Bugtraq mailing list archives
Linux 2.0.34pre10: Summary of fixed vulnerabilities
From: alan () LXORGUK UKUU ORG UK (Alan Cox)
Date: Mon, 20 Apr 1998 20:39:50 +0100
> I'm not sure if it's known, but I haven't found anything about it. No matter, there's something strange in net/ipv4/ip_fragment.h (it's probably Alan's fault):
Not sure whose, but yes its a bug. Putting NETDEBUG around it is correct.
Its impact on my box was pretty minimal - slow down a bit and entries
of the form "Message repeated 500000 times" in the syslog.
Both of these are fixed in 2.0.34pre10 which should become 2.0.34 very soon
I've also attached relevant release notes items. Not all of these will
be known to bugtraq and I will not be answering queries about them until
a while after 2.0.34 is out. If I've missed any others please let me know
so I can have them nailed before 2.0.34.
Thanks go out to all the folks, bugtraq & otherwise, who've contributed bug
reports and fixes. Less thanks to the guys who didn't bother telling people
first 8)
If people can report bugs to the authors of software first before bugtraq
it does help, as with all vendors. Do put a time limit on your period of
early notification; it speeds every vendor up 8). I'm quite happy to organise
having something fixed on the quiet so as not to spoil your thunder of being
first on bugtraq with the bug.
Bug Fixes
Fragment handling bug [Remote DoS] BUGTRAQ
A bug in fragment handling that could cause a kernel crash has
been fixed.
MM Corruption [theoretical remote DoS]
A bug in which 2.0.33 could suffer memory corruption and
possible crashes under very high load has been fixed.
LDT Leak [local DoS]
A situation in which DOSemu and Wine could leak memory used for
LDT tables has been fixed.
Floppy Driver [local DoS, needs root/setuid]
A bug in which the floppy driver could crash when its interrupt
or DMA resources were not available has been fixed. This was an
extremely abnormal situation but a real bug.
Inode count overrun [local giving root access] BUGTRAQ
A bug in which a specifically malicious program could cause an
inode count overrun has been fixed.
Obscure serial race [local DoS needs setuid app]
An obscure race in the serial driver has been removed.
Quota crash [requires misconfigurations of setuid apps] BUGTRAQ
A very obscure situation in which the quota subsystem performed
an invalid seek on the quota database has been fixed.
Memory corruption on clone [local DoS]
A bug causing memory corruption when mmaping memory during a
clone in specific situations has been fixed.
Possible overflow on Alpha [local DoS]
A possible integer overflow on group handling for the Alpha
platform has been fixed.
Socket crashes [local DoS]
A possible socket layer crash with AX.25/NetROM/ROSE/X.25 has
been fixed in 2.0.34.
RAW socket handling [Crash only if root does something at the time]
A small bug in raw socket handling which could cause a crash in
very obscure situations has been fixed.
Loading bogus modules [Crash, DoS] BUGTRAQ
A situation existed in earlier kernels where a user process
could cause a module to be loaded. It was possible to exploit
this to load modules that the administrator had installed but
did not wish loaded. Fixed in 2.0.34. Note that this means only
superuser processes can load network interfaces.
TCP listened to ICMP source quench [limited impairment of connections]
This is no longer 'good practice' and we also backed off twice,
once from the error and once from the drop. This was primarily
needed to handle 3COM office connect routers which appear to
send source quench (it's been obsolete for years so they should
not) and without rate limiting (also not allowed).
Window searching [possible connection attacks]
An obscure quirk allowing a third party to discover the current
window for a TCP connection has been fixed.
Unsafe temporary file [local root breach, requires timing with the make] BUGTRAQ
The 'make config' script used an unsafe temporary file. It now
uses a file in its working directory.
Alan
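The last item above, the unsafe temporary file in 'make config', is the classic symlink race: a privileged script writes to a guessable name in a world-writable directory, and a local user who plants a symlink at that name beforehand gets the script to overwrite the link's target. The following is an added example, not the kernel's own script or Alan's fix; the path names, function names and the sandbox it stages are all assumptions made for the demonstration. It shows the vulnerable pattern next to the hardened one (a file created with mktemp in a directory the script owns, the approach the release note describes) and stages the attack against both.

```shell
#!/bin/sh
# Added example (not the kernel's 'make config' script): a predictable
# temp-file race and the fix. All names and paths here are assumptions.

# VULNERABLE: a guessable name in a shared directory, written with '>'.
# The shell opens the path with O_CREAT|O_TRUNC and follows symlinks, so a
# pre-planted symlink at that name redirects the write to its target.
unsafe_write() {
    path=$1 content=$2
    printf '%s\n' "$content" > "$path"
}

# HARDENED: create the scratch file in a directory we control, using
# mktemp, which calls mkstemp() and therefore O_CREAT|O_EXCL: an existing
# file or symlink at the chosen name makes creation fail instead of being
# followed, and the name itself is unpredictable. Prints the created path.
safe_write() {
    dir=$1 content=$2
    tmp=$(mktemp "$dir/.config.XXXXXX") || return 1
    # Belt and braces: never write through a symlink, whatever mktemp did.
    [ -L "$tmp" ] && return 1
    printf '%s\n' "$content" > "$tmp" || return 1
    printf '%s\n' "$tmp"
}

# Stage the attack in a private sandbox (constructed for the demo): a
# "victim" file standing in for something sensitive, and an attacker's
# symlink at the guessable name. Prints one line per variant.
demo_tempfile_race() {
    sandbox=$(mktemp -d) || return 1
    victim=$sandbox/victim
    printf 'original\n' > "$victim"
    ln -s "$victim" "$sandbox/predictable.tmp"   # the attacker's move

    unsafe_write "$sandbox/predictable.tmp" "config output"
    if [ "$(cat "$victim")" = "config output" ]; then
        echo "unsafe_write: clobbered"
    else
        echo "unsafe_write: intact"
    fi

    printf 'original\n' > "$victim"
    out=$(safe_write "$sandbox" "config output") || { echo "safe_write: failed"; return 1; }
    if [ "$(cat "$victim")" = "original" ] && [ "$(cat "$out")" = "config output" ]; then
        echo "safe_write: intact"
    else
        echo "safe_write: clobbered"
    fi
    rm -rf "$sandbox"
}
```

Run `demo_tempfile_race` to see the unsafe variant overwrite the victim through the symlink while the hardened one leaves it untouched. Note that moving the file out of /tmp only helps if the working directory is not writable by other users; the O_EXCL creation is what actually closes the race.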