ID CVE-2006-5749
Summary The isdn_ppp_ccp_reset_alloc_state function in drivers/isdn/isdn_ppp.c in the Linux 2.4 kernel before 2.4.34-rc4 does not call the init_timer function for the ISDN PPP CCP reset state timer, which has unknown attack vectors and results in a system crash.
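Added example, not part of the CVE record and not the kernel's code: a small userspace C model of the Linux 2.4 timer_list API that shows why an allocation path which fills in a timer's function and data but never calls init_timer() leaves a crash waiting for the first del_timer() on the teardown path, which is the shape of the bug the summary describes. The names ccp_reset_state, alloc_state_vulnerable, alloc_state_fixed, reset_timer_callback, teardown_would_crash and fixed_roundtrip_ok are hypothetical stand-ins for isdn_ppp_ccp_reset_alloc_state before and after the fix and for the driver's per-id state; the 0xA5 fill is a constructed stand-in for whatever a previous owner left in recycled allocator memory. The model follows 2.4 semantics only (a timer is pending when list.next is non-NULL) and omits expiry handling.

```c
/* Added example, not kernel code: a userspace model of the Linux 2.4
 * timer_list API showing why a state object whose timer never went through
 * init_timer() crashes on its first del_timer(). ccp_reset_state,
 * alloc_state_* and reset_timer_callback are hypothetical names. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
struct list_head { struct list_head *next, *prev; };

struct timer_list {                              /* 2.4-style: pending <=> list.next != NULL */
    struct list_head list;
    unsigned long data;
    void (*function)(unsigned long);
};
static struct list_head timer_base = { &timer_base, &timer_base }; /* one wheel bucket */

/* All 2.4 init_timer() did was clear the list pointers. */
static void init_timer(struct timer_list *t) { t->list.next = t->list.prev = NULL; }
static int timer_pending(const struct timer_list *t) { return t->list.next != NULL; }

static int add_timer(struct timer_list *t)
{
    if (timer_pending(t)) return 0;              /* 2.4: "kernel timer added twice" */
    t->list.next = timer_base.next;
    t->list.prev = &timer_base;
    timer_base.next->prev = &t->list;
    timer_base.next = &t->list;
    return 1;
}

/* The kernel's list_del() writes through list.prev/list.next unconditionally.
 * This model only unlinks timers it finds on the list and flags *would_crash
 * when a timer looks pending purely because of stale pointers. */
static int del_timer(struct timer_list *t, int *would_crash)
{
    struct list_head *p;
    if (!timer_pending(t)) return 0;
    for (p = timer_base.next; p != &timer_base; p = p->next)
        if (p == &t->list) {
            t->list.prev->next = t->list.next;
            t->list.next->prev = t->list.prev;
            t->list.next = t->list.prev = NULL;
            return 1;
        }
    *would_crash = 1;
    return 0;
}

struct ccp_reset_state {                         /* hypothetical per-id state */
    int id;
    struct timer_list timer;
};

static void reset_timer_callback(unsigned long data) { (void)data; }

/* Shape of the bug: recycled memory, function/data filled in, no init_timer().
 * The 0xA5 fill is constructed; it stands for a previous owner's leftovers. */
static struct ccp_reset_state *alloc_state_vulnerable(int id)
{
    struct ccp_reset_state *rs = malloc(sizeof *rs);
    if (!rs) return NULL;
    memset(rs, 0xA5, sizeof *rs);
    rs->id = id;
    rs->timer.data = (unsigned long)rs;
    rs->timer.function = reset_timer_callback;
    return rs;
}

/* Shape of the fix: the same allocation, plus init_timer() on the timer. */
static struct ccp_reset_state *alloc_state_fixed(int id)
{
    struct ccp_reset_state *rs = alloc_state_vulnerable(id);
    if (rs) init_timer(&rs->timer);
    return rs;
}

/* Teardown: the driver del_timer()s every state it frees; 1 = garbage followed. */
static int teardown_would_crash(struct ccp_reset_state *(*alloc)(int))
{
    int crash = 0;
    struct ccp_reset_state *rs = alloc(1);
    if (!rs) return -1;
    del_timer(&rs->timer, &crash);
    free(rs);
    return crash;
}

/* Arm/cancel cycle on an initialised state; returns 1 when it all works. */
static int fixed_roundtrip_ok(void)
{
    int crash = 0, ok;
    struct ccp_reset_state *rs = alloc_state_fixed(2);
    if (!rs) return 0;
    ok = !timer_pending(&rs->timer);
    ok = ok && add_timer(&rs->timer) == 1 && timer_pending(&rs->timer);
    ok = ok && del_timer(&rs->timer, &crash) == 1 && crash == 0;
    ok = ok && !timer_pending(&rs->timer);
    free(rs);
    return ok;
}
```

The point the model makes: under 2.4 semantics "pending" is nothing more than a non-NULL list pointer, so a timer embedded in recycled memory looks pending before it has ever been armed, and the unconditional unlink in del_timer() then writes through whatever the old contents were. Zeroing the allocation would hide the symptom in this model but is not the fix; init_timer() is, because it is the documented way to put a timer into the not-pending state before any add_timer()/del_timer() touches it.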
References
Vulnerable Configurations
  • Linux Kernel 2.4.34 rc3
    cpe:2.3:o:linux:linux_kernel:2.4.34:rc3
CVSS
Base: 1.7 (as of 04-01-2007 - 09:23)
Impact:
Exploitability:
Access
  Vector: LOCAL
  Complexity: LOW
  Authentication: SINGLE_INSTANCE
Impact
  Confidentiality: NONE
  Integrity: NONE
  Availability: PARTIAL
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id SUSE_KERNEL-2705.NASL
    description This kernel update fixes the following security problems : - CVE-2006-5751: An integer overflow in the networking bridge ioctl starting with Kernel 2.6.7 could be used by local attackers to overflow kernel memory buffers and potentially escalate privileges [#222656] - CVE-2006-6106: Multiple buffer overflows in the cmtp_recv_interopmsg function in the Bluetooth driver (net/bluetooth/cmtp/capi.c) in the Linux kernel allowed remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via CAPI messages with a large value for the length of the (1) manu (manufacturer) or (2) serial (serial number) field. [#227603] - CVE-2006-5749: The isdn_ppp_ccp_reset_alloc_state function in drivers/isdn/isdn_ppp.c in the Linux kernel does not call the init_timer function for the ISDN PPP CCP reset state timer, which has unknown attack vectors and results in a system crash. [#229619] - CVE-2006-5753: Unspecified vulnerability in the listxattr system call in Linux kernel, when a 'bad inode' is present, allows local users to cause a denial of service (data corruption) and possibly gain privileges. [#230270] - CVE-2007-0006: The key serial number collision avoidance code in the key_alloc_serial function allows local users to cause a denial of service (crash) via vectors that trigger a null dereference. [#243003] - CVE-2007-0772: A remote denial of service problem on NFSv2 mounts with ACL enabled was fixed. [#244909] Furthermore, it catches up to the mainline kernel, version 2.6.18.8, and contains a large number of additional fixes for non security bugs.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 27293
    published 2007-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27293
    title openSUSE 10 Security Update : kernel (kernel-2705)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2007-040.NASL
    description Some vulnerabilities were discovered and corrected in the Linux 2.6 kernel : The isdn_ppp_ccp_reset_alloc_state function in drivers/isdn/isdn_ppp.c in the Linux 2.4 kernel before 2.4.34-rc4, as well as the 2.6 kernel, does not call the init_timer function for the ISDN PPP CCP reset state timer, which has unknown attack vectors and results in a system crash. (CVE-2006-5749) The listxattr syscall can corrupt user space under certain circumstances. The problem seems to be related to signed/unsigned conversion during size promotion. (CVE-2006-5753) The ext3fs_dirhash function in Linux kernel 2.6.x allows local users to cause a denial of service (crash) via an ext3 stream with malformed data structures. (CVE-2006-6053) The mincore function in the Linux kernel before 2.4.33.6, as well as the 2.6 kernel, does not properly lock access to user space, which has unspecified impact and attack vectors, possibly related to a deadlock. (CVE-2006-4814) The provided packages are patched to fix these vulnerabilities. All users are encouraged to upgrade to these updated kernels immediately and reboot to effect the fixes. In addition to these security fixes, other fixes have been included such as : - Add Ralink RT2571W/RT2671 WLAN USB support (rt73 module) - Fix sys_msync() to report -ENOMEM as before when an unmapped area falls within its range, and not to overshoot (LSB regression) - Avoid disk sector_t overflow for >2TB ext3 filesystem - USB: workaround to fix HP scanners detection (#26728) - USB: unusual_devs.h for Sony floppy (#28378) - Add preliminary ICH9 support - Add TI sd card reader support - Add RT61 driver - KVM update - Fix bttv vbi offset To update your kernel, please follow the directions located at : http://www.mandriva.com/en/security/kernelupdate
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 24653
    published 2007-02-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24653
    title Mandrake Linux Security Advisory : kernel (MDKSA-2007:040)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2007-012.NASL
    description Some vulnerabilities were discovered and corrected in the Linux 2.6 kernel : The __block_prepare_write function in the 2.6 kernel before 2.6.13 does not properly clear buffers during certain error conditions, which allows users to read portions of files that have been unlinked (CVE-2006-4813). The clip_mkip function of the ATM subsystem in the 2.6 kernel allows remote attackers to cause a DoS (panic) via unknown vectors that cause the ATM subsystem to access the memory of socket buffers after they are freed (CVE-2006-4997). The NFS lockd in the 2.6 kernel before 2.6.16 allows remote attackers to cause a DoS (process crash) and deny access to NFS exports via unspecified vectors that trigger a kernel oops and a deadlock (CVE-2006-5158). The seqfile handling in the 2.6 kernel up to 2.6.18 allows local users to cause a DoS (hang or oops) via unspecified manipulations that trigger an infinite loop while searching for flowlabels (CVE-2006-5619). A missing call to init_timer() in the isdn_ppp code of the Linux kernel can allow remote attackers to send a special kind of PPP packet which may trigger a kernel oops (CVE-2006-5749). An integer overflow in the 2.6 kernel prior to 2.6.18.4 could allow a local user to execute arbitrary code via a large maxnum value in an ioctl request (CVE-2006-5751). A race condition in the ISO9660 filesystem handling could allow a local user to cause a DoS (infinite loop) by mounting a crafted ISO9660 filesystem containing malformed data structures (CVE-2006-5757). A vulnerability in the bluetooth support could allow for overwriting internal CMTP and CAPI data structures via malformed packets (CVE-2006-6106). The provided packages are patched to fix these vulnerabilities. All users are encouraged to upgrade to these updated kernels immediately and reboot to effect the fixes. In addition to these security fixes, other fixes have been included such as : - __bread oops fix - added e1000_ng (nineveh support) - added sata_svw (Broadcom SATA support) - added Marvell PATA chipset support - disabled mmconf on some broken hardware/BIOSes - use GENERICARCH and enable bigsmp apic model for tulsa machines To update your kernel, please follow the directions located at : http://www.mandriva.com/en/security/kernelupdate
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 24628
    published 2007-02-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24628
    title Mandrake Linux Security Advisory : kernel (MDKSA-2007:012)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_KERNEL-2605.NASL
    description This kernel update fixes the following security problems : - The ftdi_sio driver allowed local users to cause a denial of service (memory consumption) by writing more data to the serial port than the hardware can handle, which causes the data to be queued. This requires this driver to be loaded, which only happens if such a device is plugged in. (CVE-2006-2936) - A deadlock in mincore that could be caused by local attackers was fixed. (CVE-2006-4814) - Multiple buffer overflows in the cmtp_recv_interopmsg function in the Bluetooth driver (net/bluetooth/cmtp/capi.c) in the Linux kernel allowed remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via CAPI messages with a large value for the length of the (1) manu (manufacturer) or (2) serial (serial number) field. (CVE-2006-6106) - The isdn_ppp_ccp_reset_alloc_state function in drivers/isdn/isdn_ppp.c in the Linux kernel does not call the init_timer function for the ISDN PPP CCP reset state timer, which has unknown attack vectors and results in a system crash. (CVE-2006-5749) - Unspecified vulnerability in the listxattr system call in Linux kernel, when a 'bad inode' is present, allows local users to cause a denial of service (data corruption) and possibly gain privileges. (CVE-2006-5753) - A remote denial of service problem on NFSv2 mounts with ACL enabled was fixed. and the following non security bugs : - patches.xen/xen-x86_64-agp: add missing header [#222174] [#224170] - patches.fixes/dcache-race-during-umount: Fix dcache race during umount [#136310] [#151638] - patches.arch/x86_64-kdump-bootmem-fix: Handle reserve_bootmem_generic beyond end_pfn [#179093] - patches.fixes/rpc-no-paranoia: Ratelimit some messages from SUNRPC servers (nfsd) [#190178] - patches.fixes/nfs-lock-warning-removal: Remove useless warning about VFS being out of sync with lock manager [#192813] - patches.fixes/acpiphp-fix-ibm-hotplug-oops.patch: Fix acpiphp oops when hotplug is performed on an IBM 8864/6 [#203923] - patches.fixes/oom-child-kill-fix.patch: OOM: prevent OOM_DISABLE tasks from being killed when out of memory [#211859] - patches.drivers/alsa-control-warning-fix: Fix bogus kernel error messages from ALSA control.c [#212484] - patches.fixes/init_isolcpus.diff: sched: force /sbin/init off isolated cpus [#216799] - patches.fixes/ocfs2-network-send-lock.diff: fix regression that caused the idle timer not to be reset during packet processing [#216912] - patches.fixes/workqueue_cpu_deadlock-fix.diff: [PATCH] workqueue: fix deadlock when workqueue func takes the workqueue mutex [#217222] - patches.drivers/open-iscsi-handle-check-condition: Host lockups then Reboots when an iSCSI session is attempted [#219968] - patches.arch/ia64-fp-rate-limit: [ia64] Reduce overhead of FP exception logging messages. [#223314] - patches.arch/ia64-sn2-bte_unaligned_copy-overrun: [ia64] Avert transfer of extra cache line by bte_unaligned_copy(). [#224166] - patches.fixes/natsemi-long-cable-fix: natsemi: make cable length magic configurable [#225091] - patches.fixes/sunrpc-randomize-xids: SUNRPC: NFS_ROOT always uses the same XIDs [#225251] - patches.drivers/usb-funsoft-hwinfo.patch: USB: fix hwinfo issue with funsoft driver [#226661] - patches.fixes/fix-ext3-kmalloc-flags-with-journal-handle.diff: ext3: use GFP_NOFS for allocations while holding journal handle [#228694] - patches.fixes/nfs-tcp-reconnect-on-error: RPC: Ensure that we disconnect TCP socket when client requests error out [#230210] - patches.fixes/sunrpc-listen-race: knfsd: Fix race that can disable NFS server. [#230287] - patches.drivers/pci-quirk-1k-i-o-space-iobl_adr-fix-on-p64h2.patch: PCI Quirk: 1k I/O space IOBL_ADR fix on P64H2 [#230365] - patches.drivers/ide-generic-fix-JMB-entries: [PATCH] ide-generic: fix JMB handling [#231218] [#207939] - patches.drivers/qla2xxx-block-error-handler: crash in qla2xxx driver during error recovery [#232957] - patches.fixes/loop_early_wakeup_fix.diff: Fix oops in loopback device during mount. [#232992] - patches.fixes/nfs-jiffie-wrap: Avoid extra GETATTR calls caused by 'jiffie wrap'. [#233155] - add patches.fixes/atalk_sendmsg-crash.patch Fix potential OOPS in atalk_sendmsg() [#235049] - patches.fixes/ext3_readdir_use_generic_readahead.diff: ext3_readdir: use generic readahead [#228682] [#235302] - patches.drivers/ide-fix-drive-side-80c-detection: [PATCH] ide: fix drive side 80c cable detection [#237164] - patches.fixes/xfs-kern-28000a-buffer-unwritten-new: Set the buffer new flag on writes to unwritten XFS extents. This fixes a corruption in preallocated files on XFS [#237908] - patches.drivers/ide-atiixp-fix-cable-detection: [PATCH] atiixp: fix cable detection [#241403] - patches.drivers/ide-atiixp-sb600-has-only-one-port: [PATCH] atiixp: SB600 has only one channel [#241403] - patches.fixes/md-avoid-bitmap-overflow: Avoid possible BUG_ON in md bitmap handling. [#242180] - patches.fixes/ocfs2-loop-aops-hack.diff: ocfs2/loop: forbid use of aops when inappropriate [#242200]
    last seen 2019-02-21
    modified 2012-05-17
    plugin id 59122
    published 2012-05-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59122
    title SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 2605)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_KERNEL-2635.NASL
    description This kernel update fixes the following security problems : - CVE-2006-2936: The ftdi_sio driver allowed local users to cause a denial of service (memory consumption) by writing more data to the serial port than the hardware can handle, which causes the data to be queued. This requires this driver to be loaded, which only happens if such a device is plugged in. [#191836] - CVE-2006-4814: A deadlock in mincore that could be caused by local attackers was fixed. [#207667] - CVE-2006-6106: Multiple buffer overflows in the cmtp_recv_interopmsg function in the Bluetooth driver (net/bluetooth/cmtp/capi.c) in the Linux kernel allowed remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via CAPI messages with a large value for the length of the (1) manu (manufacturer) or (2) serial (serial number) field. [#227603] - CVE-2006-5749: The isdn_ppp_ccp_reset_alloc_state function in drivers/isdn/isdn_ppp.c in the Linux kernel does not call the init_timer function for the ISDN PPP CCP reset state timer, which has unknown attack vectors and results in a system crash. [#229619] - CVE-2006-5753: Unspecified vulnerability in the listxattr system call in Linux kernel, when a 'bad inode' is present, allows local users to cause a denial of service (data corruption) and possibly gain privileges. [#230270] - A remote denial of service problem on NFSv3 mounts with ACL enabled was fixed. [#244909] Furthermore, this kernel catches up to the SLE 10 state of the kernel, with massive additional fixes.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 27292
    published 2007-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27292
    title openSUSE 10 Security Update : kernel (kernel-2635)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-416-1.NASL
    description Mark Dowd discovered that the netfilter iptables module did not correctly handle fragmented IPv6 packets. By sending specially crafted packets, a remote attacker could exploit this to bypass firewall rules. This has already been fixed for Ubuntu 6.10 in USN-395-1; this is the corresponding fix for Ubuntu 6.06. (CVE-2006-4572) Doug Chapman discovered an improper lock handling in the mincore() function. A local attacker could exploit this to cause an eternal hang in the kernel, rendering the machine unusable. (CVE-2006-4814) Al Viro reported that the ISDN PPP module did not initialize the reset state timer. By sending specially crafted ISDN packets, a remote attacker could exploit this to crash the kernel. (CVE-2006-5749) Various syscalls (like listxattr()) misinterpreted the return value of return_EIO() when encountering bad inodes. By issuing particular system calls on a malformed file system, a local attacker could exploit this to crash the kernel. (CVE-2006-5753) The task switching code did not save and restore EFLAGS of processes. By starting a specially crafted executable, a local attacker could exploit this to eventually crash many other running processes. This only affects the amd64 platform. (CVE-2006-5755) A race condition was found in the grow_buffers() function. By mounting a specially crafted ISO9660 or NTFS file system, a local attacker could exploit this to trigger an infinite loop in the kernel, rendering the machine unusable. (CVE-2006-5757) A buffer overread was found in the zlib_inflate() function. By tricking a user into mounting a specially crafted file system which uses zlib compression (such as cramfs), this could be exploited to crash the kernel. (CVE-2006-5823) The ext3 file system driver did not properly handle corrupted data structures. By mounting a specially crafted ext3 file system, a local attacker could exploit this to crash the kernel. (CVE-2006-6053) The ext2 file system driver did not properly handle corrupted data structures. By mounting a specially crafted ext2 file system, a local attacker could exploit this to crash the kernel. (CVE-2006-6054) The hfs file system driver did not properly handle corrupted data structures. By mounting a specially crafted hfs file system, a local attacker could exploit this to crash the kernel. This only affects systems which enable SELinux (Ubuntu disables SELinux by default). (CVE-2006-6056) Several vulnerabilities have been found in the GFS2 file system driver. Since this driver has never actually worked in Ubuntu 6.10, it has been disabled. This only affects Ubuntu 6.10. (CVE-2006-6057) Marcel Holtman discovered several buffer overflows in the Bluetooth driver. By sending Bluetooth packets with specially crafted CAPI messages, a remote attacker could exploit these to crash the kernel. (CVE-2006-6106). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 28005
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=28005
    title Ubuntu 5.10 / 6.06 LTS / 6.10 : linux-source-2.6.12/2.6.15/2.6.17 vulnerabilities (USN-416-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_KERNEL-2606.NASL
    description This kernel update fixes the following security problems : - The ftdi_sio driver allowed local users to cause a denial of service (memory consumption) by writing more data to the serial port than the hardware can handle, which causes the data to be queued. This requires this driver to be loaded, which only happens if such a device is plugged in. (CVE-2006-2936) - A deadlock in mincore that could be caused by local attackers was fixed. (CVE-2006-4814) - Multiple buffer overflows in the cmtp_recv_interopmsg function in the Bluetooth driver (net/bluetooth/cmtp/capi.c) in the Linux kernel allowed remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via CAPI messages with a large value for the length of the (1) manu (manufacturer) or (2) serial (serial number) field. (CVE-2006-6106) - The isdn_ppp_ccp_reset_alloc_state function in drivers/isdn/isdn_ppp.c in the Linux kernel does not call the init_timer function for the ISDN PPP CCP reset state timer, which has unknown attack vectors and results in a system crash. (CVE-2006-5749) - Unspecified vulnerability in the listxattr system call in Linux kernel, when a 'bad inode' is present, allows local users to cause a denial of service (data corruption) and possibly gain privileges. (CVE-2006-5753) - A remote denial of service problem on NFSv2 mounts with ACL enabled was fixed. and the following non security bugs : - patches.xen/xen-x86_64-agp: add missing header [#222174] [#224170] - patches.fixes/dcache-race-during-umount: Fix dcache race during umount [#136310] [#151638] - patches.arch/x86_64-kdump-bootmem-fix: Handle reserve_bootmem_generic beyond end_pfn [#179093] - patches.fixes/rpc-no-paranoia: Ratelimit some messages from SUNRPC servers (nfsd) [#190178] - patches.fixes/nfs-lock-warning-removal: Remove useless warning about VFS being out of sync with lock manager [#192813] - patches.fixes/acpiphp-fix-ibm-hotplug-oops.patch: Fix acpiphp oops when hotplug is performed on an IBM 8864/6 [#203923] - patches.fixes/oom-child-kill-fix.patch: OOM: prevent OOM_DISABLE tasks from being killed when out of memory [#211859] - patches.drivers/alsa-control-warning-fix: Fix bogus kernel error messages from ALSA control.c [#212484] - patches.fixes/init_isolcpus.diff: sched: force /sbin/init off isolated cpus [#216799] - patches.fixes/ocfs2-network-send-lock.diff: fix regression that caused the idle timer not to be reset during packet processing [#216912] - patches.fixes/workqueue_cpu_deadlock-fix.diff: [PATCH] workqueue: fix deadlock when workqueue func takes the workqueue mutex [#217222] - patches.drivers/open-iscsi-handle-check-condition: Host lockups then Reboots when an iSCSI session is attempted [#219968] - patches.arch/ia64-fp-rate-limit: [ia64] Reduce overhead of FP exception logging messages. [#223314] - patches.arch/ia64-sn2-bte_unaligned_copy-overrun: [ia64] Avert transfer of extra cache line by bte_unaligned_copy(). [#224166] - patches.fixes/natsemi-long-cable-fix: natsemi: make cable length magic configurable [#225091] - patches.fixes/sunrpc-randomize-xids: SUNRPC: NFS_ROOT always uses the same XIDs [#225251] - patches.drivers/usb-funsoft-hwinfo.patch: USB: fix hwinfo issue with funsoft driver [#226661] - patches.fixes/fix-ext3-kmalloc-flags-with-journal-handle.diff: ext3: use GFP_NOFS for allocations while holding journal handle [#228694] - patches.fixes/nfs-tcp-reconnect-on-error: RPC: Ensure that we disconnect TCP socket when client requests error out [#230210] - patches.fixes/sunrpc-listen-race: knfsd: Fix race that can disable NFS server. [#230287] - patches.drivers/pci-quirk-1k-i-o-space-iobl_adr-fix-on-p64h2.patch: PCI Quirk: 1k I/O space IOBL_ADR fix on P64H2 [#230365] - patches.drivers/ide-generic-fix-JMB-entries: [PATCH] ide-generic: fix JMB handling [#231218] [#207939] - patches.drivers/qla2xxx-block-error-handler: crash in qla2xxx driver during error recovery [#232957] - patches.fixes/loop_early_wakeup_fix.diff: Fix oops in loopback device during mount. [#232992] - patches.fixes/nfs-jiffie-wrap: Avoid extra GETATTR calls caused by 'jiffie wrap'. [#233155] - add patches.fixes/atalk_sendmsg-crash.patch Fix potential OOPS in atalk_sendmsg() [#235049] - patches.fixes/ext3_readdir_use_generic_readahead.diff: ext3_readdir: use generic readahead [#228682] [#235302] - patches.drivers/ide-fix-drive-side-80c-detection: [PATCH] ide: fix drive side 80c cable detection [#237164] - patches.fixes/xfs-kern-28000a-buffer-unwritten-new: Set the buffer new flag on writes to unwritten XFS extents. This fixes a corruption in preallocated files on XFS [#237908] - patches.drivers/ide-atiixp-fix-cable-detection: [PATCH] atiixp: fix cable detection [#241403] - patches.drivers/ide-atiixp-sb600-has-only-one-port: [PATCH] atiixp: SB600 has only one channel [#241403] - patches.fixes/md-avoid-bitmap-overflow: Avoid possible BUG_ON in md bitmap handling. [#242180] - patches.fixes/ocfs2-loop-aops-hack.diff: ocfs2/loop: forbid use of aops when inappropriate [#242200]
    last seen 2019-02-21
    modified 2012-05-17
    plugin id 29486
    published 2007-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29486
    title SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 2606)
refmap via4
bid
  • 21835
  • 21883
bugtraq 20070615 rPSA-2007-0124-1 kernel xen
confirm
mandriva
  • MDKSA-2007:012
  • MDKSA-2007:025
  • MDKSA-2007:040
secunia
  • 23529
  • 23609
  • 23752
  • 24098
  • 24100
  • 24547
  • 25226
  • 25683
  • 25691
suse
  • SUSE-SA:2007:018
  • SUSE-SA:2007:021
  • SUSE-SA:2007:030
  • SUSE-SA:2007:035
trustix 2007-0002
ubuntu USN-416-1
statements via4
contributor Mark J Cox
lastmodified 2007-03-14
organization Red Hat
statement Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.
Last major update 15-09-2010 - 01:30
Published 31-12-2006 - 00:00