ID CVE-2005-3276
Summary The sys_get_thread_area function in process.c in Linux 2.6 before 2.6.12.4 and 2.6.13 does not clear a data structure before copying it to userspace, which might allow a user process to obtain sensitive information.
References
Vulnerable Configurations
  • Linux Kernel 2.6.0
    cpe:2.3:o:linux:linux_kernel:2.6.0
  • Linux Kernel 2.6.1
    cpe:2.3:o:linux:linux_kernel:2.6.1
  • Linux Kernel 2.6.2
    cpe:2.3:o:linux:linux_kernel:2.6.2
  • Linux Kernel 2.6.3
    cpe:2.3:o:linux:linux_kernel:2.6.3
  • Linux Kernel 2.6.4
    cpe:2.3:o:linux:linux_kernel:2.6.4
  • Linux Kernel 2.6.5
    cpe:2.3:o:linux:linux_kernel:2.6.5
  • Linux Kernel 2.6.6
    cpe:2.3:o:linux:linux_kernel:2.6.6
  • Linux Kernel 2.6.7
    cpe:2.3:o:linux:linux_kernel:2.6.7
  • Linux Kernel 2.6.8
    cpe:2.3:o:linux:linux_kernel:2.6.8
  • Linux Kernel 2.6.8.1
    cpe:2.3:o:linux:linux_kernel:2.6.8.1
  • cpe:2.3:o:linux:linux_kernel:2.6.9:2.6.20
    cpe:2.3:o:linux:linux_kernel:2.6.9:2.6.20
  • Linux Kernel 2.6.10
    cpe:2.3:o:linux:linux_kernel:2.6.10
  • Linux Kernel 2.6.11
    cpe:2.3:o:linux:linux_kernel:2.6.11
  • Linux Kernel 2.6.11.1
    cpe:2.3:o:linux:linux_kernel:2.6.11.1
  • Linux Kernel 2.6.11.2
    cpe:2.3:o:linux:linux_kernel:2.6.11.2
  • Linux Kernel 2.6.11.3
    cpe:2.3:o:linux:linux_kernel:2.6.11.3
  • Linux Kernel 2.6.11.4
    cpe:2.3:o:linux:linux_kernel:2.6.11.4
  • Linux Kernel 2.6.11.5
    cpe:2.3:o:linux:linux_kernel:2.6.11.5
  • Linux Kernel 2.6.11.6
    cpe:2.3:o:linux:linux_kernel:2.6.11.6
  • Linux Kernel 2.6.11.7
    cpe:2.3:o:linux:linux_kernel:2.6.11.7
  • Linux Kernel 2.6.11.8
    cpe:2.3:o:linux:linux_kernel:2.6.11.8
  • Linux Kernel 2.6.11.9
    cpe:2.3:o:linux:linux_kernel:2.6.11.9
  • Linux Kernel 2.6.11.10
    cpe:2.3:o:linux:linux_kernel:2.6.11.10
  • Linux Kernel 2.6.11.11
    cpe:2.3:o:linux:linux_kernel:2.6.11.11
  • Linux Kernel 2.6.11.12
    cpe:2.3:o:linux:linux_kernel:2.6.11.12
  • Linux Kernel 2.6.12
    cpe:2.3:o:linux:linux_kernel:2.6.12
  • Linux Kernel 2.6.12.1
    cpe:2.3:o:linux:linux_kernel:2.6.12.1
  • Linux Kernel 2.6.12.2
    cpe:2.3:o:linux:linux_kernel:2.6.12.2
  • Linux Kernel 2.6.12.3
    cpe:2.3:o:linux:linux_kernel:2.6.12.3
  • Linux Kernel 2.6.12.4
    cpe:2.3:o:linux:linux_kernel:2.6.12.4
  • Linux Kernel 2.6.13
    cpe:2.3:o:linux:linux_kernel:2.6.13
CVSS
Base: 2.1 (as of 21-10-2005 - 08:49)
Impact:
Exploitability:
Access
VectorComplexityAuthentication
LOCAL LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL NONE NONE
nessus via4
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2006-0101.NASL
    description Updated kernel packages that fix several security issues in the Red Hat Enterprise Linux 4 kernel are now available. This security advisory has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the security issues described below : - a flaw in network IGMP processing that a allowed a remote user on the local network to cause a denial of service (disabling of multicast reports) if the system is running multicast applications (CVE-2002-2185, moderate) - a flaw which allowed a local user to write to firmware on read-only opened /dev/cdrom devices (CVE-2004-1190, moderate) - a flaw in gzip/zlib handling internal to the kernel that may allow a local user to cause a denial of service (crash) (CVE-2005-2458, low) - a flaw in procfs handling during unloading of modules that allowed a local user to cause a denial of service or potentially gain privileges (CVE-2005-2709, moderate) - a flaw in the SCSI procfs interface that allowed a local user to cause a denial of service (crash) (CVE-2005-2800, moderate) - a flaw in 32-bit-compat handling of the TIOCGDEV ioctl that allowed a local user to cause a denial of service (crash) (CVE-2005-3044, important) - a race condition when threads share memory mapping that allowed local users to cause a denial of service (deadlock) (CVE-2005-3106, important) - a flaw when trying to mount a non-hfsplus filesystem using hfsplus that allowed local users to cause a denial of service (crash) (CVE-2005-3109, moderate) - a minor info leak with the get_thread_area() syscall that allowed a local user to view uninitialized kernel stack data (CVE-2005-3276, low) - a flaw in mq_open system call that allowed a local user to cause a denial of service (crash) (CVE-2005-3356, important) - a flaw in set_mempolicy that allowed a local user on some 64-bit architectures to cause a denial of service (crash) (CVE-2005-3358, important) - a flaw in the auto-reap of child processes that allowed a local user to cause a denial of service (crash) (CVE-2005-3784, important) - a flaw in the IPv6 flowlabel code that allowed a local user to cause a denial of service (crash) (CVE-2005-3806, important) - a flaw in network ICMP processing that allowed a local user to cause a denial of service (memory exhaustion) (CVE-2005-3848, important) - a flaw in file lease time-out handling that allowed a local user to cause a denial of service (log file overflow) (CVE-2005-3857, moderate) - a flaw in network IPv6 xfrm handling that allowed a local user to cause a denial of service (memory exhaustion) (CVE-2005-3858, important) - a flaw in procfs handling that allowed a local user to read kernel memory (CVE-2005-4605, important) All Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 21977
    published 2006-07-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21977
    title CentOS 4 : kernel (CESA-2006:0101)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2005-220.NASL
    description Multiple vulnerabilities in the Linux 2.6 kernel have been discovered and corrected in this update: The kernel on x86_64 platforms does not use a guard page for the 47-bit address page to protect against an AMD K8 bug which allows a local user to cause a DoS (CVE-2005-1764). The KEYCTL_JOIN_SESSION_KEYRING operation in versions prior to 2.6.12.5 contains an error path that does not properly release the session management semaphore, which allows local users or remote attackers to cause a DoS (semaphore hang) via a new session keyring with an empty name string, a long name string, the key quota reached, or ENOMEM (CVE-2005-2098). Kernels prior to 2.6.12.5 do not properly destroy a keyring that is not instantiated properly, allowing a local user or remote attacker to cause a DoS (oops) via a keyring with a payload that is not empty (CVE-2005-2099). An array index overflow in the xfrm_sk_policy_insert function in xfrm_user.c allows local users to cause a DoS (oops or deadlock) and possibly execute arbitrary code (CVE-2005-2456). The zisofs driver in versions prior to 2.6.12.5 allows local users and remove attackers to cause a DoS (crash) via a crafted compressed ISO filesystem (CVE-2005-2457). inflate.c in the zlib routines in versions prior to 2.6.12.5 allow remove attackers to cause a DoS (crash) via a compressed file with 'improper tables' (CVE-2005-2458). The huft_build function in inflate.c in the zlib routines in versions prior to 2.6.12.5 returns the wrong value, allowing remote attackers to cause a DoS (crash) via a certain compressed file that leads to a NULL pointer dereference (CVE-2005-2459). A stack-based buffer overflow in the sendmsg function call in versions prior to 2.6.13.1 allow local users to execute arbitrary code by calling sendmsg and modifying the message contents in another thread (CVE-2005-2490). The raw_sendmsg function in versions prior to 2.6.13.1 allow local users to cause a DoS (change hardware state) or read from arbitrary memory via crafted input (CVE-2005-2492). A memory leak in the seq_file implementation in the SCSI procfs interface (sg.c) in 2.6.13 and earlier allows a local user to cause a DoS (memory consumption) via certain repeated reads from /proc/scsi/gs/devices file which is not properly handled when the next() interator returns NULL or an error (CVE-2005-2800). The ipt_recent module in versions prior to 2.6.12 when running on 64bit processors allows remote attackers to cause a DoS (kernel panic) via certain attacks such as SSH brute force (CVE-2005-2872). The ipt_recent module in versions prior to 2.6.12 does not properly perform certain tests when the jiffies value is greater than LONG_MAX, which can cause ipt_recent netfilter rules to block too early (CVE-2005-2873). Multiple vulnerabilities in versions prior to 2.6.13.2 allow local users to cause a DoS (oops from NULL dereference) via fput in a 32bit ioctl on 64-bit x86 systems or sockfd_put in the 32-bit routing_ioctl function on 64-bit systems (CVE-2005-3044). The sys_set_mempolicy function in mempolicy.c allows local users to cause a DoS via a negative first argument (CVE-2005-3053). Versions 2.6.8 to 2.6.14-rc2 allow local users to cause a DoS (oops) via a userspace process that issues a USB Request Block (URB) to a USB device and terminates before the URB is finished, which leads to a stale pointer reference (CVE-2005-3055). drm.c in version 2.6.13 and earlier creates a debug file in sysfs with world-readable and world-writable permissions, allowing local users to enable DRM debugging and obtain sensitive information (CVE-2005-3179). The Orinoco driver in 2.6.13 and earlier does not properly clear memory from a previously used packet whose length is increased, allowing remote attackers to obtain sensitive information (CVE-2005-3180). Kernels 2.6.13 and earlier, when CONFIG_AUDITSYSCALL is enabled, use an incorrect function to free names_cache memory, preventing the memory from being tracked by AUDITSYSCALL code and leading to a memory leak (CVE-2005-3181). The VT implementation in version 2.6.12 allows local users to use certain IOCTLs on terminals of other users and gain privileges (CVE-2005-3257). Exec does not properly clear posix-timers in multi-threaded environments, which result in a resource leak and could allow a large number of multiple local users to cause a DoS by using more posix- timers than specified by the quota for a single user (CVE-2005-3271). The rose_rt_ioctl function rose_route.c in versions prior to 2.6.12 does not properly verify the ndigis argument for a new route, allowing an attacker to trigger array out-of-bounds errors with a large number of digipeats (CVE-2005-3273). A race condition in ip_vs_conn_flush in versions prior to 2.6.13, when running on SMP systems, allows local users to cause a DoS (NULL dereference) by causing a connection timer to expire while the connection table is being flushed before the appropriate lock is acquired (CVE-2005-3274). The NAT code in versions prior to 2.6.13 incorrectly declares a variable to be static, allowing remote attackers to cause a DoS (memory corruption) by causing two packets for the same protocol to be NATed at the same time (CVE-2005-3275). The sys_get_thread_area function in process.c in versions prior to 2.6.12.4 and 2.6.13 does not clear a data structure before copying it to userspace, which may allow a user process to obtain sensitive information (CVE-2005-3276). The provided packages are patched to fix these vulnerabilities. All users are encouraged to upgrade to these updated kernels. To update your kernel, please follow the directions located at: http://www.mandriva.com/en/security/kernelupdate
    last seen 2017-10-29
    modified 2014-08-22
    plugin id 20451
    published 2006-01-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=20451
    title MDKSA-2005:220 : kernel
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2006-0101.NASL
    description Updated kernel packages that fix several security issues in the Red Hat Enterprise Linux 4 kernel are now available. This security advisory has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the security issues described below : - a flaw in network IGMP processing that a allowed a remote user on the local network to cause a denial of service (disabling of multicast reports) if the system is running multicast applications (CVE-2002-2185, moderate) - a flaw which allowed a local user to write to firmware on read-only opened /dev/cdrom devices (CVE-2004-1190, moderate) - a flaw in gzip/zlib handling internal to the kernel that may allow a local user to cause a denial of service (crash) (CVE-2005-2458, low) - a flaw in procfs handling during unloading of modules that allowed a local user to cause a denial of service or potentially gain privileges (CVE-2005-2709, moderate) - a flaw in the SCSI procfs interface that allowed a local user to cause a denial of service (crash) (CVE-2005-2800, moderate) - a flaw in 32-bit-compat handling of the TIOCGDEV ioctl that allowed a local user to cause a denial of service (crash) (CVE-2005-3044, important) - a race condition when threads share memory mapping that allowed local users to cause a denial of service (deadlock) (CVE-2005-3106, important) - a flaw when trying to mount a non-hfsplus filesystem using hfsplus that allowed local users to cause a denial of service (crash) (CVE-2005-3109, moderate) - a minor info leak with the get_thread_area() syscall that allowed a local user to view uninitialized kernel stack data (CVE-2005-3276, low) - a flaw in mq_open system call that allowed a local user to cause a denial of service (crash) (CVE-2005-3356, important) - a flaw in set_mempolicy that allowed a local user on some 64-bit architectures to cause a denial of service (crash) (CVE-2005-3358, important) - a flaw in the auto-reap of child processes that allowed a local user to cause a denial of service (crash) (CVE-2005-3784, important) - a flaw in the IPv6 flowlabel code that allowed a local user to cause a denial of service (crash) (CVE-2005-3806, important) - a flaw in network ICMP processing that allowed a local user to cause a denial of service (memory exhaustion) (CVE-2005-3848, important) - a flaw in file lease time-out handling that allowed a local user to cause a denial of service (log file overflow) (CVE-2005-3857, moderate) - a flaw in network IPv6 xfrm handling that allowed a local user to cause a denial of service (memory exhaustion) (CVE-2005-3858, important) - a flaw in procfs handling that allowed a local user to read kernel memory (CVE-2005-4605, important) All Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum.
    last seen 2019-02-21
    modified 2018-11-16
    plugin id 20732
    published 2006-01-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=20732
    title RHEL 4 : kernel (RHSA-2006:0101)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-922.NASL
    description Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2004-2302 A race condition in the sysfs filesystem allows local users to read kernel memory and cause a denial of service (crash). - CVE-2005-0756 Alexander Nyberg discovered that the ptrace() system call does not properly verify addresses on the amd64 architecture which can be exploited by a local attacker to crash the kernel. - CVE-2005-0757 A problem in the offset handling in the xattr file system code for ext3 has been discovered that may allow users on 64-bit systems that have access to an ext3 filesystem with extended attributes to cause the kernel to crash. - CVE-2005-1265 Chris Wright discovered that the mmap() function could create illegal memory maps that could be exploited by a local user to crash the kernel or potentially execute arbitrary code. - CVE-2005-1761 A vulnerability on the IA-64 architecture can lead local attackers to overwrite kernel memory and crash the kernel. - CVE-2005-1762 A vulnerability has been discovered in the ptrace() system call on the amd64 architecture that allows a local attacker to cause the kernel to crash. - CVE-2005-1763 A buffer overflow in the ptrace system call for 64-bit architectures allows local users to write bytes into arbitrary kernel memory. - CVE-2005-1765 Zou Nan Hai has discovered that a local user could cause the kernel to hang on the amd64 architecture after invoking syscall() with specially crafted arguments. - CVE-2005-1767 A vulnerability has been discovered in the stack segment fault handler that could allow a local attacker to cause a stack exception that will lead the kernel to crash under certain circumstances. - CVE-2005-2456 Balazs Scheidler discovered that a local attacker could call setsockopt() with an invalid xfrm_user policy message which would cause the kernel to write beyond the boundaries of an array and crash. - CVE-2005-2458 Vladimir Volovich discovered a bug in the zlib routines which are also present in the Linux kernel and allows remote attackers to crash the kernel. - CVE-2005-2459 Another vulnerability has been discovered in the zlib routines which are also present in the Linux kernel and allows remote attackers to crash the kernel. - CVE-2005-2548 Peter Sandstrom noticed that snmpwalk from a remote host could cause a denial of service (kernel oops from null dereference) via certain UDP packets that lead to a function call with the wrong argument. - CVE-2005-2801 Andreas Gruenbacher discovered a bug in the ext2 and ext3 file systems. When data areas are to be shared among two inodes not all information were compared for equality, which could expose wrong ACLs for files. - CVE-2005-2872 Chad Walstrom discovered that the ipt_recent kernel module on 64-bit processors such as AMD64 allows remote attackers to cause a denial of service (kernel panic) via certain attacks such as SSH brute force. - CVE-2005-3105 The mprotect code on Itanium IA-64 Montecito processors does not properly maintain cache coherency as required by the architecture, which allows local users to cause a denial of service and possibly corrupt data by modifying PTE protections. - CVE-2005-3106 A race condition in the thread management may allow local users to cause a denial of service (deadlock) when threads are sharing memory and waiting for a thread that has just performed an exec. - CVE-2005-3107 When one thread is tracing another thread that shares the same memory map a local user could cause a denial of service (deadlock) by forcing a core dump when the traced thread is in the TASK_TRACED state. - CVE-2005-3108 A bug in the ioremap() system call has been discovered on the amd64 architecture that could allow local users to cause a denial of service or an information leak when performing a lookup of a non-existent memory page. - CVE-2005-3109 The HFS and HFS+ (hfsplus) modules allow local attackers to cause a denial of service (oops) by using hfsplus to mount a filesystem that is not hfsplus. - CVE-2005-3110 A race condition in the ebtables netfilter module on an SMP system running under high load may allow remote attackers to cause a denial of service (crash). - CVE-2005-3271 Roland McGrath discovered that exec() does not properly clear posix-timers in multi-threaded environments, which results in a resource leak and could allow a large number of multiple local users to cause a denial of service by using more posix-timers than specified by the quota for a single user. - CVE-2005-3272 The kernel allows remote attackers to poison the bridge forwarding table using frames that have already been dropped by filtering, which can cause the bridge to forward spoofed packets. - CVE-2005-3273 The ioctl for the packet radio ROSE protocol does not properly verify the arguments when setting a new router, which allows attackers to trigger out-of-bounds errors. - CVE-2005-3274 A race condition on SMP systems allows local users to cause a denial of service (null dereference) by causing a connection timer to expire while the connection table is being flushed before the appropriate lock is acquired. - CVE-2005-3275 An error in the NAT code allows remote attackers to cause a denial of service (memory corruption) by causing two packets for the same protocol to be NATed at the same time, which leads to memory corruption. - CVE-2005-3276 A missing memory cleanup in the thread handling routines before copying data into userspace allows a user process to obtain sensitive information. This update also contains a number of corrections for issues that turned out to have no security implication afterwards.
    last seen 2019-02-21
    modified 2018-07-20
    plugin id 22788
    published 2006-10-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22788
    title Debian DSA-922-1 : kernel-source-2.6.8 - several vulnerabilities
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2005-219.NASL
    description Multiple vulnerabilities in the Linux 2.6 kernel have been discovered and corrected in this update : An integer overflow in vc_resize (CVE-2004-1333). A race condition in the sysfs_read_file and sysfs_write_file functions in 2.6.10 and earlier allows local users to read kernel memory and cause a DoS (crash) via large offsets in sysfs files (CVE-2004-2302). An integer signedness error in scsi_ioctl.c (CVE-2005-0180). Netfilter allows a local user to cause a DoS (memory consumption) via certain packet fragments that are reassembled twice, which causes a data structure to be allocated twice (CVE-2005-0210). A DoS in pkt_ioctl in pktcdvc.c (CVE-2005-1589). An array index overflow in the xfrm_sk_policy_insert function in xfrm_user.c allows local users to cause a DoS (oops or deadlock) and possibly execute arbitrary code (CVE-2005-2456). The zisofs driver in versions prior to 2.6.12.5 allows local users and remove attackers to cause a DoS (crash) via a crafted compressed ISO filesystem (CVE-2005-2457). inflate.c in the zlib routines in versions prior to 2.6.12.5 allow remove attackers to cause a DoS (crash) via a compressed file with 'improper tables' (CVE-2005-2458). The huft_build function in inflate.c in the zlib routines in versions prior to 2.6.12.5 returns the wrong value, allowing remote attackers to cause a DoS (crash) via a certain compressed file that leads to a NULL pointer dereference (CVE-2005-2459). A stack-based buffer overflow in the sendmsg function call in versions prior to 2.6.13.1 allow local users to execute arbitrary code by calling sendmsg and modifying the message contents in another thread (CVE-2005-2490). vlan_dev.c in version 2.6.8 allows remote attackers to cause a DoS (oops from null dereference) via certain UDP packets that lead to a function call with the wrong argument (CVE-2005-2548). The kernel does not properly restrict socket policy access to users with the CAP_NET_ADMIN capability, which could allow local users to conduct unauthorized activities via ipv4/ip_sockglue.c and ipv6/ipv6_sockglue.c (CVE-2005-2555). A memory leak in the seq_file implementation in the SCSI procfs interface (sg.c) in 2.6.13 and earlier allows a local user to cause a DoS (memory consumption) via certain repeated reads from /proc/scsi/gs/devices file which is not properly handled when the next() interator returns NULL or an error (CVE-2005-2800). xattr.c in the ext2 and ext3 file system code does not properly compare the name_index fields when sharing xattr blocks which could prevent ACLs from being applied (CVE-2005-2801). The ipt_recent module in versions prior to 2.6.12 when running on 64bit processors allows remote attackers to cause a DoS (kernel panic) via certain attacks such as SSH brute force (CVE-2005-2872). The ipt_recent module in versions prior to 2.6.12 does not properly perform certain tests when the jiffies value is greater than LONG_MAX, which can cause ipt_recent netfilter rules to block too early (CVE-2005-2873). Multiple vulnerabilities in versions prior to 2.6.13.2 allow local users to cause a DoS (oops from null dereference) via fput in a 32bit ioctl on 64-bit x86 systems or sockfd_put in the 32-bit routing_ioctl function on 64-bit systems (CVE-2005-3044). The sys_set_mempolicy function in mempolicy.c allows local users to cause a DoS via a negative first argument (CVE-2005-3053). Versions 2.6.8 to 2.6.14-rc2 allow local users to cause a DoS (oops) via a userspace process that issues a USB Request Block (URB) to a USB device and terminates before the URB is finished, which leads to a stale pointer reference (CVE-2005-3055). The Orinoco driver in 2.6.13 and earlier does not properly clear memory from a previously used packet whose length is increased, allowing remote attackers to obtain sensitive information (CVE-2005-3180). Kernels 2.6.13 and earlier, when CONFIG_AUDITSYSCALL is enabled, use an incorrect function to free names_cache memory, preventing the memory from being tracked by AUDITSYSCALL code and leading to a memory leak (CVE-2005-3181). The VT implementation in version 2.6.12 allows local users to use certain IOCTLs on terminals of other users and gain privileges (CVE-2005-3257). Exec does not properly clear posix-timers in multi-threaded environments, which result in a resource leak and could allow a large number of multiple local users to cause a DoS by using more posix- timers than specified by the quota for a single user (CVE-2005-3271). The rose_rt_ioctl function rose_route.c in versions prior to 2.6.12 does not properly verify the ndigis argument for a new route, allowing an attacker to trigger array out-of-bounds errors with a large number of digipeats (CVE-2005-3273). A race condition in ip_vs_conn_flush in versions prior to 2.6.13, when running on SMP systems, allows local users to cause a DoS (null dereference) by causing a connection timer to expire while the connection table is being flushed before the appropriate lock is acquired (CVE-2005-3274). The NAT code in versions prior to 2.6.13 incorrectly declares a variable to be static, allowing remote attackers to cause a DoS (memory corruption) by causing two packets for the same protocol to be NATed at the same time (CVE-2005-3275). The sys_get_thread_area function in process.c in versions prior to 2.6.12.4 and 2.6.13 does not clear a data structure before copying it to userspace, which may allow a user process to obtain sensitive information (CVE-2005-3276). The following non-security fixes are also applied : Driver updates were made to the aic97xx and sata_sil modules. Support was added for ATI ipx400 chipsets, for IDE and sound. A build problem with icecream on the x86_64 platform was fixed. The pin1 APIC timer on RS480-based motherboards was disabled. The provided packages are patched to fix these vulnerabilities. All users are encouraged to upgrade to these updated kernels. To update your kernel, please follow the directions located at : http://www.mandriva.com/en/security/kernelupdate
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 20450
    published 2006-01-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=20450
    title Mandrake Linux Security Advisory : kernel (MDKSA-2005:219)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2006-0144.NASL
    description Updated kernel packages are now available as part of ongoing support and maintenance of Red Hat Enterprise Linux version 3. This is the seventh regular update. This security advisory has been rated as having moderate security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. This is the seventh regular kernel update to Red Hat Enterprise Linux 3. New features introduced by this update include : - addition of the bnx2, dell_rbu, and megaraid_sas device drivers - support for multi-core, multi-threaded Intel Itanium processors - upgrade of the SATA subsystem to include ATAPI and SMART support - optional tuning via the new numa_memory_allocator, arp_announce, and printk_ratelimit sysctls There were many bug fixes in various parts of the kernel. The ongoing effort to resolve these problems has resulted in a marked improvement in the reliability and scalability of Red Hat Enterprise Linux 3. There were numerous driver updates and security fixes (elaborated below). Other key areas affected by fixes in this update include the networking subsystem, the VM subsystem, NPTL handling, autofs4, the USB subsystem, CPU enumeration, and 32-bit-exec-mode handling on 64-bit architectures. The following device drivers have been upgraded to new versions : aacraid -------- 1.1.5-2412 bnx2 ----------- 1.4.30 (new) dell_rbu ------- 2.1 (new) e1000 ---------- 6.1.16-k3 emulex --------- 7.3.3 fusion --------- 2.06.16.02 ipmi ----------- 35.11 megaraid2 ------ v2.10.10.1 megaraid_sas --- 00.00.02.00 (new) tg3 ------------ 3.43RH The following security bugs were fixed in this update : - a flaw in gzip/zlib handling internal to the kernel that allowed a local user to cause a denial of service (crash) (CVE-2005-2458,low) - a flaw in ext3 EA/ACL handling of attribute sharing that allowed a local user to gain privileges (CVE-2005-2801, moderate) - a minor info leak with the get_thread_area() syscall that allowed a local user to view uninitialized kernel stack data (CVE-2005-3276, low) Note: The kernel-unsupported package contains various drivers and modules that are unsupported and therefore might contain security problems that have not been addressed. All Red Hat Enterprise Linux 3 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 21882
    published 2006-07-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21882
    title CentOS 3 : kernel (CESA-2006:0144)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2006-0144.NASL
    description Updated kernel packages are now available as part of ongoing support and maintenance of Red Hat Enterprise Linux version 3. This is the seventh regular update. This security advisory has been rated as having moderate security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. This is the seventh regular kernel update to Red Hat Enterprise Linux 3. New features introduced by this update include : - addition of the bnx2, dell_rbu, and megaraid_sas device drivers - support for multi-core, multi-threaded Intel Itanium processors - upgrade of the SATA subsystem to include ATAPI and SMART support - optional tuning via the new numa_memory_allocator, arp_announce, and printk_ratelimit sysctls There were many bug fixes in various parts of the kernel. The ongoing effort to resolve these problems has resulted in a marked improvement in the reliability and scalability of Red Hat Enterprise Linux 3. There were numerous driver updates and security fixes (elaborated below). Other key areas affected by fixes in this update include the networking subsystem, the VM subsystem, NPTL handling, autofs4, the USB subsystem, CPU enumeration, and 32-bit-exec-mode handling on 64-bit architectures. The following device drivers have been upgraded to new versions : aacraid -------- 1.1.5-2412 bnx2 ----------- 1.4.30 (new) dell_rbu ------- 2.1 (new) e1000 ---------- 6.1.16-k3 emulex --------- 7.3.3 fusion --------- 2.06.16.02 ipmi ----------- 35.11 megaraid2 ------ v2.10.10.1 megaraid_sas --- 00.00.02.00 (new) tg3 ------------ 3.43RH The following security bugs were fixed in this update : - a flaw in gzip/zlib handling internal to the kernel that allowed a local user to cause a denial of service (crash) (CVE-2005-2458,low) - a flaw in ext3 EA/ACL handling of attribute sharing that allowed a local user to gain privileges (CVE-2005-2801, moderate) - a minor info leak with the get_thread_area() syscall that allowed a local user to view uninitialized kernel stack data (CVE-2005-3276, low) Note: The kernel-unsupported package contains various drivers and modules that are unsupported and therefore might contain security problems that have not been addressed. All Red Hat Enterprise Linux 3 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum.
    last seen 2019-02-21
    modified 2018-11-16
    plugin id 21089
    published 2006-03-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21089
    title RHEL 3 : kernel (RHSA-2006:0144)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-219-1.NASL
    description Al Viro discovered a race condition in the /proc file handler of network devices. A local attacker could exploit this by opening any file in /proc/sys/net/ipv4/conf// and waiting until that interface was shut down. Under certain circumstances this could lead to a kernel crash or even arbitrary code execution with full kernel privileges. (CVE-2005-2709) Tetsuo Handa discovered a local Denial of Service vulnerability in the udp_v6_get_port() function. On computers which use IPv6, a local attacker could exploit this to trigger an infinite loop in the kernel. (CVE-2005-2973) Harald Welte discovered a Denial of Service vulnerability in the USB devio driver. A local attacker could exploit this by sending an 'USB Request Block' (URB) and terminating the sending process before the arrival of the answer, which left an invalid pointer and caused a kernel crash. (CVE-2005-3055) Pavel Roskin discovered an information leak in the Orinoco wireless card driver. When increasing the buffer length for storing data, the buffer was not padded with zeros, which exposed a random part of the system memory to the user. (CVE-2005-3180) A resource leak has been discovered in the handling of POSIX timers in the exec() function. This could be exploited to a Denial of Service attack by a group of local users. This vulnerability only affects Ubuntu 4.10. (CVE-2005-3271) Stephen Hemming discovered a weakness in the network bridge driver. Packets which had already been dropped by the packet filter could poison the forwarding table, which could be exploited to make the bridge forward spoofed packages. This vulnerability only affects Ubuntu 4.10 and 5.04. (CVE-2005-3272) David S. Miller discovered a buffer overflow in the rose_rt_ioctl() function. By calling the function with a large 'ngidis' argument, a local attacker could cause a kernel crash. This vulnerability only affects Ubuntu 4.10 and 5.04. (CVE-2005-3273) Neil Horman discovered a race condition in the connection timer handling. This allowed a local attacker to set up an expiration handler which modified the connection list while the list still being traversed, which could result in a kernel crash. This vulnerability only affects multiprocessor (SMP) systems. (CVE-2005-3274) Patrick McHardy noticed a logic error in the network address translation (NAT) connection tracker. A remote attacker could exploit this by causing two packets for the same protocol to be NATed at the same time, which resulted in a kernel crash. (CVE-2005-3275) Paolo Giarrusso discovered an information leak in the sys_get_thread_area(). The returned structure was not properly cleared, which exposed a small amount of kernel memory to userspace programs. This could possibly expose confidential data. (CVE-2005-3276). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-10-26
    plugin id 65105
    published 2013-03-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=65105
    title Ubuntu 4.10 / 5.10 : linux-source-2.6.8.1/-2.6.10/-2.6.12 vulnerabilities (USN-219-1)
oval via4
accepted 2013-04-29T04:21:49.951-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 3
    oval oval:org.mitre.oval:def:11782
  • comment CentOS Linux 3.x
    oval oval:org.mitre.oval:def:16651
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
description The sys_get_thread_area function in process.c in Linux 2.6 before 2.6.12.4 and 2.6.13 does not clear a data structure before copying it to userspace, which might allow a user process to obtain sensitive information.
family unix
id oval:org.mitre.oval:def:9748
status accepted
submitted 2010-07-09T03:56:16-04:00
title The sys_get_thread_area function in process.c in Linux 2.6 before 2.6.12.4 and 2.6.13 does not clear a data structure before copying it to userspace, which might allow a user process to obtain sensitive information.
version 23
redhat via4
advisories
  • rhsa
    id RHSA-2006:0101
  • rhsa
    id RHSA-2006:0144
refmap via4
bid 15527
confirm
debian DSA-922
fedora
  • FLSA:157459-1
  • FLSA:157459-2
  • FLSA:157459-3
mandrake
  • MDKSA-2005:218
  • MDKSA-2005:219
  • MDKSA-2005:220
secunia
  • 17826
  • 18056
  • 18510
  • 19252
ubuntu USN-219-1
Last major update 19-02-2017 - 00:09
Published 20-10-2005 - 21:02
Last modified 19-10-2018 - 11:35
Back to Top