CVE-2005-0001
CVSS6.9
发布时间 :2005-05-02 00:00:00
修订时间 :2016-10-17 23:07:24
NMCOPS    

[原文]Race condition in the page fault handler (fault.c) for Linux kernel 2.2.x to 2.2.7, 2.4 to 2.4.29, and 2.6 to 2.6.10, when running on multiprocessor machines, allows local users to execute arbitrary code via concurrent threads that share the same virtual memory space and simultaneously request stack expansion.


[CNNVD]Linux Kernel i386 SMP页错误处理器特权提升漏洞(CNNVD-200505-612)

        Linux Kernel是一款开放源代码操作系统。
        Linux Kernel页错误处理器代码存在安全问题,本地攻击者可以利用这个漏洞提升特权。

- CVSS (基础分值)

CVSS分值: 6.9 [中等(MEDIUM)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

cpe:/o:redhat:enterprise_linux:3.0::enterprise_server
cpe:/o:redhat:enterprise_linux:4.0::advanced_server
cpe:/o:linux:linux_kernel:2.6.10Linux Kernel 2.6.10
cpe:/o:linux:linux_kernel:2.4.1Linux Kernel 2.4.1
cpe:/o:linux:linux_kernel:2.4.0Linux Kernel 2.4.0
cpe:/o:linux:linux_kernel:2.2.7Linux Kernel 2.2.7
cpe:/o:linux:linux_kernel:2.4.5Linux Kernel 2.4.5
cpe:/o:linux:linux_kernel:2.6.3Linux Kernel 2.6.3
cpe:/o:linux:linux_kernel:2.4.4Linux Kernel 2.4.4
cpe:/o:linux:linux_kernel:2.6.2Linux Kernel 2.6.2
cpe:/o:redhat:enterprise_linux_desktop:4.0Red Hat Desktop 4.0
cpe:/o:linux:linux_kernel:2.4.3Linux Kernel 2.4.3
cpe:/o:linux:linux_kernel:2.6.1Linux Kernel 2.6.1
cpe:/o:linux:linux_kernel:2.4.2Linux Kernel 2.4.2
cpe:/o:linux:linux_kernel:2.6.0Linux Kernel 2.6.0
cpe:/o:linux:linux_kernel:2.6.9:2.6.20
cpe:/o:trustix:secure_linux:2Trustix Secure Enterprise Linux 2
cpe:/o:redhat:enterprise_linux:3.0::advanced_server
cpe:/o:linux:linux_kernel:2.6.8Linux Kernel 2.6.8
cpe:/o:redhat:enterprise_linux:4.0::enterprise_server
cpe:/o:linux:linux_kernel:2.4.12Linux Kernel 2.4.12
cpe:/o:trustix:secure_linux:2.2Trustix Secure Linux 2.2
cpe:/o:linux:linux_kernel:2.4.11Linux Kernel 2.4.11
cpe:/o:trustix:secure_linux:2.1Trustix Secure Linux 2.1
cpe:/o:linux:linux_kernel:2.4.19Linux Kernel 2.4.19
cpe:/o:linux:linux_kernel:2.4.14Linux Kernel 2.4.14
cpe:/o:linux:linux_kernel:2.4.13Linux Kernel 2.4.13
cpe:/o:linux:linux_kernel:2.4.16Linux Kernel 2.4.16
cpe:/o:linux:linux_kernel:2.4.15Linux Kernel 2.4.15
cpe:/o:linux:linux_kernel:2.4.10Linux Kernel 2.4.10
cpe:/o:redhat:enterprise_linux:3.0::workstation_server
cpe:/o:redhat:enterprise_linux:4.0::workstation
cpe:/o:redhat:enterprise_linux_desktop:3.0Red Hat Desktop 3.0
cpe:/o:linux:linux_kernel:2.4.18Linux Kernel 2.4.18
cpe:/o:linux:linux_kernel:2.4.17Linux Kernel 2.4.17
cpe:/o:linux:linux_kernel:2.4.23Linux Kernel 2.4.23
cpe:/o:linux:linux_kernel:2.4.22Linux Kernel 2.4.22
cpe:/o:linux:linux_kernel:2.4.25Linux Kernel 2.4.25
cpe:/o:linux:linux_kernel:2.4.24Linux Kernel 2.4.24
cpe:/o:linux:linux_kernel:2.4.27Linux Kernel 2.4.27
cpe:/o:linux:linux_kernel:2.4.26Linux Kernel 2.4.26
cpe:/o:linux:linux_kernel:2.4.21Linux Kernel 2.4.21
cpe:/o:linux:linux_kernel:2.4.20Linux Kernel 2.4.20
cpe:/o:linux:linux_kernel:2.4.9Linux Kernel 2.4.9
cpe:/o:linux:linux_kernel:2.6.7Linux Kernel 2.6.7
cpe:/o:linux:linux_kernel:2.4.8Linux Kernel 2.4.8
cpe:/o:linux:linux_kernel:2.6.6Linux Kernel 2.6.6
cpe:/o:linux:linux_kernel:2.4.29Linux Kernel 2.4.29
cpe:/o:linux:linux_kernel:2.4.7Linux Kernel 2.4.7
cpe:/o:linux:linux_kernel:2.6.5Linux Kernel 2.6.5
cpe:/o:linux:linux_kernel:2.4.28Linux Kernel 2.4.28
cpe:/o:linux:linux_kernel:2.4.6Linux Kernel 2.4.6
cpe:/o:linux:linux_kernel:2.6.4Linux Kernel 2.6.4

- OVAL (用于检测的技术细节)

oval:org.mitre.oval:def:10322Race condition in the (1) load_elf_library and (2) binfmt_aout function calls for uselib in Linux kernel 2.4 through 2.429-rc2 and 2.6 throu...
*OVAL详细的描述了检测该漏洞的方法,你可以从相关的OVAL定义中找到更多检测该漏洞的技术细节。

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0001
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0001
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-612
(官方数据源) CNNVD

- 其它链接及资源

http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000930
(UNKNOWN)  CONECTIVA  CLA-2005:930
http://isec.pl/vulnerabilities/isec-0022-pagefault.txt
(UNKNOWN)  MISC  http://isec.pl/vulnerabilities/isec-0022-pagefault.txt
http://lists.grok.org.uk/pipermail/full-disclosure/2005-January/030826.html
(UNKNOWN)  FULLDISC  20050112 Linux kernel i386 SMP page fault handler privilege escalation
http://marc.info/?l=bugtraq&m=110554694522719&w=2
(UNKNOWN)  BUGTRAQ  20050112 Linux kernel i386 SMP page fault handler privilege escalation
http://marc.info/?l=bugtraq&m=110581146702951&w=2
(UNKNOWN)  BUGTRAQ  20050114 [USN-60-0] Linux kernel vulnerabilities
http://securitytracker.com/id?1012862
(UNKNOWN)  SECTRACK  1012862
http://www.debian.org/security/2006/dsa-1067
(UNKNOWN)  DEBIAN  DSA-1067
http://www.debian.org/security/2006/dsa-1069
(UNKNOWN)  DEBIAN  DSA-1069
http://www.debian.org/security/2006/dsa-1070
(UNKNOWN)  DEBIAN  DSA-1070
http://www.debian.org/security/2006/dsa-1082
(UNKNOWN)  DEBIAN  DSA-1082
http://www.mandriva.com/security/advisories?name=MDKSA-2005:022
(UNKNOWN)  MANDRAKE  MDKSA-2005:022
http://www.redhat.com/support/errata/RHSA-2005-016.html
(UNKNOWN)  REDHAT  RHSA-2005:016
http://www.redhat.com/support/errata/RHSA-2005-017.html
(UNKNOWN)  REDHAT  RHSA-2005:017
http://www.redhat.com/support/errata/RHSA-2005-043.html
(UNKNOWN)  REDHAT  RHSA-2005:043
http://www.redhat.com/support/errata/RHSA-2005-092.html
(UNKNOWN)  REDHAT  RHSA-2005:092
http://www.securityfocus.com/bid/12244
(UNKNOWN)  BID  12244
http://www.trustix.org/errata/2005/0001/
(UNKNOWN)  TRUSTIX  2005-0001
http://xforce.iss.net/xforce/xfdb/18849
(UNKNOWN)  XF  linux-fault-handler-gain-privileges(18849)
https://bugzilla.fedora.us/show_bug.cgi?id=2336
(UNKNOWN)  FEDORA  FLSA:2336

- 漏洞信息

Linux Kernel i386 SMP页错误处理器特权提升漏洞
中危 竞争条件
2005-05-02 00:00:00 2007-02-07 00:00:00
本地  
        Linux Kernel是一款开放源代码操作系统。
        Linux Kernel页错误处理器代码存在安全问题,本地攻击者可以利用这个漏洞提升特权。

- 公告与补丁

        目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
        http://www.kernel.org/

- 漏洞信息 (F46509)

Debian Linux Security Advisory 1070-1 (PacketStormID:F46509)
2006-05-22 00:00:00
Debian,Dann Frazier  debian.org
advisory,remote,denial of service,arbitrary,kernel,local,vulnerability
linux,debian
CVE-2004-0427,CVE-2005-0489,CVE-2004-0394,CVE-2004-0447,CVE-2004-0554,CVE-2004-0565,CVE-2004-0685,CVE-2005-0001,CVE-2004-0883,CVE-2004-0949,CVE-2004-1016,CVE-2004-1333,CVE-2004-0997,CVE-2004-1335,CVE-2004-1017,CVE-2005-0124,CVE-2005-0528,CVE-2003-0984
[点击下载]

Debian Security Advisory 1070-1 - Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1070-1                    security@debian.org
http://www.debian.org/security/               Martin Schulze, Dann Frazier
May 21th, 2006                          http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : kernel-source-2.4.19,kernel-image-sparc-2.4,kernel-patch-2.4.19-mips
Vulnerability  : several
Problem-Type   : local/remote
Debian-specific: no
CVE IDs        : CVE-2004-0427 CVE-2005-0489 CVE-2004-0394 CVE-2004-0447 CVE-2004-0554 CVE-2004-0565 CVE-2004-0685  CVE-2005-0001 CVE-2004-0883 CVE-2004-0949 CVE-2004-1016 CVE-2004-1333 CVE-2004-0997 CVE-2004-1335 CVE-2004-1017 CVE-2005-0124 CVE-2005-0528 CVE-2003-0984 CVE-2004-1070 CVE-2004-1071 CVE-2004-1072 CVE-2004-1073 CVE-2004-1074 CVE-2004-0138 CVE-2004-1068 CVE-2004-1234 CVE-2005-0003 CVE-2004-1235 CVE-2005-0504 CVE-2005-0384 CVE-2005-0135

Several local and remote vulnerabilities have been discovered in the Linux
kernel that may lead to a denial of service or the execution of arbitrary
code. The Common Vulnerabilities and Exposures project identifies the
following problems:


 CVE-2004-0427

     A local denial of service vulnerability in do_fork() has been found.     

 CVE-2005-0489

     A local denial of service vulnerability in proc memory handling has
     been found.

 CVE-2004-0394

     A buffer overflow in the panic handling code has been found.

 CVE-2004-0447

     A local denial of service vulnerability through a null pointer
     dereference in the IA64 process handling code has been found.

 CVE-2004-0554

     A local denial of service vulnerability through an infinite loop in
     the signal handler code has been found.

 CVE-2004-0565

     An information leak in the context switch code has been found on
     the IA64 architecture.

 CVE-2004-0685

     Unsafe use of copy_to_user in USB drivers may disclose sensitive
     information.

 CVE-2005-0001

     A race condition in the i386 page fault handler may allow privilege
     escalation.

 CVE-2004-0883

     Multiple vulnerabilities in the SMB filesystem code may allow denial
     of service of information disclosure.

 CVE-2004-0949

     An information leak discovered in the SMB filesystem code.

 CVE-2004-1016

     A local denial of service vulnerability has been found in the SCM layer.

 CVE-2004-1333

     An integer overflow in the terminal code may allow a local denial of
     service vulnerability.

 CVE-2004-0997

     A local privilege escalation in the MIPS assembly code has been found.
 
 CVE-2004-1335
 
     A memory leak in the ip_options_get() function may lead to denial of
     service.
      
 CVE-2004-1017

     Multiple overflows exist in the io_edgeport driver which might be usable
     as a denial of service attack vector.
 
 CVE-2005-0124

     Bryan Fulton reported a bounds checking bug in the coda_pioctl function
     which may allow local users to execute arbitrary code or trigger a denial
     of service attack.

 CVE-2005-0528

     A local privilege escalation in the mremap function has been found

 CVE-2003-0984

     Inproper initialization of the RTC may disclose information.

 CVE-2004-1070

     Insufficient input sanitising in the load_elf_binary() function may
     lead to privilege escalation.

 CVE-2004-1071

     Incorrect error handling in the binfmt_elf loader may lead to privilege
     escalation.

 CVE-2004-1072

     A buffer overflow in the binfmt_elf loader may lead to privilege
     escalation or denial of service.

 CVE-2004-1073

     The open_exec function may disclose information.

 CVE-2004-1074

     The binfmt code is vulnerable to denial of service through malformed
     a.out binaries.

 CVE-2004-0138

     A denial of service vulnerability in the ELF loader has been found.

 CVE-2004-1068

     A programming error in the unix_dgram_recvmsg() function may lead to
     privilege escalation.

 CVE-2004-1234

     The ELF loader is vulnerable to denial of service through malformed
     binaries.

 CVE-2005-0003

     Crafted ELF binaries may lead to privilege escalation, due to 
     insufficient checking of overlapping memory regions.

 CVE-2004-1235

     A race condition in the load_elf_library() and binfmt_aout() functions
     may allow privilege escalation.

 CVE-2005-0504

     An integer overflow in the Moxa driver may lead to privilege escalation.

 CVE-2005-0384

     A remote denial of service vulnerability has been found in the PPP
     driver.

 CVE-2005-0135

     An IA64 specific local denial of service vulnerability has been found
     in the unw_unwind_to_user() function.

The following matrix explains which kernel version for which architecture
fix the problems mentioned above:

                                     Debian 3.0 (woody)
     Source                          2.4.19-4
     Sun Sparc architecture          26woody1
     Little endian MIPS architecture 0.020911.1.woody5


We recommend that you upgrade your kernel package immediately and reboot
the machine.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get dist-upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/k/kernel-image-sparc-2.4/kernel-image-sparc-2.4_26woody1.dsc
      Size/MD5 checksum:      692 27f44a0eec5837b0b01d26c6cff392be
    http://security.debian.org/pool/updates/main/k/kernel-image-sparc-2.4/kernel-image-sparc-2.4_26woody1.tar.gz
      Size/MD5 checksum:    27768 6c719a6343c9ea0dad44a736b3842504
    http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.19-mips/kernel-patch-2.4.19-mips_2.4.19-0.020911.1.woody5.dsc
      Size/MD5 checksum:      792 d7c89c90fad77944ca1c5a18327f31dd
    http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.19-mips/kernel-patch-2.4.19-mips_2.4.19-0.020911.1.woody5.tar.gz
      Size/MD5 checksum:  1013866 21b4b677a7a319442c8fe8a4c72eb4c2
    http://security.debian.org/pool/updates/main/k/kernel-source-2.4.19/kernel-source-2.4.19_2.4.19-4.woody3.dsc
      Size/MD5 checksum:      672 4c353db091e8edc4395e46cf8d39ec42
    http://security.debian.org/pool/updates/main/k/kernel-source-2.4.19/kernel-source-2.4.19_2.4.19-4.woody3.diff.gz
      Size/MD5 checksum:    71071 7012adde9ba9a573e1be66f0d258721a
    http://security.debian.org/pool/updates/main/k/kernel-source-2.4.19/kernel-source-2.4.19_2.4.19.orig.tar.gz
      Size/MD5 checksum: 32000211 237896fbb45ae652cc9c5cecc9b746da

  Architecture independent components:

    http://security.debian.org/pool/updates/main/k/kernel-image-sparc-2.4/kernel-headers-2.4.18-sparc_22woody1_all.deb
      Size/MD5 checksum:  1521850 75d23c7c54094b1d25d3b708fd644407
    http://security.debian.org/pool/updates/main/k/kernel-image-sparc-2.4/kernel-headers-2.4.19-sparc_26woody1_all.deb
      Size/MD5 checksum:  1547874 c6881b25e3a5967e0f6f9c351fb88962
    http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.19-mips/kernel-patch-2.4.19-mips_2.4.19-0.020911.1.woody5_all.deb
      Size/MD5 checksum:  1014564 0e89364c2816f5f4519256a8ea367ab6
    http://security.debian.org/pool/updates/main/k/kernel-source-2.4.19/kernel-doc-2.4.19_2.4.19-4.woody3_all.deb
      Size/MD5 checksum:  1785490 c66cef9e87d9a89caeee02af31e3c96d
    http://security.debian.org/pool/updates/main/k/kernel-source-2.4.19/kernel-source-2.4.19_2.4.19-4.woody3_all.deb
      Size/MD5 checksum: 25902158 321403201a198371fd55c9b8ac4583f7

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/k/kernel-image-sparc-2.4/kernel-image-2.4.18-sun4u_22woody1_sparc.deb
      Size/MD5 checksum:  3923058 db7bbd997410667bec4ac713d81d60ea
    http://security.debian.org/pool/updates/main/k/kernel-image-sparc-2.4/kernel-image-2.4.18-sun4u-smp_22woody1_sparc.deb
      Size/MD5 checksum:  4044796 106fcb86485531d96b4fdada61b71405
    http://security.debian.org/pool/updates/main/k/kernel-image-sparc-2.4/kernel-image-2.4.19-sun4u_26woody1_sparc.deb
      Size/MD5 checksum:  3831424 347b0c290989f0cc99f3b336c156f61d
    http://security.debian.org/pool/updates/main/k/kernel-image-sparc-2.4/kernel-image-2.4.19-sun4u-smp_26woody1_sparc.deb
      Size/MD5 checksum:  3952220 f7dd8326c0ae0b0dee7c46e24023d0a2

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.19-mips/kernel-headers-2.4.19_2.4.19-0.020911.1.woody5_mips.deb
      Size/MD5 checksum:  3890804 7348a8cd3961190aa2a19f562c96fe2f
    http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.19-mips/kernel-image-2.4.19-r4k-ip22_2.4.19-0.020911.1.woody5_mips.deb
      Size/MD5 checksum:  2080618 d52d00e7097ae0c8f4ccb6f34656361d
    http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.19-mips/kernel-image-2.4.19-r5k-ip22_2.4.19-0.020911.1.woody5_mips.deb
      Size/MD5 checksum:  2080830 db7141d3c0d86a43659176f974599cc2
    http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.19-mips/mips-tools_2.4.19-0.020911.1.woody5_mips.deb
      Size/MD5 checksum:    15816 c31e3b72d6eac6f3f99f75ea838e0bf9

  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEcAc/Xm3vHE4uyloRAtGHAJoC9+1ELp5vTYgL4SDsNOIndI5rqQCePabu
rmancVBp6F2Nfh1PHQQrOTk=
=7GeM
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
    

- 漏洞信息 (F46508)

Debian Linux Security Advisory 1069-1 (PacketStormID:F46508)
2006-05-22 00:00:00
Debian,Dann Frazier  debian.org
advisory,remote,denial of service,arbitrary,kernel,local,vulnerability
linux,debian
CVE-2004-0427,CVE-2005-0489,CVE-2004-0394,CVE-2004-0447,CVE-2004-0554,CVE-2004-0565,CVE-2004-0685,CVE-2005-0001,CVE-2004-0883,CVE-2004-0949,CVE-2004-1016,CVE-2004-1333,CVE-2004-0997,CVE-2004-1335,CVE-2004-1017,CVE-2005-0124,CVE-2005-0528,CVE-2003-0984
[点击下载]

Debian Security Advisory 1069-1 - Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1069-1                    security@debian.org
http://www.debian.org/security/               Martin Schulze, Dann Frazier
May 20th, 2006                          http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : kernel-source-2.4.18,kernel-image-2.4.18-1-alpha,kernel-image-2.4.18-1-i386,kernel-image-2.4.18-hppa,kernel-image-2.4.18-powerpc-xfs,kernel-patch-2.4.18-powerpc,kernel-patch-benh
Vulnerability  : several
Problem-Type   : local/remote
Debian-specific: no
CVE IDs        : CVE-2004-0427 CVE-2005-0489 CVE-2004-0394 CVE-2004-0447 CVE-2004-0554 CVE-2004-0565 CVE-2004-0685  CVE-2005-0001 CVE-2004-0883 CVE-2004-0949 CVE-2004-1016 CVE-2004-1333 CVE-2004-0997 CVE-2004-1335 CVE-2004-1017 CVE-2005-0124 CVE-2005-0528 CVE-2003-0984 CVE-2004-1070 CVE-2004-1071 CVE-2004-1072 CVE-2004-1073 CVE-2004-1074 CVE-2004-0138 CVE-2004-1068 CVE-2004-1234 CVE-2005-0003 CVE-2004-1235 CVE-2005-0504 CVE-2005-0384 CVE-2005-0135

Several local and remote vulnerabilities have been discovered in the Linux
kernel that may lead to a denial of service or the execution of arbitrary
code. The Common Vulnerabilities and Exposures project identifies the
following problems:


 CVE-2004-0427

     A local denial of service vulnerability in do_fork() has been found.     

 CVE-2005-0489

     A local denial of service vulnerability in proc memory handling has
     been found.

 CVE-2004-0394

     A buffer overflow in the panic handling code has been found.

 CVE-2004-0447

     A local denial of service vulnerability through a null pointer
     dereference in the IA64 process handling code has been found.

 CVE-2004-0554

     A local denial of service vulnerability through an infinite loop in
     the signal handler code has been found.

 CVE-2004-0565

     An information leak in the context switch code has been found on
     the IA64 architecture.

 CVE-2004-0685

     Unsafe use of copy_to_user in USB drivers may disclose sensitive
     information.

 CVE-2005-0001

     A race condition in the i386 page fault handler may allow privilege
     escalation.

 CVE-2004-0883

     Multiple vulnerabilities in the SMB filesystem code may allow denial
     of service of information disclosure.

 CVE-2004-0949

     An information leak discovered in the SMB filesystem code.

 CVE-2004-1016

     A local denial of service vulnerability has been found in the SCM layer.

 CVE-2004-1333

     An integer overflow in the terminal code may allow a local denial of
     service vulnerability.

 CVE-2004-0997

     A local privilege escalation in the MIPS assembly code has been found.
 
 CVE-2004-1335
 
     A memory leak in the ip_options_get() function may lead to denial of
     service.
      
 CVE-2004-1017

     Multiple overflows exist in the io_edgeport driver which might be usable
     as a denial of service attack vector.
 
 CVE-2005-0124

     Bryan Fulton reported a bounds checking bug in the coda_pioctl function
     which may allow local users to execute arbitrary code or trigger a denial
     of service attack.

 CVE-2005-0528

     A local privilege escalation in the mremap function has been found

 CVE-2003-0984

     Inproper initialization of the RTC may disclose information.

 CVE-2004-1070

     Insufficient input sanitising in the load_elf_binary() function may
     lead to privilege escalation.

 CVE-2004-1071

     Incorrect error handling in the binfmt_elf loader may lead to privilege
     escalation.

 CVE-2004-1072

     A buffer overflow in the binfmt_elf loader may lead to privilege
     escalation or denial of service.

 CVE-2004-1073

     The open_exec function may disclose information.

 CVE-2004-1074

     The binfmt code is vulnerable to denial of service through malformed
     a.out binaries.

 CVE-2004-0138

     A denial of service vulnerability in the ELF loader has been found.

 CVE-2004-1068

     A programming error in the unix_dgram_recvmsg() function may lead to
     privilege escalation.

 CVE-2004-1234

     The ELF loader is vulnerable to denial of service through malformed
     binaries.

 CVE-2005-0003

     Crafted ELF binaries may lead to privilege escalation, due to 
     insufficient checking of overlapping memory regions.

 CVE-2004-1235

     A race condition in the load_elf_library() and binfmt_aout() functions
     may allow privilege escalation.

 CVE-2005-0504

     An integer overflow in the Moxa driver may lead to privilege escalation.

 CVE-2005-0384

     A remote denial of service vulnerability has been found in the PPP
     driver.

 CVE-2005-0135

     An IA64 specific local denial of service vulnerability has been found
     in the unw_unwind_to_user() function.

The following matrix explains which kernel version for which architecture
fix the problems mentioned above:

                                     Debian 3.0 (woody)
     Source                          2.4.18-14.4
     Alpha architecture              2.4.18-15woody1
     Intel IA-32 architecture        2.4.18-13.2
     HP Precision architecture       62.4 
     PowerPC architecture            2.4.18-1woody6
     PowerPC architecture/XFS        20020329woody1            
     PowerPC architecture/benh       20020304woody1
     Sun Sparc architecture          22woody1    

We recommend that you upgrade your kernel package immediately and reboot
the machine.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get dist-upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- --------------------------------


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEb9YGXm3vHE4uyloRAkhXAJ0e1RmUxVZSbQICFa/j07oKPfWRVwCeMrhj
wYGegwosZg6xi3oI77opLQY=
=eu/T
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
    

- 漏洞信息 (F46506)

Debian Linux Security Advisory 1067-1 (PacketStormID:F46506)
2006-05-22 00:00:00
Debian,Dann Frazier  debian.org
advisory,remote,denial of service,arbitrary,kernel,local,vulnerability
linux,debian
CVE-2004-0427,CVE-2005-0489,CVE-2004-0394,CVE-2004-0447,CVE-2004-0554,CVE-2004-0565,CVE-2004-0685,CVE-2005-0001,CVE-2004-0883,CVE-2004-0949,CVE-2004-1016,CVE-2004-1333,CVE-2004-0997,CVE-2004-1335,CVE-2004-1017,CVE-2005-0124,CVE-2005-0528,CVE-2003-0984
[点击下载]

Debian Security Advisory 1067-1 - Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1067-1                    security@debian.org
http://www.debian.org/security/               Martin Schulze, Dann Frazier
May 20th, 2006                          http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : kernel-source-2.4.16,kernel-image-2.4.16-lart,kernel-image-2.4.16-riscpc,kernel-image-2.4.16-netwinder
Vulnerability  : several
Problem-Type   : local/remote
Debian-specific: no
CVE IDs        : CVE-2004-0427 CVE-2005-0489 CVE-2004-0394 CVE-2004-0447 CVE-2004-0554 CVE-2004-0565 CVE-2004-0685  CVE-2005-0001 CVE-2004-0883 CVE-2004-0949 CVE-2004-1016 CVE-2004-1333 CVE-2004-0997 CVE-2004-1335 CVE-2004-1017 CVE-2005-0124 CVE-2005-0528 CVE-2003-0984 CVE-2004-1070 CVE-2004-1071 CVE-2004-1072 CVE-2004-1073 CVE-2004-1074 CVE-2004-0138 CVE-2004-1068 CVE-2004-1234 CVE-2005-0003 CVE-2004-1235 CVE-2005-0504 CVE-2005-0384 CVE-2005-0135

Several local and remote vulnerabilities have been discovered in the Linux
kernel that may lead to a denial of service or the execution of arbitrary
code. The Common Vulnerabilities and Exposures project identifies the
following problems:


 CVE-2004-0427

     A local denial of service vulnerability in do_fork() has been found.     

 CVE-2005-0489

     A local denial of service vulnerability in proc memory handling has
     been found.

 CVE-2004-0394

     A buffer overflow in the panic handling code has been found.

 CVE-2004-0447

     A local denial of service vulnerability through a null pointer
     dereference in the IA64 process handling code has been found.

 CVE-2004-0554

     A local denial of service vulnerability through an infinite loop in
     the signal handler code has been found.

 CVE-2004-0565

     An information leak in the context switch code has been found on
     the IA64 architecture.

 CVE-2004-0685

     Unsafe use of copy_to_user in USB drivers may disclose sensitive
     information.

 CVE-2005-0001

     A race condition in the i386 page fault handler may allow privilege
     escalation.

 CVE-2004-0883

     Multiple vulnerabilities in the SMB filesystem code may allow denial
     of service of information disclosure.

 CVE-2004-0949

     An information leak discovered in the SMB filesystem code.

 CVE-2004-1016

     A local denial of service vulnerability has been found in the SCM layer.

 CVE-2004-1333

     An integer overflow in the terminal code may allow a local denial of
     service vulnerability.

 CVE-2004-0997

     A local privilege escalation in the MIPS assembly code has been found.
 
 CVE-2004-1335
 
     A memory leak in the ip_options_get() function may lead to denial of
     service.
      
 CVE-2004-1017

     Multiple overflows exist in the io_edgeport driver which might be usable
     as a denial of service attack vector.
 
 CVE-2005-0124

     Bryan Fulton reported a bounds checking bug in the coda_pioctl function
     which may allow local users to execute arbitrary code or trigger a denial
     of service attack.

 CVE-2005-0528

     A local privilege escalation in the mremap function has been found

 CVE-2003-0984

     Inproper initialization of the RTC may disclose information.

 CVE-2004-1070

     Insufficient input sanitising in the load_elf_binary() function may
     lead to privilege escalation.

 CVE-2004-1071

     Incorrect error handling in the binfmt_elf loader may lead to privilege
     escalation.

 CVE-2004-1072

     A buffer overflow in the binfmt_elf loader may lead to privilege
     escalation or denial of service.

 CVE-2004-1073

     The open_exec function may disclose information.

 CVE-2004-1074

     The binfmt code is vulnerable to denial of service through malformed
     a.out binaries.

 CVE-2004-0138

     A denial of service vulnerability in the ELF loader has been found.

 CVE-2004-1068

     A programming error in the unix_dgram_recvmsg() function may lead to
     privilege escalation.

 CVE-2004-1234

     The ELF loader is vulnerable to denial of service through malformed
     binaries.

 CVE-2005-0003

     Crafted ELF binaries may lead to privilege escalation, due to 
     insufficient checking of overlapping memory regions.

 CVE-2004-1235

     A race condition in the load_elf_library() and binfmt_aout() functions
     may allow privilege escalation.

 CVE-2005-0504

     An integer overflow in the Moxa driver may lead to privilege escalation.

 CVE-2005-0384

     A remote denial of service vulnerability has been found in the PPP
     driver.

 CVE-2005-0135

     An IA64 specific local denial of service vulnerability has been found
     in the unw_unwind_to_user() function.

The following matrix explains which kernel version for which architecture
fix the problems mentioned above:

                                     Debian 3.0 (woody)
     Source                          2.4.16-1woody2
     arm/lart                        20040419woody1
     arm/netwinder                   20040419woody1
     arm/riscpc                      20040419woody1

We recommend that you upgrade your kernel package immediately and reboot
the machine.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get dist-upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.16-lart/kernel-image-2.4.16-lart_20040419woody1.dsc
      Size/MD5 checksum:      655 cbaba3ab1ea1f99557d717bb19908dc8
    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.16-lart/kernel-image-2.4.16-lart_20040419woody1.tar.gz
      Size/MD5 checksum:    16628 c10d76a01d03e58049b594270d7fd7c5
    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.16-netwinder/kernel-image-2.4.16-netwinder_20040419woody1.dsc
      Size/MD5 checksum:      693 be25ede481365d969f465a0356bfe047
    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.16-netwinder/kernel-image-2.4.16-netwinder_20040419woody1.tar.gz
      Size/MD5 checksum:    21947 12d6a2977ba7683e48e92293e4a87cf6
    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.16-riscpc/kernel-image-2.4.16-riscpc_20040419woody1.dsc
      Size/MD5 checksum:      661 6895c73dc50b56d48588e3f053fbcc05
    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.16-riscpc/kernel-image-2.4.16-riscpc_20040419woody1.tar.gz
      Size/MD5 checksum:    19300 3e60e7aa88e553221264f1b004d9091d
    http://security.debian.org/pool/updates/main/k/kernel-source-2.4.16/kernel-source-2.4.16_2.4.16-1woody3.dsc
      Size/MD5 checksum:      680 81e8e543d617f8464a222767e18aa261
    http://security.debian.org/pool/updates/main/k/kernel-source-2.4.16/kernel-source-2.4.16_2.4.16-1woody3.diff.gz
      Size/MD5 checksum:    46430 d164de27560966cb695141de9b004e7e
    http://security.debian.org/pool/updates/main/k/kernel-source-2.4.16/kernel-source-2.4.16_2.4.16.orig.tar.gz
      Size/MD5 checksum: 29364642 8e42e72848dc5098b6433d66d5cacffc

  ARM architecture:

    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.16-lart/kernel-image-2.4.16-lart_20040419woody1_arm.deb
      Size/MD5 checksum:   718814 87806c13fa914865ecc00f784c64a8f4
    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.16-netwinder/kernel-headers-2.4.16_20040419woody1_arm.deb
      Size/MD5 checksum:  3437272 3061b1a8212d2538bdbffa9609300322
    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.16-netwinder/kernel-image-2.4.16-netwinder_20040419woody1_arm.deb
      Size/MD5 checksum:  6675192 b588a74f3b53c06ef3ffb26218c6e191
    http://security.debian.org/pool/updates/main/k/kernel-image-2.4.16-riscpc/kernel-image-2.4.16-riscpc_20040419woody1_arm.deb
      Size/MD5 checksum:  2914360 3df4986a2bfa64ddea35cb2b76d390a5

  Architecture independent components:

    http://security.debian.org/pool/updates/main/k/kernel-source-2.4.16/kernel-doc-2.4.16_2.4.16-1woody3_all.deb
      Size/MD5 checksum:  1718004 b458e950b6aabb99a781f507c2015dd3
    http://security.debian.org/pool/updates/main/k/kernel-source-2.4.16/kernel-source-2.4.16_2.4.16-1woody3_all.deb
      Size/MD5 checksum: 23820868 3001c4af6222fa22ecba3053a146e248

  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEbtDmXm3vHE4uyloRAhZsAJ0Uw7DM7RtiBSmWWskg8FXq0do5TACeMk43
Y8lxItKTeEpmOE/9asuJ6UU=
=fM5d
-----END PGP SIGNATURE-----

    

- 漏洞信息 (F35833)

Openwall Linux Kernel Patch (PacketStormID:F35833)
2005-01-22 00:00:00
Solar Designer  openwall.com
overflow,kernel
linux
CVE-2004-1235,CVE-2005-0001
[点击下载]

The Openwall Linux kernel patch is a collection of security hardening features for the Linux kernel which can stop most 'cookbook' buffer overflow exploits. The patch can also add more privacy to the system by restricting access to parts of /proc so that users may not see what others are doing. Also tightens down file descriptors 0, 1, and 2, implements process limits and shared memory destruction.

- 漏洞信息 (F35760)

stackgrow2.c (PacketStormID:F35760)
2005-01-16 00:00:00
Christophe Devine  
exploit,proof of concept
linux
CVE-2005-0001
[点击下载]

Full version of the expand_stack SMP race proof of concept exploit that makes use of a locally exploitable flaw in the Linux page fault handler code.

- 漏洞信息 (F35708)

stackgrow.c (PacketStormID:F35708)
2005-01-15 00:00:00
Christophe Devine  
exploit,proof of concept
linux
CVE-2005-0001
[点击下载]

expand_stack SMP race proof of concept exploit that makes use of a locally exploitable flaw in the Linux page fault handler code.

- 漏洞信息 (F35707)

isec-0022-pagefault.txt (PacketStormID:F35707)
2005-01-15 00:00:00
Paul Starzetz  isec.pl
advisory,root
linux
CVE-2005-0001
[点击下载]

A locally exploitable flaw has been found in the Linux page fault handler code that allows users to gain root privileges if running on multiprocessor machine.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Synopsis:  Linux kernel i386 SMP page fault handler privilege escalation
Product:   Linux kernel
Version:   2.2 up to and including 2.2.27-rc1, 2.4 up to and including
           2.4.29-rc1, 2.6 up to and including 2.6.10
Vendor:    http://www.kernel.org/
URL:       http://isec.pl/vulnerabilities/isec-0022-pagefault.txt
CVE:       CAN-2005-0001
Author:    Paul Starzetz <ihaquer@isec.pl>
Date:      Jan 12, 2005


Issue:
======

Locally  exploitable flaw has been found in the Linux page fault handler
code  that  allows  users  to  gain  root  privileges  if   running   on
multiprocessor machine.


Details:
========

The  Linux  kernel is the core software component of a Linux environment
and is responsible  for  handling  of  machine  resources.  One  of  the
functions  of  an operating system kernel is handling of virtual memory.
On Linux virtual memory is provided on demand if an application accesses
virtual memory areas.

One  of  the core components of the Linux VM subsystem is the page fault
handler that is called if applications  try  to  access  virtual  memory
currently not physically mapped or not available in their address space.

The page fault handler has the function to properly identify the type of
the  requested  virtual memory access and take the appropriate action to
allow or deny application's VM request. Actions taken may also include a
stack expansion if the access goes just below application's actual stack
limit.

An exploitable race condition exists in the page fault  handler  if  two
concurrent  threads  sharing the same virtual memory space request stack
expansion at the same time. It is  only  exploitable  on  multiprocessor
machines (that also includes systems with hyperthreading).


Discussion:
===========

The   vulnerable   code   resides   for   the   i386   architecture   in
arch/i386/mm/fault.c in your kernel source code tree:

[186]  down_read(&mm->mmap_sem);

       vma = find_vma(mm, address);
       if (!vma)
              goto bad_area;
       if (vma->vm_start <= address)
              goto good_area;
       if (!(vma->vm_flags & VM_GROWSDOWN))
              goto bad_area;
       if (error_code & 4) {
              /*
               * accessing the stack below %esp is always a bug.
               * The "+ 32" is there due to some instructions (like
               * pusha) doing post-decrement on the stack and that
               * doesn't show up until later..
               */
[*]           if (address + 32 < regs->esp)
                     goto bad_area;
       }
       if (expand_stack(vma, address))
              goto bad_area;

where the line number has been given for the kernel 2.4.28 version.

Since the page fault handler is executed  with  the  mmap_sem  semaphore
held  for  reading  only,  two  concurrent threads may enter the section
after the line 186.

The checks following line 186 ensure that the VM request is valid and in
case  it  goes  just below the actual stack limit [*], that the stack is
expanded  accordingly.  On  Linux  the  notion  of  stack  includes  any
VM_GROWSDOWN  virtual memory area, that is, it need not to be the actual
process's stack.

The exploitable race condition scenario looks as follows:


A. thread_1 accesses a VM_GROWSDOWN area just below its actual  starting
address, lets call it fault_1,

B.  thread_2  accesses  the same area at address fault_2 where fault_2 +
PAGE_SIZE <= fault_1, that is:

[   NOPAGE    ] [fault_1      ] [     VMA     ]  --->  higher  addresses
[fault_2      ] [   NOPAGE    ] [     VMA     ]

where  one  [] bracket pair stands for a page frame in the application's
page table.

C. if thread_2 is slightly faster than thread_1 following happens:

[   PAGE2     ] [PAGE1                VMA     ]


that is, the stack is first expanded inside the expand_stack()  function
to  cover  fault_2,  however  it is right after 'expanded' to cover only
fault_1 since the necessary checks have already been  passed.  In  other
words,  the process's page table includes now two page references (PTEs)
but only one is covered by the virtual memory  area  descriptor  (namely
only page1). The race window is very small but it is exploitable.

Once  the  reference  to page2 is available in the page table, it can be
freely read or written by both threads. It will also not be released  to
the virtual memory management on process termination. Similar techniques
like in

http://www.isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt

may be further used to inject these  lost  page  frames  into  a  setuid
application  in  order  to gain elevated privileges (due to kmod this is
also possible without any executable setuid binaries).


Impact:
=======

Unprivileged local users can gain  elevated  (root)  privileges  on  SMP
machines.


Credits:
========

Paul  Starzetz  <ihaquer@isec.pl>  has  identified the vulnerability and
performed further research. RedHat reported that a customer also pointed
out  some  problems  with the page fault handler on SMP about 20.12.2004
and they  already  included  a  patch  for  this  vulnerability  in  the
kernel-2.4.21-27.EL  release,  however  the  bug  did not make it to the
security division.

COPYING, DISTRIBUTION, AND MODIFICATION OF INFORMATION PRESENTED HERE IS
ALLOWED ONLY WITH EXPRESS PERMISSION OF ONE OF THE AUTHORS.


Disclaimer:
===========

This  document and all the information it contains are provided "as is",
for educational purposes only, without warranty  of  any  kind,  whether
express or implied.

The  authors reserve the right not to be responsible for the topicality,
correctness, completeness or quality of  the  information   provided  in
this  document.  Liability  claims regarding damage caused by the use of
any information provided, including any kind  of  information  which  is
incomplete or incorrect, will therefore be rejected.


Appendix:
=========

A proof of  concept code won't be disclosed now.  Special thanks goes to
OSDL and Marcelo Tosatti for providing a SMP testbed.

- --
Paul Starzetz
iSEC Security Research
http://isec.pl/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFB5RakC+8U3Z5wpu4RAvdWAKDV1BKNP79FTdQndsacDrbBdnnCXQCg5Dd9
VBbPtRVVhmlzmoGx0DfHgCU=
=2VKr
-----END PGP SIGNATURE-----


    

- 漏洞信息

12914
Linux Kernel Multiprocessor Page Fault Handler Race Condition
Local Access Required Race Condition
Loss of Integrity
Exploit Public

- 漏洞描述

Linux Kernel contains a flaw that may allow a malicious user to execute arbitrary code with root privileges on multi-processor systems. The issue is caused by the page fault handler and is triggered when two threads, which share the same virtual memory space, request a stack expansion simultaneously. It is possible that the flaw may allow arbitrary code execution resulting in a loss of integrity.

- 时间线

2005-01-13 Unknow
2005-01-13 Unknow

- 解决方案

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- 相关参考

- 漏洞作者

- 漏洞信息

Linux Kernel Symmetrical Multiprocessing Page Fault Local Privilege Escalation Vulnerability
Race Condition Error 12244
No Yes
2005-01-12 12:00:00 2007-01-17 09:31:00
Discovery of this issue is credited to Paul Starzetz <ihaquer@isec.pl>.

- 受影响的程序版本

SuSE SUSE Linux Enterprise Server 8
+ Linux kernel 2.4.21
+ Linux kernel 2.4.19
S.u.S.E. Novell Linux Desktop 9.0
S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 9.1
S.u.S.E. Linux Personal 9.0
S.u.S.E. Linux Personal 8.2
S.u.S.E. Linux Enterprise Server 9
S.u.S.E. Linux Desktop 1.0
S.u.S.E. Linux 8.1
RedHat Linux 9.0 i386
RedHat Linux 7.3 i386
RedHat Enterprise Linux WS 4
RedHat Enterprise Linux ES 4
RedHat Desktop 4.0
Red Hat Fedora Core1
Red Hat Enterprise Linux AS 4
Mandriva Linux Mandrake 10.1 x86_64
Mandriva Linux Mandrake 10.1
Mandriva Linux Mandrake 10.0 AMD64
Mandriva Linux Mandrake 10.0
Mandriva Linux Mandrake 9.2 amd64
Mandriva Linux Mandrake 9.2
MandrakeSoft Multi Network Firewall 2.0
MandrakeSoft Corporate Server 3.0
MandrakeSoft Corporate Server 2.1 x86_64
MandrakeSoft Corporate Server 2.1
Linux kernel 2.6.10
Linux kernel 2.6.9
Linux kernel 2.6.8 rc3
Linux kernel 2.6.8 rc2
Linux kernel 2.6.8 rc1
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
Linux kernel 2.6.8
+ S.u.S.E. Linux Personal 9.2 x86_64
+ S.u.S.E. Linux Personal 9.2
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
Linux kernel 2.6.7 rc1
Linux kernel 2.6.7
Linux kernel 2.6.6 rc1
Linux kernel 2.6.6
Linux kernel 2.6.5
Linux kernel 2.6.4
Linux kernel 2.6.3
Linux kernel 2.6.2
Linux kernel 2.6.1 -rc2
Linux kernel 2.6.1 -rc1
Linux kernel 2.6.1
Linux kernel 2.6 .10
Linux kernel 2.6
Linux kernel 2.4.29 -rc1
Linux kernel 2.4.28
+ Trustix Secure Enterprise Linux 2.0
+ Trustix Secure Linux 2.2
+ Trustix Secure Linux 2.1
+ Trustix Secure Linux 2.0
Linux kernel 2.4.27
Linux kernel 2.4.26
Linux kernel 2.4.25
Linux kernel 2.4.24
Linux kernel 2.4.23
+ Trustix Secure Linux 2.0
Linux kernel 2.4.22
+ Devil-Linux Devil-Linux 1.0.5
+ Devil-Linux Devil-Linux 1.0.4
+ Mandriva Linux Mandrake 9.2 amd64
+ Mandriva Linux Mandrake 9.2
+ Red Hat Fedora Core1
+ Slackware Linux 9.1
Linux kernel 2.4.21
+ Conectiva Linux 9.0
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
+ Red Hat Enterprise Linux AS 3
+ RedHat Desktop 3.0
+ RedHat Enterprise Linux ES 3
+ RedHat Enterprise Linux WS 3
+ S.u.S.E. Linux Personal 9.0 x86_64
+ S.u.S.E. Linux Personal 9.0
+ SuSE SUSE Linux Enterprise Server 8
Linux kernel 2.4.20
Linux kernel 2.4.19
+ Conectiva Linux 8.0
+ Conectiva Linux Enterprise Edition 1.0
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ MandrakeSoft Multi Network Firewall 2.0
+ Mandriva Linux Mandrake 9.0
+ S.u.S.E. Linux 8.1
+ Slackware Linux -current
+ SuSE SUSE Linux Enterprise Server 8
+ SuSE SUSE Linux Enterprise Server 7
Linux kernel 2.4.18 x86
Linux kernel 2.4.18
+ Astaro Security Linux 2.0 23
+ Astaro Security Linux 2.0 16
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Mandriva Linux Mandrake 8.2
+ Mandriva Linux Mandrake 8.1
+ Mandriva Linux Mandrake 8.0
+ Red Hat Enterprise Linux AS 2.1 IA64
+ RedHat Advanced Workstation for the Itanium Processor 2.1 IA64
+ RedHat Advanced Workstation for the Itanium Processor 2.1
+ RedHat Linux 8.0
+ RedHat Linux 7.3
+ S.u.S.E. Linux 8.1
+ S.u.S.E. Linux 8.0
+ S.u.S.E. Linux 7.3
+ S.u.S.E. Linux 7.2
+ S.u.S.E. Linux 7.1
+ S.u.S.E. Linux Connectivity Server
+ S.u.S.E. Linux Database Server 0
+ S.u.S.E. Linux Firewall on CD
+ S.u.S.E. Linux Office Server
+ S.u.S.E. Linux Openexchange Server
+ S.u.S.E. Linux Personal 8.2
+ S.u.S.E. SuSE eMail Server 3.1
+ S.u.S.E. SuSE eMail Server III
+ SuSE SUSE Linux Enterprise Server 8
+ SuSE SUSE Linux Enterprise Server 7
+ Turbolinux Turbolinux Server 8.0
+ Turbolinux Turbolinux Server 7.0
+ Turbolinux Turbolinux Workstation 8.0
+ Turbolinux Turbolinux Workstation 7.0
Linux kernel 2.4.17
Linux kernel 2.4.16
Linux kernel 2.4.15
Linux kernel 2.4.14
Linux kernel 2.4.13
+ Caldera OpenLinux Server 3.1.1
+ Caldera OpenLinux Workstation 3.1.1
Linux kernel 2.4.12
+ Conectiva Linux 7.0
Linux kernel 2.4.11
Linux kernel 2.4.10
Linux kernel 2.4.9
+ Red Hat Enterprise Linux AS 2.1 IA64
+ Red Hat Enterprise Linux AS 2.1
+ RedHat Enterprise Linux ES 2.1 IA64
+ RedHat Enterprise Linux ES 2.1
+ RedHat Enterprise Linux WS 2.1 IA64
+ RedHat Enterprise Linux WS 2.1
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.2 alpha
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1 alpha
+ Sun Linux 5.0.5
+ Sun Linux 5.0.3
+ Sun Linux 5.0
Linux kernel 2.4.8
+ Mandriva Linux Mandrake 8.2
+ Mandriva Linux Mandrake 8.1
+ Mandriva Linux Mandrake 8.0
Linux kernel 2.4.7
+ RedHat Linux 7.2
+ S.u.S.E. Linux 7.2
+ S.u.S.E. Linux 7.1
Linux kernel 2.4.6
Linux kernel 2.4.5
+ Slackware Linux 8.0
Linux kernel 2.4.4
+ S.u.S.E. Linux 7.2
Linux kernel 2.4.3
+ Mandriva Linux Mandrake 8.0 ppc
+ Mandriva Linux Mandrake 8.0
Linux kernel 2.4.2
Linux kernel 2.4.1
Linux kernel 2.4
Linux kernel 2.2.27 -rc1
Linux kernel 2.2.26
Linux kernel 2.2.25
Linux kernel 2.2.24
Linux kernel 2.2.23
Linux kernel 2.2.22
Linux kernel 2.2.21
Linux kernel 2.2.20
+ Mandriva Linux Mandrake 8.2 ppc
+ Mandriva Linux Mandrake 8.2
Linux kernel 2.2.19
Linux kernel 2.2.18
+ Caldera OpenLinux 2.4
+ Conectiva Linux 6.0
+ Conectiva Linux 5.1
+ Conectiva Linux 5.0
+ Conectiva Linux 4.2
+ Conectiva Linux 4.1
+ Conectiva Linux 4.0 es
+ Conectiva Linux 4.0
+ Conectiva Linux graficas
+ Conectiva Linux ecommerce
+ Debian Linux 2.2 sparc
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 68k
+ Debian Linux 2.2
+ Mandriva Linux Mandrake 7.2
+ Mandriva Linux Mandrake 7.1
+ Mandriva Linux Mandrake 7.0
+ Mandriva Linux Mandrake 6.1
+ Mandriva Linux Mandrake 6.0
+ RedHat Linux 7.0 sparc
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0 alpha
+ RedHat Linux 6.2 sparc
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 alpha
+ RedHat Linux 6.1 sparc
+ RedHat Linux 6.1 i386
+ RedHat Linux 6.1 alpha
+ RedHat Linux 6.0 sparc
+ RedHat Linux 6.0 alpha
+ RedHat Linux 6.0
+ S.u.S.E. Linux 7.0
+ S.u.S.E. Linux 6.4 ppc
+ S.u.S.E. Linux 6.4 alpha
+ S.u.S.E. Linux 6.4
+ S.u.S.E. Linux 6.3 ppc
+ S.u.S.E. Linux 6.3 alpha
+ S.u.S.E. Linux 6.3
+ S.u.S.E. Linux 6.1 alpha
+ S.u.S.E. Linux 6.1
+ S.u.S.E. Linux 6.0
+ SCO eDesktop 2.4
+ SCO eServer 2.3.1
+ Slackware Linux 7.1
+ Slackware Linux 7.0
+ Slackware Linux 4.0
+ Wirex Immunix OS 7.0 -Beta
+ Wirex Immunix OS 7.0
+ Wirex Immunix OS 6.2
Linux kernel 2.2.17
+ Mandriva Linux Mandrake 7.2
+ S.u.S.E. Linux 7.0
+ Trustix Secure Linux 1.2
Linux kernel 2.2.16 pre6
Linux kernel 2.2.16
Linux kernel 2.2.15 pre20
Linux kernel 2.2.15 pre16
Linux kernel 2.2.15
Linux kernel 2.2.14
+ Red Hat Linux 6.2
+ SCO eDesktop 2.4
+ SCO eServer 2.3.1
+ Sun Cobalt RaQ 4
Linux kernel 2.2.13
+ S.u.S.E. Linux 6.4
+ S.u.S.E. Linux 6.3
Linux kernel 2.2.12
Linux kernel 2.2.11
Linux kernel 2.2.10
Linux kernel 2.2.9
Linux kernel 2.2.8
Linux kernel 2.2.7
Linux kernel 2.2.6
Linux kernel 2.2.5
Linux kernel 2.2.4
Linux kernel 2.2.3
Linux kernel 2.2.2
Linux kernel 2.2.1
Linux kernel 2.2
Debian Linux 3.0 sparc
Debian Linux 3.0 s/390
Debian Linux 3.0 ppc
Debian Linux 3.0 mipsel
Debian Linux 3.0 mips
Debian Linux 3.0 m68k
Debian Linux 3.0 ia-64
Debian Linux 3.0 ia-32
Debian Linux 3.0 hppa
Debian Linux 3.0 arm
Debian Linux 3.0 alpha
Debian Linux 3.0
Conectiva Linux 10.0

- 漏洞讨论

A local privilege-escalation vulnerability affects the page-fault handler of the Linux Kernel on symmetric multiprocessor (SMP) computers. This issue is due to a race-condition error that may allow an attacker to gain superuser privileges.

A malicious local attacker may exploit this issue to gain superuser privileges on an affected computer.

- 漏洞利用

Christophe Devine has supplied the following proof-of-concept exploit ('stackgrow.c'). An additional exploit ('expand_stack.c') was supplied by Christophe Devine and Julien Tinnes:

- 解决方案

Please see the referenced advisories for information on obtaining and applying the appropriate updates.


Linux kernel 2.4.17

Linux kernel 2.4.18

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站