made initial contact with the Linux Developers
   27. September 2004 - Contacted vendor-sec about this issue
   22. October   2004 - Sent the 2nd round of smbfs vulnerabilities to
                        both parties
   27. October   2004 - Sent final patchset for 2.4 and 2.6 kernel
                        to the developers
   11. November  2004 - Linux 2.4.28-rc3 containing the final patchset
                        was made available by the developers
   17. November  2004 - Linux 2.4.28 released
   17. November  2004 - Public Disclosure


CVE Information:

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the name CAN-2004-0883 to the issues 01-05 and the name
   CAN-2004-0949 to the issues 06, 07.


Recommendation:

   Anyone using smbfs with Linux should upgrade as soon as possible
   to the new kernels.


GPG-Key:

   http://security.e-matters.de/gpg_key.asc

   pub  1024D/3004C4BC 2004-05-17 e-matters GmbH - Securityteam
   Key fingerprint = 3FFB 7C86 7BE8 6981 D1DA  A71A 6F7D 572D 3004 C4BC


Copyright 2004 Stefan Esser. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFBm4syb31XLTAExLwRAtnTAJ9R8g5O75dA1zHNAdvI3Q6QuHTjhACfUqd7
pD65DUSyi0vyGsfypop1NoI=
=KJBQ
-----END PGP SIGNATURE-----

    

- 漏洞信息

11981
Linux Kernel smb Filesystem smb_proc_read(X) Overflow
Input Manipulation
Loss of Integrity

- 漏洞描述

Unknown or Incomplete

- 时间线

2004-11-18 2004-09-25
Unknow Unknow

- 解决方案

Upgrade to version 2.4.28 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

- 漏洞信息

Linux Kernel SMBFS Multiple Remote Vulnerabilities
Design Error 11695
Yes Yes
2004-11-17 12:00:00 2007-01-17 07:20:00
Stefan Esser disclosed these vulnerabilities.

- 受影响的程序版本

Ubuntu Ubuntu Linux 4.1 ppc
Ubuntu Ubuntu Linux 4.1 ia64
Ubuntu Ubuntu Linux 4.1 ia32
Trustix Secure Linux 2.2
Trustix Secure Linux 2.1
Trustix Secure Linux 2.0
Trustix Secure Linux 1.5
Trustix Secure Enterprise Linux 2.0
SuSE SUSE Linux Enterprise Server 8
+ Linux kernel 2.4.21
+ Linux kernel 2.4.19
S.u.S.E. Novell Linux Desktop 9.0
S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 9.1
S.u.S.E. Linux Personal 9.0 x86_64
S.u.S.E. Linux Personal 9.0
S.u.S.E. Linux Personal 8.2
S.u.S.E. Linux Enterprise Server 9
S.u.S.E. Linux Desktop 1.0
S.u.S.E. Linux 8.1
RedHat Linux 9.0 i386
RedHat Linux 7.3 i386
RedHat Enterprise Linux WS 3
RedHat Enterprise Linux WS 2.1 IA64
RedHat Enterprise Linux WS 2.1
RedHat Enterprise Linux ES 3
RedHat Enterprise Linux ES 2.1 IA64
RedHat Enterprise Linux ES 2.1
RedHat Desktop 3.0
RedHat Advanced Workstation for the Itanium Processor 2.1 IA64
RedHat Advanced Workstation for the Itanium Processor 2.1
Red Hat Fedora Core3
Red Hat Fedora Core2
Red Hat Fedora Core1
Red Hat Enterprise Linux AS 3
Red Hat Enterprise Linux AS 2.1 IA64
Red Hat Enterprise Linux AS 2.1
Mandriva Linux Mandrake 10.1 x86_64
Mandriva Linux Mandrake 10.1
Mandriva Linux Mandrake 10.0 AMD64
Mandriva Linux Mandrake 10.0
Mandriva Linux Mandrake 9.2 amd64
Mandriva Linux Mandrake 9.2
MandrakeSoft Multi Network Firewall 2.0
MandrakeSoft Corporate Server 3.0
MandrakeSoft Corporate Server 2.1 x86_64
MandrakeSoft Corporate Server 2.1
Linux kernel 2.6.9
Linux kernel 2.6.8 rc3
Linux kernel 2.6.8 rc2
Linux kernel 2.6.8 rc1
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
Linux kernel 2.6.8
Linux kernel 2.6.7 rc1
Linux kernel 2.6.7
Linux kernel 2.6.6 rc1
Linux kernel 2.6.6
Linux kernel 2.6.5
Linux kernel 2.6.4
Linux kernel 2.6.3
Linux kernel 2.6.2
Linux kernel 2.6.1 -rc2
Linux kernel 2.6.1 -rc1
Linux kernel 2.6.1
Linux kernel 2.6 -test9-CVS
Linux kernel 2.6 -test9
Linux kernel 2.6 -test8
Linux kernel 2.6 -test7
Linux kernel 2.6 -test6
Linux kernel 2.6 -test5
Linux kernel 2.6 -test4
Linux kernel 2.6 -test3
Linux kernel 2.6 -test2
Linux kernel 2.6 -test11
Linux kernel 2.6 -test10
Linux kernel 2.6 -test1
Linux kernel 2.6
Linux kernel 2.4.27 -pre5
Linux kernel 2.4.27 -pre4
Linux kernel 2.4.27 -pre3
Linux kernel 2.4.27 -pre2
Linux kernel 2.4.27 -pre1
Linux kernel 2.4.27
Linux kernel 2.4.26
Linux kernel 2.4.25
Linux kernel 2.4.24 -ow1
Linux kernel 2.4.24
Linux kernel 2.4.23 -pre9
Linux kernel 2.4.23 -ow2
Linux kernel 2.4.23
Linux kernel 2.4.22
+ Devil-Linux Devil-Linux 1.0.5
+ Devil-Linux Devil-Linux 1.0.4
+ Mandriva Linux Mandrake 9.2 amd64
+ Mandriva Linux Mandrake 9.2
+ Red Hat Fedora Core1
+ Slackware Linux 9.1
Linux kernel 2.4.21 pre7
Linux kernel 2.4.21 pre4
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
Linux kernel 2.4.21 pre1
Linux kernel 2.4.21
+ Conectiva Linux 9.0
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
+ Red Hat Enterprise Linux AS 3
+ RedHat Desktop 3.0
+ RedHat Enterprise Linux ES 3
+ RedHat Enterprise Linux WS 3
+ S.u.S.E. Linux Personal 9.0 x86_64
+ S.u.S.E. Linux Personal 9.0
+ SuSE SUSE Linux Enterprise Server 8
Linux kernel 2.4.20
+ CRUX CRUX Linux 1.0
+ Gentoo Linux 1.4
+ Gentoo Linux 1.2
+ RedHat Linux 9.0 i386
+ Slackware Linux 9.0
+ WOLK WOLK 4.4 s
Linux kernel 2.4.19 -pre6
Linux kernel 2.4.19 -pre5
Linux kernel 2.4.19 -pre4
Linux kernel 2.4.19 -pre3
Linux kernel 2.4.19 -pre2
Linux kernel 2.4.19 -pre1
Linux kernel 2.4.19
Linux kernel 2.4.18 pre-8
Linux kernel 2.4.18 pre-7
Linux kernel 2.4.18 pre-6
Linux kernel 2.4.18 pre-5
Linux kernel 2.4.18 pre-4
Linux kernel 2.4.18 pre-3
Linux kernel 2.4.18 pre-2
Linux kernel 2.4.18 pre-1
Linux kernel 2.4.18 x86
Linux kernel 2.4.18
Linux kernel 2.4.17
Linux kernel 2.4.16
Linux kernel 2.4.15
Linux kernel 2.4.14
Linux kernel 2.4.13
+ Caldera OpenLinux Server 3.1.1
+ Caldera OpenLinux Workstation 3.1.1
Linux kernel 2.4.12
+ Conectiva Linux 7.0
Linux kernel 2.4.11
Linux kernel 2.4.10
+ S.u.S.E. Linux 7.3
Linux kernel 2.4.9
Linux kernel 2.4.8
Linux kernel 2.4.7
+ RedHat Linux 7.2
+ S.u.S.E. Linux 7.2
+ S.u.S.E. Linux 7.1
Linux kernel 2.4.6
Linux kernel 2.4.5
+ Slackware Linux 8.0
Linux kernel 2.4.4
Linux kernel 2.4.3
Linux kernel 2.4.2
+ Caldera OpenLinux Server 3.1
+ Caldera OpenLinux Workstation 3.1
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1 alpha
Linux kernel 2.4.1
Linux kernel 2.4 .0-test9
Linux kernel 2.4 .0-test8
Linux kernel 2.4 .0-test7
Linux kernel 2.4 .0-test6
Linux kernel 2.4 .0-test5
Linux kernel 2.4 .0-test4
Linux kernel 2.4 .0-test3
Linux kernel 2.4 .0-test2
Linux kernel 2.4 .0-test12
Linux kernel 2.4 .0-test11
Linux kernel 2.4 .0-test10
Linux kernel 2.4 .0-test1
Linux kernel 2.4
Debian Linux 3.0 sparc
Debian Linux 3.0 s/390
Debian Linux 3.0 ppc
Debian Linux 3.0 mipsel
Debian Linux 3.0 mips
Debian Linux 3.0 m68k
Debian Linux 3.0 ia-64
Debian Linux 3.0 ia-32
Debian Linux 3.0 hppa
Debian Linux 3.0 arm
Debian Linux 3.0 alpha
Debian Linux 3.0
Avaya Modular Messaging (MSS) 2.0
Avaya Modular Messaging (MSS) 1.1
Linux kernel 2.4.28
+ Trustix Secure Enterprise Linux 2.0
+ Trustix Secure Linux 2.2
+ Trustix Secure Linux 2.1
+ Trustix Secure Linux 2.0

- 不受影响的程序版本

Linux kernel 2.4.28
+ Trustix Secure Enterprise Linux 2.0
+ Trustix Secure Linux 2.2
+ Trustix Secure Linux 2.1
+ Trustix Secure Linux 2.0

- 漏洞讨论

The Linux kernel is reported prone to multiple remote vulnerabilities in the SMBFS network filesystem.

These vulnerabilities may lead to the execution of attacker-supplied machine code, information disclosure of kernel memory, or crashes of the kernel, denying service to legitimate users.

Versions of the kernel in both the 2.4 and the 2.6 series are reported prone to various issues.

- 漏洞利用

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com

- 解决方案

The vendor has released version 2.4.28 of the Linux kernel to address these issues.

Please see the referenced advisories for information on obtaining and applying the appropriate updates.


Linux kernel 2.4 .0-test3

Linux kernel 2.4 .0-test7

Linux kernel 2.4

Linux kernel 2.4 .0-test11

Linux kernel 2.4 .0-test4

Linux kernel 2.4 .0-test1

Linux kernel 2.4 .0-test9

Linux kernel 2.4.1

Linux kernel 2.4.10

Linux kernel 2.4.11

Linux kernel 2.4.12

Linux kernel 2.4.13

Linux kernel 2.4.15

Linux kernel 2.4.17

Linux kernel 2.4.18 pre-8

Linux kernel 2.4.18 pre-7

Linux kernel 2.4.18 pre-3

Linux kernel 2.4.18 pre-2

Linux kernel 2.4.18 pre-5

Linux kernel 2.4.18 pre-1

Linux kernel 2.4.19 -pre4

Linux kernel 2.4.19 -pre1

Linux kernel 2.4.19 -pre5

Linux kernel 2.4.19 -pre3

Linux kernel 2.4.2

Linux kernel 2.4.20

Linux kernel 2.4.21

Linux kernel 2.4.21 pre1

Linux kernel 2.4.21 pre4

Linux kernel 2.4.21 pre7

Linux kernel 2.4.22

Linux kernel 2.4.23 -ow2

Linux kernel 2.4.23 -pre9

Linux kernel 2.4.25

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站