ID CVE-2007-4573
Summary The IA32 system call emulation functionality in Linux kernel 2.4.x and 2.6.x before 2.6.22.7, when running on the x86_64 architecture, does not zero extend the eax register after the 32bit entry path to ptrace is used, which might allow local users to gain privileges by triggering an out-of-bounds access to the system call table using the %RAX register.
References
Vulnerable Configurations
  • cpe:2.3:o:linux:linux_kernel:2.4.35:-:x86_64
    cpe:2.3:o:linux:linux_kernel:2.4.35:-:x86_64
  • cpe:2.3:o:linux:linux_kernel:2.6.22.6:-:x86_64
    cpe:2.3:o:linux:linux_kernel:2.6.22.6:-:x86_64
CVSS
Base: 7.2 (as of 25-09-2007 - 09:16)
Impact:
Exploitability:
CWE CWE-264
CAPEC
  • Accessing, Modifying or Executing Executable Files
    An attack of this type exploits a system's configuration that allows an attacker to either directly access an executable file, for example through shell access; or in a possible worst case allows an attacker to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
  • Blue Boxing
    This type of attack against older telephone switches and trunks has been around for decades. A tone is sent by an adversary to impersonate a supervisor signal which has the effect of rerouting or usurping command of the line. While the US infrastructure proper may not contain widespread vulnerabilities to this type of attack, many companies are connected globally through call centers and business process outsourcing. These international systems may be operated in countries which have not upgraded Telco infrastructure and so are vulnerable to Blue boxing. Blue boxing is a result of failure on the part of the system to enforce strong authorization for administrative functions. While the infrastructure is different than standard current applications like web applications, there are historical lessons to be learned to upgrade the access control for administrative functions.
  • Restful Privilege Elevation
    Rest uses standard HTTP (Get, Put, Delete) style permissions methods, but these are not necessarily correlated generally with back end programs. Strict interpretation of HTTP get methods means that these HTTP Get services should not be used to delete information on the server, but there is no access control mechanism to back up this logic. This means that unless the services are properly ACL'd and the application's service implementation are following these guidelines then an HTTP request can easily execute a delete or update on the server side. The attacker identifies a HTTP Get URL such as http://victimsite/updateOrder, which calls out to a program to update orders on a database or other resource. The URL is not idempotent so the request can be submitted multiple times by the attacker, additionally, the attacker may be able to exploit the URL published as a Get method that actually performs updates (instead of merely retrieving data). This may result in malicious or inadvertent altering of data on the server.
  • Target Programs with Elevated Privileges
    This attack targets programs running with elevated privileges. The attacker would try to leverage a bug in the running program and get arbitrary code to execute with elevated privileges. For instance an attacker would look for programs that write to the system directories or registry keys (such as HKLM, which stores a number of critical Windows environment variables). These programs are typically running with elevated privileges and have usually not been designed with security in mind. Such programs are excellent exploit targets because they yield lots of power when they break. The malicious user try to execute its code at the same level as a privileged system call.
  • Manipulating Input to File System Calls
    An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.
Access
VectorComplexityAuthentication
LOCAL LOW NONE
Impact
ConfidentialityIntegrityAvailability
COMPLETE COMPLETE COMPLETE
exploit-db via4
description Linux Kernel 2.6.x Ptrace Local Privilege Escalation Vulnerability. CVE-2007-4573. Local exploit for linux platform
id EDB-ID:30604
last seen 2016-02-03
modified 2007-09-21
published 2007-09-21
reporter Wojciech Purczynski
source https://www.exploit-db.com/download/30604/
title Linux Kernel 2.6.x - Ptrace Local Privilege Escalation Vulnerability
nessus via4
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2007-0937.NASL
    description Updated kernel packages that fix a security issue in the Red Hat Enterprise Linux 4 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. A flaw was found in the IA32 system call emulation provided on AMD64 and Intel 64 platforms. An improperly validated 64-bit value could be stored in the %RAX register, which could trigger an out-of-bounds system call table access. An untrusted local user could exploit this flaw to run code in the kernel (ie a root privilege escalation). (CVE-2007-4573). Red Hat would like to thank Wojciech Purczynski for reporting this issue. Red Hat Enterprise Linux 4 users are advised to upgrade to these packages, which contain a backported patch to correct this issue.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 26905
    published 2007-10-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=26905
    title RHEL 4 : kernel (RHSA-2007:0937)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2008-105.NASL
    description The CIFS filesystem in the Linux kernel before 2.6.22, when Unix extension support is enabled, does not honor the umask of a process, which allows local users to gain privileges. (CVE-2007-3740) The drm/i915 component in the Linux kernel before 2.6.22.2, when used with i965G and later chipsets, allows local users with access to an X11 session and Direct Rendering Manager (DRM) to write to arbitrary memory locations and gain privileges via a crafted batchbuffer. (CVE-2007-3851) The (1) hugetlb_vmtruncate_list and (2) hugetlb_vmtruncate functions in fs/hugetlbfs/inode.c in the Linux kernel before 2.6.19-rc4 perform certain prio_tree calculations using HPAGE_SIZE instead of PAGE_SIZE units, which allows local users to cause a denial of service (panic) via unspecified vectors. (CVE-2007-4133) The IA32 system call emulation functionality in Linux kernel 2.4.x and 2.6.x before 2.6.22.7, when running on the x86_64 architecture, does not zero extend the eax register after the 32bit entry path to ptrace is used, which might allow local users to gain privileges by triggering an out-of-bounds access to the system call table using the %RAX register. This vulnerability is now being fixed in the Xen kernel too. (CVE-2007-4573) Integer underflow in the ieee80211_rx function in net/ieee80211/ieee80211_rx.c in the Linux kernel 2.6.x before 2.6.23 allows remote attackers to cause a denial of service (crash) via a crafted SKB length value in a runt IEEE 802.11 frame when the IEEE80211_STYPE_QOS_DATA flag is set, aka an off-by-two error. (CVE-2007-4997) The disconnect method in the Philips USB Webcam (pwc) driver in Linux kernel 2.6.x before 2.6.22.6 relies on user space to close the device, which allows user-assisted local attackers to cause a denial of service (USB subsystem hang and CPU consumption in khubd) by not closing the device after the disconnect is invoked. NOTE: this rarely crosses privilege boundaries, unless the attacker can convince the victim to unplug the affected device. (CVE-2007-5093) A race condition in the directory notification subsystem (dnotify) in Linux kernel 2.6.x before 2.6.24.6, and 2.6.25 before 2.6.25.1, allows local users to cause a denial of service (OOPS) and possibly gain privileges via unspecified vectors. (CVE-2008-1375) The Linux kernel before 2.6.25.2 does not apply a certain protection mechanism for fcntl functionality, which allows local users to (1) execute code in parallel or (2) exploit a race condition to obtain re-ordered access to the descriptor table. (CVE-2008-1669) To update your kernel, please follow the directions located at : http://www.mandriva.com/en/security/kernelupdate
    last seen 2019-02-21
    modified 2018-12-05
    plugin id 37772
    published 2009-04-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=37772
    title Mandriva Linux Security Advisory : kernel (MDVSA-2008:105)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1381.NASL
    description Several local vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2006-5755 The NT bit maybe leaked into the next task which can make it possible for local attackers to cause a Denial of Service (crash) on systems which run the amd64 flavour kernel. The stable distribution ('etch') was not believed to be vulnerable to this issue at the time of release, however Bastian Blank discovered that this issue still applied to the xen-amd64 and xen-vserver-amd64 flavours, and is resolved by this DSA. - CVE-2007-4133 Hugh Dickins discovered a potential local DoS (panic) in hugetlbfs. A misconversion of hugetlb_vmtruncate_list to prio_tree may allow local users to trigger a BUG_ON() call in exit_mmap. - CVE-2007-4573 Wojciech Purczynski discovered a vulnerability that can be exploited by a local user to obtain superuser privileges on x86_64 systems. This resulted from improper clearing of the high bits of registers during ia32 system call emulation. This vulnerability is relevant to the Debian amd64 port as well as users of the i386 port who run the amd64 linux-image flavour. DSA-1378 resolved this problem for the amd64 flavour kernels, but Tim Wickberg and Ralf Hemmenstadt reported an outstanding issue with the xen-amd64 and xen-vserver-amd64 flavours that is resolved by this DSA. - CVE-2007-5093 Alex Smith discovered an issue with the pwc driver for certain webcam devices. If the device is removed while a userspace application has it open, the driver will wait for userspace to close the device, resulting in a blocked USB subsystem. This issue is of low security impact as it requires the attacker to either have physical access to the system or to convince users with local access to remove the device on their behalf. These problems have been fixed in the stable distribution in version 2.6.18.dfsg.1-13etch4. This is an update to DSA-1381-1 which included only amd64 binaries for linux-2.6. Builds for all other architectures are now available, as well as rebuilds of ancillary packages that make use of the included linux source. The following matrix lists additional packages that were rebuilt for compatibility with or to take advantage of this update : Debian 4.0 (etch) fai-kernels 1.17+etch.13etch4 kernel-patch-openvz 028.18.1etch5 user-mode-linux 2.6.18-1um-2etch.13etch4
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 26211
    published 2007-10-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=26211
    title Debian DSA-1381-2 : linux-2.6 - several vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id SUSE_KERNEL-4745.NASL
    description This kernel update fixes the following security problems : - The sysfs_readdir function in the Linux kernel 2.6 allows local users to cause a denial of service (kernel OOPS) by dereferencing a NULL pointer to an inode in a dentry. (CVE-2007-3104) - A 2 byte buffer underflow in the ieee80211 stack was fixed, which might be used by attackers in the local WLAN reach to crash the machine. (CVE-2007-4997) - The CIFS filesystem, when Unix extension support is enabled, did not honor the umask of a process, which allowed local users to gain privileges. (CVE-2007-3740) - It was possible for local user to become root by exploiting a bug in the IA32 system call emulation. This problem affects the x86_64 platform only, on all distributions. (CVE-2007-4573) This problem was fixed for regular kernels, but had not been fixed for the XEN kernels. This update fixes the problem also for the XEN kernels. - The (1) aac_cfg_open and (2) aac_compat_ioctl functions in the SCSI layer ioctl path in aacraid did not check permissions for ioctls, which might have allowed local users to cause a denial of service or gain privileges. (CVE-2007-4308) - The Linux kernel checked the wrong global variable for the CIFS sec mount option, which might allow remote attackers to spoof CIFS network traffic that the client configured for security signatures, as demonstrated by lack of signing despite sec=ntlmv2i in a SetupAndX request. (CVE-2007-3843) - Multiple buffer overflows in CIFS VFS in the Linux kernel allowed remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via long SMB responses that trigger the overflows in the SendReceive function. (CVE-2007-5904) This requires the attacker to mis-present / replace a CIFS server the client machine is connected to. - Buffer overflow in the isdn_net_setcfg function in isdn_net.c in the Linux kernel allowed local users to have an unknown impact via a crafted argument to the isdn_ioctl function. (CVE-2007-6063) and the following non security bugs : - patches.drivers/pci-delete-ACPI-hook-from-pci_set_power_stat e.patch: Delete ACPI hook from pci_set_power_state() [#162320] Still execute the code on Lenovo ThinkPads (or USB ports do not work anymore after suspend [#329232] - patches.drivers/alsa-post-sp1-hda-probe-blacklist: [ALSA] hda-intel - Add probe_mask blacklist [#172330] - patches.drivers/alsa-post-sp1-hda-robust-probe: [ALSA] hda-intel - Improve HD-audio codec probing robustness [#172330] - patches.arch/i386-hpet-lost-interrupts-fix.patch: Backport i386 hpet lost interrupts code [#257035] - patches.fixes/megaraid_mbox-dell-cerc-support: Dell CERC support for megaraid_mbox [#267134] - patches.fixes/nfsv4-MAXNAME-fix.diff: knfsd: query filesystem for NFSv4 getattr of FATTR4_MAXNAME [#271803] - patches.drivers/ide-amd74xx-add-ignore_enablebits-parameter: amd74xx: add ignore_enable_bits module parameter [#272786] - patches.fixes/legacy-pty-count-kernel-parm.patch: Add a kernel boot parameter to overwrite the legacy PTY count. The default value of 64 is insufficient occasionally [#277846] - patches.fixes/lockd-grant-shutdown: Stop GRANT callback from crashing if NFS server has been stopped. [#292478] - Kernel update to 2.6.16.54 [#298719] including (among others) : - lots of md fixes - fix of sparc bugs - fix of TCP handling of SACK in bidirectional flows - fix of MCA bus matching - fix of PPC issues : - Fix osize too small errors when decoding mppe. - Fix output buffer size in ppp_decompress_frame(). - patches.fixes/assign-task_struct.exit_code-before-taskstats_ exit.patch: Assign task_struct.exit_code before taskstats_exit() [#307504] - patches.fixes/bonding_no_addrconf_for_bond_slaves: bonding / ipv6: no addrconf for slaves separately from master. [#310254] - patches.fixes/bonding_support_carrier_state_for_master: bonding: support carrier state for master [#310254] - patches.fixes/fix-sys-devices-system-node-node0-meminfo-from -having-anonpages-wrapped.patch: fix /sys/devices/system/node/node0/meminfo from having anonpages wrapped [#310744] - patches.fixes/nfs-remove-bogus-cache-change-attribute-check. diff fix bogus cache change to make data available immediately, on direct write [#325877] - patches.fixes/tcp-send-ACKs-each-2nd-received-segment.patch: Send ACKs each 2nd received segment. This fixes a problem where the tcp cubic congestion algorithm was too slow in converging [#327848] - patches.drivers/libata-fix-spindown: libata: fix disk spindown on shutdown [#330722] - patches.fixes/scsi-reset-resid: busy status on tape write results in incorrect residual [#330926] - patches.fixes/condense-output-of-show_free_areas.patch: Condense output of show_free_areas() [#331251] - patches.arch/powernowk8_family_freq_from_fiddid.patch: To find the frequency given the fid and did is family dependent. [#332722] - patches.fixes/tcp-saner-thash_entries-default.patch: Limit the size of the TCP established hash to 512k entries by default [#333273] - patches.drivers/alsa-emu10k1-spdif-mem-fix: [ALSA] emu10k1 - Fix memory corruption [#333314] - patches.drivers/alsa-post-sp1-hda-stac-error-fix: [ALSA] Fix error probing with STAC codecs [#333320] - patches.fixes/qla2xxx-avoid-duplicate-pci_disable_device : Fixup patch to not refer to stale pointer [#333542] - large backport of dm-crypt fixes: [#333905] - patches.fixes/dm-disable_barriers.diff: dm: disable barriers. - patches.fixes/dm-crypt-restructure_for_workqueue_change.diff - patches.fixes/dm-crypt-restructure_write_processing.diff - patches.fixes/dm-crypt-move_io_to_workqueue.diff - patches.fixes/dm-crypt-use_private_biosets.diff - patches.fixes/dm-crypt-fix_call_to_clone_init.diff - patches.fixes/dm-crypt-fix_avoid_cloned_bio_ref_after_free.d iff - patches.fixes/dm-crypt-fix_remove_first_clone.diff - patches.fixes/dm-crypt-use_smaller_bvecs_in_clones.diff - patches.fixes/dm-crypt-fix_panic_on_large_request.diff - patches.fixes/initramfs-fix-cpio-hardlink-check.patch: initramfs: fix CPIO hardlink check [#334612] - patches.drivers/lpfc-8.1.10.12-update: driver update to fix severe issues in lpfc 8.1.10.9 driver [#334630] [#342044] - patches.fixes/nfs-direct-io-fix-1: NFS: Fix error handling in nfs_direct_write_result() [#336200] - patches.fixes/nfs-direct-io-fix-2: NFS: Fix a refcount leakage in O_DIRECT [#336200] - add patches.drivers/ibmvscsi-migration-login.patch prohibit IO during adapter login process [#337980] - patches.arch/acpi_thinkpad_brightness_fix.patch: Take care of latest Lenovo ThinkPad brightness control [#338274] [#343660] - patches.fixes/ramdisk-2.6.23-corruption_fix.diff: rd: fix data corruption on memory pressure [#338643] - patches.fixes/fc_transport-remove-targets-on-host-remove : memory use after free error in mptfc [#338730] - patches.fixes/ipmi-ipmi_msghandler.c-fix-a-memory-leak.patch : IPMI: ipmi_msghandler.c: fix a memory leak [#339413] - add patches.arch/ppc-pseries-rtas_ibm_suspend_me.patch fix multiple bugs in rtas_ibm_suspend_me code [#339927] - patches.fixes/nfsacl-retval.diff: knfsd: fix spurious EINVAL errors on first access of new filesystem [#340873] - patches.fixes/avm-fix-capilib-locking: [ISDN] Fix random hard freeze with AVM cards. [#341894] - patches.fixes/ipv6_rh_processing_fix: [IPV6]: Restore semantics of Routing Header processing [#343100] - The following set of XEN fixes has been applied: [#343612] - patches.xen/14280-net-fake-carrier-flag.patch: netfront: Better fix for netfront_tx_slot_available(). - patches.xen/14893-copy-more-skbs.patch: netback: Copy skbuffs that are presented to the start_xmit() function. - patches.xen/157-netfront-skb-deref.patch: net front: Avoid deref'ing skb after it is potentially freed. - patches.xen/263-xfs-unmap.patch: xfs: eagerly remove vmap mappings to avoid upsetting Xen. - patches.xen/xen-i386-set-fixmap: i386/PAE: avoid temporarily inconsistent pte-s. - patches.xen/xen-isa-dma: Suppress all use of ISA DMA on Xen. - patches.xen/xen-x86-panic-smp, - patches.xen/xen-netback-alloc, - patches.xen/xen-split-pt-lock, - patches.xen/137-netfront-copy-release.patch, - patches.xen/141-driver-autoload.patch, - patches.xen/xen-balloon-max-target, - patches.xen/xen-balloon-min, - patches.xen/xen-i386-highpte, - patches.xen/xen-intel-agp, - patches.xen/xen-multicall-check, - patches.xen/xen-x86-dcr-fallback, - patches.xen/xen-x86-pXX_val, - patches.xen/xen-x86-performance: Adjust. - patches.arch/acpi_backport_video.c.patch: Backport video driver from 2.6.23-rc9 [#343660] - patches.arch/acpi_find_bcl_support.patch: Store brightness/video functionality of ACPI provided by BIOS [#343660]
    last seen 2019-02-21
    modified 2016-12-22
    plugin id 59125
    published 2012-05-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59125
    title SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 4745)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_KERNEL-4487.NASL
    description This kernel update fixes the following security problems : - CVE-2007-3105: Stack-based buffer overflow in the random number generator (RNG) implementation in the Linux kernel before 2.6.22 might allow local root users to cause a denial of service or gain privileges by setting the default wake-up threshold to a value greater than the output pool size, which triggers writing random numbers to the stack by the pool transfer function involving 'bound check ordering'. Since this value can only be changed by a root user, exploitability is low. - CVE-2007-2525: A memory leak in the PPPoE driver can be abused by local users to cause a denial-of-service condition. - CVE-2007-3851: On machines with a Intel i965 based graphics card local users with access to the direct rendering devicenode could overwrite memory on the machine and so gain root privileges. - CVE-2007-4573: It was possible for local user to become root by exploitable a bug in the IA32 system call emulation. This affects x86_64 platforms with kernel 2.4.x and 2.6.x before 2.6.22.7 only. - CVE-2007-4571: An information disclosure vulnerability in the ALSA driver can be exploited by local users to read sensitive data from the kernel memory. and the following non security bugs : - patches.arch/x86-fam10-mtrr: mtrr: fix size_or_mask and size_and_mask [#237736] - patches.fixes/usb_nokia6233_fix1.patch: usb: rndis_host: fix crash while probing a Nokia S60 mobile [#244459] - patches.fixes/usb_nokia6233_fix2.patch: usbnet: init fault (oops) cleanup, whitespace fixes [#244459] - patches.fixes/usb_nokia6233_fix2.patch: usb: unusual_devs.h entry for Nokia 6233 [#244459] - patches.fixes/bt_broadcom_reset.diff: quirky Broadcom device [#257303] - patches.arch/i386-compat-vdso: i386: allow debuggers to access the vsyscall page with compat vDSO [#258433] - - patches.fixes/anycast6-unbalanced-inet6_dev-refcnt.patch : Fix netdevice reference leak when reading from /proc/net/anycast6 [#285336] - - patches.drivers/scsi-throttle-SG_DXFER_TO_FROM_DEV-warni ng-b etter: SCSI: throttle SG_DXFER_TO_FROM_DEV warning message better [#290117] - - patches.fixes/nf_conntrack_h323-out-of-bounds-index.diff : nf_conntrack_h323: add checking of out-of-range on choices' index values [#290611] - patches.fixes/ppc-fpu-corruption-fix.diff: ppc: fix corruption of fpu [#290622] - - patches.fixes/ppp-fix-osize-too-small-errors-when-decodi ng-m ppe.diff: ppp: Fix osize too small errors when decoding mppe [#291102] - patches.fixes/hugetlbfs-stack-grows-fix.patch: Don't allow the stack to grow into hugetlb reserved regions [#294021] - patches.fixes/pwc_dos.patch: fix a disconnect method waiting for user space to close a file. A malicious user can stall khubd indefinitely long [#302063] [#302194] - patches.suse/kdb.add-unwind-info-to-kdb_call: Add unwind info to kdb_call() to fix build of KDB kernel on i386 [#305209] - Updated config files: enable KDB for kernel-debug on i386. [#305209]
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 27298
    published 2007-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27298
    title openSUSE 10 Security Update : kernel (kernel-4487)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2007-712.NASL
    description Update to official Linux 2.6.22.6 (previously 2.6.22.6-rc1): http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.22.6 Update to Linux 2.6.22.7: http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.22.7 - USB: three trivial fixes - futex: fix compat list traversal - Restore ofpath functionality (IDE_PROC_FS=y)(#289931) - add option to disable DMA on libata PATA devices (libata.pata_dma, see kernel-parameters.txt) - fix DMA on ATAPI devices with it821x - fix cable detection on pata_via - fix vmware's broken SCSI device emulation - fix init of huawei 220 modem - LVM: fix hang and lockups during snapshot (#269541) - net: fix oops with zero-length packet (#253290) - CFS scheduler updates - utrace update (#248532, #267161, #284311) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-24
    plugin id 26116
    published 2007-09-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=26116
    title Fedora Core 6 : kernel-2.6.22.7-57.fc6 (2007-712)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_KERNEL-4473.NASL
    description This kernel update fixes the following security problems : - CVE-2007-4573: It was possible for local user to become root by exploiting a bug in the IA32 system call emulation. This affects x86_64 platforms with kernel 2.4.x and 2.6.x before 2.6.22.7 only. - CVE-2007-4571: An information disclosure vulnerability in the ALSA driver can be exploited by local users to read sensitive data from the kernel memory. Furthermore, this kernel catches up to the SLE 10 state of the kernel, with numerous additional fixes.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 27297
    published 2007-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27297
    title openSUSE 10 Security Update : kernel (kernel-4473)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_KERNEL-4741.NASL
    description This kernel update fixes the following security problems : - The sysfs_readdir function in the Linux kernel 2.6 allows local users to cause a denial of service (kernel OOPS) by dereferencing a NULL pointer to an inode in a dentry. (CVE-2007-3104) - A 2 byte buffer underflow in the ieee80211 stack was fixed, which might be used by attackers in the local WLAN reach to crash the machine. (CVE-2007-4997) - The CIFS filesystem, when Unix extension support is enabled, did not honor the umask of a process, which allowed local users to gain privileges. (CVE-2007-3740) - It was possible for local user to become root by exploiting a bug in the IA32 system call emulation. This problem affects the x86_64 platform only, on all distributions. (CVE-2007-4573) This problem was fixed for regular kernels, but had not been fixed for the XEN kernels. This update fixes the problem also for the XEN kernels. - The (1) aac_cfg_open and (2) aac_compat_ioctl functions in the SCSI layer ioctl path in aacraid did not check permissions for ioctls, which might have allowed local users to cause a denial of service or gain privileges. (CVE-2007-4308) - The Linux kernel checked the wrong global variable for the CIFS sec mount option, which might allow remote attackers to spoof CIFS network traffic that the client configured for security signatures, as demonstrated by lack of signing despite sec=ntlmv2i in a SetupAndX request. (CVE-2007-3843) - Multiple buffer overflows in CIFS VFS in the Linux kernel allowed remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via long SMB responses that trigger the overflows in the SendReceive function. (CVE-2007-5904) This requires the attacker to mis-present / replace a CIFS server the client machine is connected to. - Buffer overflow in the isdn_net_setcfg function in isdn_net.c in the Linux kernel allowed local users to have an unknown impact via a crafted argument to the isdn_ioctl function. (CVE-2007-6063) and the following non security bugs : - patches.drivers/pci-delete-ACPI-hook-from-pci_set_power_stat e.patch: Delete ACPI hook from pci_set_power_state() [#162320] Still execute the code on Lenovo ThinkPads (or USB ports do not work anymore after suspend [#329232] - patches.drivers/alsa-post-sp1-hda-probe-blacklist: [ALSA] hda-intel - Add probe_mask blacklist [#172330] - patches.drivers/alsa-post-sp1-hda-robust-probe: [ALSA] hda-intel - Improve HD-audio codec probing robustness [#172330] - patches.arch/i386-hpet-lost-interrupts-fix.patch: Backport i386 hpet lost interrupts code [#257035] - patches.fixes/megaraid_mbox-dell-cerc-support: Dell CERC support for megaraid_mbox [#267134] - patches.fixes/nfsv4-MAXNAME-fix.diff: knfsd: query filesystem for NFSv4 getattr of FATTR4_MAXNAME [#271803] - patches.drivers/ide-amd74xx-add-ignore_enablebits-parameter: amd74xx: add ignore_enable_bits module parameter [#272786] - patches.fixes/legacy-pty-count-kernel-parm.patch: Add a kernel boot parameter to overwrite the legacy PTY count. The default value of 64 is insufficient occasionally [#277846] - patches.fixes/lockd-grant-shutdown: Stop GRANT callback from crashing if NFS server has been stopped. [#292478] - Kernel update to 2.6.16.54 [#298719] including (among others) : - lots of md fixes - fix of sparc bugs - fix of TCP handling of SACK in bidirectional flows - fix of MCA bus matching - fix of PPC issues : - Fix osize too small errors when decoding mppe. - Fix output buffer size in ppp_decompress_frame(). - patches.fixes/assign-task_struct.exit_code-before-taskstats_ exit.patch: Assign task_struct.exit_code before taskstats_exit() [#307504] - patches.fixes/bonding_no_addrconf_for_bond_slaves: bonding / ipv6: no addrconf for slaves separately from master. [#310254] - patches.fixes/bonding_support_carrier_state_for_master: bonding: support carrier state for master [#310254] - patches.fixes/fix-sys-devices-system-node-node0-meminfo-from -having-anonpages-wrapped.patch: fix /sys/devices/system/node/node0/meminfo from having anonpages wrapped [#310744] - patches.fixes/nfs-remove-bogus-cache-change-attribute-check. diff fix bogus cache change to make data available immediately, on direct write [#325877] - patches.fixes/tcp-send-ACKs-each-2nd-received-segment.patch: Send ACKs each 2nd received segment. This fixes a problem where the tcp cubic congestion algorithm was too slow in converging [#327848] - patches.drivers/libata-fix-spindown: libata: fix disk spindown on shutdown [#330722] - patches.fixes/scsi-reset-resid: busy status on tape write results in incorrect residual [#330926] - patches.fixes/condense-output-of-show_free_areas.patch: Condense output of show_free_areas() [#331251] - patches.arch/powernowk8_family_freq_from_fiddid.patch: To find the frequency given the fid and did is family dependent. [#332722] - patches.fixes/tcp-saner-thash_entries-default.patch: Limit the size of the TCP established hash to 512k entries by default [#333273] - patches.drivers/alsa-emu10k1-spdif-mem-fix: [ALSA] emu10k1 - Fix memory corruption [#333314] - patches.drivers/alsa-post-sp1-hda-stac-error-fix: [ALSA] Fix error probing with STAC codecs [#333320] - patches.fixes/qla2xxx-avoid-duplicate-pci_disable_device : Fixup patch to not refer to stale pointer [#333542] - large backport of dm-crypt fixes: [#333905] - patches.fixes/dm-disable_barriers.diff: dm: disable barriers. - patches.fixes/dm-crypt-restructure_for_workqueue_change.diff - patches.fixes/dm-crypt-restructure_write_processing.diff - patches.fixes/dm-crypt-move_io_to_workqueue.diff - patches.fixes/dm-crypt-use_private_biosets.diff - patches.fixes/dm-crypt-fix_call_to_clone_init.diff - patches.fixes/dm-crypt-fix_avoid_cloned_bio_ref_after_free.d iff - patches.fixes/dm-crypt-fix_remove_first_clone.diff - patches.fixes/dm-crypt-use_smaller_bvecs_in_clones.diff - patches.fixes/dm-crypt-fix_panic_on_large_request.diff - patches.fixes/initramfs-fix-cpio-hardlink-check.patch: initramfs: fix CPIO hardlink check [#334612] - patches.drivers/lpfc-8.1.10.12-update: driver update to fix severe issues in lpfc 8.1.10.9 driver [#334630] [#342044] - patches.fixes/nfs-direct-io-fix-1: NFS: Fix error handling in nfs_direct_write_result() [#336200] - patches.fixes/nfs-direct-io-fix-2: NFS: Fix a refcount leakage in O_DIRECT [#336200] - add patches.drivers/ibmvscsi-migration-login.patch prohibit IO during adapter login process [#337980] - patches.arch/acpi_thinkpad_brightness_fix.patch: Take care of latest Lenovo ThinkPad brightness control [#338274] [#343660] - patches.fixes/ramdisk-2.6.23-corruption_fix.diff: rd: fix data corruption on memory pressure [#338643] - patches.fixes/fc_transport-remove-targets-on-host-remove : memory use after free error in mptfc [#338730] - patches.fixes/ipmi-ipmi_msghandler.c-fix-a-memory-leak.patch : IPMI: ipmi_msghandler.c: fix a memory leak [#339413] - add patches.arch/ppc-pseries-rtas_ibm_suspend_me.patch fix multiple bugs in rtas_ibm_suspend_me code [#339927] - patches.fixes/nfsacl-retval.diff: knfsd: fix spurious EINVAL errors on first access of new filesystem [#340873] - patches.fixes/avm-fix-capilib-locking: [ISDN] Fix random hard freeze with AVM cards. [#341894] - patches.fixes/ipv6_rh_processing_fix: [IPV6]: Restore semantics of Routing Header processing [#343100] - The following set of XEN fixes has been applied: [#343612] - patches.xen/14280-net-fake-carrier-flag.patch: netfront: Better fix for netfront_tx_slot_available(). - patches.xen/14893-copy-more-skbs.patch: netback: Copy skbuffs that are presented to the start_xmit() function. - patches.xen/157-netfront-skb-deref.patch: net front: Avoid deref'ing skb after it is potentially freed. - patches.xen/263-xfs-unmap.patch: xfs: eagerly remove vmap mappings to avoid upsetting Xen. - patches.xen/xen-i386-set-fixmap: i386/PAE: avoid temporarily inconsistent pte-s. - patches.xen/xen-isa-dma: Suppress all use of ISA DMA on Xen. - patches.xen/xen-x86-panic-smp, - patches.xen/xen-netback-alloc, - patches.xen/xen-split-pt-lock, - patches.xen/137-netfront-copy-release.patch, - patches.xen/141-driver-autoload.patch, - patches.xen/xen-balloon-max-target, - patches.xen/xen-balloon-min, - patches.xen/xen-i386-highpte, - patches.xen/xen-intel-agp, - patches.xen/xen-multicall-check, - patches.xen/xen-x86-dcr-fallback, - patches.xen/xen-x86-pXX_val, - patches.xen/xen-x86-performance: Adjust. - patches.arch/acpi_backport_video.c.patch: Backport video driver from 2.6.23-rc9 [#343660] - patches.arch/acpi_find_bcl_support.patch: Store brightness/video functionality of ACPI provided by BIOS [#343660] Fixes for ia64 : - patches.fixes/fix-the-graphic-corruption-issue-on-ia64-machi nes.patch: Fix the graphic corruption issue on IA64 machines [#241041] Fixes for S/390 : - IBM Patchcluster 18 [#333421,#340129,#341000] - Problem-ID: 39323 - qeth: discard inbound packets with unknown header id - Problem-ID: 39542 - cio: Incorrect check for activity in cmf - Problem-ID: 38321 - kernel: Reboot of large z/VM guests takes a lot of time - Problem-ID: 40293 - kernel: pfault disabled - Problem-ID: 40296 - cio: change device sense procedure to work with PAV aliases - Problem-ID: 39981 - zfcp: Remove SCSI devices when removing complete adapter - Problem-ID: 40331 - zfcp: Deadlock when adding invalid LUN - Problem-ID: 40333 - zfcp: Reduce flood on hba trace - Fix kprobe on 'bc' instruction [#301563] For further description of the named Problem-IDs, please look to http://www-128.ibm.com/developerworks/linux/linux390/oct ober 2005_recommended.html
    last seen 2019-02-21
    modified 2016-12-22
    plugin id 29489
    published 2007-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29489
    title SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 4741)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1504.NASL
    description Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2006-5823 LMH reported a potential local DoS which could be exploited by a malicious user with the privileges to mount and read a corrupted cramfs filesystem. - CVE-2006-6054 LMH reported a potential local DoS which could be exploited by a malicious user with the privileges to mount and read a corrupted ext2 filesystem. - CVE-2006-6058 LMH reported an issue in the minix filesystem that allows local users with mount privileges to create a DoS (printk flood) by mounting a specially crafted corrupt filesystem. - CVE-2006-7203 OpenVZ Linux kernel team reported an issue in the smbfs filesystem which can be exploited by local users to cause a DoS (oops) during mount. - CVE-2007-1353 Ilja van Sprundel discovered that kernel memory could be leaked via the Bluetooth setsockopt call due to an uninitialized stack buffer. This could be used by local attackers to read the contents of sensitive kernel memory. - CVE-2007-2172 Thomas Graf reported a typo in the DECnet protocol handler that could be used by a local attacker to overrun an array via crafted packets, potentially resulting in a Denial of Service (system crash). A similar issue exists in the IPV4 protocol handler and will be fixed in a subsequent update. - CVE-2007-2525 Florian Zumbiehl discovered a memory leak in the PPPOE subsystem caused by releasing a socket before PPPIOCGCHAN is called upon it. This could be used by a local user to DoS a system by consuming all available memory. - CVE-2007-3105 The PaX Team discovered a potential buffer overflow in the random number generator which may permit local users to cause a denial of service or gain additional privileges. This issue is not believed to effect default Debian installations where only root has sufficient privileges to exploit it. - CVE-2007-3739 Adam Litke reported a potential local denial of service (oops) on powerpc platforms resulting from unchecked VMA expansion into address space reserved for hugetlb pages. - CVE-2007-3740 Steve French reported that CIFS filesystems with CAP_UNIX enabled were not honoring a process' umask which may lead to unintentionally relaxed permissions. - CVE-2007-3848 Wojciech Purczynski discovered that pdeath_signal was not being reset properly under certain conditions which may allow local users to gain privileges by sending arbitrary signals to suid binaries. - CVE-2007-4133 Hugh Dickins discovered a potential local DoS (panic) in hugetlbfs. A misconversion of hugetlb_vmtruncate_list to prio_tree may allow local users to trigger a BUG_ON() call in exit_mmap. - CVE-2007-4308 Alan Cox reported an issue in the aacraid driver that allows unprivileged local users to make ioctl calls which should be restricted to admin privileges. - CVE-2007-4573 Wojciech Purczynski discovered a vulnerability that can be exploited by a local user to obtain superuser privileges on x86_64 systems. This resulted from improper clearing of the high bits of registers during ia32 system call emulation. This vulnerability is relevant to the Debian amd64 port as well as users of the i386 port who run the amd64 linux-image flavour. - CVE-2007-5093 Alex Smith discovered an issue with the pwc driver for certain webcam devices. If the device is removed while a userspace application has it open, the driver will wait for userspace to close the device, resulting in a blocked USB subsystem. This issue is of low security impact as it requires the attacker to either have physical access to the system or to convince a user with local access to remove the device on their behalf. - CVE-2007-6063 Venustech AD-LAB discovered a a buffer overflow in the isdn ioctl handling, exploitable by a local user. - CVE-2007-6151 ADLAB discovered a possible memory overrun in the ISDN subsystem that may permit a local user to overwrite kernel memory by issuing ioctls with unterminated data. - CVE-2007-6206 Blake Frantz discovered that when a core file owned by a non-root user exists, and a root-owned process dumps core over it, the core file retains its original ownership. This could be used by a local user to gain access to sensitive information. - CVE-2007-6694 Cyrill Gorcunov reported a NULL pointer dereference in code specific to the CHRP PowerPC platforms. Local users could exploit this issue to achieve a Denial of Service (DoS). - CVE-2008-0007 Nick Piggin of SuSE discovered a number of issues in subsystems which register a fault handler for memory mapped areas. This issue can be exploited by local users to achieve a Denial of Service (DoS) and possibly execute arbitrary code. The following matrix lists additional packages that were rebuilt for compatibility with or to take advantage of this update : Debian 3.1 (sarge) kernel-image-2.6.8-alpha 2.6.8-17sarge1 kernel-image-2.6.8-amd64 2.6.8-17sarge1 kernel-image-2.6.8-hppa 2.6.8-7sarge1 kernel-image-2.6.8-i386 2.6.8-17sarge1 kernel-image-2.6.8-ia64 2.6.8-15sarge1 kernel-image-2.6.8-m68k 2.6.8-5sarge1 kernel-image-2.6.8-s390 2.6.8-6sarge1 kernel-image-2.6.8-sparc 2.6.8-16sarge1 kernel-patch-powerpc-2.6.8 2.6.8-13sarge1 fai-kernels 1.9.1sarge8
    last seen 2019-02-21
    modified 2018-08-09
    plugin id 31148
    published 2008-02-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=31148
    title Debian DSA-1504-1 : kernel-source-2.6.8 - several vulnerabilities
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20070927_KERNEL_ON_SL5_X.NASL
    description A flaw was found in the IA32 system call emulation provided on AMD64 and Intel 64 platforms. An improperly validated 64-bit value could be stored in the %RAX register, which could trigger an out-of-bounds system call table access. An untrusted local user could exploit this flaw to run code in the kernel (ie a root privilege escalation). (CVE-2007-4573). Please Note: Kernel's and their dependencies do *NOT* get autoyumed. You have to update them by hand by simply typing 'yum update'
    last seen 2019-02-21
    modified 2019-01-07
    plugin id 60258
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60258
    title Scientific Linux Security Update : kernel on SL5.x, SL4.x, SL3.x i386/x86_64
  • NASL family SuSE Local Security Checks
    NASL id SUSE_KERNEL-4503.NASL
    description This kernel update fixes the following security problems : - CVE-2007-4571: An information disclosure vulnerability in the ALSA driver can be exploited by local users to read sensitive data from the kernel memory. - CVE-2007-4573: It was possible for local user to become root by exploitable a bug in the IA32 system call emulation. This affects x86_64 platforms with kernel 2.4.x and 2.6.x before 2.6.22.7 only. and the following non security bugs : - supported.conf: Mark 8250 and 8250_pci as supported (only Xen kernels build them as modules) [#260686] - patches.fixes/bridge-module-get-put.patch: Module use count must be updated as bridges are created/destroyed [#267651] - patches.fixes/nfsv4-MAXNAME-fix.diff: knfsd: query filesystem for NFSv4 getattr of FATTR4_MAXNAME [#271803] - patches.fixes/sky2-tx-sum-resume.patch: sky2: fix transmit state on resume [#297132] [#326376] - patches.suse/reiserfs-add-reiserfs_error.diff: patches.suse/reiserfs-use-reiserfs_error.diff: patches.suse/reiserfs-buffer-info-for-balance.diff: Fix reiserfs_error() with NULL superblock calls [#299604] - patches.fixes/acpi_disable_C_states_in_suspend.patch: ACPI: disable lower idle C-states across suspend/resume [#302482] - kernel-syms.rpm: move the copies of the Modules.alias files from /lib/modules/... to /usr/src/linux-obj/... to avoid a file conflict between kernel-syms and other kernel-$flavor packages. The Modules.alias files in kernel-syms.rpm are intended for future use - [#307291] - patches.fixes/jffs2-fix-ACL-vs-mode-handling: Fix ACL vs. mode handling. [#310520] - patches.drivers/libata-sata_sil24-fix-IRQ-clearing-race-on-I RQ_WOC: sata_sil24: fix IRQ clearing race when PCIX_IRQ_WOC is used [#327536] - Update config files: Enabled CONFIG_DVB_PLUTO2 for i386 since it's enabled everywhere else. [#327790] - patches.drivers/libata-pata_ali-fix-garbage-PCI-rev-value: p ata_ali: fix garbage PCI rev value in ali_init_chipset() [#328422] - patches.apparmor/apparmor-lsm-fix.diff: apparmor_file_mmap function parameters mismatch [#328423] - patches.drivers/libata-HPA-off-by-one-horkage: Fix HPA handling regression [#329584]
    last seen 2019-02-21
    modified 2014-06-13
    plugin id 27299
    published 2007-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27299
    title openSUSE 10 Security Update : kernel (kernel-4503)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2007-0936.NASL
    description From Red Hat Security Advisory 2007:0936 : Updated kernel packages that fix a security issue in the Red Hat Enterprise Linux 5 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. A flaw was found in the IA32 system call emulation provided on AMD64 and Intel 64 platforms. An improperly validated 64-bit value could be stored in the %RAX register, which could trigger an out-of-bounds system call table access. An untrusted local user could exploit this flaw to run code in the kernel (ie a root privilege escalation). (CVE-2007-4573). Red Hat would like to thank Wojciech Purczynski for reporting this issue. Red Hat Enterprise Linux 5 users are advised to upgrade to these packages, which contain a backported patch to correct this issue.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 67577
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67577
    title Oracle Linux 5 : kernel (ELSA-2007-0936)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2007-195.NASL
    description Some vulnerabilities were discovered and corrected in the Linux 2.6 kernel : A stack-based buffer overflow in the random number generator could allow local root users to cause a denial of service or gain privileges by setting the default wakeup threshold to a value greater than the output pool size (CVE-2007-3105). The lcd_write function did not limit the amount of memory used by a caller, which allows local users to cause a denial of service (memory consumption) (CVE-2007-3513). The decode_choice function allowed remote attackers to cause a denial of service (crash) via an encoded out-of-range index value for a choice field which triggered a NULL pointer dereference (CVE-2007-3642). The Linux kernel allowed local users to send arbitrary signals to a child process that is running at higher privileges by causing a setuid-root parent process to die which delivered an attacker-controlled parent process death signal (PR_SET_PDEATHSIG) (CVE-2007-3848). The aac_cfg_openm and aac_compat_ioctl functions in the SCSI layer ioctl patch in aacraid did not check permissions for ioctls, which might allow local users to cause a denial of service or gain privileges (CVE-2007-4308). The IA32 system call emulation functionality, when running on the x86_64 architecture, did not zero extend the eax register after the 32bit entry path to ptrace is used, which could allow local users to gain privileges by triggering an out-of-bounds access to the system call table using the %RAX register (CVE-2007-4573). In addition to these security fixes, other fixes have been included such as : - More NVidia PCI ids wre added - The 3w-9xxx module was updated to version 2.26.02.010 - Fixed the map entry for ICH8 - Added the TG3 5786 PCI id - Reduced the log verbosity of cx88-mpeg To update your kernel, please follow the directions located at : http://www.mandriva.com/en/security/kernelupdate
    last seen 2019-02-21
    modified 2018-12-05
    plugin id 27561
    published 2007-10-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27561
    title Mandrake Linux Security Advisory : kernel (MDKSA-2007:195)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2007-0937.NASL
    description From Red Hat Security Advisory 2007:0937 : Updated kernel packages that fix a security issue in the Red Hat Enterprise Linux 4 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. A flaw was found in the IA32 system call emulation provided on AMD64 and Intel 64 platforms. An improperly validated 64-bit value could be stored in the %RAX register, which could trigger an out-of-bounds system call table access. An untrusted local user could exploit this flaw to run code in the kernel (ie a root privilege escalation). (CVE-2007-4573). Red Hat would like to thank Wojciech Purczynski for reporting this issue. Red Hat Enterprise Linux 4 users are advised to upgrade to these packages, which contain a backported patch to correct this issue.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 67578
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67578
    title Oracle Linux 4 : kernel (ELSA-2007-0937)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-518-1.NASL
    description Evan Teran discovered that the Linux kernel ptrace routines did not correctly handle certain requests robustly. Local attackers could exploit this to crash the system, causing a denial of service. (CVE-2007-3731) It was discovered that hugetlb kernels on PowerPC systems did not prevent the stack from colliding with reserved kernel memory. Local attackers could exploit this and crash the system, causing a denial of service. (CVE-2007-3739) It was discovered that certain CIFS filesystem actions did not honor the umask of a process. Local attackers could exploit this to gain additional privileges. (CVE-2007-3740) Wojciech Purczynski discovered that the Linux kernel ia32 syscall emulation in x86_64 kernels did not correctly clear the high bits of registers. Local attackers could exploit this to gain root privileges. (CVE-2007-4573). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 28123
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=28123
    title Ubuntu 6.06 LTS / 6.10 / 7.04 : linux-source-2.6.15, linux-source-2.6.17, linux-source-2.6.20 vulnerabilities (USN-518-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_KERNEL-4752.NASL
    description This kernel update fixes the following security problems : ++ CVE-2007-3104: The sysfs_readdir function in the Linux kernel 2.6 allows local users to cause a denial of service (kernel OOPS) by dereferencing a NULL pointer to an inode in a dentry. ++ CVE-2007-4997: A 2 byte buffer underflow in the ieee80211 stack was fixed, which might be used by attackers in the local WLAN reach to crash the machine. ++ CVE-2007-3740: The CIFS filesystem, when Unix extension support is enabled, did not honor the umask of a process, which allowed local users to gain privileges. ++ CVE-2007-4573: It was possible for local user to become root by exploiting a bug in the IA32 system call emulation. This problem affects the x86_64 platform only, on all distributions. This problem was fixed for regular kernels, but had not been fixed for the XEN kernels. This update fixes the problem also for the XEN kernels. ++ CVE-2007-4308: The (1) aac_cfg_open and (2) aac_compat_ioctl functions in the SCSI layer ioctl path in aacraid did not check permissions for ioctls, which might have allowed local users to cause a denial of service or gain privileges. ++ CVE-2007-3843: The Linux kernel checked the wrong global variable for the CIFS sec mount option, which might allow remote attackers to spoof CIFS network traffic that the client configured for security signatures, as demonstrated by lack of signing despite sec=ntlmv2i in a SetupAndX request. ++ CVE-2007-5904: Multiple buffer overflows in CIFS VFS in the Linux kernel allowed remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via long SMB responses that trigger the overflows in the SendReceive function. This requires the attacker to mis-present / replace a CIFS server the client machine is connected to. ++ CVE-2007-6063: Buffer overflow in the isdn_net_setcfg function in isdn_net.c in the Linux kernel allowed local users to have an unknown impact via a crafted argument to the isdn_ioctl function. Furthermore, this kernel catches up to the SLE 10 state of the kernel, with numerous additional fixes.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 29880
    published 2008-01-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29880
    title openSUSE 10 Security Update : kernel (kernel-4752)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2007-2298.NASL
    description Update to official Linux 2.6.22.6 (from 2.6.22.6-rc1): http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.22.6 Update to Linux 2.6.22.7: http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.22.7 - libata: add option to disable DMA on PATA devices (libata.pata_dma, see kernel-parameters.txt for details) - libata: fix DMA on ATAPI devices with it821x (#242229) - libata: fix cable detection on pata_via - fix vmware's broken SCSI device emulation (#241935) - fix init of huawei 220 modem (#253096) - LVM: fix hang and lockups during snapshot (#269541) - net: fix oops with zero-length packet - USB: three trivial fixes - futex: fix compat list traversal - CFS scheduler update - utrace update (#248532, #267161, #284311) - wireless driver update Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-24
    plugin id 27765
    published 2007-11-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27765
    title Fedora 7 : kernel-2.6.22.7-85.fc7 (2007-2298)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2007-0938.NASL
    description Updated kernel packages that fix a security issue in the Red Hat Enterprise Linux 3 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. A flaw was found in ia32 emulation affecting users running 64-bit versions of Red Hat Enterprise Linux on x86_64 architectures. A local user could use this flaw to gain elevated privileges. (CVE-2007-4573). Red Hat would like to thank Wojciech Purczynski for reporting this issue. Red Hat Enterprise Linux 3 users are advised to upgrade to these packages, which contain a backported patch to correct this issue.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 26906
    published 2007-10-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=26906
    title RHEL 3 : kernel (RHSA-2007:0938)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1378.NASL
    description Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2007-3731 Evan Teran discovered a potential local denial of service (oops) in the handling of PTRACE_SETREGS and PTRACE_SINGLESTEP requests. - CVE-2007-3739 Adam Litke reported a potential local denial of service (oops) on powerpc platforms resulting from unchecked VMA expansion into address space reserved for hugetlb pages. - CVE-2007-3740 Matt Keenan reported that CIFS filesystems with CAP_UNIX enabled were not honoring a process' umask which may lead to unintentionally relaxed permissions. - CVE-2007-4573 Wojciech Purczynski discovered a vulnerability that can be exploited by a local user to obtain superuser privileges on x86_64 systems. This resulted from improper clearing of the high bits of registers during ia32 system call emulation. This vulnerability is relevant to the Debian amd64 port as well as users of the i386 port who run the amd64 linux-image flavour. - CVE-2007-4849 Michael Stone reported an issue with the JFFS2 filesystem. Legacy modes for inodes that were created with POSIX ACL support enabled were not being written out to the medium, resulting in incorrect permissions upon remount. These problems have been fixed in the stable distribution in version 2.6.18.dfsg.1-13etch3. This advisory has been updated to include a build for the arm architecture, which was not yet available at the time of DSA-1378-1. The following matrix lists additional packages that were rebuilt for compatibility with or to take advantage of this update : Debian 4.0 (etch) fai-kernels 1.17+etch.13etch3 user-mode-linux 2.6.18-1um-2etch.13etch3
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 26208
    published 2007-10-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=26208
    title Debian DSA-1378-2 : linux-2.6 - several vulnerabilities
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2007-0936.NASL
    description Updated kernel packages that fix a security issue in the Red Hat Enterprise Linux 5 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. A flaw was found in the IA32 system call emulation provided on AMD64 and Intel 64 platforms. An improperly validated 64-bit value could be stored in the %RAX register, which could trigger an out-of-bounds system call table access. An untrusted local user could exploit this flaw to run code in the kernel (ie a root privilege escalation). (CVE-2007-4573). Red Hat would like to thank Wojciech Purczynski for reporting this issue. Red Hat Enterprise Linux 5 users are advised to upgrade to these packages, which contain a backported patch to correct this issue.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 26205
    published 2007-10-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=26205
    title CentOS 5 : kernel (CESA-2007:0936)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2007-0936.NASL
    description Updated kernel packages that fix a security issue in the Red Hat Enterprise Linux 5 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. A flaw was found in the IA32 system call emulation provided on AMD64 and Intel 64 platforms. An improperly validated 64-bit value could be stored in the %RAX register, which could trigger an out-of-bounds system call table access. An untrusted local user could exploit this flaw to run code in the kernel (ie a root privilege escalation). (CVE-2007-4573). Red Hat would like to thank Wojciech Purczynski for reporting this issue. Red Hat Enterprise Linux 5 users are advised to upgrade to these packages, which contain a backported patch to correct this issue.
    last seen 2019-02-21
    modified 2018-11-16
    plugin id 26904
    published 2007-10-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=26904
    title RHEL 5 : kernel (RHSA-2007:0936)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2007-0938.NASL
    description Updated kernel packages that fix a security issue in the Red Hat Enterprise Linux 3 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. A flaw was found in ia32 emulation affecting users running 64-bit versions of Red Hat Enterprise Linux on x86_64 architectures. A local user could use this flaw to gain elevated privileges. (CVE-2007-4573). Red Hat would like to thank Wojciech Purczynski for reporting this issue. Red Hat Enterprise Linux 3 users are advised to upgrade to these packages, which contain a backported patch to correct this issue.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 26207
    published 2007-10-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=26207
    title CentOS 3 : kernel (CESA-2007:0938)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2007-0938.NASL
    description From Red Hat Security Advisory 2007:0938 : Updated kernel packages that fix a security issue in the Red Hat Enterprise Linux 3 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. A flaw was found in ia32 emulation affecting users running 64-bit versions of Red Hat Enterprise Linux on x86_64 architectures. A local user could use this flaw to gain elevated privileges. (CVE-2007-4573). Red Hat would like to thank Wojciech Purczynski for reporting this issue. Red Hat Enterprise Linux 3 users are advised to upgrade to these packages, which contain a backported patch to correct this issue.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 67579
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67579
    title Oracle Linux 3 : kernel (ELSA-2007-0938)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_KERNEL-4471.NASL
    description This kernel update fixes the following security problems : - It was possible for local user to become root by exploiting a bug in the IA32 system call emulation. This affects x86_64 platforms with kernel 2.4.x and 2.6.x before 2.6.22.7 only. (CVE-2007-4573) - An information disclosure vulnerability in the ALSA driver can be exploited by local users to read sensitive data from the kernel memory. (CVE-2007-4571) and the following non security bugs : - patches.xen/xen-blkback-cdrom: CDROM removable media-present attribute plus handling code [#159907] - patches.drivers/libata-add-pata_dma-kernel-parameter: libata: Add a drivers/ide style DMA disable [#229260] [#272786] - patches.drivers/libata-sata_via-kill-SATA_PATA_SHARING: sata_via: kill SATA_PATA_SHARING register handling [#254158] [#309069] - patches.drivers/libata-sata_via-add-PCI-IDs: sata_via: add PCI IDs [#254158] [#326647] - supported.conf: Marked 8250 and 8250_pci as supported (only Xen kernels build them as modules) [#260686] - patches.fixes/bridge-module-get-put.patch: Module use count must be updated as bridges are created/destroyed [#267651] - patches.fixes/iscsi-netware-fix: Linux Initiator hard hangs writing files to NetWare target [#286566] - patches.fixes/lockd-chroot-fix: Allow lockd to work reliably with applications in a chroot [#288376] [#305480] - add patches.fixes/x86_64-hangcheck_timer-fix.patch fix monotonic_clock() and hangcheck_timer [#291633] - patches.arch/sn_hwperf_cpuinfo_fix.diff: Correctly count CPU objects for SGI ia64/sn hwperf interface [#292240] - Extend reiserfs to properly support file systems up to 16 TiB [#294754] - patches.fixes/reiserfs-signedness-fixes.diff: reiserfs: fix usage of signed ints for block numbers - patches.fixes/reiserfs-fix-large-fs.diff: reiserfs: ignore s_bmap_nr on disk for file systems >= 8 TiB - patches.suse/ocfs2-06-per-resource-events.diff: Deliver events without a specified resource unconditionally. [#296606] - patches.fixes/proc-readdir-race-fix.patch: Fix the race in proc_pid_readdir [#297232] - patches.xen/xen3-patch-2.6.16.49-50: XEN: update to Linux 2.6.16.50 [#298719] - patches.fixes/pm-ordering-fix.patch: PM: Fix ACPI suspend / device suspend ordering [#302207] - patches.drivers/ibmvscsi-slave_configure.patch add ->slave_configure() to allow device restart [#304138] - patches.arch/ppc-power6-ebus-unique_location.patch Prevent bus_id collisions [#306482] - patches.xen/30-bit-field-booleans.patch: Fix packet loss in DomU xen netback driver [#306896] - config/i386/kdump: Enable ahci module [#308556] - update patches.drivers/ppc-power6-ehea.patch fix link state detection for bonding [#309553] - patches.drivers/ibmveth-fixup-pool_deactivate.patch patches.drivers/ibmveth-large-frames.patch patches.drivers/ibmveth-large-mtu.patch: fix serveral crashes when changing ibmveth sysfs values [#326164] - patches.drivers/libata-sata_sil24-fix-IRQ-clearing-race- on-I RQ_WOC: sata_sil24: fix IRQ clearing race when PCIX_IRQ_WOC is used [#327536] - update patches.drivers/ibmvscsis.patch set blocksize to PAGE_CACHE_SIZE to fix flood of bio allocation warnings/failures [#328219] Fixes for S/390 : - IBM Patchcluster 17 [#330036] - Problem-ID: 38085 - zfcp: zfcp_scsi_eh_abort_handler or zfcp_scsi_eh_device_reset_handler hanging after CHPID off/on - Problem-ID: 38491 - zfcp: Error messages when LUN 0 is present - Problem-ID: 37390 - zcrypt: fix PCIXCC/CEX2C error recovery [#306056] - Problem-ID: 38500 - kernel: too few page cache pages in state volatile - Problem-ID: 38634 - qeth: crash during reboot after failing online setting - Problem-ID: 38927 - kernel: shared memory may not be volatile - Problem-ID: 39069 - cio: Disable channel path measurements on shutdown/reboot - Problem-ID: 27787 - qeth: recognize 'exclusively used'-RC from Hydra3 - Problem-ID: 38330 - qeth: make qeth driver loadable without ipv6 module For further description of the named Problem-IDs, please look to http://www-128.ibm.com/developerworks/linux/linux390/oct ober 2005_recommended.html
    last seen 2019-02-21
    modified 2012-05-17
    plugin id 29488
    published 2007-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29488
    title SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 4471)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_KERNEL-4472.NASL
    description This kernel update fixes the following security problems : - It was possible for local user to become root by exploiting a bug in the IA32 system call emulation. This affects x86_64 platforms with kernel 2.4.x and 2.6.x before 2.6.22.7 only. (CVE-2007-4573) - An information disclosure vulnerability in the ALSA driver can be exploited by local users to read sensitive data from the kernel memory. (CVE-2007-4571) and the following non security bugs : - patches.xen/xen-blkback-cdrom: CDROM removable media-present attribute plus handling code [#159907] - patches.drivers/libata-add-pata_dma-kernel-parameter: libata: Add a drivers/ide style DMA disable [#229260] [#272786] - patches.drivers/libata-sata_via-kill-SATA_PATA_SHARING: sata_via: kill SATA_PATA_SHARING register handling [#254158] [#309069] - patches.drivers/libata-sata_via-add-PCI-IDs: sata_via: add PCI IDs [#254158] [#326647] - supported.conf: Marked 8250 and 8250_pci as supported (only Xen kernels build them as modules) [#260686] - patches.fixes/bridge-module-get-put.patch: Module use count must be updated as bridges are created/destroyed [#267651] - patches.fixes/iscsi-netware-fix: Linux Initiator hard hangs writing files to NetWare target [#286566] - patches.fixes/lockd-chroot-fix: Allow lockd to work reliably with applications in a chroot [#288376] [#305480] - add patches.fixes/x86_64-hangcheck_timer-fix.patch fix monotonic_clock() and hangcheck_timer [#291633] - patches.arch/sn_hwperf_cpuinfo_fix.diff: Correctly count CPU objects for SGI ia64/sn hwperf interface [#292240] - Extend reiserfs to properly support file systems up to 16 TiB [#294754] - patches.fixes/reiserfs-signedness-fixes.diff: reiserfs: fix usage of signed ints for block numbers - patches.fixes/reiserfs-fix-large-fs.diff: reiserfs: ignore s_bmap_nr on disk for file systems >= 8 TiB - patches.suse/ocfs2-06-per-resource-events.diff: Deliver events without a specified resource unconditionally. [#296606] - patches.fixes/proc-readdir-race-fix.patch: Fix the race in proc_pid_readdir [#297232] - patches.xen/xen3-patch-2.6.16.49-50: XEN: update to Linux 2.6.16.50 [#298719] - patches.fixes/pm-ordering-fix.patch: PM: Fix ACPI suspend / device suspend ordering [#302207] - patches.drivers/ibmvscsi-slave_configure.patch add ->slave_configure() to allow device restart [#304138] - patches.arch/ppc-power6-ebus-unique_location.patch Prevent bus_id collisions [#306482] - patches.xen/30-bit-field-booleans.patch: Fix packet loss in DomU xen netback driver [#306896] - config/i386/kdump: Enable ahci module [#308556] - update patches.drivers/ppc-power6-ehea.patch fix link state detection for bonding [#309553] - patches.drivers/ibmveth-fixup-pool_deactivate.patch patches.drivers/ibmveth-large-frames.patch patches.drivers/ibmveth-large-mtu.patch: fix serveral crashes when changing ibmveth sysfs values [#326164] - patches.drivers/libata-sata_sil24-fix-IRQ-clearing-race- on-I RQ_WOC: sata_sil24: fix IRQ clearing race when PCIX_IRQ_WOC is used [#327536] - update patches.drivers/ibmvscsis.patch set blocksize to PAGE_CACHE_SIZE to fix flood of bio allocation warnings/failures [#328219]
    last seen 2019-02-21
    modified 2012-05-17
    plugin id 59124
    published 2012-05-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59124
    title SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 4472)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2007-0937.NASL
    description Updated kernel packages that fix a security issue in the Red Hat Enterprise Linux 4 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. A flaw was found in the IA32 system call emulation provided on AMD64 and Intel 64 platforms. An improperly validated 64-bit value could be stored in the %RAX register, which could trigger an out-of-bounds system call table access. An untrusted local user could exploit this flaw to run code in the kernel (ie a root privilege escalation). (CVE-2007-4573). Red Hat would like to thank Wojciech Purczynski for reporting this issue. Red Hat Enterprise Linux 4 users are advised to upgrade to these packages, which contain a backported patch to correct this issue.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 26206
    published 2007-10-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=26206
    title CentOS 4 : kernel (CESA-2007:0937)
oval via4
accepted 2013-04-29T04:21:43.668-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 3
    oval oval:org.mitre.oval:def:11782
  • comment CentOS Linux 3.x
    oval oval:org.mitre.oval:def:16651
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
  • comment The operating system installed on the system is Red Hat Enterprise Linux 5
    oval oval:org.mitre.oval:def:11414
  • comment The operating system installed on the system is CentOS Linux 5.x
    oval oval:org.mitre.oval:def:15802
  • comment Oracle Linux 5.x
    oval oval:org.mitre.oval:def:15459
description The IA32 system call emulation functionality in Linux kernel 2.4.x and 2.6.x before 2.6.22.7, when running on the x86_64 architecture, does not zero extend the eax register after the 32bit entry path to ptrace is used, which might allow local users to gain privileges by triggering an out-of-bounds access to the system call table using the %RAX register.
family unix
id oval:org.mitre.oval:def:9735
status accepted
submitted 2010-07-09T03:56:16-04:00
title The IA32 system call emulation functionality in Linux kernel 2.4.x and 2.6.x before 2.6.22.7, when running on the x86_64 architecture, does not zero extend the eax register after the 32bit entry path to ptrace is used, which might allow local users to gain privileges by triggering an out-of-bounds access to the system call table using the %RAX register.
version 24
redhat via4
advisories
  • bugzilla
    id 294541
    title CVE-2007-4573 x86_64 syscall vulnerability
    oval
    AND
    • comment Red Hat Enterprise Linux 5 is installed
      oval oval:com.redhat.rhsa:tst:20070055001
    • OR
      • AND
        • comment kernel is earlier than 0:2.6.18-8.1.14.el5
          oval oval:com.redhat.rhsa:tst:20070936002
        • comment kernel is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20070099003
      • AND
        • comment kernel-PAE is earlier than 0:2.6.18-8.1.14.el5
          oval oval:com.redhat.rhsa:tst:20070936018
        • comment kernel-PAE is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20070099019
      • AND
        • comment kernel-PAE-devel is earlier than 0:2.6.18-8.1.14.el5
          oval oval:com.redhat.rhsa:tst:20070936016
        • comment kernel-PAE-devel is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20070099017
      • AND
        • comment kernel-devel is earlier than 0:2.6.18-8.1.14.el5
          oval oval:com.redhat.rhsa:tst:20070936010
        • comment kernel-devel is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20070099011
      • AND
        • comment kernel-doc is earlier than 0:2.6.18-8.1.14.el5
          oval oval:com.redhat.rhsa:tst:20070936020
        • comment kernel-doc is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20070099021
      • AND
        • comment kernel-headers is earlier than 0:2.6.18-8.1.14.el5
          oval oval:com.redhat.rhsa:tst:20070936004
        • comment kernel-headers is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20070099005
      • AND
        • comment kernel-kdump is earlier than 0:2.6.18-8.1.14.el5
          oval oval:com.redhat.rhsa:tst:20070936012
        • comment kernel-kdump is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20070099015
      • AND
        • comment kernel-kdump-devel is earlier than 0:2.6.18-8.1.14.el5
          oval oval:com.redhat.rhsa:tst:20070936014
        • comment kernel-kdump-devel is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20070099013
      • AND
        • comment kernel-xen is earlier than 0:2.6.18-8.1.14.el5
          oval oval:com.redhat.rhsa:tst:20070936006
        • comment kernel-xen is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20070099007
      • AND
        • comment kernel-xen-devel is earlier than 0:2.6.18-8.1.14.el5
          oval oval:com.redhat.rhsa:tst:20070936008
        • comment kernel-xen-devel is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20070099009
    rhsa
    id RHSA-2007:0936
    released 2007-09-27
    severity Important
    title RHSA-2007:0936: kernel security update (Important)
  • bugzilla
    id 294541
    title CVE-2007-4573 x86_64 syscall vulnerability
    oval
    AND
    • comment Red Hat Enterprise Linux 4 is installed
      oval oval:com.redhat.rhsa:tst:20060016001
    • OR
      • AND
        • comment kernel is earlier than 0:2.6.9-55.0.9.EL
          oval oval:com.redhat.rhsa:tst:20070937002
        • comment kernel is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20060689003
      • AND
        • comment kernel-devel is earlier than 0:2.6.9-55.0.9.EL
          oval oval:com.redhat.rhsa:tst:20070937004
        • comment kernel-devel is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20060689005
      • AND
        • comment kernel-doc is earlier than 0:2.6.9-55.0.9.EL
          oval oval:com.redhat.rhsa:tst:20070937022
        • comment kernel-doc is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20060689019
      • AND
        • comment kernel-hugemem is earlier than 0:2.6.9-55.0.9.EL
          oval oval:com.redhat.rhsa:tst:20070937018
        • comment kernel-hugemem is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20060689017
      • AND
        • comment kernel-hugemem-devel is earlier than 0:2.6.9-55.0.9.EL
          oval oval:com.redhat.rhsa:tst:20070937020
        • comment kernel-hugemem-devel is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20060689015
      • AND
        • comment kernel-largesmp is earlier than 0:2.6.9-55.0.9.EL
          oval oval:com.redhat.rhsa:tst:20070937012
        • comment kernel-largesmp is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20060689013
      • AND
        • comment kernel-largesmp-devel is earlier than 0:2.6.9-55.0.9.EL
          oval oval:com.redhat.rhsa:tst:20070937016
        • comment kernel-largesmp-devel is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20060689009
      • AND
        • comment kernel-smp is earlier than 0:2.6.9-55.0.9.EL
          oval oval:com.redhat.rhsa:tst:20070937010
        • comment kernel-smp is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20060689011
      • AND
        • comment kernel-smp-devel is earlier than 0:2.6.9-55.0.9.EL
          oval oval:com.redhat.rhsa:tst:20070937006
        • comment kernel-smp-devel is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20060689007
      • AND
        • comment kernel-xenU is earlier than 0:2.6.9-55.0.9.EL
          oval oval:com.redhat.rhsa:tst:20070937014
        • comment kernel-xenU is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20070488009
      • AND
        • comment kernel-xenU-devel is earlier than 0:2.6.9-55.0.9.EL
          oval oval:com.redhat.rhsa:tst:20070937008
        • comment kernel-xenU-devel is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20070488011
    rhsa
    id RHSA-2007:0937
    released 2007-09-27
    severity Important
    title RHSA-2007:0937: kernel security update (Important)
  • bugzilla
    id 294541
    title CVE-2007-4573 x86_64 syscall vulnerability
    oval
    AND
    • comment Red Hat Enterprise Linux 3 is installed
      oval oval:com.redhat.rhsa:tst:20060015001
    • OR
      • AND
        • comment kernel is earlier than 0:2.4.21-52.EL
          oval oval:com.redhat.rhsa:tst:20070938002
        • comment kernel is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20060689003
      • AND
        • comment kernel-BOOT is earlier than 0:2.4.21-52.EL
          oval oval:com.redhat.rhsa:tst:20070938014
        • comment kernel-BOOT is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20060710015
      • AND
        • comment kernel-doc is earlier than 0:2.4.21-52.EL
          oval oval:com.redhat.rhsa:tst:20070938004
        • comment kernel-doc is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20060689019
      • AND
        • comment kernel-hugemem is earlier than 0:2.4.21-52.EL
          oval oval:com.redhat.rhsa:tst:20070938016
        • comment kernel-hugemem is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20060689017
      • AND
        • comment kernel-hugemem-unsupported is earlier than 0:2.4.21-52.EL
          oval oval:com.redhat.rhsa:tst:20070938018
        • comment kernel-hugemem-unsupported is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20060710017
      • AND
        • comment kernel-smp is earlier than 0:2.4.21-52.EL
          oval oval:com.redhat.rhsa:tst:20070938006
        • comment kernel-smp is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20060689011
      • AND
        • comment kernel-smp-unsupported is earlier than 0:2.4.21-52.EL
          oval oval:com.redhat.rhsa:tst:20070938010
        • comment kernel-smp-unsupported is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20060710011
      • AND
        • comment kernel-source is earlier than 0:2.4.21-52.EL
          oval oval:com.redhat.rhsa:tst:20070938008
        • comment kernel-source is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20060710007
      • AND
        • comment kernel-unsupported is earlier than 0:2.4.21-52.EL
          oval oval:com.redhat.rhsa:tst:20070938012
        • comment kernel-unsupported is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20060710009
    rhsa
    id RHSA-2007:0938
    released 2007-09-27
    severity Important
    title RHSA-2007:0938: kernel security update (Important)
rpms
  • kernel-0:2.6.18-8.1.14.el5
  • kernel-PAE-0:2.6.18-8.1.14.el5
  • kernel-PAE-devel-0:2.6.18-8.1.14.el5
  • kernel-devel-0:2.6.18-8.1.14.el5
  • kernel-doc-0:2.6.18-8.1.14.el5
  • kernel-headers-0:2.6.18-8.1.14.el5
  • kernel-kdump-0:2.6.18-8.1.14.el5
  • kernel-kdump-devel-0:2.6.18-8.1.14.el5
  • kernel-xen-0:2.6.18-8.1.14.el5
  • kernel-xen-devel-0:2.6.18-8.1.14.el5
  • kernel-0:2.6.9-55.0.9.EL
  • kernel-devel-0:2.6.9-55.0.9.EL
  • kernel-doc-0:2.6.9-55.0.9.EL
  • kernel-hugemem-0:2.6.9-55.0.9.EL
  • kernel-hugemem-devel-0:2.6.9-55.0.9.EL
  • kernel-largesmp-0:2.6.9-55.0.9.EL
  • kernel-largesmp-devel-0:2.6.9-55.0.9.EL
  • kernel-smp-0:2.6.9-55.0.9.EL
  • kernel-smp-devel-0:2.6.9-55.0.9.EL
  • kernel-xenU-0:2.6.9-55.0.9.EL
  • kernel-xenU-devel-0:2.6.9-55.0.9.EL
  • kernel-0:2.4.21-52.EL
  • kernel-BOOT-0:2.4.21-52.EL
  • kernel-doc-0:2.4.21-52.EL
  • kernel-hugemem-0:2.4.21-52.EL
  • kernel-hugemem-unsupported-0:2.4.21-52.EL
  • kernel-smp-0:2.4.21-52.EL
  • kernel-smp-unsupported-0:2.4.21-52.EL
  • kernel-source-0:2.4.21-52.EL
  • kernel-unsupported-0:2.4.21-52.EL
refmap via4
bid 25774
bugtraq
  • 20070924 COSEINC Linux Advisory #2: IA32 System Call Emulation Vulnerability
  • 20070926 Re: COSEINC Linux Advisory #2: IA32 System CallEmulation Vulnerability
confirm
debian
  • DSA-1378
  • DSA-1381
  • DSA-1504
fedora
  • FEDORA-2007-2298
  • FEDORA-2007-712
fulldisc 20070924 COSEINC Linux Advisory #2: IA32 System Call
mandriva
  • MDKSA-2007:195
  • MDKSA-2007:196
  • MDVSA-2008:008
  • MDVSA-2008:105
mlist
  • [linux-kernel] 20070921 Linux 2.6.22.7
  • [linux-kernel] 20070921 Re: Linux 2.6.22.7
sectrack 1018748
secunia
  • 26917
  • 26919
  • 26934
  • 26953
  • 26955
  • 26978
  • 26994
  • 26995
  • 27212
  • 27227
  • 27912
  • 29058
suse
  • SUSE-SA:2007:053
  • SUSE-SA:2007:064
ubuntu USN-518-1
vupen ADV-2007-3246
statements via4
contributor Mark J Cox
lastmodified 2007-09-27
organization Red Hat
statement This issue affected users who were running 64-bit versions of Red Hat Enterprise Linux 3, 4, or 5 on x86_64 architecture. It did not affect users of Red Hat Enterprise Linux 2.1. Updates are available for Red Hat Enterprise Linux 3, 4, and 5 to correct this issue. New kernel packages along with our advisory are available at the URL below as well as via the Red Hat Network. http://rhn.redhat.com/errata/CVE-2007-4573.html
Last major update 07-03-2011 - 21:58
Published 24-09-2007 - 18:17
Last modified 15-10-2018 - 17:36
Back to Top