CVE-2006-6304 - The do_coredump function in fs/exec.c in the Linux kernel 2.6.19 sets the flag variable to O_EXCL bu

CVE-2006-6304

Summary

The do_coredump function in fs/exec.c in the Linux kernel 2.6.19 sets the flag variable to O_EXCL but does not use it, which allows context-dependent attackers to modify arbitrary files via a rewrite attack during a core dump.

References

Vulnerable Configurations

cpe:2.3:o:linux:linux_kernel:2.6.19:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.19:*:*:*:*:*:*:*

CVSS

Base:	7.5 (as of 11-10-2017 - 01:31)
Impact:
Exploitability:

CWE

CWE-399

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:N/AC:L/Au:N/C:P/I:P/A:P

oval via4

accepted

2013-04-29T04:08:53.423-04:00

class

vulnerability

contributors

name Aharon Chernin
organization SCAP.com, LLC
name Dragos Prisaca
organization G2, Inc.

definition_extensions

comment The operating system installed on the system is Red Hat Enterprise Linux 5
oval oval:org.mitre.oval:def:11414
comment The operating system installed on the system is CentOS Linux 5.x
oval oval:org.mitre.oval:def:15802
comment Oracle Linux 5.x
oval oval:org.mitre.oval:def:15459

description

family

unix

oval:org.mitre.oval:def:10797

status

accepted

submitted

2010-07-09T03:56:16-04:00

title

version

accepted

2014-01-20T04:01:34.917-05:00

class

vulnerability

contributors

name J. Daniel Brown
organization DTCC
name Chris Coffin
organization The MITRE Corporation

definition_extensions

comment	VMware ESX Server 4.0 is installed
oval	oval:org.mitre.oval:def:6293

description

family

unix

oval:org.mitre.oval:def:7446

status

accepted

submitted

2010-06-01T17:30:00.000-05:00

title

Linux Kernel Do_Coredump Security Bypass Vulnerability

version

redhat via4

advisories

rhsa
id RHSA-2010:0046
rhsa
id RHSA-2010:0095

rpms

kernel-0:2.6.18-164.11.1.el5
kernel-PAE-0:2.6.18-164.11.1.el5
kernel-PAE-debuginfo-0:2.6.18-164.11.1.el5
kernel-PAE-devel-0:2.6.18-164.11.1.el5
kernel-debug-0:2.6.18-164.11.1.el5
kernel-debug-debuginfo-0:2.6.18-164.11.1.el5
kernel-debug-devel-0:2.6.18-164.11.1.el5
kernel-debuginfo-0:2.6.18-164.11.1.el5
kernel-debuginfo-common-0:2.6.18-164.11.1.el5
kernel-devel-0:2.6.18-164.11.1.el5
kernel-doc-0:2.6.18-164.11.1.el5
kernel-headers-0:2.6.18-164.11.1.el5
kernel-kdump-0:2.6.18-164.11.1.el5
kernel-kdump-debuginfo-0:2.6.18-164.11.1.el5
kernel-kdump-devel-0:2.6.18-164.11.1.el5
kernel-xen-0:2.6.18-164.11.1.el5
kernel-xen-debuginfo-0:2.6.18-164.11.1.el5
kernel-xen-devel-0:2.6.18-164.11.1.el5

refmap via4

bid	21591
confirm	http://support.avaya.com/css/P8/documents/100073666 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.19.1
secunia	23349
trustix	2006-0074
vupen	ADV-2006-5002

statements via4

contributor	Tomas Hoger
lastmodified	2010-01-21
organization	Red Hat
statement	This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3, 4 and Red Hat Enterprise MRG. Shipped kernels do not include upstream commit d025c9db that introduced the problem. This upstream commit was backported in Red Hat Enterprise Linux 5 via RHSA-2009:0225. It was later reported and addressed in Red Hat Enterprise Linux 5 via https://rhn.redhat.com/errata/RHSA-2010-0046.html

Last major update

11-10-2017 - 01:31

Published

14-12-2006 - 20:28

Last modified

11-10-2017 - 01:31