ID CVE-2007-3104
Summary The sysfs_readdir function in the Linux kernel 2.6, as used in Red Hat Enterprise Linux (RHEL) 4.5 and other distributions, allows users to cause a denial of service (kernel OOPS) by dereferencing a null pointer to an inode in a dentry.
References
Vulnerable Configurations
  • Linux Kernel 2.6.0
    cpe:2.3:o:linux:linux_kernel:2.6.0
  • Red Hat Enterprise Linux 4.5
    cpe:2.3:o:redhat:enterprise_linux:4.5
CVSS
Base: 4.9 (as of 27-06-2007 - 12:25)
Impact:
Exploitability:
CWE CWE-399
CAPEC
Access
VectorComplexityAuthentication
LOCAL LOW NONE
Impact
ConfidentialityIntegrityAvailability
NONE NONE COMPLETE
nessus via4
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1428.NASL
    description Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : This is an update to DSA 1428-1 which omitted a reference to CVE-2007-5904. - CVE-2007-3104 Eric Sandeen provided a backport of Tejun Heo's fix for a local denial of service vulnerability in sysfs. Under memory pressure, a dentry structure maybe reclaimed resulting in a bad pointer dereference causing an oops during a readdir. - CVE-2007-4997 Chris Evans discovered an issue with certain drivers that make use of the Linux kernel's ieee80211 layer. A remote user could generate a malicious 802.11 frame that could result in a denial of service (crash). The ipw2100 driver is known to be affected by this issue, while the ipw2200 is believed not to be. - CVE-2007-5500 Scott James Remnant diagnosed a coding error in the implementation of ptrace which could be used by a local user to cause the kernel to enter an infinite loop. - CVE-2007-5904 Przemyslaw Wegrzyn discovered an issue in the CIFS filesystem that could allow a malicious server to cause a denial of service (crash) by overflowing a buffer. These problems have been fixed in the stable distribution in version 2.6.18.dfsg.1-13etch5. The following matrix lists additional packages that were rebuilt for compatibility with or to take advantage of this update : Debian 4.0 (etch) fai-kernels 1.17+etch.13etch5 user-mode-linux 2.6.18-1um-2etch.13etch5
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 29263
    published 2007-12-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29263
    title Debian DSA-1428-2 : linux-2.6 - several vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id SUSE_KERNEL-4745.NASL
    description This kernel update fixes the following security problems : - The sysfs_readdir function in the Linux kernel 2.6 allows local users to cause a denial of service (kernel OOPS) by dereferencing a NULL pointer to an inode in a dentry. (CVE-2007-3104) - A 2 byte buffer underflow in the ieee80211 stack was fixed, which might be used by attackers in the local WLAN reach to crash the machine. (CVE-2007-4997) - The CIFS filesystem, when Unix extension support is enabled, did not honor the umask of a process, which allowed local users to gain privileges. (CVE-2007-3740) - It was possible for local user to become root by exploiting a bug in the IA32 system call emulation. This problem affects the x86_64 platform only, on all distributions. (CVE-2007-4573) This problem was fixed for regular kernels, but had not been fixed for the XEN kernels. This update fixes the problem also for the XEN kernels. - The (1) aac_cfg_open and (2) aac_compat_ioctl functions in the SCSI layer ioctl path in aacraid did not check permissions for ioctls, which might have allowed local users to cause a denial of service or gain privileges. (CVE-2007-4308) - The Linux kernel checked the wrong global variable for the CIFS sec mount option, which might allow remote attackers to spoof CIFS network traffic that the client configured for security signatures, as demonstrated by lack of signing despite sec=ntlmv2i in a SetupAndX request. (CVE-2007-3843) - Multiple buffer overflows in CIFS VFS in the Linux kernel allowed remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via long SMB responses that trigger the overflows in the SendReceive function. (CVE-2007-5904) This requires the attacker to mis-present / replace a CIFS server the client machine is connected to. - Buffer overflow in the isdn_net_setcfg function in isdn_net.c in the Linux kernel allowed local users to have an unknown impact via a crafted argument to the isdn_ioctl function. (CVE-2007-6063) and the following non security bugs : - patches.drivers/pci-delete-ACPI-hook-from-pci_set_power_stat e.patch: Delete ACPI hook from pci_set_power_state() [#162320] Still execute the code on Lenovo ThinkPads (or USB ports do not work anymore after suspend [#329232] - patches.drivers/alsa-post-sp1-hda-probe-blacklist: [ALSA] hda-intel - Add probe_mask blacklist [#172330] - patches.drivers/alsa-post-sp1-hda-robust-probe: [ALSA] hda-intel - Improve HD-audio codec probing robustness [#172330] - patches.arch/i386-hpet-lost-interrupts-fix.patch: Backport i386 hpet lost interrupts code [#257035] - patches.fixes/megaraid_mbox-dell-cerc-support: Dell CERC support for megaraid_mbox [#267134] - patches.fixes/nfsv4-MAXNAME-fix.diff: knfsd: query filesystem for NFSv4 getattr of FATTR4_MAXNAME [#271803] - patches.drivers/ide-amd74xx-add-ignore_enablebits-parameter: amd74xx: add ignore_enable_bits module parameter [#272786] - patches.fixes/legacy-pty-count-kernel-parm.patch: Add a kernel boot parameter to overwrite the legacy PTY count. The default value of 64 is insufficient occasionally [#277846] - patches.fixes/lockd-grant-shutdown: Stop GRANT callback from crashing if NFS server has been stopped. [#292478] - Kernel update to 2.6.16.54 [#298719] including (among others) : - lots of md fixes - fix of sparc bugs - fix of TCP handling of SACK in bidirectional flows - fix of MCA bus matching - fix of PPC issues : - Fix osize too small errors when decoding mppe. - Fix output buffer size in ppp_decompress_frame(). - patches.fixes/assign-task_struct.exit_code-before-taskstats_ exit.patch: Assign task_struct.exit_code before taskstats_exit() [#307504] - patches.fixes/bonding_no_addrconf_for_bond_slaves: bonding / ipv6: no addrconf for slaves separately from master. [#310254] - patches.fixes/bonding_support_carrier_state_for_master: bonding: support carrier state for master [#310254] - patches.fixes/fix-sys-devices-system-node-node0-meminfo-from -having-anonpages-wrapped.patch: fix /sys/devices/system/node/node0/meminfo from having anonpages wrapped [#310744] - patches.fixes/nfs-remove-bogus-cache-change-attribute-check. diff fix bogus cache change to make data available immediately, on direct write [#325877] - patches.fixes/tcp-send-ACKs-each-2nd-received-segment.patch: Send ACKs each 2nd received segment. This fixes a problem where the tcp cubic congestion algorithm was too slow in converging [#327848] - patches.drivers/libata-fix-spindown: libata: fix disk spindown on shutdown [#330722] - patches.fixes/scsi-reset-resid: busy status on tape write results in incorrect residual [#330926] - patches.fixes/condense-output-of-show_free_areas.patch: Condense output of show_free_areas() [#331251] - patches.arch/powernowk8_family_freq_from_fiddid.patch: To find the frequency given the fid and did is family dependent. [#332722] - patches.fixes/tcp-saner-thash_entries-default.patch: Limit the size of the TCP established hash to 512k entries by default [#333273] - patches.drivers/alsa-emu10k1-spdif-mem-fix: [ALSA] emu10k1 - Fix memory corruption [#333314] - patches.drivers/alsa-post-sp1-hda-stac-error-fix: [ALSA] Fix error probing with STAC codecs [#333320] - patches.fixes/qla2xxx-avoid-duplicate-pci_disable_device : Fixup patch to not refer to stale pointer [#333542] - large backport of dm-crypt fixes: [#333905] - patches.fixes/dm-disable_barriers.diff: dm: disable barriers. - patches.fixes/dm-crypt-restructure_for_workqueue_change.diff - patches.fixes/dm-crypt-restructure_write_processing.diff - patches.fixes/dm-crypt-move_io_to_workqueue.diff - patches.fixes/dm-crypt-use_private_biosets.diff - patches.fixes/dm-crypt-fix_call_to_clone_init.diff - patches.fixes/dm-crypt-fix_avoid_cloned_bio_ref_after_free.d iff - patches.fixes/dm-crypt-fix_remove_first_clone.diff - patches.fixes/dm-crypt-use_smaller_bvecs_in_clones.diff - patches.fixes/dm-crypt-fix_panic_on_large_request.diff - patches.fixes/initramfs-fix-cpio-hardlink-check.patch: initramfs: fix CPIO hardlink check [#334612] - patches.drivers/lpfc-8.1.10.12-update: driver update to fix severe issues in lpfc 8.1.10.9 driver [#334630] [#342044] - patches.fixes/nfs-direct-io-fix-1: NFS: Fix error handling in nfs_direct_write_result() [#336200] - patches.fixes/nfs-direct-io-fix-2: NFS: Fix a refcount leakage in O_DIRECT [#336200] - add patches.drivers/ibmvscsi-migration-login.patch prohibit IO during adapter login process [#337980] - patches.arch/acpi_thinkpad_brightness_fix.patch: Take care of latest Lenovo ThinkPad brightness control [#338274] [#343660] - patches.fixes/ramdisk-2.6.23-corruption_fix.diff: rd: fix data corruption on memory pressure [#338643] - patches.fixes/fc_transport-remove-targets-on-host-remove : memory use after free error in mptfc [#338730] - patches.fixes/ipmi-ipmi_msghandler.c-fix-a-memory-leak.patch : IPMI: ipmi_msghandler.c: fix a memory leak [#339413] - add patches.arch/ppc-pseries-rtas_ibm_suspend_me.patch fix multiple bugs in rtas_ibm_suspend_me code [#339927] - patches.fixes/nfsacl-retval.diff: knfsd: fix spurious EINVAL errors on first access of new filesystem [#340873] - patches.fixes/avm-fix-capilib-locking: [ISDN] Fix random hard freeze with AVM cards. [#341894] - patches.fixes/ipv6_rh_processing_fix: [IPV6]: Restore semantics of Routing Header processing [#343100] - The following set of XEN fixes has been applied: [#343612] - patches.xen/14280-net-fake-carrier-flag.patch: netfront: Better fix for netfront_tx_slot_available(). - patches.xen/14893-copy-more-skbs.patch: netback: Copy skbuffs that are presented to the start_xmit() function. - patches.xen/157-netfront-skb-deref.patch: net front: Avoid deref'ing skb after it is potentially freed. - patches.xen/263-xfs-unmap.patch: xfs: eagerly remove vmap mappings to avoid upsetting Xen. - patches.xen/xen-i386-set-fixmap: i386/PAE: avoid temporarily inconsistent pte-s. - patches.xen/xen-isa-dma: Suppress all use of ISA DMA on Xen. - patches.xen/xen-x86-panic-smp, - patches.xen/xen-netback-alloc, - patches.xen/xen-split-pt-lock, - patches.xen/137-netfront-copy-release.patch, - patches.xen/141-driver-autoload.patch, - patches.xen/xen-balloon-max-target, - patches.xen/xen-balloon-min, - patches.xen/xen-i386-highpte, - patches.xen/xen-intel-agp, - patches.xen/xen-multicall-check, - patches.xen/xen-x86-dcr-fallback, - patches.xen/xen-x86-pXX_val, - patches.xen/xen-x86-performance: Adjust. - patches.arch/acpi_backport_video.c.patch: Backport video driver from 2.6.23-rc9 [#343660] - patches.arch/acpi_find_bcl_support.patch: Store brightness/video functionality of ACPI provided by BIOS [#343660]
    last seen 2019-02-21
    modified 2016-12-22
    plugin id 59125
    published 2012-05-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59125
    title SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 4745)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2008-2005.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - fix utrace dead_engine ops race - fix ptrace_attach leak - CVE-2007-5093: kernel PWC driver DoS - CVE-2007-6282: IPSec ESP kernel panics - CVE-2007-6712: kernel: infinite loop in highres timers (kernel hang) - CVE-2008-1615: kernel: ptrace: Unprivileged crash on x86_64 %cs corruption - CVE-2008-1294: kernel: setrlimit(RLIMIT_CPUINFO) with zero value doesn't inherit properly across children - CVE-2008-2136: kernel: sit memory leak - CVE-2008-2812: kernel: NULL ptr dereference in multiple network drivers due to missing checks in tty code - restore linux-2.6-x86-clear-df-flag-for-signal-handlers.patch - restore linux-2.6-utrace.patch / linux-2.6-xen-utrace.patch - Kernel security erratas for OVM 2.1.2 from bz#5932 : - CVE-2007-6063: isdn: fix possible isdn_net buffer overflows - CVE-2007-3104 Null pointer to an inode in a dentry can cause an oops in sysfs_readdir - CVE-2008-0598: write system call vulnerability - CVE-2008-1375: kernel: race condition in dnotify - CVE-2008-0001: kernel: filesystem corruption by unprivileged user via directory truncation - CVE-2008-2358: dccp: sanity check feature length - CVE-2007-5938: NULL dereference in iwl driver - RHSA-2008:0508: kernel: [x86_64] The string instruction version didn't zero the output on exception. - kernel: clear df flag for signal handlers - fs: missing dput in do_lookup error leaks dentries - sysfs: fix condition check in sysfs_drop_dentry - sysfs: fix race condition around sd->s_dentry - ieee80211: off-by-two integer underflow
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 79447
    published 2014-11-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79447
    title OracleVM 2.1 : kernel (OVMSA-2008-2005)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-509-1.NASL
    description A flaw in the sysfs_readdir function allowed a local user to cause a denial of service by dereferencing a NULL pointer. (CVE-2007-3104) A buffer overflow was discovered in the random number generator. In environments with granular assignment of root privileges, a local attacker could gain additional privileges. (CVE-2007-3105) A flaw was discovered in the usblcd driver. A local attacker could cause large amounts of kernel memory consumption, leading to a denial of service. (CVE-2007-3513) It was discovered that certain setuid-root processes did not correctly reset process death signal handlers. A local user could manipulate this to send signals to processes they would not normally have access to. (CVE-2007-3848) The Direct Rendering Manager for the i915 driver could be made to write to arbitrary memory locations. An attacker with access to a running X11 session could send a specially crafted buffer and gain root privileges. (CVE-2007-3851) It was discovered that the aacraid SCSI driver did not correctly check permissions on certain ioctls. A local attacker could cause a denial of service or gain privileges. (CVE-2007-4308). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 28113
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=28113
    title Ubuntu 6.10 : linux-source-2.6.17 vulnerabilities (USN-509-1)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20080123_KERNEL_ON_SL5_X.NASL
    description These new kernel packages fix the following security issues : A flaw was found in the virtual filesystem (VFS). An unprivileged local user could truncate directories to which they had write permission; this could render the contents of the directory inaccessible. (CVE-2008-0001, Important) A flaw was found in the Xen PAL emulation on Intel 64 platforms. A guest Hardware-assisted virtual machine (HVM) could read the arbitrary physical memory of the host system, which could make information available to unauthorized users. (CVE-2007-6416, Important) A flaw was found in the way core dump files were created. If a local user can get a root-owned process to dump a core file into a directory, which the user has write access to, they could gain read access to that core file, potentially containing sensitive information. (CVE-2007-6206, Moderate) A buffer overflow flaw was found in the CIFS virtual file system. A remote,authenticated user could issue a request that could lead to a denial of service. (CVE-2007-5904, Moderate) A flaw was found in the 'sysfs_readdir' function. A local user could create a race condition which would cause a denial of service (kernel oops). (CVE-2007-3104, Moderate) As well, these updated packages fix the following bugs : - running the 'strace -f' command caused strace to hang, without displaying information about child processes. - unmounting an unresponsive, interruptable NFS mount, for example, one mounted with the 'intr' option, may have caused a system crash. - a bug in the s2io.ko driver prevented VLAN devices from being added. Attempting to add a device to a VLAN, for example, running the 'vconfig add [device-name] [vlan-id]' command caused vconfig to fail. - tux used an incorrect open flag bit. This caused problems when building packages in a chroot environment, such as mock, which is used by the koji build system.
    last seen 2019-02-21
    modified 2019-01-07
    plugin id 60351
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60351
    title Scientific Linux Security Update : kernel on SL5.x i386/x86_64
  • NASL family SuSE Local Security Checks
    NASL id SUSE_KERNEL-4741.NASL
    description This kernel update fixes the following security problems : - The sysfs_readdir function in the Linux kernel 2.6 allows local users to cause a denial of service (kernel OOPS) by dereferencing a NULL pointer to an inode in a dentry. (CVE-2007-3104) - A 2 byte buffer underflow in the ieee80211 stack was fixed, which might be used by attackers in the local WLAN reach to crash the machine. (CVE-2007-4997) - The CIFS filesystem, when Unix extension support is enabled, did not honor the umask of a process, which allowed local users to gain privileges. (CVE-2007-3740) - It was possible for local user to become root by exploiting a bug in the IA32 system call emulation. This problem affects the x86_64 platform only, on all distributions. (CVE-2007-4573) This problem was fixed for regular kernels, but had not been fixed for the XEN kernels. This update fixes the problem also for the XEN kernels. - The (1) aac_cfg_open and (2) aac_compat_ioctl functions in the SCSI layer ioctl path in aacraid did not check permissions for ioctls, which might have allowed local users to cause a denial of service or gain privileges. (CVE-2007-4308) - The Linux kernel checked the wrong global variable for the CIFS sec mount option, which might allow remote attackers to spoof CIFS network traffic that the client configured for security signatures, as demonstrated by lack of signing despite sec=ntlmv2i in a SetupAndX request. (CVE-2007-3843) - Multiple buffer overflows in CIFS VFS in the Linux kernel allowed remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via long SMB responses that trigger the overflows in the SendReceive function. (CVE-2007-5904) This requires the attacker to mis-present / replace a CIFS server the client machine is connected to. - Buffer overflow in the isdn_net_setcfg function in isdn_net.c in the Linux kernel allowed local users to have an unknown impact via a crafted argument to the isdn_ioctl function. (CVE-2007-6063) and the following non security bugs : - patches.drivers/pci-delete-ACPI-hook-from-pci_set_power_stat e.patch: Delete ACPI hook from pci_set_power_state() [#162320] Still execute the code on Lenovo ThinkPads (or USB ports do not work anymore after suspend [#329232] - patches.drivers/alsa-post-sp1-hda-probe-blacklist: [ALSA] hda-intel - Add probe_mask blacklist [#172330] - patches.drivers/alsa-post-sp1-hda-robust-probe: [ALSA] hda-intel - Improve HD-audio codec probing robustness [#172330] - patches.arch/i386-hpet-lost-interrupts-fix.patch: Backport i386 hpet lost interrupts code [#257035] - patches.fixes/megaraid_mbox-dell-cerc-support: Dell CERC support for megaraid_mbox [#267134] - patches.fixes/nfsv4-MAXNAME-fix.diff: knfsd: query filesystem for NFSv4 getattr of FATTR4_MAXNAME [#271803] - patches.drivers/ide-amd74xx-add-ignore_enablebits-parameter: amd74xx: add ignore_enable_bits module parameter [#272786] - patches.fixes/legacy-pty-count-kernel-parm.patch: Add a kernel boot parameter to overwrite the legacy PTY count. The default value of 64 is insufficient occasionally [#277846] - patches.fixes/lockd-grant-shutdown: Stop GRANT callback from crashing if NFS server has been stopped. [#292478] - Kernel update to 2.6.16.54 [#298719] including (among others) : - lots of md fixes - fix of sparc bugs - fix of TCP handling of SACK in bidirectional flows - fix of MCA bus matching - fix of PPC issues : - Fix osize too small errors when decoding mppe. - Fix output buffer size in ppp_decompress_frame(). - patches.fixes/assign-task_struct.exit_code-before-taskstats_ exit.patch: Assign task_struct.exit_code before taskstats_exit() [#307504] - patches.fixes/bonding_no_addrconf_for_bond_slaves: bonding / ipv6: no addrconf for slaves separately from master. [#310254] - patches.fixes/bonding_support_carrier_state_for_master: bonding: support carrier state for master [#310254] - patches.fixes/fix-sys-devices-system-node-node0-meminfo-from -having-anonpages-wrapped.patch: fix /sys/devices/system/node/node0/meminfo from having anonpages wrapped [#310744] - patches.fixes/nfs-remove-bogus-cache-change-attribute-check. diff fix bogus cache change to make data available immediately, on direct write [#325877] - patches.fixes/tcp-send-ACKs-each-2nd-received-segment.patch: Send ACKs each 2nd received segment. This fixes a problem where the tcp cubic congestion algorithm was too slow in converging [#327848] - patches.drivers/libata-fix-spindown: libata: fix disk spindown on shutdown [#330722] - patches.fixes/scsi-reset-resid: busy status on tape write results in incorrect residual [#330926] - patches.fixes/condense-output-of-show_free_areas.patch: Condense output of show_free_areas() [#331251] - patches.arch/powernowk8_family_freq_from_fiddid.patch: To find the frequency given the fid and did is family dependent. [#332722] - patches.fixes/tcp-saner-thash_entries-default.patch: Limit the size of the TCP established hash to 512k entries by default [#333273] - patches.drivers/alsa-emu10k1-spdif-mem-fix: [ALSA] emu10k1 - Fix memory corruption [#333314] - patches.drivers/alsa-post-sp1-hda-stac-error-fix: [ALSA] Fix error probing with STAC codecs [#333320] - patches.fixes/qla2xxx-avoid-duplicate-pci_disable_device : Fixup patch to not refer to stale pointer [#333542] - large backport of dm-crypt fixes: [#333905] - patches.fixes/dm-disable_barriers.diff: dm: disable barriers. - patches.fixes/dm-crypt-restructure_for_workqueue_change.diff - patches.fixes/dm-crypt-restructure_write_processing.diff - patches.fixes/dm-crypt-move_io_to_workqueue.diff - patches.fixes/dm-crypt-use_private_biosets.diff - patches.fixes/dm-crypt-fix_call_to_clone_init.diff - patches.fixes/dm-crypt-fix_avoid_cloned_bio_ref_after_free.d iff - patches.fixes/dm-crypt-fix_remove_first_clone.diff - patches.fixes/dm-crypt-use_smaller_bvecs_in_clones.diff - patches.fixes/dm-crypt-fix_panic_on_large_request.diff - patches.fixes/initramfs-fix-cpio-hardlink-check.patch: initramfs: fix CPIO hardlink check [#334612] - patches.drivers/lpfc-8.1.10.12-update: driver update to fix severe issues in lpfc 8.1.10.9 driver [#334630] [#342044] - patches.fixes/nfs-direct-io-fix-1: NFS: Fix error handling in nfs_direct_write_result() [#336200] - patches.fixes/nfs-direct-io-fix-2: NFS: Fix a refcount leakage in O_DIRECT [#336200] - add patches.drivers/ibmvscsi-migration-login.patch prohibit IO during adapter login process [#337980] - patches.arch/acpi_thinkpad_brightness_fix.patch: Take care of latest Lenovo ThinkPad brightness control [#338274] [#343660] - patches.fixes/ramdisk-2.6.23-corruption_fix.diff: rd: fix data corruption on memory pressure [#338643] - patches.fixes/fc_transport-remove-targets-on-host-remove : memory use after free error in mptfc [#338730] - patches.fixes/ipmi-ipmi_msghandler.c-fix-a-memory-leak.patch : IPMI: ipmi_msghandler.c: fix a memory leak [#339413] - add patches.arch/ppc-pseries-rtas_ibm_suspend_me.patch fix multiple bugs in rtas_ibm_suspend_me code [#339927] - patches.fixes/nfsacl-retval.diff: knfsd: fix spurious EINVAL errors on first access of new filesystem [#340873] - patches.fixes/avm-fix-capilib-locking: [ISDN] Fix random hard freeze with AVM cards. [#341894] - patches.fixes/ipv6_rh_processing_fix: [IPV6]: Restore semantics of Routing Header processing [#343100] - The following set of XEN fixes has been applied: [#343612] - patches.xen/14280-net-fake-carrier-flag.patch: netfront: Better fix for netfront_tx_slot_available(). - patches.xen/14893-copy-more-skbs.patch: netback: Copy skbuffs that are presented to the start_xmit() function. - patches.xen/157-netfront-skb-deref.patch: net front: Avoid deref'ing skb after it is potentially freed. - patches.xen/263-xfs-unmap.patch: xfs: eagerly remove vmap mappings to avoid upsetting Xen. - patches.xen/xen-i386-set-fixmap: i386/PAE: avoid temporarily inconsistent pte-s. - patches.xen/xen-isa-dma: Suppress all use of ISA DMA on Xen. - patches.xen/xen-x86-panic-smp, - patches.xen/xen-netback-alloc, - patches.xen/xen-split-pt-lock, - patches.xen/137-netfront-copy-release.patch, - patches.xen/141-driver-autoload.patch, - patches.xen/xen-balloon-max-target, - patches.xen/xen-balloon-min, - patches.xen/xen-i386-highpte, - patches.xen/xen-intel-agp, - patches.xen/xen-multicall-check, - patches.xen/xen-x86-dcr-fallback, - patches.xen/xen-x86-pXX_val, - patches.xen/xen-x86-performance: Adjust. - patches.arch/acpi_backport_video.c.patch: Backport video driver from 2.6.23-rc9 [#343660] - patches.arch/acpi_find_bcl_support.patch: Store brightness/video functionality of ACPI provided by BIOS [#343660] Fixes for ia64 : - patches.fixes/fix-the-graphic-corruption-issue-on-ia64-machi nes.patch: Fix the graphic corruption issue on IA64 machines [#241041] Fixes for S/390 : - IBM Patchcluster 18 [#333421,#340129,#341000] - Problem-ID: 39323 - qeth: discard inbound packets with unknown header id - Problem-ID: 39542 - cio: Incorrect check for activity in cmf - Problem-ID: 38321 - kernel: Reboot of large z/VM guests takes a lot of time - Problem-ID: 40293 - kernel: pfault disabled - Problem-ID: 40296 - cio: change device sense procedure to work with PAV aliases - Problem-ID: 39981 - zfcp: Remove SCSI devices when removing complete adapter - Problem-ID: 40331 - zfcp: Deadlock when adding invalid LUN - Problem-ID: 40333 - zfcp: Reduce flood on hba trace - Fix kprobe on 'bc' instruction [#301563] For further description of the named Problem-IDs, please look to http://www-128.ibm.com/developerworks/linux/linux390/oct ober 2005_recommended.html
    last seen 2019-02-21
    modified 2016-12-22
    plugin id 29489
    published 2007-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29489
    title SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 4741)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-510-1.NASL
    description A flaw was discovered in the PPP over Ethernet implementation. Local attackers could manipulate ioctls and cause kernel memory consumption leading to a denial of service. (CVE-2007-2525) An integer underflow was discovered in the cpuset filesystem. If mounted, local attackers could obtain kernel memory using large file offsets while reading the tasks file. This could disclose sensitive data. (CVE-2007-2875) Vilmos Nebehaj discovered that the SCTP netfilter code did not correctly validate certain states. A remote attacker could send a specially crafted packet causing a denial of service. (CVE-2007-2876) Luca Tettamanti discovered a flaw in the VFAT compat ioctls on 64-bit systems. A local attacker could corrupt a kernel_dirent struct and cause a denial of service. (CVE-2007-2878) A flaw in the sysfs_readdir function allowed a local user to cause a denial of service by dereferencing a NULL pointer. (CVE-2007-3104) A buffer overflow was discovered in the random number generator. In environments with granular assignment of root privileges, a local attacker could gain additional privileges. (CVE-2007-3105) A flaw was discovered in the usblcd driver. A local attacker could cause large amounts of kernel memory consumption, leading to a denial of service. (CVE-2007-3513) Zhongling Wen discovered that the h323 conntrack handler did not correctly handle certain bitfields. A remote attacker could send a specially crafted packet and cause a denial of service. (CVE-2007-3642) A flaw was discovered in the CIFS mount security checking. Remote attackers could spoof CIFS network traffic, which could lead a client to trust the connection. (CVE-2007-3843) It was discovered that certain setuid-root processes did not correctly reset process death signal handlers. A local user could manipulate this to send signals to processes they would not normally have access to. (CVE-2007-3848) The Direct Rendering Manager for the i915 driver could be made to write to arbitrary memory locations. An attacker with access to a running X11 session could send a specially crafted buffer and gain root privileges. (CVE-2007-3851) It was discovered that the aacraid SCSI driver did not correctly check permissions on certain ioctls. A local attacker could cause a denial of service or gain privileges. (CVE-2007-4308). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 28114
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=28114
    title Ubuntu 7.04 : linux-source-2.6.20 vulnerabilities (USN-510-1)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20070625_KERNEL_ON_SL4_X.NASL
    description These new kernel packages contain fixes for the security issues described below : - a flaw in the connection tracking support for SCTP that allowed a remote user to cause a denial of service by dereferencing a NULL pointer. (CVE-2007-2876, Important) - a flaw in the mount handling routine for 64-bit systems that allowed a local user to cause denial of service (crash). (CVE-2006-7203, Important) - a flaw in the IPv4 forwarding base that allowed a local user to cause an out-of-bounds access. (CVE-2007-2172, Important) - a flaw in the PPP over Ethernet implementation that allowed a local user to cause a denial of service (memory consumption) by creating a socket using connect and then releasing it before the PPPIOCGCHAN ioctl has been called. (CVE-2007-2525, Important) - a flaw in the fput ioctl handling of 32-bit applications running on 64-bit platforms that allowed a local user to cause a denial of service (panic). (CVE-2007-0773, Important) - a flaw in the NFS locking daemon that allowed a local user to cause denial of service (deadlock). (CVE-2006-5158, Moderate) - a flaw in the sysfs_readdir function that allowed a local user to cause a denial of service by dereferencing a NULL pointer. (CVE-2007-3104, Moderate) - a flaw in the core-dump handling that allowed a local user to create core dumps from unreadable binaries via PT_INTERP. (CVE-2007-0958, Low) - a flaw in the Bluetooth subsystem that allowed a local user to trigger an information leak. (CVE-2007-1353, Low) In addition, the following bugs were addressed : - the NFS could recurse on the same spinlock. Also, NFS, under certain conditions, did not completely clean up Posix locks on a file close, leading to mount failures. - the 32bit compatibility didn't return to userspace correct values for the rt_sigtimedwait system call. - the count for unused inodes could be incorrect at times, resulting in dirty data not being written to disk in a timely manner. - the cciss driver had an incorrect disk size calculation (off-by-one error) which prevented disk dumps. NOTE1: From The Upstream Vendors release notes 'During PCI probing, Red Hat Enterprise Linux 4 Update 5 attempts to use information obtained from MCFG (memory-mapped PCI configuration space). On AMD-systems, this type of access does not work on some buses, as the kernel cannot parse the MCFG table. To work around this, add the parameter pci=conf1 or pci=nommconf on the kernel boot line in /etc/grub.conf. For example : title Red Hat Enterprise Linux AS (2.6.9-42.0.2.EL) root (hd0,0) kernel /vmlinuz-2.6.9-42.0.2.EL ro root=/dev/VolGroup00/LogVol00 rhgb quiet pci=conf1 initrd /initrd-2.6.9-42.0.2.EL.img Doing this instructs the kernel to use PCI Conf1 access instead of MCFG-based access.' NOTE2: From The Upstream Vendors Knowledge Base 'Why did the ordering of my NIC devices change in Red Hat Enterprise Linux 4.5? The 2.6.9-55 version of the Red Hat Enterprise Linux 4 kernel (Update 5) reverts to the 2.4 ordering of network interface cards (NICs) on certain systems. Note that if the 'HWADDR=MAC ADDRESS' line is present in the /etc/sysconfig/network-scripts/ifcfg-ethX files, the NIC ordering will not change. To restore the original 2.6 ordering, which is different from the 2.4 ordering, boot with the option pci=nobfsort '
    last seen 2019-02-21
    modified 2019-01-07
    plugin id 60215
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60215
    title Scientific Linux Security Update : kernel on SL4.x i386/x86_64
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2007-0488.NASL
    description From Red Hat Security Advisory 2007:0488 : Updated kernel packages that fix several security issues and bugs in the Red Hat Enterprise Linux 4 kernel are now available. This security advisory has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the security issues described below : * a flaw in the connection tracking support for SCTP that allowed a remote user to cause a denial of service by dereferencing a NULL pointer. (CVE-2007-2876, Important) * a flaw in the mount handling routine for 64-bit systems that allowed a local user to cause denial of service (crash). (CVE-2006-7203, Important) * a flaw in the IPv4 forwarding base that allowed a local user to cause an out-of-bounds access. (CVE-2007-2172, Important) * a flaw in the PPP over Ethernet implementation that allowed a local user to cause a denial of service (memory consumption) by creating a socket using connect and then releasing it before the PPPIOCGCHAN ioctl has been called. (CVE-2007-2525, Important) * a flaw in the fput ioctl handling of 32-bit applications running on 64-bit platforms that allowed a local user to cause a denial of service (panic). (CVE-2007-0773, Important) * a flaw in the NFS locking daemon that allowed a local user to cause denial of service (deadlock). (CVE-2006-5158, Moderate) * a flaw in the sysfs_readdir function that allowed a local user to cause a denial of service by dereferencing a NULL pointer. (CVE-2007-3104, Moderate) * a flaw in the core-dump handling that allowed a local user to create core dumps from unreadable binaries via PT_INTERP. (CVE-2007-0958, Low) * a flaw in the Bluetooth subsystem that allowed a local user to trigger an information leak. (CVE-2007-1353, Low) In addition, the following bugs were addressed : * the NFS could recurse on the same spinlock. Also, NFS, under certain conditions, did not completely clean up Posix locks on a file close, leading to mount failures. * the 32bit compatibility didn't return to userspace correct values for the rt_sigtimedwait system call. * the count for unused inodes could be incorrect at times, resulting in dirty data not being written to disk in a timely manner. * the cciss driver had an incorrect disk size calculation (off-by-one error) which prevented disk dumps. Red Hat would like to thank Ilja van Sprundel and the OpenVZ Linux kernel team for reporting issues fixed in this erratum. All Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 67520
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67520
    title Oracle Linux 4 : kernel (ELSA-2007-0488)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2008-0089.NASL
    description Updated kernel packages that fix several security issues and several bugs in the Red Hat Enterprise Linux 5 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. These new kernel packages fix the following security issues : A flaw was found in the virtual filesystem (VFS). An unprivileged local user could truncate directories to which they had write permission; this could render the contents of the directory inaccessible. (CVE-2008-0001, Important) A flaw was found in the Xen PAL emulation on Intel 64 platforms. A guest Hardware-assisted virtual machine (HVM) could read the arbitrary physical memory of the host system, which could make information available to unauthorized users. (CVE-2007-6416, Important) A flaw was found in the way core dump files were created. If a local user can get a root-owned process to dump a core file into a directory, which the user has write access to, they could gain read access to that core file, potentially containing sensitive information. (CVE-2007-6206, Moderate) A buffer overflow flaw was found in the CIFS virtual file system. A remote,authenticated user could issue a request that could lead to a denial of service. (CVE-2007-5904, Moderate) A flaw was found in the 'sysfs_readdir' function. A local user could create a race condition which would cause a denial of service (kernel oops). (CVE-2007-3104, Moderate) As well, these updated packages fix the following bugs : * running the 'strace -f' command caused strace to hang, without displaying information about child processes. * unmounting an unresponsive, interruptable NFS mount, for example, one mounted with the 'intr' option, may have caused a system crash. * a bug in the s2io.ko driver prevented VLAN devices from being added. Attempting to add a device to a VLAN, for example, running the 'vconfig add [device-name] [vlan-id]' command caused vconfig to fail. * tux used an incorrect open flag bit. This caused problems when building packages in a chroot environment, such as mock, which is used by the koji build system. Red Hat Enterprise Linux 5 users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues.
    last seen 2019-02-21
    modified 2018-11-27
    plugin id 30090
    published 2008-01-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=30090
    title RHEL 5 : kernel (RHSA-2008:0089)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2007-0488.NASL
    description Updated kernel packages that fix several security issues and bugs in the Red Hat Enterprise Linux 4 kernel are now available. This security advisory has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the security issues described below : * a flaw in the connection tracking support for SCTP that allowed a remote user to cause a denial of service by dereferencing a NULL pointer. (CVE-2007-2876, Important) * a flaw in the mount handling routine for 64-bit systems that allowed a local user to cause denial of service (crash). (CVE-2006-7203, Important) * a flaw in the IPv4 forwarding base that allowed a local user to cause an out-of-bounds access. (CVE-2007-2172, Important) * a flaw in the PPP over Ethernet implementation that allowed a local user to cause a denial of service (memory consumption) by creating a socket using connect and then releasing it before the PPPIOCGCHAN ioctl has been called. (CVE-2007-2525, Important) * a flaw in the fput ioctl handling of 32-bit applications running on 64-bit platforms that allowed a local user to cause a denial of service (panic). (CVE-2007-0773, Important) * a flaw in the NFS locking daemon that allowed a local user to cause denial of service (deadlock). (CVE-2006-5158, Moderate) * a flaw in the sysfs_readdir function that allowed a local user to cause a denial of service by dereferencing a NULL pointer. (CVE-2007-3104, Moderate) * a flaw in the core-dump handling that allowed a local user to create core dumps from unreadable binaries via PT_INTERP. (CVE-2007-0958, Low) * a flaw in the Bluetooth subsystem that allowed a local user to trigger an information leak. (CVE-2007-1353, Low) In addition, the following bugs were addressed : * the NFS could recurse on the same spinlock. Also, NFS, under certain conditions, did not completely clean up Posix locks on a file close, leading to mount failures. * the 32bit compatibility didn't return to userspace correct values for the rt_sigtimedwait system call. * the count for unused inodes could be incorrect at times, resulting in dirty data not being written to disk in a timely manner. * the cciss driver had an incorrect disk size calculation (off-by-one error) which prevented disk dumps. Red Hat would like to thank Ilja van Sprundel and the OpenVZ Linux kernel team for reporting issues fixed in this erratum. All Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum.
    last seen 2019-02-21
    modified 2018-11-16
    plugin id 25605
    published 2007-06-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25605
    title RHEL 4 : kernel (RHSA-2007:0488)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_KERNEL-4752.NASL
    description This kernel update fixes the following security problems : ++ CVE-2007-3104: The sysfs_readdir function in the Linux kernel 2.6 allows local users to cause a denial of service (kernel OOPS) by dereferencing a NULL pointer to an inode in a dentry. ++ CVE-2007-4997: A 2 byte buffer underflow in the ieee80211 stack was fixed, which might be used by attackers in the local WLAN reach to crash the machine. ++ CVE-2007-3740: The CIFS filesystem, when Unix extension support is enabled, did not honor the umask of a process, which allowed local users to gain privileges. ++ CVE-2007-4573: It was possible for local user to become root by exploiting a bug in the IA32 system call emulation. This problem affects the x86_64 platform only, on all distributions. This problem was fixed for regular kernels, but had not been fixed for the XEN kernels. This update fixes the problem also for the XEN kernels. ++ CVE-2007-4308: The (1) aac_cfg_open and (2) aac_compat_ioctl functions in the SCSI layer ioctl path in aacraid did not check permissions for ioctls, which might have allowed local users to cause a denial of service or gain privileges. ++ CVE-2007-3843: The Linux kernel checked the wrong global variable for the CIFS sec mount option, which might allow remote attackers to spoof CIFS network traffic that the client configured for security signatures, as demonstrated by lack of signing despite sec=ntlmv2i in a SetupAndX request. ++ CVE-2007-5904: Multiple buffer overflows in CIFS VFS in the Linux kernel allowed remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via long SMB responses that trigger the overflows in the SendReceive function. This requires the attacker to mis-present / replace a CIFS server the client machine is connected to. ++ CVE-2007-6063: Buffer overflow in the isdn_net_setcfg function in isdn_net.c in the Linux kernel allowed local users to have an unknown impact via a crafted argument to the isdn_ioctl function. Furthermore, this kernel catches up to the SLE 10 state of the kernel, with numerous additional fixes.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 29880
    published 2008-01-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29880
    title openSUSE 10 Security Update : kernel (kernel-4752)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2008-0089.NASL
    description From Red Hat Security Advisory 2008:0089 : Updated kernel packages that fix several security issues and several bugs in the Red Hat Enterprise Linux 5 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. These new kernel packages fix the following security issues : A flaw was found in the virtual filesystem (VFS). An unprivileged local user could truncate directories to which they had write permission; this could render the contents of the directory inaccessible. (CVE-2008-0001, Important) A flaw was found in the Xen PAL emulation on Intel 64 platforms. A guest Hardware-assisted virtual machine (HVM) could read the arbitrary physical memory of the host system, which could make information available to unauthorized users. (CVE-2007-6416, Important) A flaw was found in the way core dump files were created. If a local user can get a root-owned process to dump a core file into a directory, which the user has write access to, they could gain read access to that core file, potentially containing sensitive information. (CVE-2007-6206, Moderate) A buffer overflow flaw was found in the CIFS virtual file system. A remote,authenticated user could issue a request that could lead to a denial of service. (CVE-2007-5904, Moderate) A flaw was found in the 'sysfs_readdir' function. A local user could create a race condition which would cause a denial of service (kernel oops). (CVE-2007-3104, Moderate) As well, these updated packages fix the following bugs : * running the 'strace -f' command caused strace to hang, without displaying information about child processes. * unmounting an unresponsive, interruptable NFS mount, for example, one mounted with the 'intr' option, may have caused a system crash. * a bug in the s2io.ko driver prevented VLAN devices from being added. Attempting to add a device to a VLAN, for example, running the 'vconfig add [device-name] [vlan-id]' command caused vconfig to fail. * tux used an incorrect open flag bit. This caused problems when building packages in a chroot environment, such as mock, which is used by the koji build system. Red Hat Enterprise Linux 5 users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 67645
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67645
    title Oracle Linux 5 : kernel (ELSA-2008-0089)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2007-0488.NASL
    description Updated kernel packages that fix several security issues and bugs in the Red Hat Enterprise Linux 4 kernel are now available. This security advisory has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the security issues described below : * a flaw in the connection tracking support for SCTP that allowed a remote user to cause a denial of service by dereferencing a NULL pointer. (CVE-2007-2876, Important) * a flaw in the mount handling routine for 64-bit systems that allowed a local user to cause denial of service (crash). (CVE-2006-7203, Important) * a flaw in the IPv4 forwarding base that allowed a local user to cause an out-of-bounds access. (CVE-2007-2172, Important) * a flaw in the PPP over Ethernet implementation that allowed a local user to cause a denial of service (memory consumption) by creating a socket using connect and then releasing it before the PPPIOCGCHAN ioctl has been called. (CVE-2007-2525, Important) * a flaw in the fput ioctl handling of 32-bit applications running on 64-bit platforms that allowed a local user to cause a denial of service (panic). (CVE-2007-0773, Important) * a flaw in the NFS locking daemon that allowed a local user to cause denial of service (deadlock). (CVE-2006-5158, Moderate) * a flaw in the sysfs_readdir function that allowed a local user to cause a denial of service by dereferencing a NULL pointer. (CVE-2007-3104, Moderate) * a flaw in the core-dump handling that allowed a local user to create core dumps from unreadable binaries via PT_INTERP. (CVE-2007-0958, Low) * a flaw in the Bluetooth subsystem that allowed a local user to trigger an information leak. (CVE-2007-1353, Low) In addition, the following bugs were addressed : * the NFS could recurse on the same spinlock. Also, NFS, under certain conditions, did not completely clean up Posix locks on a file close, leading to mount failures. * the 32bit compatibility didn't return to userspace correct values for the rt_sigtimedwait system call. * the count for unused inodes could be incorrect at times, resulting in dirty data not being written to disk in a timely manner. * the cciss driver had an incorrect disk size calculation (off-by-one error) which prevented disk dumps. Red Hat would like to thank Ilja van Sprundel and the OpenVZ Linux kernel team for reporting issues fixed in this erratum. All Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 25575
    published 2007-06-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25575
    title CentOS 4 : kernel (CESA-2007:0488)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-508-1.NASL
    description A buffer overflow was discovered in the Moxa serial driver. Local attackers could execute arbitrary code and gain root privileges. (CVE-2005-0504) A flaw was discovered in the IPv6 stack's handling of type 0 route headers. By sending a specially crafted IPv6 packet, a remote attacker could cause a denial of service between two IPv6 hosts. (CVE-2007-2242) A flaw in the sysfs_readdir function allowed a local user to cause a denial of service by dereferencing a NULL pointer. (CVE-2007-3104) A buffer overflow was discovered in the random number generator. In environments with granular assignment of root privileges, a local attacker could gain additional privileges. (CVE-2007-3105) It was discovered that certain setuid-root processes did not correctly reset process death signal handlers. A local user could manipulate this to send signals to processes they would not normally have access to. (CVE-2007-3848) It was discovered that the aacraid SCSI driver did not correctly check permissions on certain ioctls. A local attacker could cause a denial of service or gain privileges. (CVE-2007-4308). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 28112
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=28112
    title Ubuntu 6.06 LTS : linux-source-2.6.15 vulnerabilities (USN-508-1)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2008-0089.NASL
    description Updated kernel packages that fix several security issues and several bugs in the Red Hat Enterprise Linux 5 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. These new kernel packages fix the following security issues : A flaw was found in the virtual filesystem (VFS). An unprivileged local user could truncate directories to which they had write permission; this could render the contents of the directory inaccessible. (CVE-2008-0001, Important) A flaw was found in the Xen PAL emulation on Intel 64 platforms. A guest Hardware-assisted virtual machine (HVM) could read the arbitrary physical memory of the host system, which could make information available to unauthorized users. (CVE-2007-6416, Important) A flaw was found in the way core dump files were created. If a local user can get a root-owned process to dump a core file into a directory, which the user has write access to, they could gain read access to that core file, potentially containing sensitive information. (CVE-2007-6206, Moderate) A buffer overflow flaw was found in the CIFS virtual file system. A remote,authenticated user could issue a request that could lead to a denial of service. (CVE-2007-5904, Moderate) A flaw was found in the 'sysfs_readdir' function. A local user could create a race condition which would cause a denial of service (kernel oops). (CVE-2007-3104, Moderate) As well, these updated packages fix the following bugs : * running the 'strace -f' command caused strace to hang, without displaying information about child processes. * unmounting an unresponsive, interruptable NFS mount, for example, one mounted with the 'intr' option, may have caused a system crash. * a bug in the s2io.ko driver prevented VLAN devices from being added. Attempting to add a device to a VLAN, for example, running the 'vconfig add [device-name] [vlan-id]' command caused vconfig to fail. * tux used an incorrect open flag bit. This caused problems when building packages in a chroot environment, such as mock, which is used by the koji build system. Red Hat Enterprise Linux 5 users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 43672
    published 2010-01-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=43672
    title CentOS 5 : kernel (CESA-2008:0089)
oval via4
accepted 2013-04-29T04:12:33.737-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
  • comment The operating system installed on the system is Red Hat Enterprise Linux 5
    oval oval:org.mitre.oval:def:11414
  • comment The operating system installed on the system is CentOS Linux 5.x
    oval oval:org.mitre.oval:def:15802
  • comment Oracle Linux 5.x
    oval oval:org.mitre.oval:def:15459
description The sysfs_readdir function in the Linux kernel 2.6, as used in Red Hat Enterprise Linux (RHEL) 4.5 and other distributions, allows users to cause a denial of service (kernel OOPS) by dereferencing a null pointer to an inode in a dentry.
family unix
id oval:org.mitre.oval:def:11233
status accepted
submitted 2010-07-09T03:56:16-04:00
title The sysfs_readdir function in the Linux kernel 2.6, as used in Red Hat Enterprise Linux (RHEL) 4.5 and other distributions, allows users to cause a denial of service (kernel OOPS) by dereferencing a null pointer to an inode in a dentry.
version 24
redhat via4
advisories
  • bugzilla
    id 243902
    title diskdump to cciss fails due to off-by-one size calculation
    oval
    AND
    • comment Red Hat Enterprise Linux 4 is installed
      oval oval:com.redhat.rhba:tst:20070304001
    • OR
      • AND
        • comment kernel is earlier than 0:2.6.9-55.0.2.EL
          oval oval:com.redhat.rhsa:tst:20070488002
        • comment kernel is signed with Red Hat master key
          oval oval:com.redhat.rhba:tst:20070304003
      • AND
        • comment kernel-devel is earlier than 0:2.6.9-55.0.2.EL
          oval oval:com.redhat.rhsa:tst:20070488004
        • comment kernel-devel is signed with Red Hat master key
          oval oval:com.redhat.rhba:tst:20070304005
      • AND
        • comment kernel-doc is earlier than 0:2.6.9-55.0.2.EL
          oval oval:com.redhat.rhsa:tst:20070488022
        • comment kernel-doc is signed with Red Hat master key
          oval oval:com.redhat.rhba:tst:20070304023
      • AND
        • comment kernel-hugemem is earlier than 0:2.6.9-55.0.2.EL
          oval oval:com.redhat.rhsa:tst:20070488018
        • comment kernel-hugemem is signed with Red Hat master key
          oval oval:com.redhat.rhba:tst:20070304021
      • AND
        • comment kernel-hugemem-devel is earlier than 0:2.6.9-55.0.2.EL
          oval oval:com.redhat.rhsa:tst:20070488020
        • comment kernel-hugemem-devel is signed with Red Hat master key
          oval oval:com.redhat.rhba:tst:20070304019
      • AND
        • comment kernel-largesmp is earlier than 0:2.6.9-55.0.2.EL
          oval oval:com.redhat.rhsa:tst:20070488014
        • comment kernel-largesmp is signed with Red Hat master key
          oval oval:com.redhat.rhba:tst:20070304017
      • AND
        • comment kernel-largesmp-devel is earlier than 0:2.6.9-55.0.2.EL
          oval oval:com.redhat.rhsa:tst:20070488016
        • comment kernel-largesmp-devel is signed with Red Hat master key
          oval oval:com.redhat.rhba:tst:20070304013
      • AND
        • comment kernel-smp is earlier than 0:2.6.9-55.0.2.EL
          oval oval:com.redhat.rhsa:tst:20070488012
        • comment kernel-smp is signed with Red Hat master key
          oval oval:com.redhat.rhba:tst:20070304009
      • AND
        • comment kernel-smp-devel is earlier than 0:2.6.9-55.0.2.EL
          oval oval:com.redhat.rhsa:tst:20070488006
        • comment kernel-smp-devel is signed with Red Hat master key
          oval oval:com.redhat.rhba:tst:20070304015
      • AND
        • comment kernel-xenU is earlier than 0:2.6.9-55.0.2.EL
          oval oval:com.redhat.rhsa:tst:20070488008
        • comment kernel-xenU is signed with Red Hat master key
          oval oval:com.redhat.rhba:tst:20070304011
      • AND
        • comment kernel-xenU-devel is earlier than 0:2.6.9-55.0.2.EL
          oval oval:com.redhat.rhsa:tst:20070488010
        • comment kernel-xenU-devel is signed with Red Hat master key
          oval oval:com.redhat.rhba:tst:20070304007
    rhsa
    id RHSA-2007:0488
    released 2007-06-25
    severity Important
    title RHSA-2007:0488: kernel security update (Important)
  • rhsa
    id RHSA-2008:0089
rpms
  • kernel-0:2.6.9-55.0.2.EL
  • kernel-devel-0:2.6.9-55.0.2.EL
  • kernel-doc-0:2.6.9-55.0.2.EL
  • kernel-hugemem-0:2.6.9-55.0.2.EL
  • kernel-hugemem-devel-0:2.6.9-55.0.2.EL
  • kernel-largesmp-0:2.6.9-55.0.2.EL
  • kernel-largesmp-devel-0:2.6.9-55.0.2.EL
  • kernel-smp-0:2.6.9-55.0.2.EL
  • kernel-smp-devel-0:2.6.9-55.0.2.EL
  • kernel-xenU-0:2.6.9-55.0.2.EL
  • kernel-xenU-devel-0:2.6.9-55.0.2.EL
  • kernel-0:2.6.18-53.1.6.el5
  • kernel-PAE-0:2.6.18-53.1.6.el5
  • kernel-PAE-devel-0:2.6.18-53.1.6.el5
  • kernel-debug-0:2.6.18-53.1.6.el5
  • kernel-debug-devel-0:2.6.18-53.1.6.el5
  • kernel-devel-0:2.6.18-53.1.6.el5
  • kernel-doc-0:2.6.18-53.1.6.el5
  • kernel-headers-0:2.6.18-53.1.6.el5
  • kernel-kdump-0:2.6.18-53.1.6.el5
  • kernel-kdump-devel-0:2.6.18-53.1.6.el5
  • kernel-xen-0:2.6.18-53.1.6.el5
  • kernel-xen-devel-0:2.6.18-53.1.6.el5
refmap via4
bid 24631
confirm http://support.avaya.com/elmodocs2/security/ASA-2007-287.htm
debian DSA-1428
misc http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=242558
osvdb 37115
sectrack 1018289
secunia
  • 25771
  • 25838
  • 26289
  • 26643
  • 26651
  • 27912
  • 28033
  • 28643
suse SUSE-SA:2007:064
ubuntu
  • USN-508-1
  • USN-509-1
  • USN-510-1
statements via4
contributor Mark J Cox
lastmodified 2007-10-18
organization Red Hat
statement This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1 or 3.
Last major update 21-08-2010 - 00:00
Published 26-06-2007 - 14:30
Last modified 10-10-2017 - 21:32
Back to Top