ID CVE-2007-4571
Summary The snd_mem_proc_read function in sound/core/memalloc.c in the Advanced Linux Sound Architecture (ALSA) in the Linux kernel before 2.6.22.8 does not return the correct write size, which allows local users to obtain sensitive information (kernel memory contents) via a small count argument, as demonstrated by multiple reads of /proc/driver/snd-page-alloc.
References
Vulnerable Configurations
  • Linux Kernel 2.6.22.7
    cpe:2.3:o:linux:linux_kernel:2.6.22.7
CVSS
Base: 2.1 (as of 26-09-2007 - 06:27)
Impact:
Exploitability:
Access
VectorComplexityAuthentication
LOCAL LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL NONE NONE
exploit-db via4
description Linux Kernel 2.6.x ALSA snd-page-alloc Local Proc File Information Disclosure Vulnerability. CVE-2007-4571. Local exploit for linux platform
id EDB-ID:30605
last seen 2016-02-03
modified 2007-09-21
published 2007-09-21
reporter Karimo_DM
source https://www.exploit-db.com/download/30605/
title Linux Kernel 2.6.x - ALSA snd-page-alloc Local Proc File Information Disclosure Vulnerability
nessus via4
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-618-1.NASL
    description It was discovered that the ALSA /proc interface did not write the correct number of bytes when reporting memory allocations. A local attacker might be able to access sensitive kernel memory, leading to a loss of privacy. (CVE-2007-4571) Multiple buffer overflows were discovered in the handling of CIFS filesystems. A malicious CIFS server could cause a client system crash or possibly execute arbitrary code with kernel privileges. (CVE-2007-5904) It was discovered that PowerPC kernels did not correctly handle reporting certain system details. By requesting a specific set of information, a local attacker could cause a system crash resulting in a denial of service. (CVE-2007-6694) It was discovered that some device driver fault handlers did not correctly verify memory ranges. A local attacker could exploit this to access sensitive kernel memory, possibly leading to a loss of privacy. (CVE-2008-0007) It was discovered that CPU resource limits could be bypassed. A malicious local user could exploit this to avoid administratively imposed resource limits. (CVE-2008-1294) A race condition was discovered between dnotify fcntl() and close() in the kernel. If a local attacker performed malicious dnotify requests, they could cause memory consumption leading to a denial of service, or possibly send arbitrary signals to any process. (CVE-2008-1375) On SMP systems, a race condition existed in fcntl(). Local attackers could perform malicious locks, causing system crashes and leading to a denial of service. (CVE-2008-1669). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 33255
    published 2008-06-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=33255
    title Ubuntu 6.06 LTS / 7.04 / 7.10 : linux-source-2.6.15/20/22 vulnerabilities (USN-618-1)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20071129_KERNEL_ON_SL5_X.NASL
    description These new kernel packages contain fixes for the following security issues : A memory leak was found in the Red Hat Content Accelerator kernel patch. A local user could use this flaw to cause a denial of service (memory exhaustion). (CVE-2007-5494, Important) A flaw was found in the handling of IEEE 802.11 frames affecting several wireless LAN modules. In certain circumstances, a remote attacker could trigger this flaw by sending a malicious packet over a wireless network and cause a denial of service (kernel crash). (CVE-2007-4997, Important). A flaw was found in the Advanced Linux Sound Architecture (ALSA). A local user who had the ability to read the /proc/driver/snd-page-alloc file could see portions of kernel memory. (CVE-2007-4571, Moderate). In addition to the security issues described above, several bug fixes preventing possible memory corruption, system crashes, SCSI I/O fails, networking drivers performance regression and journaling block device layer issue were also included.
    last seen 2019-02-21
    modified 2019-01-07
    plugin id 60318
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60318
    title Scientific Linux Security Update : kernel on SL5.x i386/x86_64
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2007-0993.NASL
    description Updated kernel packages that fix various security issues in the Red Hat Enterprise Linux 5 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the following security issues : A memory leak was found in the Red Hat Content Accelerator kernel patch. A local user could use this flaw to cause a denial of service (memory exhaustion). (CVE-2007-5494, Important) A flaw was found in the handling of IEEE 802.11 frames affecting several wireless LAN modules. In certain circumstances, a remote attacker could trigger this flaw by sending a malicious packet over a wireless network and cause a denial of service (kernel crash). (CVE-2007-4997, Important). A flaw was found in the Advanced Linux Sound Architecture (ALSA). A local user who had the ability to read the /proc/driver/snd-page-alloc file could see portions of kernel memory. (CVE-2007-4571, Moderate). In addition to the security issues described above, several bug fixes preventing possible memory corruption, system crashes, SCSI I/O fails, networking drivers performance regression and journaling block device layer issue were also included. Red Hat Enterprise Linux 5 users are advised to upgrade to these packages, which contain backported patches to resolve these issues. Red Hat would like to credit Vasily Averin, Chris Evans, and Neil Kettle for reporting the security issues corrected by this update.
    last seen 2019-02-21
    modified 2018-11-16
    plugin id 28363
    published 2007-11-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=28363
    title RHEL 5 : kernel (RHSA-2007:0993)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1505.NASL
    description Takashi Iwai supplied a fix for a memory leak in the snd_page_alloc module. Local users could exploit this issue to obtain sensitive information from the kernel (CVE-2007-4571 ).
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 31149
    published 2008-02-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=31149
    title Debian DSA-1505-1 : alsa-driver - kernel memory leak
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2007-0993.NASL
    description From Red Hat Security Advisory 2007:0993 : Updated kernel packages that fix various security issues in the Red Hat Enterprise Linux 5 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the following security issues : A memory leak was found in the Red Hat Content Accelerator kernel patch. A local user could use this flaw to cause a denial of service (memory exhaustion). (CVE-2007-5494, Important) A flaw was found in the handling of IEEE 802.11 frames affecting several wireless LAN modules. In certain circumstances, a remote attacker could trigger this flaw by sending a malicious packet over a wireless network and cause a denial of service (kernel crash). (CVE-2007-4997, Important). A flaw was found in the Advanced Linux Sound Architecture (ALSA). A local user who had the ability to read the /proc/driver/snd-page-alloc file could see portions of kernel memory. (CVE-2007-4571, Moderate). In addition to the security issues described above, several bug fixes preventing possible memory corruption, system crashes, SCSI I/O fails, networking drivers performance regression and journaling block device layer issue were also included. Red Hat Enterprise Linux 5 users are advised to upgrade to these packages, which contain backported patches to resolve these issues. Red Hat would like to credit Vasily Averin, Chris Evans, and Neil Kettle for reporting the security issues corrected by this update.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 67595
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67595
    title Oracle Linux 5 : kernel (ELSA-2007-0993)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_KERNEL-4487.NASL
    description This kernel update fixes the following security problems : - CVE-2007-3105: Stack-based buffer overflow in the random number generator (RNG) implementation in the Linux kernel before 2.6.22 might allow local root users to cause a denial of service or gain privileges by setting the default wake-up threshold to a value greater than the output pool size, which triggers writing random numbers to the stack by the pool transfer function involving 'bound check ordering'. Since this value can only be changed by a root user, exploitability is low. - CVE-2007-2525: A memory leak in the PPPoE driver can be abused by local users to cause a denial-of-service condition. - CVE-2007-3851: On machines with a Intel i965 based graphics card local users with access to the direct rendering devicenode could overwrite memory on the machine and so gain root privileges. - CVE-2007-4573: It was possible for local user to become root by exploitable a bug in the IA32 system call emulation. This affects x86_64 platforms with kernel 2.4.x and 2.6.x before 2.6.22.7 only. - CVE-2007-4571: An information disclosure vulnerability in the ALSA driver can be exploited by local users to read sensitive data from the kernel memory. and the following non security bugs : - patches.arch/x86-fam10-mtrr: mtrr: fix size_or_mask and size_and_mask [#237736] - patches.fixes/usb_nokia6233_fix1.patch: usb: rndis_host: fix crash while probing a Nokia S60 mobile [#244459] - patches.fixes/usb_nokia6233_fix2.patch: usbnet: init fault (oops) cleanup, whitespace fixes [#244459] - patches.fixes/usb_nokia6233_fix2.patch: usb: unusual_devs.h entry for Nokia 6233 [#244459] - patches.fixes/bt_broadcom_reset.diff: quirky Broadcom device [#257303] - patches.arch/i386-compat-vdso: i386: allow debuggers to access the vsyscall page with compat vDSO [#258433] - - patches.fixes/anycast6-unbalanced-inet6_dev-refcnt.patch : Fix netdevice reference leak when reading from /proc/net/anycast6 [#285336] - - patches.drivers/scsi-throttle-SG_DXFER_TO_FROM_DEV-warni ng-b etter: SCSI: throttle SG_DXFER_TO_FROM_DEV warning message better [#290117] - - patches.fixes/nf_conntrack_h323-out-of-bounds-index.diff : nf_conntrack_h323: add checking of out-of-range on choices' index values [#290611] - patches.fixes/ppc-fpu-corruption-fix.diff: ppc: fix corruption of fpu [#290622] - - patches.fixes/ppp-fix-osize-too-small-errors-when-decodi ng-m ppe.diff: ppp: Fix osize too small errors when decoding mppe [#291102] - patches.fixes/hugetlbfs-stack-grows-fix.patch: Don't allow the stack to grow into hugetlb reserved regions [#294021] - patches.fixes/pwc_dos.patch: fix a disconnect method waiting for user space to close a file. A malicious user can stall khubd indefinitely long [#302063] [#302194] - patches.suse/kdb.add-unwind-info-to-kdb_call: Add unwind info to kdb_call() to fix build of KDB kernel on i386 [#305209] - Updated config files: enable KDB for kernel-debug on i386. [#305209]
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 27298
    published 2007-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27298
    title openSUSE 10 Security Update : kernel (kernel-4487)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1479.NASL
    description Several local vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2007-2878 Bart Oldeman reported a denial of service (DoS) issue in the VFAT filesystem that allows local users to corrupt a kernel structure resulting in a system crash. This is only an issue for systems which make use of the VFAT compat ioctl interface, such as systems running an 'amd64' flavor kernel. - CVE-2007-4571 Takashi Iwai supplied a fix for a memory leak in the snd_page_alloc module. Local users could exploit this issue to obtain sensitive information from the kernel. - CVE-2007-6151 ADLAB discovered a possible memory overrun in the ISDN subsystem that may permit a local user to overwrite kernel memory by issuing ioctls with unterminated data. - CVE-2008-0001 Bill Roman of Datalight noticed a coding error in the linux VFS subsystem that, under certain conditions, can allow local users to remove directories for which they should not have removal privileges. These problems have been fixed in the stable distribution in version 2.6.18.dfsg.1-17etch1.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 30126
    published 2008-01-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=30126
    title Debian DSA-1479-1 : linux-2.6 - several vulnerabilities
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2007-714.NASL
    description Update to Linux 2.6.22.8 and 2.6.22.9: http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.22.8 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.22.9 CVE-2007-4571 The snd_mem_proc_read function in sound/core/memalloc.c in the Advanced Linux Sound Architecture (ALSA) in the Linux kernel before 2.6.22.8 does not return the correct write size, which allows local users to obtain sensitive information (kernel memory contents) via a small count argument, as demonstrated by multiple reads of /proc/driver/snd-page-alloc. Additional fixes: Revert to the old RTC driver (#265721, #284191) Disable NCQ for additional SATA drives. libata pata_sis: DMA fixes (#202291) libata sata_sil24: IRQ clearing race fixes net driver r8169: fix hanging (#252955, #292161) qdisc sfq: fix oops with 2 packet queue (#219895) ACPI: disable processor C-states suring suspend ACPI: silence noisy message Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-24
    plugin id 26934
    published 2007-10-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=26934
    title Fedora Core 6 : kernel-2.6.22.9-61.fc6 (2007-714)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_KERNEL-4473.NASL
    description This kernel update fixes the following security problems : - CVE-2007-4573: It was possible for local user to become root by exploiting a bug in the IA32 system call emulation. This affects x86_64 platforms with kernel 2.4.x and 2.6.x before 2.6.22.7 only. - CVE-2007-4571: An information disclosure vulnerability in the ALSA driver can be exploited by local users to read sensitive data from the kernel memory. Furthermore, this kernel catches up to the SLE 10 state of the kernel, with numerous additional fixes.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 27297
    published 2007-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27297
    title openSUSE 10 Security Update : kernel (kernel-4473)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_KERNEL-4503.NASL
    description This kernel update fixes the following security problems : - CVE-2007-4571: An information disclosure vulnerability in the ALSA driver can be exploited by local users to read sensitive data from the kernel memory. - CVE-2007-4573: It was possible for local user to become root by exploitable a bug in the IA32 system call emulation. This affects x86_64 platforms with kernel 2.4.x and 2.6.x before 2.6.22.7 only. and the following non security bugs : - supported.conf: Mark 8250 and 8250_pci as supported (only Xen kernels build them as modules) [#260686] - patches.fixes/bridge-module-get-put.patch: Module use count must be updated as bridges are created/destroyed [#267651] - patches.fixes/nfsv4-MAXNAME-fix.diff: knfsd: query filesystem for NFSv4 getattr of FATTR4_MAXNAME [#271803] - patches.fixes/sky2-tx-sum-resume.patch: sky2: fix transmit state on resume [#297132] [#326376] - patches.suse/reiserfs-add-reiserfs_error.diff: patches.suse/reiserfs-use-reiserfs_error.diff: patches.suse/reiserfs-buffer-info-for-balance.diff: Fix reiserfs_error() with NULL superblock calls [#299604] - patches.fixes/acpi_disable_C_states_in_suspend.patch: ACPI: disable lower idle C-states across suspend/resume [#302482] - kernel-syms.rpm: move the copies of the Modules.alias files from /lib/modules/... to /usr/src/linux-obj/... to avoid a file conflict between kernel-syms and other kernel-$flavor packages. The Modules.alias files in kernel-syms.rpm are intended for future use - [#307291] - patches.fixes/jffs2-fix-ACL-vs-mode-handling: Fix ACL vs. mode handling. [#310520] - patches.drivers/libata-sata_sil24-fix-IRQ-clearing-race-on-I RQ_WOC: sata_sil24: fix IRQ clearing race when PCIX_IRQ_WOC is used [#327536] - Update config files: Enabled CONFIG_DVB_PLUTO2 for i386 since it's enabled everywhere else. [#327790] - patches.drivers/libata-pata_ali-fix-garbage-PCI-rev-value: p ata_ali: fix garbage PCI rev value in ali_init_chipset() [#328422] - patches.apparmor/apparmor-lsm-fix.diff: apparmor_file_mmap function parameters mismatch [#328423] - patches.drivers/libata-HPA-off-by-one-horkage: Fix HPA handling regression [#329584]
    last seen 2019-02-21
    modified 2014-06-13
    plugin id 27299
    published 2007-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27299
    title openSUSE 10 Security Update : kernel (kernel-4503)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2007-0939.NASL
    description Updated kernel packages that fix various security issues in the Red Hat Enterprise Linux 4 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel is the core of the operating system. These updated kernel packages contain fixes for the following security issues : * A flaw was found in the handling of process death signals. This allowed a local user to send arbitrary signals to the suid-process executed by that user. A successful exploitation of this flaw depends on the structure of the suid-program and its signal handling. (CVE-2007-3848, Important) * A flaw was found in the CIFS file system. This could cause the umask values of a process to not be honored on CIFS file systems where UNIX extensions are supported. (CVE-2007-3740, Important) * A flaw was found in the VFAT compat ioctl handling on 64-bit systems. This allowed a local user to corrupt a kernel_dirent struct and cause a denial of service. (CVE-2007-2878, Important) * A flaw was found in the Advanced Linux Sound Architecture (ALSA). A local user who had the ability to read the /proc/driver/snd-page-alloc file could see portions of kernel memory. (CVE-2007-4571, Moderate) * A flaw was found in the aacraid SCSI driver. This allowed a local user to make ioctl calls to the driver that should be restricted to privileged users. (CVE-2007-4308, Moderate) * A flaw was found in the stack expansion when using the hugetlb kernel on PowerPC systems. This allowed a local user to cause a denial of service. (CVE-2007-3739, Moderate) * A flaw was found in the handling of zombie processes. A local user could create processes that would not be properly reaped which could lead to a denial of service. (CVE-2006-6921, Moderate) * A flaw was found in the CIFS file system handling. The mount option 'sec=' did not enable integrity checking or produce an error message if used. (CVE-2007-3843, Low) * A flaw was found in the random number generator implementation that allowed a local user to cause a denial of service or possibly gain privileges. This flaw could be exploited if the root user raised the default wakeup threshold over the size of the output pool. (CVE-2007-3105, Low) Additionally, the following bugs were fixed : * A flaw was found in the kernel netpoll code, creating a potential deadlock condition. If the xmit_lock for a given network interface is held, and a subsequent netpoll event is generated from within the lock owning context (a console message for example), deadlock on that cpu will result, because the netpoll code will attempt to re-acquire the xmit_lock. The fix is to, in the netpoll code, only attempt to take the lock, and fail if it is already acquired (rather than block on it), and queue the message to be sent for later delivery. Any user of netpoll code in the kernel (netdump or netconsole services), is exposed to this problem, and should resolve the issue by upgrading to this kernel release immediately. * A flaw was found where, under 64-bit mode (x86_64), AMD processors were not able to address greater than a 40-bit physical address space; and Intel processors were only able to address up to a 36-bit physical address space. The fix is to increase the physical addressing for an AMD processor to 48 bits, and an Intel processor to 38 bits. Please see the Red Hat Knowledgebase for more detailed information. * A flaw was found in the xenU kernel that may prevent a paravirtualized guest with more than one CPU from starting when running under an Enterprise Linux 5.1 hypervisor. The fix is to allow your Enterprise Linux 4 Xen SMP guests to boot under a 5.1 hypervisor. Please see the Red Hat Knowledgebase for more detailed information. Red Hat Enterprise Linux 4 users are advised to upgrade to these updated packages, which contain backported patches to correct these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 37953
    published 2009-04-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=37953
    title CentOS 4 : kernel (CESA-2007:0939)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2007-2349.NASL
    description Update to Linux 2.6.22.8 and 2.6.22.9: http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.22.8 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.22.9 CVE-2007-4571 The snd_mem_proc_read function in sound/core/memalloc.c in the Advanced Linux Sound Architecture (ALSA) in the Linux kernel before 2.6.22.8 does not return the correct write size, which allows local users to obtain sensitive information (kernel memory contents) via a small count argument, as demonstrated by multiple reads of /proc/driver/snd-page-alloc. Additional fixes: Revert to the old RTC driver (#265721, #284191) Disable NCQ for additional SATA drives. libata pata_sis: DMA fixes (#247768) libata sata_sil24: IRQ clearing race fixes net driver r8169: fix hanging (#252955, #292161) qdisc sfq: fix oops with 2 packet queue (#219895) ACPI: disable processor C-states suring suspend ACPI: silence noisy message Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-24
    plugin id 27768
    published 2007-11-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27768
    title Fedora 7 : kernel-2.6.22.9-91.fc7 (2007-2349)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2007-0939.NASL
    description Updated kernel packages that fix various security issues in the Red Hat Enterprise Linux 4 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel is the core of the operating system. These updated kernel packages contain fixes for the following security issues : * A flaw was found in the handling of process death signals. This allowed a local user to send arbitrary signals to the suid-process executed by that user. A successful exploitation of this flaw depends on the structure of the suid-program and its signal handling. (CVE-2007-3848, Important) * A flaw was found in the CIFS file system. This could cause the umask values of a process to not be honored on CIFS file systems where UNIX extensions are supported. (CVE-2007-3740, Important) * A flaw was found in the VFAT compat ioctl handling on 64-bit systems. This allowed a local user to corrupt a kernel_dirent struct and cause a denial of service. (CVE-2007-2878, Important) * A flaw was found in the Advanced Linux Sound Architecture (ALSA). A local user who had the ability to read the /proc/driver/snd-page-alloc file could see portions of kernel memory. (CVE-2007-4571, Moderate) * A flaw was found in the aacraid SCSI driver. This allowed a local user to make ioctl calls to the driver that should be restricted to privileged users. (CVE-2007-4308, Moderate) * A flaw was found in the stack expansion when using the hugetlb kernel on PowerPC systems. This allowed a local user to cause a denial of service. (CVE-2007-3739, Moderate) * A flaw was found in the handling of zombie processes. A local user could create processes that would not be properly reaped which could lead to a denial of service. (CVE-2006-6921, Moderate) * A flaw was found in the CIFS file system handling. The mount option 'sec=' did not enable integrity checking or produce an error message if used. (CVE-2007-3843, Low) * A flaw was found in the random number generator implementation that allowed a local user to cause a denial of service or possibly gain privileges. This flaw could be exploited if the root user raised the default wakeup threshold over the size of the output pool. (CVE-2007-3105, Low) Additionally, the following bugs were fixed : * A flaw was found in the kernel netpoll code, creating a potential deadlock condition. If the xmit_lock for a given network interface is held, and a subsequent netpoll event is generated from within the lock owning context (a console message for example), deadlock on that cpu will result, because the netpoll code will attempt to re-acquire the xmit_lock. The fix is to, in the netpoll code, only attempt to take the lock, and fail if it is already acquired (rather than block on it), and queue the message to be sent for later delivery. Any user of netpoll code in the kernel (netdump or netconsole services), is exposed to this problem, and should resolve the issue by upgrading to this kernel release immediately. * A flaw was found where, under 64-bit mode (x86_64), AMD processors were not able to address greater than a 40-bit physical address space; and Intel processors were only able to address up to a 36-bit physical address space. The fix is to increase the physical addressing for an AMD processor to 48 bits, and an Intel processor to 38 bits. Please see the Red Hat Knowledgebase for more detailed information. * A flaw was found in the xenU kernel that may prevent a paravirtualized guest with more than one CPU from starting when running under an Enterprise Linux 5.1 hypervisor. The fix is to allow your Enterprise Linux 4 Xen SMP guests to boot under a 5.1 hypervisor. Please see the Red Hat Knowledgebase for more detailed information. Red Hat Enterprise Linux 4 users are advised to upgrade to these updated packages, which contain backported patches to correct these issues.
    last seen 2019-02-21
    modified 2018-12-20
    plugin id 27616
    published 2007-11-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27616
    title RHEL 4 : kernel (RHSA-2007:0939)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2007-0939.NASL
    description From Red Hat Security Advisory 2007:0939 : Updated kernel packages that fix various security issues in the Red Hat Enterprise Linux 4 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel is the core of the operating system. These updated kernel packages contain fixes for the following security issues : * A flaw was found in the handling of process death signals. This allowed a local user to send arbitrary signals to the suid-process executed by that user. A successful exploitation of this flaw depends on the structure of the suid-program and its signal handling. (CVE-2007-3848, Important) * A flaw was found in the CIFS file system. This could cause the umask values of a process to not be honored on CIFS file systems where UNIX extensions are supported. (CVE-2007-3740, Important) * A flaw was found in the VFAT compat ioctl handling on 64-bit systems. This allowed a local user to corrupt a kernel_dirent struct and cause a denial of service. (CVE-2007-2878, Important) * A flaw was found in the Advanced Linux Sound Architecture (ALSA). A local user who had the ability to read the /proc/driver/snd-page-alloc file could see portions of kernel memory. (CVE-2007-4571, Moderate) * A flaw was found in the aacraid SCSI driver. This allowed a local user to make ioctl calls to the driver that should be restricted to privileged users. (CVE-2007-4308, Moderate) * A flaw was found in the stack expansion when using the hugetlb kernel on PowerPC systems. This allowed a local user to cause a denial of service. (CVE-2007-3739, Moderate) * A flaw was found in the handling of zombie processes. A local user could create processes that would not be properly reaped which could lead to a denial of service. (CVE-2006-6921, Moderate) * A flaw was found in the CIFS file system handling. The mount option 'sec=' did not enable integrity checking or produce an error message if used. (CVE-2007-3843, Low) * A flaw was found in the random number generator implementation that allowed a local user to cause a denial of service or possibly gain privileges. This flaw could be exploited if the root user raised the default wakeup threshold over the size of the output pool. (CVE-2007-3105, Low) Additionally, the following bugs were fixed : * A flaw was found in the kernel netpoll code, creating a potential deadlock condition. If the xmit_lock for a given network interface is held, and a subsequent netpoll event is generated from within the lock owning context (a console message for example), deadlock on that cpu will result, because the netpoll code will attempt to re-acquire the xmit_lock. The fix is to, in the netpoll code, only attempt to take the lock, and fail if it is already acquired (rather than block on it), and queue the message to be sent for later delivery. Any user of netpoll code in the kernel (netdump or netconsole services), is exposed to this problem, and should resolve the issue by upgrading to this kernel release immediately. * A flaw was found where, under 64-bit mode (x86_64), AMD processors were not able to address greater than a 40-bit physical address space; and Intel processors were only able to address up to a 36-bit physical address space. The fix is to increase the physical addressing for an AMD processor to 48 bits, and an Intel processor to 38 bits. Please see the Red Hat Knowledgebase for more detailed information. * A flaw was found in the xenU kernel that may prevent a paravirtualized guest with more than one CPU from starting when running under an Enterprise Linux 5.1 hypervisor. The fix is to allow your Enterprise Linux 4 Xen SMP guests to boot under a 5.1 hypervisor. Please see the Red Hat Knowledgebase for more detailed information. Red Hat Enterprise Linux 4 users are advised to upgrade to these updated packages, which contain backported patches to correct these issues.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 67580
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67580
    title Oracle Linux 4 : kernel (ELSA-2007-0939)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20071101_KERNEL_ON_SL4_X.NASL
    description - A flaw was found in the handling of process death signals. This allowed a local user to send arbitrary signals to the suid-process executed by that user. A successful exploitation of this flaw depends on the structure of the suid-program and its signal handling. (CVE-2007-3848, Important) - A flaw was found in the CIFS file system. This could cause the umask values of a process to not be honored on CIFS file systems where UNIX extensions are supported. (CVE-2007-3740, Important) - A flaw was found in the VFAT compat ioctl handling on 64-bit systems. This allowed a local user to corrupt a kernel_dirent struct and cause a denial of service. (CVE-2007-2878, Important) - A flaw was found in the Advanced Linux Sound Architecture (ALSA). A local user who had the ability to read the /proc/driver/snd-page-alloc file could see portions of kernel memory. (CVE-2007-4571, Moderate) - A flaw was found in the aacraid SCSI driver. This allowed a local user to make ioctl calls to the driver that should be restricted to privileged users. (CVE-2007-4308, Moderate) - A flaw was found in the stack expansion when using the hugetlb kernel on PowerPC systems. This allowed a local user to cause a denial of service. (CVE-2007-3739, Moderate) - A flaw was found in the handling of zombie processes. A local user could create processes that would not be properly reaped which could lead to a denial of service. (CVE-2006-6921, Moderate) - A flaw was found in the CIFS file system handling. The mount option 'sec=' did not enable integrity checking or produce an error message if used. (CVE-2007-3843, Low) - A flaw was found in the random number generator implementation that allowed a local user to cause a denial of service or possibly gain privileges. This flaw could be exploited if the root user raised the default wakeup threshold over the size of the output pool. (CVE-2007-3105, Low) Additionally, the following bugs were fixed : - A flaw was found in the kernel netpoll code, creating a potential deadlock condition. If the xmit_lock for a given network interface is held, and a subsequent netpoll event is generated from within the lock owning context (a console message for example), deadlock on that cpu will result, because the netpoll code will attempt to re-acquire the xmit_lock. The fix is to, in the netpoll code, only attempt to take the lock, and fail if it is already acquired (rather than block on it), and queue the message to be sent for later delivery. Any user of netpoll code in the kernel (netdump or netconsole services), is exposed to this problem, and should resolve the issue by upgrading to this kernel release immediately. - A flaw was found where, under 64-bit mode (x86_64), AMD processors were not able to address greater than a 40-bit physical address space; and Intel processors were only able to address up to a 36-bit physical address space. The fix is to increase the physical addressing for an AMD processor to 48 bits, and an Intel processor to 38 bits. - A flaw was found in the xenU kernel that may prevent a paravirtualized guest with more than one CPU from starting when running under an Scientific Linux 5.1 hypervisor. The fix is to allow your Scientific Linux 4 Xen SMP guests to boot under a 5.1 hypervisor.
    last seen 2019-02-21
    modified 2019-01-07
    plugin id 60280
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60280
    title Scientific Linux Security Update : kernel on SL4.x i386/x86_64
  • NASL family SuSE Local Security Checks
    NASL id SUSE_KERNEL-4471.NASL
    description This kernel update fixes the following security problems : - It was possible for local user to become root by exploiting a bug in the IA32 system call emulation. This affects x86_64 platforms with kernel 2.4.x and 2.6.x before 2.6.22.7 only. (CVE-2007-4573) - An information disclosure vulnerability in the ALSA driver can be exploited by local users to read sensitive data from the kernel memory. (CVE-2007-4571) and the following non security bugs : - patches.xen/xen-blkback-cdrom: CDROM removable media-present attribute plus handling code [#159907] - patches.drivers/libata-add-pata_dma-kernel-parameter: libata: Add a drivers/ide style DMA disable [#229260] [#272786] - patches.drivers/libata-sata_via-kill-SATA_PATA_SHARING: sata_via: kill SATA_PATA_SHARING register handling [#254158] [#309069] - patches.drivers/libata-sata_via-add-PCI-IDs: sata_via: add PCI IDs [#254158] [#326647] - supported.conf: Marked 8250 and 8250_pci as supported (only Xen kernels build them as modules) [#260686] - patches.fixes/bridge-module-get-put.patch: Module use count must be updated as bridges are created/destroyed [#267651] - patches.fixes/iscsi-netware-fix: Linux Initiator hard hangs writing files to NetWare target [#286566] - patches.fixes/lockd-chroot-fix: Allow lockd to work reliably with applications in a chroot [#288376] [#305480] - add patches.fixes/x86_64-hangcheck_timer-fix.patch fix monotonic_clock() and hangcheck_timer [#291633] - patches.arch/sn_hwperf_cpuinfo_fix.diff: Correctly count CPU objects for SGI ia64/sn hwperf interface [#292240] - Extend reiserfs to properly support file systems up to 16 TiB [#294754] - patches.fixes/reiserfs-signedness-fixes.diff: reiserfs: fix usage of signed ints for block numbers - patches.fixes/reiserfs-fix-large-fs.diff: reiserfs: ignore s_bmap_nr on disk for file systems >= 8 TiB - patches.suse/ocfs2-06-per-resource-events.diff: Deliver events without a specified resource unconditionally. [#296606] - patches.fixes/proc-readdir-race-fix.patch: Fix the race in proc_pid_readdir [#297232] - patches.xen/xen3-patch-2.6.16.49-50: XEN: update to Linux 2.6.16.50 [#298719] - patches.fixes/pm-ordering-fix.patch: PM: Fix ACPI suspend / device suspend ordering [#302207] - patches.drivers/ibmvscsi-slave_configure.patch add ->slave_configure() to allow device restart [#304138] - patches.arch/ppc-power6-ebus-unique_location.patch Prevent bus_id collisions [#306482] - patches.xen/30-bit-field-booleans.patch: Fix packet loss in DomU xen netback driver [#306896] - config/i386/kdump: Enable ahci module [#308556] - update patches.drivers/ppc-power6-ehea.patch fix link state detection for bonding [#309553] - patches.drivers/ibmveth-fixup-pool_deactivate.patch patches.drivers/ibmveth-large-frames.patch patches.drivers/ibmveth-large-mtu.patch: fix serveral crashes when changing ibmveth sysfs values [#326164] - patches.drivers/libata-sata_sil24-fix-IRQ-clearing-race- on-I RQ_WOC: sata_sil24: fix IRQ clearing race when PCIX_IRQ_WOC is used [#327536] - update patches.drivers/ibmvscsis.patch set blocksize to PAGE_CACHE_SIZE to fix flood of bio allocation warnings/failures [#328219] Fixes for S/390 : - IBM Patchcluster 17 [#330036] - Problem-ID: 38085 - zfcp: zfcp_scsi_eh_abort_handler or zfcp_scsi_eh_device_reset_handler hanging after CHPID off/on - Problem-ID: 38491 - zfcp: Error messages when LUN 0 is present - Problem-ID: 37390 - zcrypt: fix PCIXCC/CEX2C error recovery [#306056] - Problem-ID: 38500 - kernel: too few page cache pages in state volatile - Problem-ID: 38634 - qeth: crash during reboot after failing online setting - Problem-ID: 38927 - kernel: shared memory may not be volatile - Problem-ID: 39069 - cio: Disable channel path measurements on shutdown/reboot - Problem-ID: 27787 - qeth: recognize 'exclusively used'-RC from Hydra3 - Problem-ID: 38330 - qeth: make qeth driver loadable without ipv6 module For further description of the named Problem-IDs, please look to http://www-128.ibm.com/developerworks/linux/linux390/oct ober 2005_recommended.html
    last seen 2019-02-21
    modified 2012-05-17
    plugin id 29488
    published 2007-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29488
    title SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 4471)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_KERNEL-4472.NASL
    description This kernel update fixes the following security problems : - It was possible for local user to become root by exploiting a bug in the IA32 system call emulation. This affects x86_64 platforms with kernel 2.4.x and 2.6.x before 2.6.22.7 only. (CVE-2007-4573) - An information disclosure vulnerability in the ALSA driver can be exploited by local users to read sensitive data from the kernel memory. (CVE-2007-4571) and the following non security bugs : - patches.xen/xen-blkback-cdrom: CDROM removable media-present attribute plus handling code [#159907] - patches.drivers/libata-add-pata_dma-kernel-parameter: libata: Add a drivers/ide style DMA disable [#229260] [#272786] - patches.drivers/libata-sata_via-kill-SATA_PATA_SHARING: sata_via: kill SATA_PATA_SHARING register handling [#254158] [#309069] - patches.drivers/libata-sata_via-add-PCI-IDs: sata_via: add PCI IDs [#254158] [#326647] - supported.conf: Marked 8250 and 8250_pci as supported (only Xen kernels build them as modules) [#260686] - patches.fixes/bridge-module-get-put.patch: Module use count must be updated as bridges are created/destroyed [#267651] - patches.fixes/iscsi-netware-fix: Linux Initiator hard hangs writing files to NetWare target [#286566] - patches.fixes/lockd-chroot-fix: Allow lockd to work reliably with applications in a chroot [#288376] [#305480] - add patches.fixes/x86_64-hangcheck_timer-fix.patch fix monotonic_clock() and hangcheck_timer [#291633] - patches.arch/sn_hwperf_cpuinfo_fix.diff: Correctly count CPU objects for SGI ia64/sn hwperf interface [#292240] - Extend reiserfs to properly support file systems up to 16 TiB [#294754] - patches.fixes/reiserfs-signedness-fixes.diff: reiserfs: fix usage of signed ints for block numbers - patches.fixes/reiserfs-fix-large-fs.diff: reiserfs: ignore s_bmap_nr on disk for file systems >= 8 TiB - patches.suse/ocfs2-06-per-resource-events.diff: Deliver events without a specified resource unconditionally. [#296606] - patches.fixes/proc-readdir-race-fix.patch: Fix the race in proc_pid_readdir [#297232] - patches.xen/xen3-patch-2.6.16.49-50: XEN: update to Linux 2.6.16.50 [#298719] - patches.fixes/pm-ordering-fix.patch: PM: Fix ACPI suspend / device suspend ordering [#302207] - patches.drivers/ibmvscsi-slave_configure.patch add ->slave_configure() to allow device restart [#304138] - patches.arch/ppc-power6-ebus-unique_location.patch Prevent bus_id collisions [#306482] - patches.xen/30-bit-field-booleans.patch: Fix packet loss in DomU xen netback driver [#306896] - config/i386/kdump: Enable ahci module [#308556] - update patches.drivers/ppc-power6-ehea.patch fix link state detection for bonding [#309553] - patches.drivers/ibmveth-fixup-pool_deactivate.patch patches.drivers/ibmveth-large-frames.patch patches.drivers/ibmveth-large-mtu.patch: fix serveral crashes when changing ibmveth sysfs values [#326164] - patches.drivers/libata-sata_sil24-fix-IRQ-clearing-race- on-I RQ_WOC: sata_sil24: fix IRQ clearing race when PCIX_IRQ_WOC is used [#327536] - update patches.drivers/ibmvscsis.patch set blocksize to PAGE_CACHE_SIZE to fix flood of bio allocation warnings/failures [#328219]
    last seen 2019-02-21
    modified 2012-05-17
    plugin id 59124
    published 2012-05-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59124
    title SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 4472)
oval via4
accepted 2013-04-29T04:18:10.641-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
  • comment The operating system installed on the system is Red Hat Enterprise Linux 5
    oval oval:org.mitre.oval:def:11414
  • comment The operating system installed on the system is CentOS Linux 5.x
    oval oval:org.mitre.oval:def:15802
  • comment Oracle Linux 5.x
    oval oval:org.mitre.oval:def:15459
description The snd_mem_proc_read function in sound/core/memalloc.c in the Advanced Linux Sound Architecture (ALSA) in the Linux kernel before 2.6.22.8 does not return the correct write size, which allows local users to obtain sensitive information (kernel memory contents) via a small count argument, as demonstrated by multiple reads of /proc/driver/snd-page-alloc.
family unix
id oval:org.mitre.oval:def:9053
status accepted
submitted 2010-07-09T03:56:16-04:00
title The snd_mem_proc_read function in sound/core/memalloc.c in the Advanced Linux Sound Architecture (ALSA) in the Linux kernel before 2.6.22.8 does not return the correct write size, which allows local users to obtain sensitive information (kernel memory contents) via a small count argument, as demonstrated by multiple reads of /proc/driver/snd-page-alloc.
version 24
redhat via4
advisories
  • bugzilla
    id 320791
    title EL4.5: Improperly flushed TLBs may lead to Machine check errors
    oval
    AND
    • comment Red Hat Enterprise Linux 4 is installed
      oval oval:com.redhat.rhba:tst:20070304001
    • OR
      • AND
        • comment kernel is earlier than 0:2.6.9-55.0.12.EL
          oval oval:com.redhat.rhsa:tst:20070939002
        • comment kernel is signed with Red Hat master key
          oval oval:com.redhat.rhba:tst:20070304003
      • AND
        • comment kernel-devel is earlier than 0:2.6.9-55.0.12.EL
          oval oval:com.redhat.rhsa:tst:20070939004
        • comment kernel-devel is signed with Red Hat master key
          oval oval:com.redhat.rhba:tst:20070304005
      • AND
        • comment kernel-doc is earlier than 0:2.6.9-55.0.12.EL
          oval oval:com.redhat.rhsa:tst:20070939022
        • comment kernel-doc is signed with Red Hat master key
          oval oval:com.redhat.rhba:tst:20070304023
      • AND
        • comment kernel-hugemem is earlier than 0:2.6.9-55.0.12.EL
          oval oval:com.redhat.rhsa:tst:20070939020
        • comment kernel-hugemem is signed with Red Hat master key
          oval oval:com.redhat.rhba:tst:20070304021
      • AND
        • comment kernel-hugemem-devel is earlier than 0:2.6.9-55.0.12.EL
          oval oval:com.redhat.rhsa:tst:20070939018
        • comment kernel-hugemem-devel is signed with Red Hat master key
          oval oval:com.redhat.rhba:tst:20070304019
      • AND
        • comment kernel-largesmp is earlier than 0:2.6.9-55.0.12.EL
          oval oval:com.redhat.rhsa:tst:20070939012
        • comment kernel-largesmp is signed with Red Hat master key
          oval oval:com.redhat.rhba:tst:20070304017
      • AND
        • comment kernel-largesmp-devel is earlier than 0:2.6.9-55.0.12.EL
          oval oval:com.redhat.rhsa:tst:20070939016
        • comment kernel-largesmp-devel is signed with Red Hat master key
          oval oval:com.redhat.rhba:tst:20070304013
      • AND
        • comment kernel-smp is earlier than 0:2.6.9-55.0.12.EL
          oval oval:com.redhat.rhsa:tst:20070939008
        • comment kernel-smp is signed with Red Hat master key
          oval oval:com.redhat.rhba:tst:20070304009
      • AND
        • comment kernel-smp-devel is earlier than 0:2.6.9-55.0.12.EL
          oval oval:com.redhat.rhsa:tst:20070939006
        • comment kernel-smp-devel is signed with Red Hat master key
          oval oval:com.redhat.rhba:tst:20070304015
      • AND
        • comment kernel-xenU is earlier than 0:2.6.9-55.0.12.EL
          oval oval:com.redhat.rhsa:tst:20070939010
        • comment kernel-xenU is signed with Red Hat master key
          oval oval:com.redhat.rhba:tst:20070304011
      • AND
        • comment kernel-xenU-devel is earlier than 0:2.6.9-55.0.12.EL
          oval oval:com.redhat.rhsa:tst:20070939014
        • comment kernel-xenU-devel is signed with Red Hat master key
          oval oval:com.redhat.rhba:tst:20070304007
    rhsa
    id RHSA-2007:0939
    released 2007-11-01
    severity Important
    title RHSA-2007:0939: kernel security update (Important)
  • rhsa
    id RHSA-2007:0993
rpms
  • kernel-0:2.6.9-55.0.12.EL
  • kernel-devel-0:2.6.9-55.0.12.EL
  • kernel-doc-0:2.6.9-55.0.12.EL
  • kernel-hugemem-0:2.6.9-55.0.12.EL
  • kernel-hugemem-devel-0:2.6.9-55.0.12.EL
  • kernel-largesmp-0:2.6.9-55.0.12.EL
  • kernel-largesmp-devel-0:2.6.9-55.0.12.EL
  • kernel-smp-0:2.6.9-55.0.12.EL
  • kernel-smp-devel-0:2.6.9-55.0.12.EL
  • kernel-xenU-0:2.6.9-55.0.12.EL
  • kernel-xenU-devel-0:2.6.9-55.0.12.EL
  • kernel-0:2.6.18-53.1.4.el5
  • kernel-PAE-0:2.6.18-53.1.4.el5
  • kernel-PAE-devel-0:2.6.18-53.1.4.el5
  • kernel-debug-0:2.6.18-53.1.4.el5
  • kernel-debug-devel-0:2.6.18-53.1.4.el5
  • kernel-devel-0:2.6.18-53.1.4.el5
  • kernel-doc-0:2.6.18-53.1.4.el5
  • kernel-headers-0:2.6.18-53.1.4.el5
  • kernel-kdump-0:2.6.18-53.1.4.el5
  • kernel-kdump-devel-0:2.6.18-53.1.4.el5
  • kernel-xen-0:2.6.18-53.1.4.el5
  • kernel-xen-devel-0:2.6.18-53.1.4.el5
refmap via4
bid 25807
confirm
debian
  • DSA-1479
  • DSA-1505
fedora
  • FEDORA-2007-2349
  • FEDORA-2007-714
idefense 20070925 Linux Kernel ALSA snd_mem_proc_read Information Disclosure Vulnerability
sectrack 1018734
secunia
  • 26918
  • 26980
  • 26989
  • 27101
  • 27227
  • 27436
  • 27747
  • 27824
  • 28626
  • 29054
  • 30769
suse SUSE-SA:2007:053
ubuntu USN-618-1
vupen ADV-2007-3272
xf linux-sndpagealloc-information-disclosure(36780)
statements via4
contributor Mark J Cox
lastmodified 2007-10-18
organization Red Hat
statement This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1 or 3.
Last major update 07-03-2011 - 21:58
Published 26-09-2007 - 06:17
Last modified 28-09-2017 - 21:29
Back to Top