Linux Kernel Keyring Management KEYCTL_JOIN_SESSION_KEYRING DoS

2005-08-09T09:19:50
ID OSVDB:18652
Type osvdb
Reporter OSVDB
Modified 2005-08-09T09:19:50

Description

Vulnerability Description

Linux contains a flaw that may allow a local denial of service. The issue is triggered when a user causes the system to attempt to allocate a new session keyring either after the user's key quota has been reached or when the new keyring name is blank or too long, and results in loss of availability for the keyring management service.

Solution Description

Upgrade to kernel version 2.6.13-rc6 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

References:

Vendor Specific News/Changelog Entry: http://kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.13-rc6
Security Tracker: 1014644
Secunia Advisory ID: 16355
Secunia Advisory ID: 17073
Secunia Advisory ID: 16500
Related OSVDB ID: 18651
RedHat RHSA: RHSA-2005:514
Other Advisory URL: http://www.ubuntulinux.org/support/documentation/usn/usn-169-1
CVE-2005-2098
Bugtraq ID: 14521