X-RDate: Tue, 21 Apr 1998 13:02:32 +0600 (YEKST)
X-UIDL: 35317d3400000096
Date: Mon, 20 Apr 1998 20:39:50 +0100
From: Alan Cox <alan@lxorguk.ukuu.org.uk>
To: BUGTRAQ@NETSPACE.ORG
Subject: Linux 2.0.34pre10: Summary of fixed vulnerabilities
> I'm not sure if it's known, but I haven't found anything about it.
> No matter, there's something strange in net/ipv4/ip_fragment.h (it's
> probably Alan's fault):
Not sure whose, but yes its a bug. Putting NETDEBUG around it is correct.
Its impact on my box was pretty minimal - slow down a bit and entries
of the form
Message repeated 500000 times
in the syslog.
Both of these are fixed in 2.0.34pre10 which should become 2.0.34 very soon
I've also attached relevant release notes items. Not all of these will
be known to bugtraq and I will not be answering queries about them until
a while after 2.0.34 is out. If I've missed any others please let me know
so I can have them nailed before 2.0.34.
Thanks go out to all the folks bugtraq & otherwise who've contributed bug
reports and fixes. Less thanks to the guys who didnt bother telling people
first 8)
If people can report bugs to the authors of software first before bugtraq
it does help as with all vendors. Do put a time limit on your period of
early notification it speeds every vendor up 8). I'm quite happy to organise
having something fixed on the quiet so as not spoil your thunder of being
first on bugtraq with the bug.
Bug Fixes
Fragment handling bug [Remote DoS] BUGTRAQ
A bug in fragment handling that could cause a kernel crash has
been fixed.
MM Corruption [theoretical remote DoS]
A bug in which 2.0.33 could suffer memory corruption and
possible crashes under very high load has been fixed.
LDT Leak [local DoS]
A situation which DOSemu and Wine could leak memory used for
LDT tables has been fixed.
Floppy Driver [local DoS, needs root/setuid]
A bug in which the floppy driver could crash when its interrupt
or DMA resources were not available has been fixed. This was an
extremely abnormal situation but a real bug.
Inode count overrun [local giving root access] BUGTRAQ
A bug in which a specifically malicious program could cause an
inode count overrun has been fixed.
Obscure serial race [local DoS needs setuid app]
An obscure race in the serial driver has been removed.
Quota crash [requires misconfigurations of setuid apps] BUGTRAQ
A very obscure situation in which the quota subsystem performed
an invalid seek on the quota database has been fixed.
Memory corruption on clone [local DoS]
A bug causing memory corruption when mmaping memory during a
clone in specific situations has been fixed.
Possible overflow on Alpha [local DoS]
A possible integer overflow on group handling for the Alpha
platform has been fixed.
Socket crashes [local DoS]
A possible socket layer crash with AX.25/NetROM/ROSE/X.25 has
been fixed in 2.0.34
RAW socket handling [Crash only if root does something at the time]
A small bug in raw socket handling which could cause a crash in
very obscure situations has been fixed.
Loading bogus modules [Crash, DoS] BUGTRAQ
A situation existed in earlier kernels where a user process
could cause a module to be loaded. It was possible to exploit
this to load modules that the administrator had installed but
did not wish loaded. Fixed in 2.0.34. Note that this means only
superuser processes can load network interfaces.
TCP listened to ICMP source quench [limited impairment of connections]
This is no longer 'good practice' and we also backed off twice
once from the error and once from the drop. This was primarily
needed to handle 3COM office connect routers which appear to
send source quench (its been obsolete for years so they should
not) and without rate limiting (also not allowed).
Window searching [possible connection attacks]
An obscure quirk allowing a third party to discover the current
window for a TCP connection has been fixed.
Unsafe temporary file [local root breach requires timing with the make]
BUGTRAQ
The 'make config' script used an unsafe temporary file. It now
uses a file in its working directory.
Alan
