ID CVE-2004-1235
Summary Race condition in the (1) load_elf_library and (2) binfmt_aout function calls for uselib in Linux kernel 2.4 through 2.429-rc2 and 2.6 through 2.6.10 allows local users to execute arbitrary code by manipulating the VMA descriptor.
References
Vulnerable Configurations
  • Avaya MN100
    cpe:2.3:a:avaya:mn100
  • Avaya Network Routing
    cpe:2.3:a:avaya:network_routing
  • Avaya Converged Communications Server 2.0
    cpe:2.3:h:avaya:converged_communications_server:2.0
  • cpe:2.3:h:avaya:s8710:r2.0.0
    cpe:2.3:h:avaya:s8710:r2.0.0
  • cpe:2.3:h:avaya:s8710:r2.0.1
    cpe:2.3:h:avaya:s8710:r2.0.1
  • cpe:2.3:o:avaya:modular_messaging_message_storage_server:1.1
    cpe:2.3:o:avaya:modular_messaging_message_storage_server:1.1
  • cpe:2.3:o:avaya:modular_messaging_message_storage_server:2.0
    cpe:2.3:o:avaya:modular_messaging_message_storage_server:2.0
  • Linux Kernel 2.4.0
    cpe:2.3:o:linux:linux_kernel:2.4.0
  • Linux Kernel 2.4.0 test1
    cpe:2.3:o:linux:linux_kernel:2.4.0:test1
  • Linux Kernel 2.4.0 test10
    cpe:2.3:o:linux:linux_kernel:2.4.0:test10
  • Linux Kernel 2.4.0 test11
    cpe:2.3:o:linux:linux_kernel:2.4.0:test11
  • Linux Kernel 2.4.0 test12
    cpe:2.3:o:linux:linux_kernel:2.4.0:test12
  • Linux Kernel 2.4.0 test2
    cpe:2.3:o:linux:linux_kernel:2.4.0:test2
  • Linux Kernel 2.4.0 test3
    cpe:2.3:o:linux:linux_kernel:2.4.0:test3
  • Linux Kernel 2.4.0 test4
    cpe:2.3:o:linux:linux_kernel:2.4.0:test4
  • Linux Kernel 2.4.0 test5
    cpe:2.3:o:linux:linux_kernel:2.4.0:test5
  • Linux Kernel 2.4.0 test6
    cpe:2.3:o:linux:linux_kernel:2.4.0:test6
  • Linux Kernel 2.4.0 test7
    cpe:2.3:o:linux:linux_kernel:2.4.0:test7
  • Linux Kernel 2.4.0 test8
    cpe:2.3:o:linux:linux_kernel:2.4.0:test8
  • Linux Kernel 2.4.0 test9
    cpe:2.3:o:linux:linux_kernel:2.4.0:test9
  • Linux Kernel 2.4.1
    cpe:2.3:o:linux:linux_kernel:2.4.1
  • Linux Kernel 2.4.2
    cpe:2.3:o:linux:linux_kernel:2.4.2
  • Linux Kernel 2.4.3
    cpe:2.3:o:linux:linux_kernel:2.4.3
  • Linux Kernel 2.4.4
    cpe:2.3:o:linux:linux_kernel:2.4.4
  • Linux Kernel 2.4.5
    cpe:2.3:o:linux:linux_kernel:2.4.5
  • Linux Kernel 2.4.6
    cpe:2.3:o:linux:linux_kernel:2.4.6
  • Linux Kernel 2.4.7
    cpe:2.3:o:linux:linux_kernel:2.4.7
  • Linux Kernel 2.4.8
    cpe:2.3:o:linux:linux_kernel:2.4.8
  • Linux Kernel 2.4.9
    cpe:2.3:o:linux:linux_kernel:2.4.9
  • Linux Kernel 2.4.10
    cpe:2.3:o:linux:linux_kernel:2.4.10
  • Linux Kernel 2.4.11
    cpe:2.3:o:linux:linux_kernel:2.4.11
  • Linux Kernel 2.4.12
    cpe:2.3:o:linux:linux_kernel:2.4.12
  • Linux Kernel 2.4.13
    cpe:2.3:o:linux:linux_kernel:2.4.13
  • Linux Kernel 2.4.14
    cpe:2.3:o:linux:linux_kernel:2.4.14
  • Linux Kernel 2.4.15
    cpe:2.3:o:linux:linux_kernel:2.4.15
  • Linux Kernel 2.4.16
    cpe:2.3:o:linux:linux_kernel:2.4.16
  • Linux Kernel 2.4.17
    cpe:2.3:o:linux:linux_kernel:2.4.17
  • Linux Kernel 2.4.18
    cpe:2.3:o:linux:linux_kernel:2.4.18
  • cpe:2.3:o:linux:linux_kernel:2.4.18:-:x86
    cpe:2.3:o:linux:linux_kernel:2.4.18:-:x86
  • Linux Kernel 2.4.18 pre1
    cpe:2.3:o:linux:linux_kernel:2.4.18:pre1
  • Linux Kernel 2.4.18 pre2
    cpe:2.3:o:linux:linux_kernel:2.4.18:pre2
  • Linux Kernel 2.4.18 pre3
    cpe:2.3:o:linux:linux_kernel:2.4.18:pre3
  • Linux Kernel 2.4.18 pre4
    cpe:2.3:o:linux:linux_kernel:2.4.18:pre4
  • Linux Kernel 2.4.18 pre5
    cpe:2.3:o:linux:linux_kernel:2.4.18:pre5
  • Linux Kernel 2.4.18 pre6
    cpe:2.3:o:linux:linux_kernel:2.4.18:pre6
  • Linux Kernel 2.4.18 pre7
    cpe:2.3:o:linux:linux_kernel:2.4.18:pre7
  • Linux Kernel 2.4.18 pre8
    cpe:2.3:o:linux:linux_kernel:2.4.18:pre8
  • Linux Kernel 2.4.19
    cpe:2.3:o:linux:linux_kernel:2.4.19
  • Linux Kernel 2.4.19 pre1
    cpe:2.3:o:linux:linux_kernel:2.4.19:pre1
  • Linux Kernel 2.4.19 pre2
    cpe:2.3:o:linux:linux_kernel:2.4.19:pre2
  • Linux Kernel 2.4.19 pre3
    cpe:2.3:o:linux:linux_kernel:2.4.19:pre3
  • Linux Kernel 2.4.19 pre4
    cpe:2.3:o:linux:linux_kernel:2.4.19:pre4
  • Linux Kernel 2.4.19 pre5
    cpe:2.3:o:linux:linux_kernel:2.4.19:pre5
  • Linux Kernel 2.4.19 pre6
    cpe:2.3:o:linux:linux_kernel:2.4.19:pre6
  • Linux Kernel 2.4.20
    cpe:2.3:o:linux:linux_kernel:2.4.20
  • Linux Kernel 2.4.21
    cpe:2.3:o:linux:linux_kernel:2.4.21
  • Linux Kernel 2.4.21 pre1
    cpe:2.3:o:linux:linux_kernel:2.4.21:pre1
  • Linux Kernel 2.4.21 pre4
    cpe:2.3:o:linux:linux_kernel:2.4.21:pre4
  • Linux Kernel 2.4.21 pre7
    cpe:2.3:o:linux:linux_kernel:2.4.21:pre7
  • Linux Kernel 2.4.22
    cpe:2.3:o:linux:linux_kernel:2.4.22
  • Linux Kernel 2.4.23
    cpe:2.3:o:linux:linux_kernel:2.4.23
  • Linux Kernel 2.4.23 pre9
    cpe:2.3:o:linux:linux_kernel:2.4.23:pre9
  • cpe:2.3:o:linux:linux_kernel:2.4.23_ow2
    cpe:2.3:o:linux:linux_kernel:2.4.23_ow2
  • Linux Kernel 2.4.24
    cpe:2.3:o:linux:linux_kernel:2.4.24
  • cpe:2.3:o:linux:linux_kernel:2.4.24_ow1
    cpe:2.3:o:linux:linux_kernel:2.4.24_ow1
  • Linux Kernel 2.4.25
    cpe:2.3:o:linux:linux_kernel:2.4.25
  • Linux Kernel 2.4.26
    cpe:2.3:o:linux:linux_kernel:2.4.26
  • Linux Kernel 2.4.27
    cpe:2.3:o:linux:linux_kernel:2.4.27
  • Linux Kernel 2.4.27 pre1
    cpe:2.3:o:linux:linux_kernel:2.4.27:pre1
  • Linux Kernel 2.4.27 pre2
    cpe:2.3:o:linux:linux_kernel:2.4.27:pre2
  • Linux Kernel 2.4.27 pre3
    cpe:2.3:o:linux:linux_kernel:2.4.27:pre3
  • Linux Kernel 2.4.27 pre4
    cpe:2.3:o:linux:linux_kernel:2.4.27:pre4
  • Linux Kernel 2.4.27 pre5
    cpe:2.3:o:linux:linux_kernel:2.4.27:pre5
  • Linux Kernel 2.4.28
    cpe:2.3:o:linux:linux_kernel:2.4.28
  • Linux Kernel 2.4.29 rc2
    cpe:2.3:o:linux:linux_kernel:2.4.29:rc2
  • Linux Kernel 2.6.0
    cpe:2.3:o:linux:linux_kernel:2.6.0
  • Linux Kernel 2.6 test1
    cpe:2.3:o:linux:linux_kernel:2.6.0:test1
  • Linux Kernel 2.6 test10
    cpe:2.3:o:linux:linux_kernel:2.6.0:test10
  • Linux Kernel 2.6 test11
    cpe:2.3:o:linux:linux_kernel:2.6.0:test11
  • Linux Kernel 2.6 test2
    cpe:2.3:o:linux:linux_kernel:2.6.0:test2
  • Linux Kernel 2.6 test3
    cpe:2.3:o:linux:linux_kernel:2.6.0:test3
  • Linux Kernel 2.6 test4
    cpe:2.3:o:linux:linux_kernel:2.6.0:test4
  • Linux Kernel 2.6 test5
    cpe:2.3:o:linux:linux_kernel:2.6.0:test5
  • Linux Kernel 2.6 test6
    cpe:2.3:o:linux:linux_kernel:2.6.0:test6
  • Linux Kernel 2.6 test7
    cpe:2.3:o:linux:linux_kernel:2.6.0:test7
  • Linux Kernel 2.6 test8
    cpe:2.3:o:linux:linux_kernel:2.6.0:test8
  • Linux Kernel 2.6 test9
    cpe:2.3:o:linux:linux_kernel:2.6.0:test9
  • Linux Kernel 2.6.1
    cpe:2.3:o:linux:linux_kernel:2.6.1
  • Linux Kernel 2.6.1 Release Candidate 1
    cpe:2.3:o:linux:linux_kernel:2.6.1:rc1
  • Linux Kernel 2.6.1 Release Candidate 2
    cpe:2.3:o:linux:linux_kernel:2.6.1:rc2
  • Linux Kernel 2.6.2
    cpe:2.3:o:linux:linux_kernel:2.6.2
  • Linux Kernel 2.6.3
    cpe:2.3:o:linux:linux_kernel:2.6.3
  • Linux Kernel 2.6.4
    cpe:2.3:o:linux:linux_kernel:2.6.4
  • Linux Kernel 2.6.5
    cpe:2.3:o:linux:linux_kernel:2.6.5
  • Linux Kernel 2.6.6
    cpe:2.3:o:linux:linux_kernel:2.6.6
  • Linux Kernel 2.6.6 Release Candidate 1
    cpe:2.3:o:linux:linux_kernel:2.6.6:rc1
  • Linux Kernel 2.6.7
    cpe:2.3:o:linux:linux_kernel:2.6.7
  • Linux Kernel 2.6.7 Release Candidate 1
    cpe:2.3:o:linux:linux_kernel:2.6.7:rc1
  • Linux Kernel 2.6.8
    cpe:2.3:o:linux:linux_kernel:2.6.8
  • Linux Kernel 2.6.8 Release Candidate 1
    cpe:2.3:o:linux:linux_kernel:2.6.8:rc1
  • Linux Kernel 2.6.8 Release Candidate 2
    cpe:2.3:o:linux:linux_kernel:2.6.8:rc2
  • Linux Kernel 2.6.8 Release Candidate 3
    cpe:2.3:o:linux:linux_kernel:2.6.8:rc3
  • cpe:2.3:o:linux:linux_kernel:2.6.9:2.6.20
    cpe:2.3:o:linux:linux_kernel:2.6.9:2.6.20
  • Linux Kernel 2.6.10
    cpe:2.3:o:linux:linux_kernel:2.6.10
  • Linux Kernel 2.6.10 Release Candidate 2
    cpe:2.3:o:linux:linux_kernel:2.6.10:rc2
  • cpe:2.3:o:linux:linux_kernel:2.6_test9_cvs
    cpe:2.3:o:linux:linux_kernel:2.6_test9_cvs
  • MandrakeSoft Mandrake Linux 9.2
    cpe:2.3:o:mandrakesoft:mandrake_linux:9.2
  • cpe:2.3:o:mandrakesoft:mandrake_linux:9.2:-:amd64
    cpe:2.3:o:mandrakesoft:mandrake_linux:9.2:-:amd64
  • MandrakeSoft Mandrake Linux 10.0
    cpe:2.3:o:mandrakesoft:mandrake_linux:10.0
  • cpe:2.3:o:mandrakesoft:mandrake_linux:10.0:-:amd64
    cpe:2.3:o:mandrakesoft:mandrake_linux:10.0:-:amd64
  • MandrakeSoft Mandrake Linux 10.1
    cpe:2.3:o:mandrakesoft:mandrake_linux:10.1
  • cpe:2.3:o:mandrakesoft:mandrake_linux:10.1:-:x86_64
    cpe:2.3:o:mandrakesoft:mandrake_linux:10.1:-:x86_64
  • MandrakeSoft Mandrake Linux Corporate Server 2.1
    cpe:2.3:o:mandrakesoft:mandrake_linux_corporate_server:2.1
  • cpe:2.3:o:mandrakesoft:mandrake_linux_corporate_server:2.1:-:x86_64
    cpe:2.3:o:mandrakesoft:mandrake_linux_corporate_server:2.1:-:x86_64
  • MandrakeSoft Mandrake Corporate Server 3.0
    cpe:2.3:o:mandrakesoft:mandrake_linux_corporate_server:3.0
  • cpe:2.3:o:redhat:enterprise_linux:3.0:-:advanced_servers
    cpe:2.3:o:redhat:enterprise_linux:3.0:-:advanced_servers
  • cpe:2.3:o:redhat:enterprise_linux:3.0:-:enterprise_server
    cpe:2.3:o:redhat:enterprise_linux:3.0:-:enterprise_server
  • cpe:2.3:o:redhat:enterprise_linux:3.0:-:workstation
    cpe:2.3:o:redhat:enterprise_linux:3.0:-:workstation
  • cpe:2.3:o:redhat:enterprise_linux:4.0:-:advanced_server
    cpe:2.3:o:redhat:enterprise_linux:4.0:-:advanced_server
  • cpe:2.3:o:redhat:enterprise_linux:4.0:-:enterprise_server
    cpe:2.3:o:redhat:enterprise_linux:4.0:-:enterprise_server
  • cpe:2.3:o:redhat:enterprise_linux:4.0:-:workstation
    cpe:2.3:o:redhat:enterprise_linux:4.0:-:workstation
  • Red Hat Desktop 3.0
    cpe:2.3:o:redhat:enterprise_linux_desktop:3.0
  • Red Hat Desktop 4.0
    cpe:2.3:o:redhat:enterprise_linux_desktop:4.0
  • cpe:2.3:o:redhat:fedora_core:core_1.0
    cpe:2.3:o:redhat:fedora_core:core_1.0
  • cpe:2.3:o:redhat:fedora_core:core_2.0
    cpe:2.3:o:redhat:fedora_core:core_2.0
  • cpe:2.3:o:redhat:fedora_core:core_3.0
    cpe:2.3:o:redhat:fedora_core:core_3.0
  • cpe:2.3:o:redhat:linux:7.3:-:i386
    cpe:2.3:o:redhat:linux:7.3:-:i386
  • cpe:2.3:o:redhat:linux:9.0:-:i386
    cpe:2.3:o:redhat:linux:9.0:-:i386
  • cpe:2.3:o:suse:suse_linux:1.0:-:desktop
    cpe:2.3:o:suse:suse_linux:1.0:-:desktop
  • cpe:2.3:o:suse:suse_linux:8:-:enterprise_server
    cpe:2.3:o:suse:suse_linux:8:-:enterprise_server
  • SuSE SuSE Linux 8.1
    cpe:2.3:o:suse:suse_linux:8.1
  • SuSE SuSE Linux 8.2
    cpe:2.3:o:suse:suse_linux:8.2
  • SuSE SuSE Linux 9.0
    cpe:2.3:o:suse:suse_linux:9.0
  • cpe:2.3:o:suse:suse_linux:9.0:-:enterprise_server
    cpe:2.3:o:suse:suse_linux:9.0:-:enterprise_server
  • SuSE SuSE Linux 9.1
    cpe:2.3:o:suse:suse_linux:9.1
  • SuSE SuSE Linux 9.2
    cpe:2.3:o:suse:suse_linux:9.2
  • cpe:2.3:o:ubuntu:ubuntu_linux:4.1:-:ia64
    cpe:2.3:o:ubuntu:ubuntu_linux:4.1:-:ia64
  • cpe:2.3:o:ubuntu:ubuntu_linux:4.1:-:ppc
    cpe:2.3:o:ubuntu:ubuntu_linux:4.1:-:ppc
  • cpe:2.3:a:avaya:intuity_audix:-:lx
    cpe:2.3:a:avaya:intuity_audix:-:lx
  • MandrakeSoft Mandrake Multi Network Firewall 8.2
    cpe:2.3:a:mandrakesoft:mandrake_multi_network_firewall:8.2
  • cpe:2.3:h:avaya:s8300:r2.0.0
    cpe:2.3:h:avaya:s8300:r2.0.0
  • cpe:2.3:h:avaya:s8300:r2.0.1
    cpe:2.3:h:avaya:s8300:r2.0.1
  • cpe:2.3:h:avaya:s8500:r2.0.0
    cpe:2.3:h:avaya:s8500:r2.0.0
  • cpe:2.3:h:avaya:s8500:r2.0.1
    cpe:2.3:h:avaya:s8500:r2.0.1
  • cpe:2.3:h:avaya:s8700:r2.0.0
    cpe:2.3:h:avaya:s8700:r2.0.0
  • cpe:2.3:h:avaya:s8700:r2.0.1
    cpe:2.3:h:avaya:s8700:r2.0.1
  • Conectiva Linux 10.0
    cpe:2.3:o:conectiva:linux:10.0
CVSS
Base: 6.2 (as of 01-01-2004 - 00:00)
Impact:
Exploitability:
Access
VectorComplexityAuthentication
LOCAL HIGH NONE
Impact
ConfidentialityIntegrityAvailability
COMPLETE COMPLETE COMPLETE
exploit-db via4
  • description Linux Kernel <= 2.4.29-rc2 uselib() Privilege Elevation. CVE-2004-1235. Local exploit for linux platform
    id EDB-ID:744
    last seen 2016-01-31
    modified 2005-01-07
    published 2005-01-07
    reporter Paul Starzetz
    source https://www.exploit-db.com/download/744/
    title Linux Kernel <= 2.4.29-rc2 - uselib Privilege Elevation
  • description Linux Kernel 2.4 uselib() Privilege Elevation Exploit. CVE-2004-1235. Local exploit for linux platform
    id EDB-ID:778
    last seen 2016-01-31
    modified 2005-01-27
    published 2005-01-27
    reporter Tim Hsu
    source https://www.exploit-db.com/download/778/
    title Linux Kernel 2.4 - uselib Privilege Elevation Exploit
  • description Linux Kernel 2.4.x / 2.6.x uselib() Local Privilege Escalation Exploit. CVE-2004-1235. Local exploit for linux platform
    id EDB-ID:895
    last seen 2016-01-31
    modified 2005-03-22
    published 2005-03-22
    reporter sd
    source https://www.exploit-db.com/download/895/
    title Linux Kernel 2.4.x / 2.6.x - uselib Local Privilege Escalation Exploit
nessus via4
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2005-013.NASL
    description This update rebases the kernel to match the upstream 2.6.10 release, and adds a number of security fixes by means of adding the latest -ac patch. CVE-2004-1235 Paul Starzetz from isec.pl found a problem in the binary format loaders uselib() function that could lead to potential priveledge escalation. http://isec.pl/vulnerabilities/isec-0021-uselib.txt NO-CAN-ASSIGNED Brad Spengler found several problems. - An integer overflow in the random poolsize sysctl handler. - SCSI ioctl integer overflow and information leak. - RLIMIT_MEMLOCK bypass and unprivileged user DoS. NO-CAN-ASSIGNED Coverity Inc. found a number of bugs with their automated source checker in coda, xfs, network bridging, rose network protocol, and the sdla wan driver. http://linuxbugs.coverity.com Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 16133
    published 2005-01-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=16133
    title Fedora Core 3 : kernel-2.6.10-1.737_FC3 (2005-013)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SA_2005_003.NASL
    description The remote host is missing the patch for the advisory SUSE-SA:2005:003 (kernel). Several exploitable security problems were identified and fixed in the Linux kernel, the core of every SUSE Linux product. - Due to missing locking in the sys_uselib system call a local attacker can gain root access. This was found by Paul Starzetz and is tracked by the Mitre CVE ID CVE-2004-1235. - Paul Starzetz also found a race condition in SMP page table handling which could lead to a local attacker gaining root access on SMP machines. This is tracked by the Mitre CVE ID CVE-2005-0001. - A local denial of service was found in the auditing subsystem which have lead a local attacker crashing the machine. This was reported and fixed by Redhat. - The sendmsg / cmsg fix from the previous kernel update was faulty on 64bit systems with 32bit compatibility layer and could lead to 32bit applications not working correctly on those 64bit systems. - The smbfs security fixes from a before-previous kernel update were faulty for some file write cases. - A local denial of service with Direct I/O access to NFS file systems could lead a local attacker to crash a machine with NFS mounts. - grsecurity reported a signed integer problem in the SCSI ioctl handling which had a missing boundary check. Due to C language specifics, this evaluation was not correct and there actually is no problem in this code. The signed / unsigned mismatch was fixed nevertheless. - Several more small non security problems were fixed. NOTE: Two days ago we released the Service Pack 1 for the SUSE Linux Enterprise Server 9. This kernel update contains fixes for the SUSE Linux Enterprise Server 9 GA version kernel line. A fix for the Service Pack 1 version line will be available shortly.
    last seen 2019-02-21
    modified 2016-01-14
    plugin id 16307
    published 2005-02-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=16307
    title SUSE-SA:2005:003: kernel
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2005-014.NASL
    description This update rebases the kernel to match the upstream 2.6.10 release, and adds a number of security fixes by means of adding the latest -ac patch. CVE-2004-1235 Paul Starzetz from isec.pl found a problem in the binary format loaders uselib() function that could lead to potential priveledge escalation. http://isec.pl/vulnerabilities/isec-0021-uselib.txt NO-CAN-ASSIGNED Brad Spengler found several problems. - An integer overflow in the random poolsize sysctl handler. - SCSI ioctl integer overflow and information leak. - RLIMIT_MEMLOCK bypass and unprivileged user DoS. NO-CAN-ASSIGNED Coverity Inc. found a number of bugs with their automated source checker in coda, xfs, network bridging, rose network protocol, and the sdla wan driver. http://linuxbugs.coverity.com Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 16134
    published 2005-01-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=16134
    title Fedora Core 2 : kernel-2.6.10-1.8_FC2 (2005-014)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-57-1.NASL
    description Paul Starzetz discovered a race condition in the ELF library and a.out binary format loaders, which can be locally exploited in several different ways to gain root privileges. (CAN-2004-1235) Liang Bin found a design flaw in the capability module. After this module was loaded on demand in a running system, all unprivileged user space processes got all kernel capabilities (thus essentially root privileges). This is mitigated by the fact that the capability module is loaded very early in the boot process of a standard Ubuntu system, when no unprivileged user processes are yet running. (CAN-2004-1337) Finally, this update fixes a memory leak in the ip_conntrack_ftp iptables module. However, it is believed that this is not exploitable. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2017-08-18
    plugin id 20675
    published 2006-01-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=20675
    title Ubuntu 4.10 : linux-source-2.6.8.1 vulnerabilities (USN-57-1)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2005-092.NASL
    description Updated kernel packages that fix several security issues are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. This advisory includes fixes for several security issues : iSEC Security Research discovered multiple vulnerabilities in the IGMP functionality. These flaws could allow a local user to cause a denial of service (crash) or potentially gain privileges. Where multicast applications are being used on a system, these flaws may also allow remote users to cause a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-1137 to this issue. iSEC Security Research discovered a flaw in the page fault handler code that could lead to local users gaining elevated (root) privileges on multiprocessor machines. (CVE-2005-0001) iSEC Security Research discovered a VMA handling flaw in the uselib(2) system call of the Linux kernel. A local user could make use of this flaw to gain elevated (root) privileges. (CVE-2004-1235) A flaw affecting the OUTS instruction on the AMD64 and Intel EM64T architecture was discovered. A local user could use this flaw to write to privileged IO ports. (CVE-2005-0204) The Direct Rendering Manager (DRM) driver in Linux kernel 2.6 does not properly check the DMA lock, which could allow remote attackers or local users to cause a denial of service (X Server crash) or possibly modify the video output. (CVE-2004-1056) OGAWA Hirofumi discovered incorrect tables sizes being used in the filesystem Native Language Support ASCII translation table. This could lead to a denial of service (system crash). (CVE-2005-0177) Michael Kerrisk discovered a flaw in the 2.6.9 kernel which allows users to unlock arbitrary shared memory segments. This flaw could lead to applications not behaving as expected. (CVE-2005-0176) Improvements in the POSIX signal and tty standards compliance exposed a race condition. This flaw can be triggered accidentally by threaded applications or deliberately by a malicious user and can result in a denial of service (crash) or in occasional cases give access to a small random chunk of kernel memory. (CVE-2005-0178) The PaX team discovered a flaw in mlockall introduced in the 2.6.9 kernel. An unprivileged user could use this flaw to cause a denial of service (CPU and memory consumption or crash). (CVE-2005-0179) Brad Spengler discovered multiple flaws in sg_scsi_ioctl in the 2.6 kernel. An unprivileged user may be able to use this flaw to cause a denial of service (crash) or possibly other actions. (CVE-2005-0180) Kirill Korotaev discovered a missing access check regression in the Red Hat Enterprise Linux 4 kernel 4GB/4GB split patch. On systems using the hugemem kernel, a local unprivileged user could use this flaw to cause a denial of service (crash). (CVE-2005-0090) A flaw in the Red Hat Enterprise Linux 4 kernel 4GB/4GB split patch can allow syscalls to read and write arbitrary kernel memory. On systems using the hugemem kernel, a local unprivileged user could use this flaw to gain privileges. (CVE-2005-0091) An additional flaw in the Red Hat Enterprise Linux 4 kernel 4GB/4GB split patch was discovered. On x86 systems using the hugemem kernel, a local unprivileged user may be able to use this flaw to cause a denial of service (crash). (CVE-2005-0092) All Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum.
    last seen 2019-02-21
    modified 2018-12-20
    plugin id 17183
    published 2005-02-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=17183
    title RHEL 4 : kernel (RHSA-2005:092)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2005-043.NASL
    description Updated kernel packages that fix several security issues in Red Hat Enterprise Linux 3 are now available. The Linux kernel handles the basic functions of the operating system. This advisory includes fixes for several security issues : iSEC Security Research discovered a VMA handling flaw in the uselib(2) system call of the Linux kernel. A local user could make use of this flaw to gain elevated (root) privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-1235 to this issue. A flaw was discovered where an executable could cause a VMA overlap leading to a crash. A local user could trigger this flaw by creating a carefully crafted a.out binary on 32-bit systems or a carefully crafted ELF binary on Itanium systems. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0003 to this issue. iSEC Security Research discovered a flaw in the page fault handler code that could lead to local users gaining elevated (root) privileges on multiprocessor machines. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0001 to this issue. A patch that coincidentally fixed this issue was committed to the Update 4 kernel release in December 2004. Therefore Red Hat Enterprise Linux 3 kernels provided by RHBA-2004:550 and subsequent updates are not vulnerable to this issue. A flaw in the system call filtering code in the audit subsystem included in Red Hat Enterprise Linux 3 allowed a local user to cause a crash when auditing was enabled. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-1237 to this issue. Olaf Kirch discovered that the recent security fixes for cmsg_len handling (CVE-2004-1016) broke 32-bit compatibility on 64-bit platforms such as AMD64 and Intel EM64T. A patch to correct this issue is included. A recent Internet Draft by Fernando Gont recommended that ICMP Source Quench messages be ignored by hosts. A patch to ignore these messages is included. Note: The kernel-unsupported package contains various drivers and modules that are unsupported and therefore might contain security problems that have not been addressed. All Red Hat Enterprise Linux 3 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum.
    last seen 2019-02-21
    modified 2018-12-20
    plugin id 16211
    published 2005-01-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=16211
    title RHEL 3 : kernel (RHSA-2005:043)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2005-016.NASL
    description Updated kernel packages that fix several security issues in Red Hat Enterprise Linux 2.1 are now available. The Linux kernel handles the basic functions of the operating system. This advisory includes fixes for the following security issues : iSEC Security Research discovered a VMA handling flaw in the uselib(2) system call of the Linux kernel. A local user could make use of this flaw to gain elevated (root) privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-1235 to this issue. iSEC Security Research discovered a flaw in the page fault handler code that could lead to local users gaining elevated (root) privileges on multiprocessor machines. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0001 to this issue. iSEC Security Research and Georgi Guninski independently discovered a flaw in the scm_send function in the auxiliary message layer. A local user could create a carefully crafted auxiliary message which could cause a denial of service (system hang). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-1016 to this issue. Kirill Korotaev found a flaw in load_elf_binary affecting kernels prior to 2.4.26. A local user could create a carefully crafted binary in such a way that it would cause a denial of service (system crash). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-1234 to this issue. These packages also fix issues in the io_edgeport driver (CVE-2004-1017), a memory leak in ip_options_get (CVE-2004-1335), and missing VM_IO flags in some drivers (CVE-2004-1057). A recent Internet Draft by Fernando Gont recommended that ICMP Source Quench messages be ignored by hosts. A patch to ignore these messages is included. All Red Hat Enterprise Linux 2.1 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum.
    last seen 2019-02-21
    modified 2018-12-20
    plugin id 16244
    published 2005-01-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=16244
    title RHEL 2.1 : kernel (RHSA-2005:016)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2005-022.NASL
    description A number of vulnerabilities are fixed in the 2.4 and 2.6 kernels with this advisory : - Multiple race conditions in the terminal layer of 2.4 and 2.6 kernels (prior to 2.6.9) can allow a local attacker to obtain portions of kernel data or allow remote attackers to cause a kernel panic by switching from console to PPP line discipline, then quickly sending data that is received during the switch (CVE-2004-0814) - Richard Hart found an integer underflow problem in the iptables firewall logging rules that can allow a remote attacker to crash the machine by using a specially crafted IP packet. This is only possible, however, if firewalling is enabled. The problem only affects 2.6 kernels and was fixed upstream in 2.6.8 (CVE-2004-0816) - Stefan Esser found several remote DoS confitions in the smbfs file system. This could be exploited by a hostile SMB server (or an attacker injecting packets into the network) to crash the client systems (CVE-2004-0883 and CVE-2004-0949) - Paul Starzetz and Georgi Guninski reported, independently, that bad argument handling and bad integer arithmetics in the IPv4 sendmsg handling of control messages could lead to a local attacker crashing the machine. The fixes were done by Herbert Xu (CVE-2004-1016) - Rob Landley discovered a race condition in the handling of /proc/.../cmdline where, under rare circumstances, a user could read the environment variables of another process that was still spawning leading to the potential disclosure of sensitive information such as passwords (CVE-2004-1058) - Paul Starzetz reported that the missing serialization in unix_dgram_recvmsg() which was added to kernel 2.4.28 can be used by a local attacker to gain elevated (root) privileges (CVE-2004-1068) - Ross Kendall Axe discovered a possible kernel panic (DoS) while sending AF_UNIX network packets if certain SELinux-related kernel options were enabled. By default the CONFIG_SECURITY_NETWORK and CONFIG_SECURITY_SELINUX options are not enabled (CVE-2004-1069) - Paul Starzetz of isec.pl discovered several issues with the error handling of the ELF loader routines in the kernel. The fixes were provided by Chris Wright (CVE-2004-1070, CVE-2004-1071, CVE-2004-1072, CVE-2004-1073) - It was discovered that hand-crafted a.out binaries could be used to trigger a local DoS condition in both the 2.4 and 2.6 kernels. The fixes were done by Chris Wright (CVE-2004-1074) - Paul Starzetz found bad handling in the IGMP code which could lead to a local attacker being able to crash the machine. The fix was done by Chris Wright (CVE-2004-1137) - Jeremy Fitzhardinge discovered two buffer overflows in the sys32_ni_syscall() and sys32_vm86_warning() functions that could be used to overwrite kernel memory with attacker-supplied code resulting in privilege escalation (CVE-2004-1151) - Paul Starzetz found locally exploitable flaws in the binary format loader's uselib() function that could be abused to allow a local user to obtain root privileges (CVE-2004-1235) - Paul Starzetz found an exploitable flaw in the page fault handler when running on SMP machines (CVE-2005-0001) - A vulnerability in insert_vm_struct could allow a locla user to trigger BUG() when the user created a large vma that overlapped with arg pages during exec (CVE-2005-0003) - Paul Starzetz also found a number of vulnerabilities in the kernel binfmt_elf loader that could lead a local user to obtain elevated (root) privileges (isec-0017-binfmt_elf) The provided packages are patched to fix these vulnerabilities. All users are encouraged to upgrade to these updated kernels. To update your kernel, please follow the directions located at : http://www.mandrakesoft.com/security/kernelupdate PLEASE NOTE: Mandrakelinux 10.0 users will need to upgrade to the latest module-init-tools package prior to upgrading their kernel. Likewise, MNF8.2 users will need to upgrade to the latest modutils package prior to upgrading their kernel.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 16259
    published 2005-01-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=16259
    title Mandrake Linux Security Advisory : kernel (MDKSA-2005:022)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1070.NASL
    description Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2004-0427 A local denial of service vulnerability in do_fork() has been found. - CVE-2005-0489 A local denial of service vulnerability in proc memory handling has been found. - CVE-2004-0394 A buffer overflow in the panic handling code has been found. - CVE-2004-0447 A local denial of service vulnerability through a NULL pointer dereference in the IA64 process handling code has been found. - CVE-2004-0554 A local denial of service vulnerability through an infinite loop in the signal handler code has been found. - CVE-2004-0565 An information leak in the context switch code has been found on the IA64 architecture. - CVE-2004-0685 Unsafe use of copy_to_user in USB drivers may disclose sensitive information. - CVE-2005-0001 A race condition in the i386 page fault handler may allow privilege escalation. - CVE-2004-0883 Multiple vulnerabilities in the SMB filesystem code may allow denial of service or information disclosure. - CVE-2004-0949 An information leak discovered in the SMB filesystem code. - CVE-2004-1016 A local denial of service vulnerability has been found in the SCM layer. - CVE-2004-1333 An integer overflow in the terminal code may allow a local denial of service vulnerability. - CVE-2004-0997 A local privilege escalation in the MIPS assembly code has been found. - CVE-2004-1335 A memory leak in the ip_options_get() function may lead to denial of service. - CVE-2004-1017 Multiple overflows exist in the io_edgeport driver which might be usable as a denial of service attack vector. - CVE-2005-0124 Bryan Fulton reported a bounds checking bug in the coda_pioctl function which may allow local users to execute arbitrary code or trigger a denial of service attack. - CVE-2003-0984 Inproper initialization of the RTC may disclose information. - CVE-2004-1070 Insufficient input sanitising in the load_elf_binary() function may lead to privilege escalation. - CVE-2004-1071 Incorrect error handling in the binfmt_elf loader may lead to privilege escalation. - CVE-2004-1072 A buffer overflow in the binfmt_elf loader may lead to privilege escalation or denial of service. - CVE-2004-1073 The open_exec function may disclose information. - CVE-2004-1074 The binfmt code is vulnerable to denial of service through malformed a.out binaries. - CVE-2004-0138 A denial of service vulnerability in the ELF loader has been found. - CVE-2004-1068 A programming error in the unix_dgram_recvmsg() function may lead to privilege escalation. - CVE-2004-1234 The ELF loader is vulnerable to denial of service through malformed binaries. - CVE-2005-0003 Crafted ELF binaries may lead to privilege escalation, due to insufficient checking of overlapping memory regions. - CVE-2004-1235 A race condition in the load_elf_library() and binfmt_aout() functions may allow privilege escalation. - CVE-2005-0504 An integer overflow in the Moxa driver may lead to privilege escalation. - CVE-2005-0384 A remote denial of service vulnerability has been found in the PPP driver. - CVE-2005-0135 An IA64 specific local denial of service vulnerability has been found in the unw_unwind_to_user() function. The following matrix explains which kernel version for which architecture fixes the problems mentioned above : Debian 3.0 (woody) Source 2.4.19-4 Sun Sparc architecture 26woody1 Little endian MIPS architecture 0.020911.1.woody5
    last seen 2019-02-21
    modified 2018-08-09
    plugin id 22612
    published 2006-10-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22612
    title Debian DSA-1070-1 : kernel-source-2.4.19 - several vulnerabilities
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1069.NASL
    description Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2004-0427 A local denial of service vulnerability in do_fork() has been found. - CVE-2005-0489 A local denial of service vulnerability in proc memory handling has been found. - CVE-2004-0394 A buffer overflow in the panic handling code has been found. - CVE-2004-0447 A local denial of service vulnerability through a NULL pointer dereference in the IA64 process handling code has been found. - CVE-2004-0554 A local denial of service vulnerability through an infinite loop in the signal handler code has been found. - CVE-2004-0565 An information leak in the context switch code has been found on the IA64 architecture. - CVE-2004-0685 Unsafe use of copy_to_user in USB drivers may disclose sensitive information. - CVE-2005-0001 A race condition in the i386 page fault handler may allow privilege escalation. - CVE-2004-0883 Multiple vulnerabilities in the SMB filesystem code may allow denial of service or information disclosure. - CVE-2004-0949 An information leak discovered in the SMB filesystem code. - CVE-2004-1016 A local denial of service vulnerability has been found in the SCM layer. - CVE-2004-1333 An integer overflow in the terminal code may allow a local denial of service vulnerability. - CVE-2004-0997 A local privilege escalation in the MIPS assembly code has been found. - CVE-2004-1335 A memory leak in the ip_options_get() function may lead to denial of service. - CVE-2004-1017 Multiple overflows exist in the io_edgeport driver which might be usable as a denial of service attack vector. - CVE-2005-0124 Bryan Fulton reported a bounds checking bug in the coda_pioctl function which may allow local users to execute arbitrary code or trigger a denial of service attack. - CVE-2003-0984 Inproper initialization of the RTC may disclose information. - CVE-2004-1070 Insufficient input sanitising in the load_elf_binary() function may lead to privilege escalation. - CVE-2004-1071 Incorrect error handling in the binfmt_elf loader may lead to privilege escalation. - CVE-2004-1072 A buffer overflow in the binfmt_elf loader may lead to privilege escalation or denial of service. - CVE-2004-1073 The open_exec function may disclose information. - CVE-2004-1074 The binfmt code is vulnerable to denial of service through malformed a.out binaries. - CVE-2004-0138 A denial of service vulnerability in the ELF loader has been found. - CVE-2004-1068 A programming error in the unix_dgram_recvmsg() function may lead to privilege escalation. - CVE-2004-1234 The ELF loader is vulnerable to denial of service through malformed binaries. - CVE-2005-0003 Crafted ELF binaries may lead to privilege escalation, due to insufficient checking of overlapping memory regions. - CVE-2004-1235 A race condition in the load_elf_library() and binfmt_aout() functions may allow privilege escalation. - CVE-2005-0504 An integer overflow in the Moxa driver may lead to privilege escalation. - CVE-2005-0384 A remote denial of service vulnerability has been found in the PPP driver. - CVE-2005-0135 An IA64 specific local denial of service vulnerability has been found in the unw_unwind_to_user() function. The following matrix explains which kernel version for which architecture fixes the problems mentioned above : Debian 3.0 (woody) Source 2.4.18-14.4 Alpha architecture 2.4.18-15woody1 Intel IA-32 architecture 2.4.18-13.2 HP Precision architecture 62.4 PowerPC architecture 2.4.18-1woody6 PowerPC architecture/XFS 20020329woody1 PowerPC architecture/benh 20020304woody1 Sun Sparc architecture 22woody1
    last seen 2019-02-21
    modified 2018-08-09
    plugin id 22611
    published 2006-10-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22611
    title Debian DSA-1069-1 : kernel-source-2.4.18 - several vulnerabilities
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1082.NASL
    description Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2004-0427 A local denial of service vulnerability in do_fork() has been found. - CVE-2005-0489 A local denial of service vulnerability in proc memory handling has been found. - CVE-2004-0394 A buffer overflow in the panic handling code has been found. - CVE-2004-0447 A local denial of service vulnerability through a NULL pointer dereference in the IA64 process handling code has been found. - CVE-2004-0554 A local denial of service vulnerability through an infinite loop in the signal handler code has been found. - CVE-2004-0565 An information leak in the context switch code has been found on the IA64 architecture. - CVE-2004-0685 Unsafe use of copy_to_user in USB drivers may disclose sensitive information. - CVE-2005-0001 A race condition in the i386 page fault handler may allow privilege escalation. - CVE-2004-0883 Multiple vulnerabilities in the SMB filesystem code may allow denial of service or information disclosure. - CVE-2004-0949 An information leak discovered in the SMB filesystem code. - CVE-2004-1016 A local denial of service vulnerability has been found in the SCM layer. - CVE-2004-1333 An integer overflow in the terminal code may allow a local denial of service vulnerability. - CVE-2004-0997 A local privilege escalation in the MIPS assembly code has been found. - CVE-2004-1335 A memory leak in the ip_options_get() function may lead to denial of service. - CVE-2004-1017 Multiple overflows exist in the io_edgeport driver which might be usable as a denial of service attack vector. - CVE-2005-0124 Bryan Fulton reported a bounds checking bug in the coda_pioctl function which may allow local users to execute arbitrary code or trigger a denial of service attack. - CVE-2003-0984 Inproper initialization of the RTC may disclose information. - CVE-2004-1070 Insufficient input sanitising in the load_elf_binary() function may lead to privilege escalation. - CVE-2004-1071 Incorrect error handling in the binfmt_elf loader may lead to privilege escalation. - CVE-2004-1072 A buffer overflow in the binfmt_elf loader may lead to privilege escalation or denial of service. - CVE-2004-1073 The open_exec function may disclose information. - CVE-2004-1074 The binfmt code is vulnerable to denial of service through malformed a.out binaries. - CVE-2004-0138 A denial of service vulnerability in the ELF loader has been found. - CVE-2004-1068 A programming error in the unix_dgram_recvmsg() function may lead to privilege escalation. - CVE-2004-1234 The ELF loader is vulnerable to denial of service through malformed binaries. - CVE-2005-0003 Crafted ELF binaries may lead to privilege escalation, due to insufficient checking of overlapping memory regions. - CVE-2004-1235 A race condition in the load_elf_library() and binfmt_aout() functions may allow privilege escalation. - CVE-2005-0504 An integer overflow in the Moxa driver may lead to privilege escalation. - CVE-2005-0384 A remote denial of service vulnerability has been found in the PPP driver. - CVE-2005-0135 An IA64 specific local denial of service vulnerability has been found in the unw_unwind_to_user() function. The following matrix explains which kernel version for which architecture fixes the problems mentioned above : Debian 3.1 (sarge) Source 2.4.17-1woody4 HP Precision architecture 32.5 Intel IA-64 architecture 011226.18 IBM S/390 architecture/image 2.4.17-2.woody.5 IBM S/390 architecture/patch 0.0.20020816-0.woody.4 PowerPC architecture (apus) 2.4.17-6 MIPS architecture 2.4.17-0.020226.2.woody7
    last seen 2019-02-21
    modified 2018-08-09
    plugin id 22624
    published 2006-10-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22624
    title Debian DSA-1082-1 : kernel-source-2.4.17 - several vulnerabilities
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1067.NASL
    description Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2004-0427 A local denial of service vulnerability in do_fork() has been found. - CVE-2005-0489 A local denial of service vulnerability in proc memory handling has been found. - CVE-2004-0394 A buffer overflow in the panic handling code has been found. - CVE-2004-0447 A local denial of service vulnerability through a NULL pointer dereference in the IA64 process handling code has been found. - CVE-2004-0554 A local denial of service vulnerability through an infinite loop in the signal handler code has been found. - CVE-2004-0565 An information leak in the context switch code has been found on the IA64 architecture. - CVE-2004-0685 Unsafe use of copy_to_user in USB drivers may disclose sensitive information. - CVE-2005-0001 A race condition in the i386 page fault handler may allow privilege escalation. - CVE-2004-0883 Multiple vulnerabilities in the SMB filesystem code may allow denial of service or information disclosure. - CVE-2004-0949 An information leak discovered in the SMB filesystem code. - CVE-2004-1016 A local denial of service vulnerability has been found in the SCM layer. - CVE-2004-1333 An integer overflow in the terminal code may allow a local denial of service vulnerability. - CVE-2004-0997 A local privilege escalation in the MIPS assembly code has been found. - CVE-2004-1335 A memory leak in the ip_options_get() function may lead to denial of service. - CVE-2004-1017 Multiple overflows exist in the io_edgeport driver which might be usable as a denial of service attack vector. - CVE-2005-0124 Bryan Fulton reported a bounds checking bug in the coda_pioctl function which may allow local users to execute arbitrary code or trigger a denial of service attack. - CVE-2003-0984 Inproper initialization of the RTC may disclose information. - CVE-2004-1070 Insufficient input sanitising in the load_elf_binary() function may lead to privilege escalation. - CVE-2004-1071 Incorrect error handling in the binfmt_elf loader may lead to privilege escalation. - CVE-2004-1072 A buffer overflow in the binfmt_elf loader may lead to privilege escalation or denial of service. - CVE-2004-1073 The open_exec function may disclose information. - CVE-2004-1074 The binfmt code is vulnerable to denial of service through malformed a.out binaries. - CVE-2004-0138 A denial of service vulnerability in the ELF loader has been found. - CVE-2004-1068 A programming error in the unix_dgram_recvmsg() function may lead to privilege escalation. - CVE-2004-1234 The ELF loader is vulnerable to denial of service through malformed binaries. - CVE-2005-0003 Crafted ELF binaries may lead to privilege escalation, due to insufficient checking of overlapping memory regions. - CVE-2004-1235 A race condition in the load_elf_library() and binfmt_aout() functions may allow privilege escalation. - CVE-2005-0504 An integer overflow in the Moxa driver may lead to privilege escalation. - CVE-2005-0384 A remote denial of service vulnerability has been found in the PPP driver. - CVE-2005-0135 An IA64 specific local denial of service vulnerability has been found in the unw_unwind_to_user() function. The following matrix explains which kernel version for which architecture fixes the problems mentioned above : Debian 3.0 (woody) Source 2.4.16-1woody2 arm/lart 20040419woody1 arm/netwinder 20040419woody1 arm/riscpc 20040419woody1
    last seen 2019-02-21
    modified 2018-08-09
    plugin id 22609
    published 2006-10-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22609
    title Debian DSA-1067-1 : kernel-source-2.4.16 - several vulnerabilities
oval via4
accepted 2013-04-29T04:20:19.373-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 3
    oval oval:org.mitre.oval:def:11782
  • comment CentOS Linux 3.x
    oval oval:org.mitre.oval:def:16651
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
description Race condition in the (1) load_elf_library and (2) binfmt_aout function calls for uselib in Linux kernel 2.4 through 2.429-rc2 and 2.6 through 2.6.10 allows local users to execute arbitrary code by manipulating the VMA descriptor.
family unix
id oval:org.mitre.oval:def:9567
status accepted
submitted 2010-07-09T03:56:16-04:00
title Race condition in the (1) load_elf_library and (2) binfmt_aout function calls for uselib in Linux kernel 2.4 through 2.429-rc2 and 2.6 through 2.6.10 allows local users to execute arbitrary code by manipulating the VMA descriptor.
version 23
packetstorm via4
data source https://packetstormsecurity.com/files/download/35641/isec-0021-uselib.txt
id PACKETSTORM:35641
last seen 2016-12-05
published 2005-01-07
reporter Paul Starzetz
source https://packetstormsecurity.com/files/35641/isec-0021-uselib.txt.html
title isec-0021-uselib.txt
redhat via4
advisories
  • rhsa
    id RHSA-2005:016
  • rhsa
    id RHSA-2005:017
  • rhsa
    id RHSA-2005:043
  • rhsa
    id RHSA-2005:092
refmap via4
bid 12190
bugtraq 20050107 Linux kernel sys_uselib local root vulnerability
conectiva CLA-2005:930
confirm http://www.securityfocus.com/advisories/7804
debian
  • DSA-1067
  • DSA-1069
  • DSA-1070
  • DSA-1082
fedora
  • FEDORA-2005-013
  • FEDORA-2005-014
  • FLSA:2336
mandrake MDKSA-2005:022
misc http://isec.pl/vulnerabilities/isec-0021-uselib.txt
secunia
  • 20162
  • 20163
  • 20202
  • 20338
suse SUSE-SR:2005:001
trustix 2005-0001
xf linux-uselib-gain-privileges(18800)
Last major update 17-10-2016 - 22:52
Published 14-04-2005 - 00:00
Last modified 10-10-2017 - 21:29
Back to Top