Hi,
here is the fourth hotfix for 2.4.32 and older kernels. There are 9 new
fixes, 5 of which are security-related, 1 memory leak, and 3 minor bugs :
- 2.4.32-CVE-2006-0741-always-check-that-rips-are-canonical-1 (Andi Kleen)
- 2.4.32-CVE-2006-1524-fix-shm-mprotect-1 (Hugh Dickins)
- 2.4.32-CVE-2006-1056-i386-x86_64-x87-information-leak-1 (Andi Kleen)
- 2.4.32-via-rhine-zero-pad-short-packets-1 (Craig Brind)
- 2.4.32-CVE-2006-1864-smbfs-escape-chroot-1 (Olaf Kirch)
- 2.4.32-netfilter-ipt_recent-memleak-1 (Jesper Juhl)
- 2.4.32-nfs-cache-consistency-with-mmap-1 (Jeff Layton)
- 2.4.32-vlan_ioctl-missing-checks-1 (Mika Kukkonen)
- 2.4.32-quota_v2-module-taints-the-kernel-1 (Marek Szuba)
This leads to the following number of patches per kernel :
Version | New | Total
--------+-----+------
2.4.28 | 9 | 170
2.4.29 | 9 | 167
2.4.30 | 9 | 101
2.4.31 | 9 | 88
2.4.32 | 9 | 38
--------+-----+------
Please note that two of those patches are not in mainline yet (merged at the
last minute) : the SMBFS fix (CVE-2006-1864, which is fixed in 2.6.16.14) and
the ipt_recent memory leak.
I've built it with all modules on x86-smp but not booted it yet. The detailed
changelog follows.
Please use the links below to download it :
hotfixes home : http://linux.exosec.net/kernel/2.4-hf/
last version : http://linux.exosec.net/kernel/2.4-hf/LATEST/LATEST/
RSS feed : http://linux.exosec.net/kernel/hf.xml
build results : http://bugsplatter.mine.nu/test/linux-2.4/ (Grant's site)
GIT : http://w.ods.org/kernel/2.4/patches-2.4-hf.git/
GITWEB : http://w.ods.org/git/?p=patches-2.4-hf.git;a=summary
Changelog from 2.4.32-hf32.3 to 2.4.32-hf32.4
---------------------------------------
'+' = added ; '-' = removed
+ 2.4.32-CVE-2006-0741-always-check-that-rips-are-canonical-1 (Andi Kleen)
This works around a problem in handling non canonical RIPs on SYSRET on
Intel CPUs. They report the #GP on the SYSRET, not the next instruction
as Linux expects it. With these changes this path should never see a non
canonical user RIP. This is CVE-2006-0741. Roughly based on a patch by
Ernie Petrides, but redone by AK.
+ 2.4.32-CVE-2006-1524-fix-shm-mprotect-1 (Hugh Dickins)
shmat stop mprotect from giving write permission to a readonly
attachment.
+ 2.4.32-CVE-2006-1056-i386-x86_64-x87-information-leak-1 (Andi Kleen)
AMD K7/K8 CPUs only save/restore the FOP/FIP/FDP x87 registers in FXSAVE
when an exception is pending. This means the value leak through context
switches and allow processes to observe some x87 instruction state of
other processes. This is CVE-2006-1056. The problem was discovered
originally by Jan Beulich. Richard Brunner provided the basic code for
the workarounds with contributions from Jan.
+ 2.4.32-via-rhine-zero-pad-short-packets-1 (Craig Brind)
Fixes Rhine I cards disclosing fragments of previously transmitted
frames in new transmissions.
Before transmission, any socket buffer (skb) shorter than the ethernet
minimum length of 60 bytes was zero-padded. On Rhine I cards the data
can later be copied into an aligned transmission buffer without copying
this padding. This resulted in the transmission of the frame with the
extra bytes beyond the provided content leaking the previous contents of
this buffer on to the network. Now zero-padding is repeated in the local
aligned buffer if one is used.
+ 2.4.32-CVE-2006-1864-smbfs-escape-chroot-1 (Olaf Kirch)
Initial work and description from Olaf Kirch for kernel 2.6 :
Mark Moseley reported that a chroot environment on a SMB share can be
left via "cd ..\\". Similar to CVE-2006-1863 issue with cifs, this fix
is for smbfs (CVE-2006-1864). Steven French <[email protected]> wrote:
Looks fine to me. This should catch the slash on lookup or equivalent,
which will be all obvious paths of interest. Back-ported from 2.6 to 2.4
by Willy Tarreau.
+ 2.4.32-netfilter-ipt_recent-memleak-1 (Jesper Juhl)
The Coverity checker spotted that we may leak 'hold' in
net/ipv4/netfilter/ipt_recent.c::checkentry() when the following
is true :
if (!curr_table->status_proc) {
...
if(!curr_table) {
...
return 0; <-- here we leak.
Simply moving an existing vfree(hold); up a bit avoids the possible leak.
+ 2.4.32-nfs-cache-consistency-with-mmap-1 (Jeff Layton)
A customer of Red Hat reported a problem with cache invalidation when
using mmapped files over NFS with the 2.4 kernel. This patch fixes this
by checking whether the clean_pages list for the inode is empty after
invalidate_inode_pages is called. If it's not then we set a flag so on
the next pass through it automatically flags the data as invalid.
+ 2.4.32-vlan_ioctl-missing-checks-1 (Mika Kukkonen)
In vlan_ioctl_handler() the code misses couple checks for
error return values. The same patch was merged into 2.6.
+ 2.4.32-quota_v2-module-taints-the-kernel-1 (Marek Szuba)
Apparently the quota_v2 module in 2.4 still lacks the licence macro
and taints the kernel, even though the same module in 2.6 is correctly
tagged as GPL. In case it makes things any easier, I am enclosing an
appropriate patch.
--
Willy Tarreau - http://w.ods.org/
EXOSEC - ZAC des Metz - 3 Rue du petit robinson - 78350 JOUY EN JOSAS
N°Indigo: 0 825 075 510 - Accueil: +33 1 72 89 72 30 - Fax: +33 1 72 89 80 19
Site web : http://www.exosec.fr/
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]