[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Linux 2.0.34pre10: Summary of fixed vulnerabilities (fwd)
Upcoming Linux 2.0.34 kernel, here are the bug fixes (from Alan Cox)
The latest patch level is 2.0.34pre11 , available at:
ftp://ftp.uk.linux.org/pub/linux/incoming/patch-2.0.34pre11b.gz
--Ariel
Bug Fixes
Fragment handling bug [Remote DoS] BUGTRAQ
A bug in fragment handling that could cause a kernel crash has
been fixed.
MM Corruption [theoretical remote DoS]
A bug in which 2.0.33 could suffer memory corruption and
possible crashes under very high load has been fixed.
LDT Leak [local DoS]
A situation which DOSemu and Wine could leak memory used for
LDT tables has been fixed.
Floppy Driver [local DoS, needs root/setuid]
A bug in which the floppy driver could crash when its interrupt
or DMA resources were not available has been fixed. This was an
extremely abnormal situation but a real bug.
Inode count overrun [local giving root access] BUGTRAQ
A bug in which a specifically malicious program could cause an
inode count overrun has been fixed.
Obscure serial race [local DoS needs setuid app]
An obscure race in the serial driver has been removed.
Quota crash [requires misconfigurations of setuid apps] BUGTRAQ
A very obscure situation in which the quota subsystem performed
an invalid seek on the quota database has been fixed.
Memory corruption on clone [local DoS]
A bug causing memory corruption when mmaping memory during a
clone in specific situations has been fixed.
Possible overflow on Alpha [local DoS]
A possible integer overflow on group handling for the Alpha
platform has been fixed.
Socket crashes [local DoS]
A possible socket layer crash with AX.25/NetROM/ROSE/X.25 has
been fixed in 2.0.34
RAW socket handling [Crash only if root does something at the time]
A small bug in raw socket handling which could cause a crash in
very obscure situations has been fixed.
Loading bogus modules [Crash, DoS] BUGTRAQ
A situation existed in earlier kernels where a user process
could cause a module to be loaded. It was possible to exploit
this to load modules that the administrator had installed but
did not wish loaded. Fixed in 2.0.34. Note that this means only
superuser processes can load network interfaces.
TCP listened to ICMP source quench [limited impairment of connections]
This is no longer 'good practice' and we also backed off twice
once from the error and once from the drop. This was primarily
needed to handle 3COM office connect routers which appear to
send source quench (its been obsolete for years so they should
not) and without rate limiting (also not allowed).
Window searching [possible connection attacks]
An obscure quirk allowing a third party to discover the current
window for a TCP connection has been fixed.
Unsafe temporary file [local root breach requires timing with the make]
BUGTRAQ
The 'make config' script used an unsafe temporary file. It now
uses a file in its working directory.
Alan