ID CVE-2006-0482 Type cve Reporter NVD Modified 2017-07-19T21:29:48
Description
Linux kernel 2.6.15.1 and earlier, when running on SPARC architectures, allows local users to cause a denial of service (hang) via a "date -s" command, which causes invalid sign extended arguments to be provided to the get_compat_timespec function call.
{"result": {"debian": [{"id": "DSA-1017", "type": "debian", "title": "kernel-source-2.6.8 -- several vulnerabilities", "description": "Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems:\n\n * [CVE-2004-1017](<https://security-tracker.debian.org/tracker/CVE-2004-1017>)\n\nMultiple overflows exist in the io_edgeport driver which might be usable as a denial of service attack vector.\n\n * [CVE-2005-0124](<https://security-tracker.debian.org/tracker/CVE-2005-0124>)\n\nBryan Fulton reported a bounds checking bug in the coda_pioctl function which may allow local users to execute arbitrary code or trigger a denial of service attack.\n\n * [CVE-2005-0449](<https://security-tracker.debian.org/tracker/CVE-2005-0449>)\n\nAn error in the skb_checksum_help() function from the netfilter framework has been discovered that allows the bypass of packet filter rules or a denial of service attack.\n\n * [CVE-2005-2457](<https://security-tracker.debian.org/tracker/CVE-2005-2457>)\n\nTim Yamin discovered that insufficient input validation in the zisofs driver for compressed ISO file systems allows a denial of service attack through maliciously crafted ISO images.\n\n * [CVE-2005-2490](<https://security-tracker.debian.org/tracker/CVE-2005-2490>)\n\nA buffer overflow in the sendmsg() function allows local users to execute arbitrary code.\n\n * [CVE-2005-2555](<https://security-tracker.debian.org/tracker/CVE-2005-2555>)\n\nHerbert Xu discovered that the setsockopt() function was not restricted to users/processes with the CAP_NET_ADMIN capability. This allows attackers to manipulate IPSEC policies or initiate a denial of service attack. \n\n * [CVE-2005-2709](<https://security-tracker.debian.org/tracker/CVE-2005-2709>)\n\nAl Viro discovered a race condition in the /proc handling of network devices. A (local) attacker could exploit the stale reference after interface shutdown to cause a denial of service or possibly execute code in kernel mode.\n\n * [CVE-2005-2800](<https://security-tracker.debian.org/tracker/CVE-2005-2800>)\n\nJan Blunck discovered that repeated failed reads of /proc/scsi/sg/devices leak memory, which allows a denial of service attack.\n\n * [CVE-2005-2973](<https://security-tracker.debian.org/tracker/CVE-2005-2973>)\n\nTetsuo Handa discovered that the udp_v6_get_port() function from the IPv6 code can be forced into an endless loop, which allows a denial of service attack.\n\n * [CVE-2005-3044](<https://security-tracker.debian.org/tracker/CVE-2005-3044>)\n\nVasiliy Averin discovered that the reference counters from sockfd_put() and fput() can be forced into overlapping, which allows a denial of service attack through a null pointer dereference.\n\n * [CVE-2005-3053](<https://security-tracker.debian.org/tracker/CVE-2005-3053>)\n\nEric Dumazet discovered that the set_mempolicy() system call accepts a negative value for its first argument, which triggers a BUG() assert. This allows a denial of service attack.\n\n * [CVE-2005-3055](<https://security-tracker.debian.org/tracker/CVE-2005-3055>)\n\nHarald Welte discovered that if a process issues a USB Request Block (URB) to a device and terminates before the URB completes, a stale pointer would be dereferenced. This could be used to trigger a denial of service attack.\n\n * [CVE-2005-3180](<https://security-tracker.debian.org/tracker/CVE-2005-3180>)\n\nPavel Roskin discovered that the driver for Orinoco wireless cards clears its buffers insufficiently. This could leak sensitive information into user space.\n\n * [CVE-2005-3181](<https://security-tracker.debian.org/tracker/CVE-2005-3181>)\n\nRobert Derr discovered that the audit subsystem uses an incorrect function to free memory, which allows a denial of service attack.\n\n * [CVE-2005-3257](<https://security-tracker.debian.org/tracker/CVE-2005-3257>)\n\nRudolf Polzer discovered that the kernel improperly restricts access to the KDSKBSENT ioctl, which can possibly lead to privilege escalation.\n\n * [CVE-2005-3356](<https://security-tracker.debian.org/tracker/CVE-2005-3356>)\n\nDoug Chapman discovered that the mq_open syscall can be tricked into decrementing an internal counter twice, which allows a denial of service attack through a kernel panic.\n\n * [CVE-2005-3358](<https://security-tracker.debian.org/tracker/CVE-2005-3358>)\n\nDoug Chapman discovered that passing a zero bitmask to the set_mempolicy() system call leads to a kernel panic, which allows a denial of service attack.\n\n * [CVE-2005-3783](<https://security-tracker.debian.org/tracker/CVE-2005-3783>)\n\nThe ptrace code using CLONE_THREAD didn't use the thread group ID to determine whether the caller is attaching to itself, which allows a denial of service attack.\n\n * [CVE-2005-3784](<https://security-tracker.debian.org/tracker/CVE-2005-3784>)\n\nThe auto-reaping of child processes functionality included ptraced-attached processes, which allows denial of service through dangling references.\n\n * [CVE-2005-3806](<https://security-tracker.debian.org/tracker/CVE-2005-3806>)\n\nYen Zheng discovered that the IPv6 flow label code modified an incorrect variable, which could lead to memory corruption and denial of service.\n\n * [CVE-2005-3847](<https://security-tracker.debian.org/tracker/CVE-2005-3847>)\n\nIt was discovered that a threaded real-time process, which is currently dumping core can be forced into a dead-lock situation by sending it a SIGKILL signal, which allows a denial of service attack. \n\n * [CVE-2005-3848](<https://security-tracker.debian.org/tracker/CVE-2005-3848>)\n\nOllie Wild discovered a memory leak in the icmp_push_reply() function, which allows denial of service through memory consumption.\n\n * [CVE-2005-3857](<https://security-tracker.debian.org/tracker/CVE-2005-3857>)\n\nChris Wright discovered that excessive allocation of broken file lock leases in the VFS layer can exhaust memory and fill up the system logging, which allows denial of service.\n\n * [CVE-2005-3858](<https://security-tracker.debian.org/tracker/CVE-2005-3858>)\n\nPatrick McHardy discovered a memory leak in the ip6_input_finish() function from the IPv6 code, which allows denial of service.\n\n * [CVE-2005-4605](<https://security-tracker.debian.org/tracker/CVE-2005-4605>)\n\nKarl Janmar discovered that a signedness error in the procfs code can be exploited to read kernel memory, which may disclose sensitive information.\n\n * [CVE-2005-4618](<https://security-tracker.debian.org/tracker/CVE-2005-4618>)\n\nYi Ying discovered that sysctl does not properly enforce the size of a buffer, which allows a denial of service attack.\n\n * [CVE-2006-0095](<https://security-tracker.debian.org/tracker/CVE-2006-0095>)\n\nStefan Rompf discovered that dm_crypt does not clear an internal struct before freeing it, which might disclose sensitive information.\n\n * [CVE-2006-0096](<https://security-tracker.debian.org/tracker/CVE-2006-0096>)\n\nIt was discovered that the SDLA driver's capability checks were too lax for firmware upgrades.\n\n * [CVE-2006-0482](<https://security-tracker.debian.org/tracker/CVE-2006-0482>)\n\nLudovic Courtes discovered that get_compat_timespec() performs insufficient input sanitizing, which allows a local denial of service attack.\n\n * [CVE-2006-1066](<https://security-tracker.debian.org/tracker/CVE-2006-1066>)\n\nIt was discovered that ptrace() on the ia64 architecture allows a local denial of service attack, when preemption is enabled.\n\nThe following matrix explains which kernel version for which architecture fix the problems mentioned above:\n\n| Debian 3.1 (sarge) \n---|--- \nSource | 2.6.8-16sarge2 \nAlpha architecture | 2.6.8-16sarge2 \nAMD64 architecture | 2.6.8-16sarge2 \nHP Precision architecture | 2.6.8-6sarge2 \nIntel IA-32 architecture | 2.6.8-16sarge2 \nIntel IA-64 architecture | 2.6.8-14sarge2 \nMotorola 680x0 architecture| 2.6.8-4sarge2 \nPowerPC architecture | 2.6.8-12sarge2 \nIBM S/390 architecture | 2.6.8-5sarge2 \nSun Sparc architecture | 2.6.8-15sarge2 \n \nThe following matrix lists additional packages that were rebuilt for compatibility with or to take advantage of this update:\n\n| Debian 3.1 (sarge) \n---|--- \nkernel-latest-2.6-alpha | 101sarge1 \nkernel-latest-2.6-amd64 | 103sarge1 \nkernel-latest-2.6-hppa | 2.6.8-1sarge1 \nkernel-latest-2.6-sparc | 101sarge1 \nkernel-latest-2.6-i386 | 101sarge1 \nkernel-latest-powerpc | 102sarge1 \nfai-kernels | 1.9.1sarge1 \nhostap-modules-i386 | 0.3.7-1sarge1 \nmol-modules-2.6.8 | 0.9.70+2.6.8+12sarge1 \nndiswrapper-modules-i386| 1.1-2sarge1 \n \nWe recommend that you upgrade your kernel package immediately and reboot the machine. If you have built a custom kernel from the kernel source package, you will need to rebuild to take advantage of these fixes.\n\nThis update introduces a change in the kernel's binary interface, the affected kernel packages inside Debian have been rebuilt, if you're running local addons you'll need to rebuild these as well. Due to the change in the package name you need to use `apt-get dist-upgrade` to update your system.", "published": "2006-03-23T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.debian.org/security/dsa-1017", "cvelist": ["CVE-2005-3784", "CVE-2005-3783", "CVE-2005-2457", "CVE-2005-3358", "CVE-2006-0096", "CVE-2005-3181", "CVE-2005-3858", "CVE-2005-0124", "CVE-2005-2490", "CVE-2006-1066", "CVE-2005-3356", "CVE-2005-3053", "CVE-2005-4618", "CVE-2005-3044", "CVE-2005-3806", "CVE-2005-3257", "CVE-2005-3848", "CVE-2005-2800", "CVE-2004-1017", "CVE-2005-4605", "CVE-2005-2709", "CVE-2006-0095", "CVE-2006-0482", "CVE-2005-2973", "CVE-2005-3180", "CVE-2005-3847", "CVE-2005-0449", "CVE-2005-3857", "CVE-2005-3055", "CVE-2005-2555"], "lastseen": "2016-09-02T18:35:19"}], "nessus": [{"id": "DEBIAN_DSA-1017.NASL", "type": "nessus", "title": "Debian DSA-1017-1 : kernel-source-2.6.8 - several vulnerabilities", "description": "Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems :\n\n - CVE-2004-1017 Multiple overflows exist in the io_edgeport driver which might be usable as a denial of service attack vector.\n\n - CVE-2005-0124 Bryan Fulton reported a bounds checking bug in the coda_pioctl function which may allow local users to execute arbitrary code or trigger a denial of service attack.\n\n - CVE-2005-0449 An error in the skb_checksum_help() function from the netfilter framework has been discovered that allows the bypass of packet filter rules or a denial of service attack.\n\n - CVE-2005-2457 Tim Yamin discovered that insufficient input validation in the zisofs driver for compressed ISO file systems allows a denial of service attack through maliciously crafted ISO images.\n\n - CVE-2005-2490 A buffer overflow in the sendmsg() function allows local users to execute arbitrary code.\n\n - CVE-2005-2555 Herbert Xu discovered that the setsockopt() function was not restricted to users/processes with the CAP_NET_ADMIN capability. This allows attackers to manipulate IPSEC policies or initiate a denial of service attack. \n\n - CVE-2005-2709 Al Viro discovered a race condition in the /proc handling of network devices. A (local) attacker could exploit the stale reference after interface shutdown to cause a denial of service or possibly execute code in kernel mode.\n\n - CVE-2005-2800 Jan Blunck discovered that repeated failed reads of /proc/scsi/sg/devices leak memory, which allows a denial of service attack.\n\n - CVE-2005-2973 Tetsuo Handa discovered that the udp_v6_get_port() function from the IPv6 code can be forced into an endless loop, which allows a denial of service attack.\n\n - CVE-2005-3044 Vasiliy Averin discovered that the reference counters from sockfd_put() and fput() can be forced into overlapping, which allows a denial of service attack through a NULL pointer dereference.\n\n - CVE-2005-3053 Eric Dumazet discovered that the set_mempolicy() system call accepts a negative value for its first argument, which triggers a BUG() assert. This allows a denial of service attack.\n\n - CVE-2005-3055 Harald Welte discovered that if a process issues a USB Request Block (URB) to a device and terminates before the URB completes, a stale pointer would be dereferenced. This could be used to trigger a denial of service attack.\n\n - CVE-2005-3180 Pavel Roskin discovered that the driver for Orinoco wireless cards clears its buffers insufficiently. This could leak sensitive information into user space.\n\n - CVE-2005-3181 Robert Derr discovered that the audit subsystem uses an incorrect function to free memory, which allows a denial of service attack.\n\n - CVE-2005-3257 Rudolf Polzer discovered that the kernel improperly restricts access to the KDSKBSENT ioctl, which can possibly lead to privilege escalation.\n\n - CVE-2005-3356 Doug Chapman discovered that the mq_open syscall can be tricked into decrementing an internal counter twice, which allows a denial of service attack through a kernel panic.\n\n - CVE-2005-3358 Doug Chapman discovered that passing a zero bitmask to the set_mempolicy() system call leads to a kernel panic, which allows a denial of service attack.\n\n - CVE-2005-3783 The ptrace code using CLONE_THREAD didn't use the thread group ID to determine whether the caller is attaching to itself, which allows a denial of service attack.\n\n - CVE-2005-3784 The auto-reaping of child processes functionality included ptraced-attached processes, which allows denial of service through dangling references.\n\n - CVE-2005-3806 Yen Zheng discovered that the IPv6 flow label code modified an incorrect variable, which could lead to memory corruption and denial of service.\n\n - CVE-2005-3847 It was discovered that a threaded real-time process, which is currently dumping core can be forced into a dead-lock situation by sending it a SIGKILL signal, which allows a denial of service attack. \n\n - CVE-2005-3848 Ollie Wild discovered a memory leak in the icmp_push_reply() function, which allows denial of service through memory consumption.\n\n - CVE-2005-3857 Chris Wright discovered that excessive allocation of broken file lock leases in the VFS layer can exhaust memory and fill up the system logging, which allows denial of service.\n\n - CVE-2005-3858 Patrick McHardy discovered a memory leak in the ip6_input_finish() function from the IPv6 code, which allows denial of service.\n\n - CVE-2005-4605 Karl Janmar discovered that a signedness error in the procfs code can be exploited to read kernel memory, which may disclose sensitive information.\n\n - CVE-2005-4618 Yi Ying discovered that sysctl does not properly enforce the size of a buffer, which allows a denial of service attack.\n\n - CVE-2006-0095 Stefan Rompf discovered that dm_crypt does not clear an internal struct before freeing it, which might disclose sensitive information.\n\n - CVE-2006-0096 It was discovered that the SDLA driver's capability checks were too lax for firmware upgrades.\n\n - CVE-2006-0482 Ludovic Courtes discovered that get_compat_timespec() performs insufficient input sanitizing, which allows a local denial of service attack.\n\n - CVE-2006-1066 It was discovered that ptrace() on the ia64 architecture allows a local denial of service attack, when preemption is enabled.", "published": "2006-10-14T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=22559", "cvelist": ["CVE-2005-3784", "CVE-2005-3783", "CVE-2005-2457", "CVE-2005-3358", "CVE-2006-0096", "CVE-2005-3181", "CVE-2005-3858", "CVE-2005-0124", "CVE-2005-2490", "CVE-2006-1066", "CVE-2005-3356", "CVE-2005-3053", "CVE-2005-4618", "CVE-2005-3044", "CVE-2005-3806", "CVE-2005-3257", "CVE-2005-3848", "CVE-2005-2800", "CVE-2004-1017", "CVE-2005-4605", "CVE-2005-2709", "CVE-2006-0095", "CVE-2006-0482", "CVE-2005-2973", "CVE-2005-3180", "CVE-2005-3847", "CVE-2005-0449", "CVE-2005-3857", "CVE-2005-3055", "CVE-2005-2555"], "lastseen": "2017-10-29T13:45:20"}], "openvas": [{"id": "OPENVAS:56469", "type": "openvas", "title": "Debian Security Advisory DSA 1017-1 (kernel-source-2.6.8)", "description": "The remote host is missing an update to kernel-source-2.6.8\nannounced via advisory DSA 1017-1.", "published": "2008-01-17T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=56469", "cvelist": ["CVE-2005-3784", "CVE-2005-3783", "CVE-2005-2457", "CVE-2005-3358", "CVE-2006-0096", "CVE-2005-3181", "CVE-2005-3858", "CVE-2005-0124", "CVE-2005-2490", "CVE-2006-1066", "CVE-2005-3356", "CVE-2005-3053", "CVE-2005-4618", "CVE-2005-3044", "CVE-2005-3806", "CVE-2005-3257", "CVE-2005-3848", "CVE-2005-2800", "CVE-2004-1017", "CVE-2005-4605", "CVE-2005-2709", "CVE-2006-0095", "CVE-2006-0482", "CVE-2005-2973", "CVE-2005-3180", "CVE-2005-3847", "CVE-2005-0449", "CVE-2005-3857", "CVE-2005-3055", "CVE-2005-2555"], "lastseen": "2017-07-24T12:50:22"}]}}
