ID CVE-2008-5025
Summary Stack-based buffer overflow in the hfs_cat_find_brec function in fs/hfs/catalog.c in the Linux kernel before 2.6.28-rc1 allows attackers to cause a denial of service (memory corruption or system crash) via an hfs filesystem image with an invalid catalog namelength field, a related issue to CVE-2008-4933.
References
Vulnerable Configurations
  • Linux Kernel 2.6.24.7
    cpe:2.3:o:linux:linux_kernel:2.6.24.7
  • Linux Kernel 2.6.25.15
    cpe:2.3:o:linux:linux_kernel:2.6.25.15
  • Linux Kernel 2.6.23.16
    cpe:2.3:o:linux:linux_kernel:2.6.23.15
  • Linux Kernel 2.6.23.17
    cpe:2.3:o:linux:linux_kernel:2.6.23.17
  • Linux Kernel 2.6.23.16
    cpe:2.3:o:linux:linux_kernel:2.6.23.16
  • Linux Kernel 2.6.23.11
    cpe:2.3:o:linux:linux_kernel:2.6.23.11
  • Linux Kernel 2.6.23.9
    cpe:2.3:o:linux:linux_kernel:2.6.23.9
  • Linux Kernel 2.6.23.13
    cpe:2.3:o:linux:linux_kernel:2.6.23.13
  • Linux Kernel 2.6.25.2
    cpe:2.3:o:linux:linux_kernel:2.6.25.2
  • Linux Kernel 2.6.23.12
    cpe:2.3:o:linux:linux_kernel:2.6.23.12
  • Linux Kernel 2.6.21.5
    cpe:2.3:o:linux:linux_kernel:2.6.21.5
  • Linux Kernel 2.6.20.21
    cpe:2.3:o:linux:linux_kernel:2.6.20.21
  • Linux Kernel 2.6.23.8
    cpe:2.3:o:linux:linux_kernel:2.6.23.8
  • Linux Kernel 2.6.20.18
    cpe:2.3:o:linux:linux_kernel:2.6.20.18
  • Linux Kernel 2.6.20.17
    cpe:2.3:o:linux:linux_kernel:2.6.20.17
  • Linux Kernel 2.6.20.20
    cpe:2.3:o:linux:linux_kernel:2.6.20.20
  • Linux Kernel 2.6.20.19
    cpe:2.3:o:linux:linux_kernel:2.6.20.19
  • Linux Kernel 2.6.19.7
    cpe:2.3:o:linux:linux_kernel:2.6.19.7
  • Linux Kernel 2.6.20.16
    cpe:2.3:o:linux:linux_kernel:2.6.20.16
  • Linux Kernel 2.6.19.5
    cpe:2.3:o:linux:linux_kernel:2.6.19.5
  • Linux Kernel 2.6.19.6
    cpe:2.3:o:linux:linux_kernel:2.6.19.6
  • Linux Kernel 2.6.19.4
    cpe:2.3:o:linux:linux_kernel:2.6.19.4
  • Linux Kernel 2.6.25.5
    cpe:2.3:o:linux:linux_kernel:2.6.25.5
  • cpe:2.3:o:linux:linux_kernel:2.6.23_rc1
    cpe:2.3:o:linux:linux_kernel:2.6.23_rc1
  • cpe:2.3:o:linux:linux_kernel:2.6.24_rc4
    cpe:2.3:o:linux:linux_kernel:2.6.24_rc4
  • cpe:2.3:o:linux:linux_kernel:2.6.24_rc5
    cpe:2.3:o:linux:linux_kernel:2.6.24_rc5
  • cpe:2.3:o:linux:linux_kernel:2.4.36.4
    cpe:2.3:o:linux:linux_kernel:2.4.36.4
  • cpe:2.3:o:linux:linux_kernel:2.4.36.5
    cpe:2.3:o:linux:linux_kernel:2.4.36.5
  • cpe:2.3:o:linux:linux_kernel:2.4.36.1
    cpe:2.3:o:linux:linux_kernel:2.4.36.1
  • Linux Kernel 2.6.22
    cpe:2.3:o:linux:linux_kernel:2.6.22
  • cpe:2.3:o:linux:linux_kernel:2.4.36
    cpe:2.3:o:linux:linux_kernel:2.4.36
  • Linux Kernel 2.6.18
    cpe:2.3:o:linux:linux_kernel:2.6.18
  • cpe:2.3:o:linux:linux_kernel:2.4.36.3
    cpe:2.3:o:linux:linux_kernel:2.4.36.3
  • Linux Kernel 2.6.23
    cpe:2.3:o:linux:linux_kernel:2.6.23
  • cpe:2.3:o:linux:linux_kernel:2.4.36.2
    cpe:2.3:o:linux:linux_kernel:2.4.36.2
  • Linux Kernel 2.6.25.16
    cpe:2.3:o:linux:linux_kernel:2.6.25.16
  • Linux Kernel 2.6.25.17
    cpe:2.3:o:linux:linux_kernel:2.6.25.17
  • cpe:2.3:o:linux:linux_kernel:2.6.22_rc7
    cpe:2.3:o:linux:linux_kernel:2.6.22_rc7
  • Linux Kernel 2.6.21.6
    cpe:2.3:o:linux:linux_kernel:2.6.21.6
  • cpe:2.3:o:linux:linux_kernel:2.6.22_rc1
    cpe:2.3:o:linux:linux_kernel:2.6.22_rc1
  • Linux Kernel 2.6.23.10
    cpe:2.3:o:linux:linux_kernel:2.6.23.10
  • Linux Kernel 2.6.21.7
    cpe:2.3:o:linux:linux_kernel:2.6.21.7
  • cpe:2.3:o:linux:linux_kernel:2.6.24_rc1
    cpe:2.3:o:linux:linux_kernel:2.6.24_rc1
  • Linux Kernel 2.6.24.6
    cpe:2.3:o:linux:linux_kernel:2.6.24.6
  • Linux Kernel 2.6.25.4
    cpe:2.3:o:linux:linux_kernel:2.6.25.4
  • Linux Kernel 2.6.25.13
    cpe:2.3:o:linux:linux_kernel:2.6.25.13
  • Linux Kernel 2.6.25.3
    cpe:2.3:o:linux:linux_kernel:2.6.25.3
  • Linux Kernel 2.6.25.14
    cpe:2.3:o:linux:linux_kernel:2.6.25.14
  • Linux Kernel 2.6.24.1
    cpe:2.3:o:linux:linux_kernel:2.6.24.1
  • Linux Kernel 2.6.24
    cpe:2.3:o:linux:linux_kernel:2.6.24
  • Linux Kernel 2.6.25.10
    cpe:2.3:o:linux:linux_kernel:2.6.25.10
  • Linux Kernel 2.6.25.11
    cpe:2.3:o:linux:linux_kernel:2.6.25.11
  • cpe:2.3:o:linux:linux_kernel:2.4.36.6
    cpe:2.3:o:linux:linux_kernel:2.4.36.6
  • Linux Kernel 2.6.22.1
    cpe:2.3:o:linux:linux_kernel:2.6.22.1
  • cpe:2.3:o:linux:linux_kernel:2.2.27
    cpe:2.3:o:linux:linux_kernel:2.2.27
  • cpe:2.3:o:linux:linux_kernel:2.6.25.12:-:x86_64
    cpe:2.3:o:linux:linux_kernel:2.6.25.12:-:x86_64
  • cpe:2.3:o:linux:linux_kernel:2.6.25.11:-:x86_64
    cpe:2.3:o:linux:linux_kernel:2.6.25.11:-:x86_64
  • cpe:2.3:o:linux:linux_kernel:2.6.25.8:-:x86_64
    cpe:2.3:o:linux:linux_kernel:2.6.25.8:-:x86_64
  • Linux Kernel 2.6.25.6
    cpe:2.3:o:linux:linux_kernel:2.6.25.6
  • cpe:2.3:o:linux:linux_kernel:2.6.25.7:-:x86_64
    cpe:2.3:o:linux:linux_kernel:2.6.25.7:-:x86_64
  • Linux Kernel 2.6.25.7
    cpe:2.3:o:linux:linux_kernel:2.6.25.7
  • cpe:2.3:o:linux:linux_kernel:2.6.25.6:-:x86_64
    cpe:2.3:o:linux:linux_kernel:2.6.25.6:-:x86_64
  • cpe:2.3:o:linux:linux_kernel:2.6.25.5:-:x86_64
    cpe:2.3:o:linux:linux_kernel:2.6.25.5:-:x86_64
  • cpe:2.3:o:linux:linux_kernel:2.6.25.4:-:x86_64
    cpe:2.3:o:linux:linux_kernel:2.6.25.4:-:x86_64
  • cpe:2.3:o:linux:linux_kernel:2.6.25.3:-:x86_64
    cpe:2.3:o:linux:linux_kernel:2.6.25.3:-:x86_64
  • cpe:2.3:o:linux:linux_kernel:2.6.25.2:-:x86_64
    cpe:2.3:o:linux:linux_kernel:2.6.25.2:-:x86_64
  • cpe:2.3:o:linux:linux_kernel:2.6.25.10:-:x86_64
    cpe:2.3:o:linux:linux_kernel:2.6.25.10:-:x86_64
  • cpe:2.3:o:linux:linux_kernel:2.6.25.1:-:x86_64
    cpe:2.3:o:linux:linux_kernel:2.6.25.1:-:x86_64
  • Linux Kernel 2.6.18 Release Candidate 5
    cpe:2.3:o:linux:linux_kernel:2.6.18:rc5
  • Linux Kernel 2.6.18 Release Candidate 6
    cpe:2.3:o:linux:linux_kernel:2.6.18:rc6
  • Linux Kernel 2.6.18 Release Candidate 7
    cpe:2.3:o:linux:linux_kernel:2.6.18:rc7
  • Linux Kernel 2.6.18 Release Candidate 1
    cpe:2.3:o:linux:linux_kernel:2.6.18:rc1
  • Linux Kernel 2.6.18 Release Candidate 2
    cpe:2.3:o:linux:linux_kernel:2.6.18:rc2
  • Linux Kernel 2.6.25.8
    cpe:2.3:o:linux:linux_kernel:2.6.25.8
  • Linux Kernel 2.6.18 Release Candidate 3
    cpe:2.3:o:linux:linux_kernel:2.6.18:rc3
  • Linux Kernel 2.6.18 Release Candidate 4
    cpe:2.3:o:linux:linux_kernel:2.6.18:rc4
  • Linux Kernel 2.6.25.1
    cpe:2.3:o:linux:linux_kernel:2.6.25.1
  • Linux Kernel 2.6.25.12
    cpe:2.3:o:linux:linux_kernel:2.6.25.12
  • Linux Kernel 2.6.24.2
    cpe:2.3:o:linux:linux_kernel:2.6.24.2
  • Linux Kernel 2.6.22.22
    cpe:2.3:o:linux:linux_kernel:2.6.22.22
  • Linux Kernel 2.6.22.21
    cpe:2.3:o:linux:linux_kernel:2.6.22.21
  • Linux Kernel 2.6.22.20
    cpe:2.3:o:linux:linux_kernel:2.6.22.20
  • Linux Kernel 2.6.22.19
    cpe:2.3:o:linux:linux_kernel:2.6.22.19
  • cpe:2.3:o:linux:linux_kernel:2.6
    cpe:2.3:o:linux:linux_kernel:2.6
  • Linux Kernel 2.6.24.3
    cpe:2.3:o:linux:linux_kernel:2.6.24.3
  • Linux Kernel 2.6.24.4
    cpe:2.3:o:linux:linux_kernel:2.6.24.4
  • Linux Kernel 2.6.24.5
    cpe:2.3:o:linux:linux_kernel:2.6.24.5
  • Linux Kernel 2.6.25
    cpe:2.3:o:linux:linux_kernel:2.6.25
  • Linux Kernel 2.6.22.2
    cpe:2.3:o:linux:linux_kernel:2.6.22.2
  • Linux Kernel 2.6.22.8
    cpe:2.3:o:linux:linux_kernel:2.6.22.8
  • Linux Kernel 2.6.22.9
    cpe:2.3:o:linux:linux_kernel:2.6.22.9
  • Linux Kernel 2.6.22.14
    cpe:2.3:o:linux:linux_kernel:2.6.22.14
  • Linux Kernel 2.6.22.15
    cpe:2.3:o:linux:linux_kernel:2.6.22.15
  • Linux Kernel 2.6.22.17
    cpe:2.3:o:linux:linux_kernel:2.6.22.17
  • Linux Kernel 2.6.22.18
    cpe:2.3:o:linux:linux_kernel:2.6.22.18
  • Linux Kernel 2.6.22.10
    cpe:2.3:o:linux:linux_kernel:2.6.22.10
  • Linux Kernel 2.6.22.11
    cpe:2.3:o:linux:linux_kernel:2.6.22.11
  • Linux Kernel 2.6.22.12
    cpe:2.3:o:linux:linux_kernel:2.6.22.12
  • Linux Kernel 2.6.22.13
    cpe:2.3:o:linux:linux_kernel:2.6.22.13
  • Linux Kernel 2.6.25.9
    cpe:2.3:o:linux:linux_kernel:2.6.25.9
  • cpe:2.3:o:linux:linux_kernel:2.6.25.9:-:x86_64
    cpe:2.3:o:linux:linux_kernel:2.6.25.9:-:x86_64
  • cpe:2.3:o:linux:linux_kernel:2.6.25:-:x86_64
    cpe:2.3:o:linux:linux_kernel:2.6.25:-:x86_64
  • Linux Kernel 2.6.26
    cpe:2.3:o:linux:linux_kernel:2.6.26
  • Linux Kernel 2.6.26.1
    cpe:2.3:o:linux:linux_kernel:2.6.26.1
  • Linux Kernel 2.6.26.2
    cpe:2.3:o:linux:linux_kernel:2.6.26.2
  • Linux Kernel 2.6.26.3
    cpe:2.3:o:linux:linux_kernel:2.6.26.3
  • Linux Kernel 2.6.26.4
    cpe:2.3:o:linux:linux_kernel:2.6.26.4
  • Linux Kernel 2.6.26.5
    cpe:2.3:o:linux:linux_kernel:2.6.26.5
  • Linux Kernel 2.6.27
    cpe:2.3:o:linux:linux_kernel:2.6.27
  • Linux Kernel 2.6.28
    cpe:2.3:o:linux:linux_kernel:2.6.28
CVSS
Base: 7.8 (as of 18-11-2008 - 13:03)
Impact:
Exploitability:
CWE CWE-119
CAPEC
  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
  • Overflow Binary Resource File
    An attack of this type exploits a buffer overflow vulnerability in the handling of binary resources. Binary resources may include music files like MP3, image files like JPEG files, and any other binary file. These attacks may pass unnoticed to the client machine through normal usage of files, such as a browser loading a seemingly innocent JPEG file. This can allow the attacker access to the execution stack and execute arbitrary code in the target process. This attack pattern is a variant of standard buffer overflow attacks using an unexpected vector (binary files) to wrap its attack and open up a new attack vector. The attacker is required to either directly serve the binary content to the victim, or place it in a locale like a MP3 sharing application, for the victim to download. The attacker then is notified upon the download or otherwise locates the vulnerability opened up by the buffer overflow.
  • Buffer Overflow via Symbolic Links
    This type of attack leverages the use of symbolic links to cause buffer overflows. An attacker can try to create or manipulate a symbolic link file such that its contents result in out of bounds data. When the target software processes the symbolic link file, it could potentially overflow internal buffers with insufficient bounds checking.
  • Overflow Variables and Tags
    This type of attack leverages the use of tags or variables from a formatted configuration data to cause buffer overflow. The attacker crafts a malicious HTML page or configuration file that includes oversized strings, thus causing an overflow.
  • Buffer Overflow via Parameter Expansion
    In this attack, the target software is given input that the attacker knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.
  • Buffer Overflow in an API Call
    This attack targets libraries or shared code modules which are vulnerable to buffer overflow attacks. An attacker who has access to an API may try to embed malicious code in the API function call and exploit a buffer overflow vulnerability in the function's implementation. All clients that make use of the code library thus become vulnerable by association. This has a very broad effect on security across a system, usually affecting more than one software process.
  • Buffer Overflow in Local Command-Line Utilities
    This attack targets command-line utilities available in a number of shells. An attacker can leverage a vulnerability found in a command-line utility to escalate privilege to root.
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
NONE NONE COMPLETE
nessus via4
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2008-246.NASL
    description Some vulnerabilities were discovered and corrected in the Linux 2.6 kernel : The chip_command function in drivers/media/video/tvaudio.c in the Linux kernel 2.6.25.x before 2.6.25.19, 2.6.26.x before 2.6.26.7, and 2.6.27.x before 2.6.27.3 allows attackers to cause a denial of service (NULL function pointer dereference and OOPS) via unknown vectors. (CVE-2008-5033) Stack-based buffer overflow in the hfs_cat_find_brec function in fs/hfs/catalog.c in the Linux kernel before 2.6.28-rc1 allows attackers to cause a denial of service (memory corruption or system crash) via an hfs filesystem image with an invalid catalog namelength field, a related issue to CVE-2008-4933. (CVE-2008-5025) Additionally, added enhancements for a newer revision of Nokia models 6300, XpressMusic 5200, 5610 and 7610, the support for the ub USB module was disabled, added fixes for the Wake On LAN feature of the r8169 module, added fixes for suspend and resume on the i915 module, added ALSA fixes for Intel HDA, added workaround for a bug on iwlagn, added the m5602 driver, fixed a crash on the ppscsi module, added fixes to the uvcvideo module. To update your kernel, please follow the directions located at : http://www.mandriva.com/en/security/kernelupdate
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 37874
    published 2009-04-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=37874
    title Mandriva Linux Security Advisory : kernel (MDVSA-2008:246)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-679-1.NASL
    description It was discovered that the Xen hypervisor block driver did not correctly validate requests. A user with root privileges in a guest OS could make a malicious IO request with a large number of blocks that would crash the host OS, leading to a denial of service. This only affected Ubuntu 7.10. (CVE-2007-5498) It was discovered the the i915 video driver did not correctly validate memory addresses. A local attacker could exploit this to remap memory that could cause a system crash, leading to a denial of service. This issue did not affect Ubuntu 6.06 and was previous fixed for Ubuntu 7.10 and 8.04 in USN-659-1. Ubuntu 8.10 has now been corrected as well. (CVE-2008-3831) David Watson discovered that the kernel did not correctly strip permissions when creating files in setgid directories. A local user could exploit this to gain additional group privileges. This issue only affected Ubuntu 6.06. (CVE-2008-4210) Olaf Kirch and Miklos Szeredi discovered that the Linux kernel did not correctly reject the 'append' flag when handling file splice requests. A local attacker could bypass append mode and make changes to arbitrary locations in a file. This issue only affected Ubuntu 7.10 and 8.04. (CVE-2008-4554) It was discovered that the SCTP stack did not correctly handle INIT-ACK. A remote user could exploit this by sending specially crafted SCTP traffic which would trigger a crash in the system, leading to a denial of service. This issue did not affect Ubuntu 8.10. (CVE-2008-4576) It was discovered that the SCTP stack did not correctly handle bad packet lengths. A remote user could exploit this by sending specially crafted SCTP traffic which would trigger a crash in the system, leading to a denial of service. This issue did not affect Ubuntu 8.10. (CVE-2008-4618) Eric Sesterhenn discovered multiple flaws in the HFS+ filesystem. If a local user or automated system were tricked into mounting a malicious HFS+ filesystem, the system could crash, leading to a denial of service. (CVE-2008-4933, CVE-2008-4934, CVE-2008-5025) It was discovered that the Unix Socket handler did not correctly process the SCM_RIGHTS message. A local attacker could make a malicious socket request that would crash the system, leading to a denial of service. (CVE-2008-5029) It was discovered that the driver for simple i2c audio interfaces did not correctly validate certain function pointers. A local user could exploit this to gain root privileges or crash the system, leading to a denial of service. (CVE-2008-5033). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 37683
    published 2009-04-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=37683
    title Ubuntu 6.06 LTS / 7.10 / 8.04 LTS / 8.10 : linux, linux-source-2.6.15/22 vulnerabilities (USN-679-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_0_KERNEL-090114.NASL
    description This update fixes various security issues and several bugs in the openSUSE 11.0 kernel. It was also updated to the stable version 2.6.25.20. CVE-2008-5702: Buffer underflow in the ibwdt_ioctl function in drivers/watchdog/ib700wdt.c might allow local users to have an unknown impact via a certain /dev/watchdog WDIOC_SETTIMEOUT IOCTL call. CVE-2008-5700: libata did not set minimum timeouts for SG_IO requests, which allows local users to cause a denial of service (Programmed I/O mode on drives) via multiple simultaneous invocations of an unspecified test program. CVE-2008-5079: net/atm/svc.c in the ATM subsystem allowed local users to cause a denial of service (kernel infinite loop) by making two calls to svc_listen for the same socket, and then reading a /proc/net/atm/*vc file, related to corruption of the vcc table. CVE-2008-5300: Linux kernel 2.6.28 allows local users to cause a denial of service ('soft lockup' and process loss) via a large number of sendmsg function calls, which does not block during AF_UNIX garbage collection and triggers an OOM condition, a different vulnerability than CVE-2008-5029. CVE-2008-5029: The __scm_destroy function in net/core/scm.c makes indirect recursive calls to itself through calls to the fput function, which allows local users to cause a denial of service (panic) via vectors related to sending an SCM_RIGHTS message through a UNIX domain socket and closing file descriptors. CVE-2008-4933: Buffer overflow in the hfsplus_find_cat function in fs/hfsplus/catalog.c allowed attackers to cause a denial of service (memory corruption or system crash) via an hfsplus filesystem image with an invalid catalog namelength field, related to the hfsplus_cat_build_key_uni function. CVE-2008-5025: Stack-based buffer overflow in the hfs_cat_find_brec function in fs/hfs/catalog.c allowed attackers to cause a denial of service (memory corruption or system crash) via an hfs filesystem image with an invalid catalog namelength field, a related issue to CVE-2008-4933. CVE-2008-5182: The inotify functionality might allow local users to gain privileges via unknown vectors related to race conditions in inotify watch removal and umount. CVE-2008-3831: The i915 driver in drivers/char/drm/i915_dma.c does not restrict the DRM_I915_HWS_ADDR ioctl to the Direct Rendering Manager (DRM) master, which allows local users to cause a denial of service (memory corruption) via a crafted ioctl call, related to absence of the DRM_MASTER and DRM_ROOT_ONLY flags in the ioctl's configuration. CVE-2008-4554: The do_splice_from function in fs/splice.c did not reject file descriptors that have the O_APPEND flag set, which allows local users to bypass append mode and make arbitrary changes to other locations in the file.
    last seen 2019-02-21
    modified 2016-12-21
    plugin id 40011
    published 2009-07-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=40011
    title openSUSE Security Update : kernel (kernel-423)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1681.NASL
    description Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2008-3528 Eugene Teo reported a local DoS issue in the ext2 and ext3 filesystems. Local users who have been granted the privileges necessary to mount a filesystem would be able to craft a corrupted filesystem that causes the kernel to output error messages in an infinite loop. - CVE-2008-4554 Milos Szeredi reported that the usage of splice() on files opened with O_APPEND allows users to write to the file at arbitrary offsets, enabling a bypass of possible assumed semantics of the O_APPEND flag. - CVE-2008-4576 Vlad Yasevich reported an issue in the SCTP subsystem that may allow remote users to cause a local DoS by triggering a kernel oops. - CVE-2008-4618 Wei Yongjun reported an issue in the SCTP subsystem that may allow remote users to cause a local DoS by triggering a kernel panic. - CVE-2008-4933 Eric Sesterhenn reported a local DoS issue in the hfsplus filesystem. Local users who have been granted the privileges necessary to mount a filesystem would be able to craft a corrupted filesystem that causes the kernel to overrun a buffer, resulting in a system oops or memory corruption. - CVE-2008-4934 Eric Sesterhenn reported a local DoS issue in the hfsplus filesystem. Local users who have been granted the privileges necessary to mount a filesystem would be able to craft a corrupted filesystem that results in a kernel oops due to an unchecked return value. - CVE-2008-5025 Eric Sesterhenn reported a local DoS issue in the hfs filesystem. Local users who have been granted the privileges necessary to mount a filesystem would be able to craft a filesystem with a corrupted catalog name length, resulting in a system oops or memory corruption. - CVE-2008-5029 Andrea Bittau reported a DoS issue in the unix socket subsystem that allows a local user to cause memory corruption, resulting in a kernel panic. - CVE-2008-5134 Johannes Berg reported a remote DoS issue in the libertas wireless driver, which can be triggered by a specially crafted beacon/probe response. - CVE-2008-5182 Al Viro reported race conditions in the inotify subsystem that may allow local users to acquire elevated privileges. - CVE-2008-5300 Dann Frazier reported a DoS condition that allows local users to cause the out of memory handler to kill off privileged processes or trigger soft lockups due to a starvation issue in the unix socket subsystem.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 35036
    published 2008-12-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=35036
    title Debian DSA-1681-1 : linux-2.6.24 - denial of service/privilege escalation
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2009-0014.NASL
    description Updated kernel packages that resolve several security issues and fix various bugs are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update addresses the following security issues : * the sendmsg() function in the Linux kernel did not block during UNIX socket garbage collection. This could, potentially, lead to a local denial of service. (CVE-2008-5300, Important) * when fput() was called to close a socket, the __scm_destroy() function in the Linux kernel could make indirect recursive calls to itself. This could, potentially, lead to a local denial of service. (CVE-2008-5029, Important) * a deficiency was found in the Linux kernel virtual file system (VFS) implementation. This could allow a local, unprivileged user to make a series of file creations within deleted directories, possibly causing a denial of service. (CVE-2008-3275, Moderate) * a buffer underflow flaw was found in the Linux kernel IB700 SBC watchdog timer driver. This deficiency could lead to a possible information leak. By default, the '/dev/watchdog' device is accessible only to the root user. (CVE-2008-5702, Low) * the hfs and hfsplus file systems code failed to properly handle corrupted data structures. This could, potentially, lead to a local denial of service. (CVE-2008-4933, CVE-2008-5025, Low) * a flaw was found in the hfsplus file system implementation. This could, potentially, lead to a local denial of service when write operations were performed. (CVE-2008-4934, Low) This update also fixes the following bugs : * when running Red Hat Enterprise Linux 4.6 and 4.7 on some systems running Intel(r) CPUs, the cpuspeed daemon did not run, preventing the CPU speed from being changed, such as not being reduced to an idle state when not in use. * mmap() could be used to gain access to beyond the first megabyte of RAM, due to insufficient checks in the Linux kernel code. Checks have been added to prevent this. * attempting to turn keyboard LEDs on and off rapidly on keyboards with slow keyboard controllers, may have caused key presses to fail. * after migrating a hypervisor guest, the MAC address table was not updated, causing packet loss and preventing network connections to the guest. Now, a gratuitous ARP request is sent after migration. This refreshes the ARP caches, minimizing network downtime. * writing crash dumps with diskdump may have caused a kernel panic on Non-Uniform Memory Access (NUMA) systems with certain memory configurations. * on big-endian systems, such as PowerPC, the getsockopt() function incorrectly returned 0 depending on the parameters passed to it when the time to live (TTL) value equaled 255, possibly causing memory corruption and application crashes. * a problem in the kernel packages provided by the RHSA-2008:0508 advisory caused the Linux kernel's built-in memory copy procedure to return the wrong error code after recovering from a page fault on AMD64 and Intel 64 systems. This may have caused other Linux kernel functions to return wrong error codes. * a divide-by-zero bug in the Linux kernel process scheduler, which may have caused kernel panics on certain systems, has been resolved. * the netconsole kernel module caused the Linux kernel to hang when slave interfaces of bonded network interfaces were started, resulting in a system hang or kernel panic when restarting the network. * the '/proc/xen/' directory existed even if systems were not running Red Hat Virtualization. This may have caused problems for third-party software that checks virtualization-ability based on the existence of '/proc/xen/'. Note: this update will remove the '/proc/xen/' directory on systems not running Red Hat Virtualization. All Red Hat Enterprise Linux 4 users should upgrade to these updated packages, which contain backported patches to resolve these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 43727
    published 2010-01-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=43727
    title CentOS 4 : kernel (CESA-2009:0014)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_KERNEL-5927.NASL
    description The SUSE Linux Enterprise 10 Service Pack 2 kernel was updated to fix some security issues and various bugs. The following security problems have been fixed : - net/atm/svc.c in the ATM subsystem allowed local users to cause a denial of service (kernel infinite loop) by making two calls to svc_listen for the same socket, and then reading a /proc/net/atm/ *vc file, related to corruption of the vcc table. (CVE-2008-5079) - The __scm_destroy function in net/core/scm.c makes indirect recursive calls to itself through calls to the fput function, which allows local users to cause a denial of service (panic) via vectors related to sending an SCM_RIGHTS message through a UNIX domain socket and closing file descriptors. (CVE-2008-5029) - Buffer overflow in the hfsplus_find_cat function in fs/hfsplus/catalog.c allowed attackers to cause a denial of service (memory corruption or system crash) via an hfsplus filesystem image with an invalid catalog namelength field, related to the hfsplus_cat_build_key_uni function. (CVE-2008-4933) - Stack-based buffer overflow in the hfs_cat_find_brec function in fs/hfs/catalog.c allowed attackers to cause a denial of service (memory corruption or system crash) via an hfs filesystem image with an invalid catalog namelength field, a related issue to CVE-2008-4933. (CVE-2008-5025) - The inotify functionality might allow local users to gain privileges via unknown vectors related to race conditions in inotify watch removal and umount. (CVE-2008-5182) A lot of other bugs were fixed, a detailed list can be found in the RPM changelog.
    last seen 2019-02-21
    modified 2016-12-22
    plugin id 59135
    published 2012-05-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59135
    title SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 5927)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20090114_KERNEL_ON_SL4_X.NASL
    description This update addresses the following security issues : - the sendmsg() function in the Linux kernel did not block during UNIX socket garbage collection. This could, potentially, lead to a local denial of service. (CVE-2008-5300, Important) - when fput() was called to close a socket, the __scm_destroy() function in the Linux kernel could make indirect recursive calls to itself. This could, potentially, lead to a local denial of service. (CVE-2008-5029, Important) - a deficiency was found in the Linux kernel virtual file system (VFS) implementation. This could allow a local, unprivileged user to make a series of file creations within deleted directories, possibly causing a denial of service. (CVE-2008-3275, Moderate) - a buffer underflow flaw was found in the Linux kernel IB700 SBC watchdog timer driver. This deficiency could lead to a possible information leak. By default, the '/dev/watchdog' device is accessible only to the root user. (CVE-2008-5702, Low) - the hfs and hfsplus file systems code failed to properly handle corrupted data structures. This could, potentially, lead to a local denial of service. (CVE-2008-4933, CVE-2008-5025, Low) - a flaw was found in the hfsplus file system implementation. This could, potentially, lead to a local denial of service when write operations were performed. (CVE-2008-4934, Low) This update also fixes the following bugs : - when running Red Hat Enterprise Linux 4.6 and 4.7 on some systems running Intel® CPUs, the cpuspeed daemon did not run, preventing the CPU speed from being changed, such as not being reduced to an idle state when not in use. - mmap() could be used to gain access to beyond the first megabyte of RAM, due to insufficient checks in the Linux kernel code. Checks have been added to prevent this. - attempting to turn keyboard LEDs on and off rapidly on keyboards with slow keyboard controllers, may have caused key presses to fail. - after migrating a hypervisor guest, the MAC address table was not updated, causing packet loss and preventing network connections to the guest. Now, a gratuitous ARP request is sent after migration. This refreshes the ARP caches, minimizing network downtime. - writing crash dumps with diskdump may have caused a kernel panic on Non-Uniform Memory Access (NUMA) systems with certain memory configurations. - on big-endian systems, such as PowerPC, the getsockopt() function incorrectly returned 0 depending on the parameters passed to it when the time to live (TTL) value equaled 255, possibly causing memory corruption and application crashes. - a problem in the kernel packages provided by the RHSA-2008:0508 advisory caused the Linux kernel's built-in memory copy procedure to return the wrong error code after recovering from a page fault on AMD64 and Intel 64 systems. This may have caused other Linux kernel functions to return wrong error codes. - a divide-by-zero bug in the Linux kernel process scheduler, which may have caused kernel panics on certain systems, has been resolved. - the netconsole kernel module caused the Linux kernel to hang when slave interfaces of bonded network interfaces were started, resulting in a system hang or kernel panic when restarting the network. - the '/proc/xen/' directory existed even if systems were not running Red Hat Virtualization. This may have caused problems for third-party software that checks virtualization-ability based on the existence of '/proc/xen/'. Note: this update will remove the '/proc/xen/' directory on systems not running Red Hat Virtualization. This updated kernel-utils package adds an enhancement in the way of proper support for user-space frequency-scaling on multi-core systems.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 60520
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60520
    title Scientific Linux Security Update : kernel on SL4.x i386/x86_64
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2009-0014.NASL
    description From Red Hat Security Advisory 2009:0014 : Updated kernel packages that resolve several security issues and fix various bugs are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update addresses the following security issues : * the sendmsg() function in the Linux kernel did not block during UNIX socket garbage collection. This could, potentially, lead to a local denial of service. (CVE-2008-5300, Important) * when fput() was called to close a socket, the __scm_destroy() function in the Linux kernel could make indirect recursive calls to itself. This could, potentially, lead to a local denial of service. (CVE-2008-5029, Important) * a deficiency was found in the Linux kernel virtual file system (VFS) implementation. This could allow a local, unprivileged user to make a series of file creations within deleted directories, possibly causing a denial of service. (CVE-2008-3275, Moderate) * a buffer underflow flaw was found in the Linux kernel IB700 SBC watchdog timer driver. This deficiency could lead to a possible information leak. By default, the '/dev/watchdog' device is accessible only to the root user. (CVE-2008-5702, Low) * the hfs and hfsplus file systems code failed to properly handle corrupted data structures. This could, potentially, lead to a local denial of service. (CVE-2008-4933, CVE-2008-5025, Low) * a flaw was found in the hfsplus file system implementation. This could, potentially, lead to a local denial of service when write operations were performed. (CVE-2008-4934, Low) This update also fixes the following bugs : * when running Red Hat Enterprise Linux 4.6 and 4.7 on some systems running Intel(r) CPUs, the cpuspeed daemon did not run, preventing the CPU speed from being changed, such as not being reduced to an idle state when not in use. * mmap() could be used to gain access to beyond the first megabyte of RAM, due to insufficient checks in the Linux kernel code. Checks have been added to prevent this. * attempting to turn keyboard LEDs on and off rapidly on keyboards with slow keyboard controllers, may have caused key presses to fail. * after migrating a hypervisor guest, the MAC address table was not updated, causing packet loss and preventing network connections to the guest. Now, a gratuitous ARP request is sent after migration. This refreshes the ARP caches, minimizing network downtime. * writing crash dumps with diskdump may have caused a kernel panic on Non-Uniform Memory Access (NUMA) systems with certain memory configurations. * on big-endian systems, such as PowerPC, the getsockopt() function incorrectly returned 0 depending on the parameters passed to it when the time to live (TTL) value equaled 255, possibly causing memory corruption and application crashes. * a problem in the kernel packages provided by the RHSA-2008:0508 advisory caused the Linux kernel's built-in memory copy procedure to return the wrong error code after recovering from a page fault on AMD64 and Intel 64 systems. This may have caused other Linux kernel functions to return wrong error codes. * a divide-by-zero bug in the Linux kernel process scheduler, which may have caused kernel panics on certain systems, has been resolved. * the netconsole kernel module caused the Linux kernel to hang when slave interfaces of bonded network interfaces were started, resulting in a system hang or kernel panic when restarting the network. * the '/proc/xen/' directory existed even if systems were not running Red Hat Virtualization. This may have caused problems for third-party software that checks virtualization-ability based on the existence of '/proc/xen/'. Note: this update will remove the '/proc/xen/' directory on systems not running Red Hat Virtualization. All Red Hat Enterprise Linux 4 users should upgrade to these updated packages, which contain backported patches to resolve these issues.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 67790
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67790
    title Oracle Linux 4 : kernel (ELSA-2009-0014)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1687.NASL
    description Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2008-3527 Tavis Ormandy reported a local DoS and potential privilege escalation in the Virtual Dynamic Shared Objects (vDSO) implementation. - CVE-2008-3528 Eugene Teo reported a local DoS issue in the ext2 and ext3 filesystems. Local users who have been granted the privileges necessary to mount a filesystem would be able to craft a corrupted filesystem that causes the kernel to output error messages in an infinite loop. - CVE-2008-4554 Milos Szeredi reported that the usage of splice() on files opened with O_APPEND allows users to write to the file at arbitrary offsets, enabling a bypass of possible assumed semantics of the O_APPEND flag. - CVE-2008-4576 Vlad Yasevich reported an issue in the SCTP subsystem that may allow remote users to cause a local DoS by triggering a kernel oops. - CVE-2008-4933 Eric Sesterhenn reported a local DoS issue in the hfsplus filesystem. Local users who have been granted the privileges necessary to mount a filesystem would be able to craft a corrupted filesystem that causes the kernel to overrun a buffer, resulting in a system oops or memory corruption. - CVE-2008-4934 Eric Sesterhenn reported a local DoS issue in the hfsplus filesystem. Local users who have been granted the privileges necessary to mount a filesystem would be able to craft a corrupted filesystem that results in a kernel oops due to an unchecked return value. - CVE-2008-5025 Eric Sesterhenn reported a local DoS issue in the hfs filesystem. Local users who have been granted the privileges necessary to mount a filesystem would be able to craft a filesystem with a corrupted catalog name length, resulting in a system oops or memory corruption. - CVE-2008-5029 Andrea Bittau reported a DoS issue in the unix socket subsystem that allows a local user to cause memory corruption, resulting in a kernel panic. - CVE-2008-5079 Hugo Dias reported a DoS condition in the ATM subsystem that can be triggered by a local user by calling the svc_listen function twice on the same socket and reading /proc/net/atm/*vc. - CVE-2008-5182 Al Viro reported race conditions in the inotify subsystem that may allow local users to acquire elevated privileges. - CVE-2008-5300 Dann Frazier reported a DoS condition that allows local users to cause the out of memory handler to kill off privileged processes or trigger soft lockups due to a starvation issue in the unix socket subsystem.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 35174
    published 2008-12-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=35174
    title Debian DSA-1687-1 : linux-2.6 - denial of service/privilege escalation
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2009-0014.NASL
    description Updated kernel packages that resolve several security issues and fix various bugs are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update addresses the following security issues : * the sendmsg() function in the Linux kernel did not block during UNIX socket garbage collection. This could, potentially, lead to a local denial of service. (CVE-2008-5300, Important) * when fput() was called to close a socket, the __scm_destroy() function in the Linux kernel could make indirect recursive calls to itself. This could, potentially, lead to a local denial of service. (CVE-2008-5029, Important) * a deficiency was found in the Linux kernel virtual file system (VFS) implementation. This could allow a local, unprivileged user to make a series of file creations within deleted directories, possibly causing a denial of service. (CVE-2008-3275, Moderate) * a buffer underflow flaw was found in the Linux kernel IB700 SBC watchdog timer driver. This deficiency could lead to a possible information leak. By default, the '/dev/watchdog' device is accessible only to the root user. (CVE-2008-5702, Low) * the hfs and hfsplus file systems code failed to properly handle corrupted data structures. This could, potentially, lead to a local denial of service. (CVE-2008-4933, CVE-2008-5025, Low) * a flaw was found in the hfsplus file system implementation. This could, potentially, lead to a local denial of service when write operations were performed. (CVE-2008-4934, Low) This update also fixes the following bugs : * when running Red Hat Enterprise Linux 4.6 and 4.7 on some systems running Intel(r) CPUs, the cpuspeed daemon did not run, preventing the CPU speed from being changed, such as not being reduced to an idle state when not in use. * mmap() could be used to gain access to beyond the first megabyte of RAM, due to insufficient checks in the Linux kernel code. Checks have been added to prevent this. * attempting to turn keyboard LEDs on and off rapidly on keyboards with slow keyboard controllers, may have caused key presses to fail. * after migrating a hypervisor guest, the MAC address table was not updated, causing packet loss and preventing network connections to the guest. Now, a gratuitous ARP request is sent after migration. This refreshes the ARP caches, minimizing network downtime. * writing crash dumps with diskdump may have caused a kernel panic on Non-Uniform Memory Access (NUMA) systems with certain memory configurations. * on big-endian systems, such as PowerPC, the getsockopt() function incorrectly returned 0 depending on the parameters passed to it when the time to live (TTL) value equaled 255, possibly causing memory corruption and application crashes. * a problem in the kernel packages provided by the RHSA-2008:0508 advisory caused the Linux kernel's built-in memory copy procedure to return the wrong error code after recovering from a page fault on AMD64 and Intel 64 systems. This may have caused other Linux kernel functions to return wrong error codes. * a divide-by-zero bug in the Linux kernel process scheduler, which may have caused kernel panics on certain systems, has been resolved. * the netconsole kernel module caused the Linux kernel to hang when slave interfaces of bonded network interfaces were started, resulting in a system hang or kernel panic when restarting the network. * the '/proc/xen/' directory existed even if systems were not running Red Hat Virtualization. This may have caused problems for third-party software that checks virtualization-ability based on the existence of '/proc/xen/'. Note: this update will remove the '/proc/xen/' directory on systems not running Red Hat Virtualization. All Red Hat Enterprise Linux 4 users should upgrade to these updated packages, which contain backported patches to resolve these issues.
    last seen 2019-02-21
    modified 2018-11-27
    plugin id 35381
    published 2009-01-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=35381
    title RHEL 4 : kernel (RHSA-2009:0014)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20090210_KERNEL_ON_SL5_X.NASL
    description This update addresses the following security issues : - a memory leak in keyctl handling. A local user could use this flaw to deplete kernel memory, eventually leading to a denial of service. (CVE-2009-0031, Important) - a buffer overflow in the Linux kernel Partial Reliable Stream Control Transmission Protocol (PR-SCTP) implementation. This could, potentially, lead to a denial of service if a Forward-TSN chunk is received with a large stream ID. (CVE-2009-0065, Important) - a flaw when handling heavy network traffic on an SMP system with many cores. An attacker who could send a large amount of network traffic could create a denial of service. (CVE-2008-5713, Important) - the code for the HFS and HFS Plus (HFS+) file systems failed to properly handle corrupted data structures. This could, potentially, lead to a local denial of service. (CVE-2008-4933, CVE-2008-5025, Low) - a flaw was found in the HFS Plus (HFS+) file system implementation. This could, potentially, lead to a local denial of service when write operations are performed. (CVE-2008-4934, Low) - when fput() was called to close a socket, the __scm_destroy() function in the Linux kernel could make indirect recursive calls to itself. This could, potentially, lead to a denial of service issue. (CVE-2008-5029, Important) - a flaw was found in the Asynchronous Transfer Mode (ATM) subsystem. A local, unprivileged user could use the flaw to listen on the same socket more than once, possibly causing a denial of service. (CVE-2008-5079, Important) - a race condition was found in the Linux kernel 'inotify' watch removal and umount implementation. This could allow a local, unprivileged user to cause a privilege escalation or a denial of service. (CVE-2008-5182, Important) ** Bug fixes and enhancements are provided for : - support for specific NICs, including products from the following manufacturers: Broadcom Chelsio Cisco Intel Marvell NetXen Realtek Sun - Fiber Channel support, including support for Qlogic qla2xxx, qla4xxx, and qla84xx HBAs and the FCoE, FCP, and zFCP protocols. - support for various CPUs, including: AMD Opteron processors with 45 nm SOI ('Shanghai') AMD Turion Ultra processors Cell processors Intel Core i7 processors - Xen support, including issues specific to the IA64 platform, systems using AMD processors, and Dell Optiplex GX280 systems - ext3, ext4, GFS2, NFS, and SPUFS - Infiniband (including eHCA, eHEA, and IPoIB) support - common I/O (CIO), direct I/O (DIO), and queued direct I/O (qdio) support - the kernel distributed lock manager (DLM) - hardware issues with: SCSI, IEEE 1394 (FireWire), RAID (including issues specific to Adaptec controllers), SATA (including NCQ), PCI, audio, serial connections, tape-drives, and USB - ACPI, some of a general nature and some related to specific hardware including: certain Lenovo Thinkpad notebooks, HP DC7700 systems, and certain machines based on Intel Centrino processor technology. - CIFS, including Kerberos support and a tech-preview of DFS support - networking support, including IPv6, PPPoE, and IPSec - support for Intel chipsets, including: Intel Cantiga chipsets Intel Eagle Lake chipsets Intel i915 chipsets Intel i965 chipsets Intel Ibex Peak chipsets Intel chipsets offering QuickPath Interconnects (QPI) - device mapping issues, including some in device mapper itself - various issues specific to IA64 and PPC - CCISS, including support for Compaq SMART Array controllers P711m and P712m and other new hardware - various issues affecting specific HP systems, including: DL785G5 XW4800 XW8600 XW8600 XW9400 - IOMMU support, including specific issues with AMD and IBM Calgary hardware - the audit subsystem - DASD support - iSCSI support, including issues specific to Chelsio T3 adapters - LVM issues - SCTP management information base (MIB) support - issues with: autofs, kdump, kobject_add, libata, lpar, ptrace, and utrace - platforms using Intel Enhanced Error Handling (EEH) - EDAC issues for AMD K8 and Intel i5000 - ALSA, including support for new hardware - futex support - hugepage support - Intelligent Platform Management Interface (IPMI) support - issues affecting NEC/Stratus servers - OFED support - SELinux - various Virtio issues - when using the nfsd daemon in a clustered setup, kernel panics appeared seemingly at random. These panics were caused by a race condition in the device-mapper mirror target. - the clock_gettime(CLOCK_THREAD_CPUTIME_ID, ) syscall returned a smaller timespec value than the result of previous clock_gettime() function execution, which resulted in a negative, and nonsensical, elapsed time value. - nfs_create_rpc_client was called with a 'flavor' parameter which was usually ignored and ended up unconditionally creating the RPC client with an AUTH_UNIX flavor. This caused problems on AUTH_GSS mounts when the credentials needed to be refreshed. The credops did not match the authorization type, which resulted in the credops dereferencing an incorrect part of the AUTH_UNIX rpc_auth struct. - when copy_user_c terminated prematurely due to reading beyond the end of the user buffer and the kernel jumped to the exception table entry, the rsi register was not cleared. This resulted in exiting back to user code with garbage in the rsi register. - the hexdump data in s390dbf traces was incomplete. The length of the data traced was incorrect and the SAN payload was read from a different place then it was written to. - when using connected mode (CM) in IPoIB on ehca2 hardware, it was not possible to transmit any data. - when an application called fork() and pthread_create() many times and, at some point, a thread forked a child and then attempted to call the setpgid() function, then this function failed and returned and ESRCH error value.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 60532
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60532
    title Scientific Linux Security Update : kernel on SL5.x i386/x86_64
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2009-0264.NASL
    description Updated kernel packages that resolve several security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update addresses the following security issues : * a memory leak in keyctl handling. A local user could use this flaw to deplete kernel memory, eventually leading to a denial of service. (CVE-2009-0031, Important) * a buffer overflow in the Linux kernel Partial Reliable Stream Control Transmission Protocol (PR-SCTP) implementation. This could, potentially, lead to a denial of service if a Forward-TSN chunk is received with a large stream ID. (CVE-2009-0065, Important) * a flaw when handling heavy network traffic on an SMP system with many cores. An attacker who could send a large amount of network traffic could create a denial of service. (CVE-2008-5713, Important) * the code for the HFS and HFS Plus (HFS+) file systems failed to properly handle corrupted data structures. This could, potentially, lead to a local denial of service. (CVE-2008-4933, CVE-2008-5025, Low) * a flaw was found in the HFS Plus (HFS+) file system implementation. This could, potentially, lead to a local denial of service when write operations are performed. (CVE-2008-4934, Low) In addition, these updated packages fix the following bugs : * when using the nfsd daemon in a clustered setup, kernel panics appeared seemingly at random. These panics were caused by a race condition in the device-mapper mirror target. * the clock_gettime(CLOCK_THREAD_CPUTIME_ID, ) syscall returned a smaller timespec value than the result of previous clock_gettime() function execution, which resulted in a negative, and nonsensical, elapsed time value. * nfs_create_rpc_client was called with a 'flavor' parameter which was usually ignored and ended up unconditionally creating the RPC client with an AUTH_UNIX flavor. This caused problems on AUTH_GSS mounts when the credentials needed to be refreshed. The credops did not match the authorization type, which resulted in the credops dereferencing an incorrect part of the AUTH_UNIX rpc_auth struct. * when copy_user_c terminated prematurely due to reading beyond the end of the user buffer and the kernel jumped to the exception table entry, the rsi register was not cleared. This resulted in exiting back to user code with garbage in the rsi register. * the hexdump data in s390dbf traces was incomplete. The length of the data traced was incorrect and the SAN payload was read from a different place then it was written to. * when using connected mode (CM) in IPoIB on ehca2 hardware, it was not possible to transmit any data. * when an application called fork() and pthread_create() many times and, at some point, a thread forked a child and then attempted to call the setpgid() function, then this function failed and returned and ESRCH error value. Users should upgrade to these updated packages, which contain backported patches to correct these issues. Note: for this update to take effect, the system must be rebooted.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 35645
    published 2009-02-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=35645
    title RHEL 5 : kernel (RHSA-2009:0264)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_KERNEL-5924.NASL
    description The SUSE Linux Enterprise 10 Service Pack 2 kernel was updated to fix some security issues and various bugs. The following security problems have been fixed : - net/atm/svc.c in the ATM subsystem allowed local users to cause a denial of service (kernel infinite loop) by making two calls to svc_listen for the same socket, and then reading a /proc/net/atm/ *vc file, related to corruption of the vcc table. (CVE-2008-5079) - The __scm_destroy function in net/core/scm.c makes indirect recursive calls to itself through calls to the fput function, which allows local users to cause a denial of service (panic) via vectors related to sending an SCM_RIGHTS message through a UNIX domain socket and closing file descriptors. (CVE-2008-5029) - Buffer overflow in the hfsplus_find_cat function in fs/hfsplus/catalog.c allowed attackers to cause a denial of service (memory corruption or system crash) via an hfsplus filesystem image with an invalid catalog namelength field, related to the hfsplus_cat_build_key_uni function. (CVE-2008-4933) - Stack-based buffer overflow in the hfs_cat_find_brec function in fs/hfs/catalog.c allowed attackers to cause a denial of service (memory corruption or system crash) via an hfs filesystem image with an invalid catalog namelength field, a related issue to CVE-2008-4933. (CVE-2008-5025) - The inotify functionality might allow local users to gain privileges via unknown vectors related to race conditions in inotify watch removal and umount. (CVE-2008-5182) A lot of other bugs were fixed, a detailed list can be found in the RPM changelog.
    last seen 2019-02-21
    modified 2016-12-22
    plugin id 41537
    published 2009-09-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=41537
    title SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 5924)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_KERNEL-5920.NASL
    description The openSUSE 10.3 kernel was updated to fix various security problems and bugs. Following security bugs were fixed : CVE-2008-5702: Buffer underflow in the ibwdt_ioctl function in drivers/watchdog/ib700wdt.c might allow local users to have an unknown impact via a certain /dev/watchdog WDIOC_SETTIMEOUT IOCTL call. CVE-2008-5079: net/atm/svc.c in the ATM subsystem allowed local users to cause a denial of service (kernel infinite loop) by making two calls to svc_listen for the same socket, and then reading a /proc/net/atm/*vc file, related to corruption of the vcc table. CVE-2008-5029: The __scm_destroy function in net/core/scm.c makes indirect recursive calls to itself through calls to the fput function, which allows local users to cause a denial of service (panic) via vectors related to sending an SCM_RIGHTS message through a UNIX domain socket and closing file descriptors. CVE-2008-5134: Buffer overflow in the lbs_process_bss function in drivers/net/wireless/libertas/scan.c in the libertas subsystem allowed remote attackers to have an unknown impact via an 'invalid beacon/probe response.' CVE-2008-4933: Buffer overflow in the hfsplus_find_cat function in fs/hfsplus/catalog.c allowed attackers to cause a denial of service (memory corruption or system crash) via an hfsplus filesystem image with an invalid catalog namelength field, related to the hfsplus_cat_build_key_uni function. CVE-2008-5025: Stack-based buffer overflow in the hfs_cat_find_brec function in fs/hfs/catalog.c allowed attackers to cause a denial of service (memory corruption or system crash) via an hfs filesystem image with an invalid catalog namelength field, a related issue to CVE-2008-4933. CVE-2008-5182: The inotify functionality might allow local users to gain privileges via unknown vectors related to race conditions in inotify watch removal and umount.
    last seen 2019-02-21
    modified 2016-12-22
    plugin id 35446
    published 2009-01-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=35446
    title openSUSE 10 Security Update : kernel (kernel-5920)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2009-0264.NASL
    description From Red Hat Security Advisory 2009:0264 : Updated kernel packages that resolve several security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update addresses the following security issues : * a memory leak in keyctl handling. A local user could use this flaw to deplete kernel memory, eventually leading to a denial of service. (CVE-2009-0031, Important) * a buffer overflow in the Linux kernel Partial Reliable Stream Control Transmission Protocol (PR-SCTP) implementation. This could, potentially, lead to a denial of service if a Forward-TSN chunk is received with a large stream ID. (CVE-2009-0065, Important) * a flaw when handling heavy network traffic on an SMP system with many cores. An attacker who could send a large amount of network traffic could create a denial of service. (CVE-2008-5713, Important) * the code for the HFS and HFS Plus (HFS+) file systems failed to properly handle corrupted data structures. This could, potentially, lead to a local denial of service. (CVE-2008-4933, CVE-2008-5025, Low) * a flaw was found in the HFS Plus (HFS+) file system implementation. This could, potentially, lead to a local denial of service when write operations are performed. (CVE-2008-4934, Low) In addition, these updated packages fix the following bugs : * when using the nfsd daemon in a clustered setup, kernel panics appeared seemingly at random. These panics were caused by a race condition in the device-mapper mirror target. * the clock_gettime(CLOCK_THREAD_CPUTIME_ID, ) syscall returned a smaller timespec value than the result of previous clock_gettime() function execution, which resulted in a negative, and nonsensical, elapsed time value. * nfs_create_rpc_client was called with a 'flavor' parameter which was usually ignored and ended up unconditionally creating the RPC client with an AUTH_UNIX flavor. This caused problems on AUTH_GSS mounts when the credentials needed to be refreshed. The credops did not match the authorization type, which resulted in the credops dereferencing an incorrect part of the AUTH_UNIX rpc_auth struct. * when copy_user_c terminated prematurely due to reading beyond the end of the user buffer and the kernel jumped to the exception table entry, the rsi register was not cleared. This resulted in exiting back to user code with garbage in the rsi register. * the hexdump data in s390dbf traces was incomplete. The length of the data traced was incorrect and the SAN payload was read from a different place then it was written to. * when using connected mode (CM) in IPoIB on ehca2 hardware, it was not possible to transmit any data. * when an application called fork() and pthread_create() many times and, at some point, a thread forked a child and then attempted to call the setpgid() function, then this function failed and returned and ESRCH error value. Users should upgrade to these updated packages, which contain backported patches to correct these issues. Note: for this update to take effect, the system must be rebooted.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 67800
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67800
    title Oracle Linux 5 : kernel (ELSA-2009-0264)
oval via4
accepted 2013-04-29T04:05:56.219-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
  • comment The operating system installed on the system is Red Hat Enterprise Linux 5
    oval oval:org.mitre.oval:def:11414
  • comment The operating system installed on the system is CentOS Linux 5.x
    oval oval:org.mitre.oval:def:15802
  • comment Oracle Linux 5.x
    oval oval:org.mitre.oval:def:15459
description Stack-based buffer overflow in the hfs_cat_find_brec function in fs/hfs/catalog.c in the Linux kernel before 2.6.28-rc1 allows attackers to cause a denial of service (memory corruption or system crash) via an hfs filesystem image with an invalid catalog namelength field, a related issue to CVE-2008-4933.
family unix
id oval:org.mitre.oval:def:10470
status accepted
submitted 2010-07-09T03:56:16-04:00
title Stack-based buffer overflow in the hfs_cat_find_brec function in fs/hfs/catalog.c in the Linux kernel before 2.6.28-rc1 allows attackers to cause a denial of service (memory corruption or system crash) via an hfs filesystem image with an invalid catalog namelength field, a related issue to CVE-2008-4933.
version 24
redhat via4
advisories
  • rhsa
    id RHSA-2009:0014
  • rhsa
    id RHSA-2009:0264
rpms
  • kernel-0:2.6.9-78.0.13.EL
  • kernel-devel-0:2.6.9-78.0.13.EL
  • kernel-doc-0:2.6.9-78.0.13.EL
  • kernel-hugemem-0:2.6.9-78.0.13.EL
  • kernel-hugemem-devel-0:2.6.9-78.0.13.EL
  • kernel-largesmp-0:2.6.9-78.0.13.EL
  • kernel-largesmp-devel-0:2.6.9-78.0.13.EL
  • kernel-smp-0:2.6.9-78.0.13.EL
  • kernel-smp-devel-0:2.6.9-78.0.13.EL
  • kernel-xenU-0:2.6.9-78.0.13.EL
  • kernel-xenU-devel-0:2.6.9-78.0.13.EL
  • kernel-0:2.6.18-128.1.1.el5
  • kernel-PAE-0:2.6.18-128.1.1.el5
  • kernel-PAE-devel-0:2.6.18-128.1.1.el5
  • kernel-debug-0:2.6.18-128.1.1.el5
  • kernel-debug-devel-0:2.6.18-128.1.1.el5
  • kernel-devel-0:2.6.18-128.1.1.el5
  • kernel-doc-0:2.6.18-128.1.1.el5
  • kernel-headers-0:2.6.18-128.1.1.el5
  • kernel-kdump-0:2.6.18-128.1.1.el5
  • kernel-kdump-devel-0:2.6.18-128.1.1.el5
  • kernel-xen-0:2.6.18-128.1.1.el5
  • kernel-xen-devel-0:2.6.18-128.1.1.el5
refmap via4
bid 32289
confirm
debian
  • DSA-1681
  • DSA-1687
mandriva MDVSA-2008:246
mlist
  • [oss-security] 20081110 Re: CVE requests: kernel: hfsplus-related bugs
  • [oss-security] 20081111 Re: CVE requests: kernel: hfsplus-related bugs
osvdb 49863
sectrack 1021230
secunia
  • 32719
  • 32918
  • 32998
  • 33180
  • 33556
  • 33641
  • 33704
  • 33858
suse
  • SUSE-SA:2009:004
  • SUSE-SA:2009:008
ubuntu USN-679-1
xf linux-kernel-hfscatfindbrec-bo(46605)
Last major update 28-08-2013 - 01:56
Published 17-11-2008 - 18:30
Last modified 28-09-2017 - 21:32
Back to Top