Linux Kernel raw_sendmsg() Unspecified Memory Manipulation
2005-09-09T17:45:55
ID OSVDB:19261 Type osvdb Reporter Al Viro(aviro@redhat.com) Modified 2005-09-09T17:45:55
Description
Vulnerability Description
Linux kernel contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered by an error in the "raw_sendmsg()" function, which may allow a local unprivileged user to read kernel memory contents to obtain sensitive information or on some architectures cause a denial of service by manipulating hardware state, resulting in a loss of confidentiality and/or availability.
Solution Description
Upgrade to kernel version 2.6.13.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
Short Description
Linux kernel contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered by an error in the "raw_sendmsg()" function, which may allow a local unprivileged user to read kernel memory contents to obtain sensitive information or on some architectures cause a denial of service by manipulating hardware state, resulting in a loss of confidentiality and/or availability.
{"enchantments": {"vulnersScore": 2.1}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Kernel", "operator": "eq", "version": "2.6.11"}, {"name": "Kernel", "operator": "eq", "version": "2.6.0"}, {"name": "Kernel", "operator": "eq", "version": "2.6.11.10"}, {"name": "Kernel", "operator": "eq", "version": "2.6.12.3"}, {"name": "Kernel", "operator": "eq", "version": "2.6.6"}, {"name": "Kernel", "operator": "eq", "version": "2.6.12.2"}, {"name": "Kernel", "operator": "eq", "version": "2.6.5"}, {"name": "Kernel", "operator": "eq", "version": "2.6.11.5"}, {"name": "Kernel", "operator": "eq", "version": "2.6.11.4"}, {"name": "Kernel", "operator": "eq", "version": "2.6.11.2"}, {"name": "Kernel", "operator": "eq", "version": "2.6.13"}, {"name": "Kernel", "operator": "eq", "version": "2.6.10"}, {"name": "Kernel", "operator": "eq", "version": "2.6.3"}, {"name": "Kernel", "operator": "eq", "version": "2.6.11.11"}, {"name": "Kernel", "operator": "eq", "version": "2.6.12.4"}, {"name": "Kernel", "operator": "eq", "version": "2.6.11.8"}, {"name": "Kernel", "operator": "eq", "version": "2.6.9"}, {"name": "Kernel", "operator": "eq", "version": "2.6.11.9"}, {"name": "Kernel", "operator": "eq", "version": "2.6.12.5"}, {"name": "Kernel", "operator": "eq", "version": "2.6.11.1"}, {"name": "Kernel", "operator": "eq", "version": "2.6.11.7"}, {"name": "Kernel", "operator": "eq", "version": "2.6.11.3"}, {"name": "Kernel", "operator": "eq", "version": "2.6.7"}, {"name": "Kernel", "operator": "eq", "version": "2.6.12"}, {"name": "Kernel", "operator": "eq", "version": "2.6.8.1"}, {"name": "Kernel", "operator": "eq", "version": "2.6.12.1"}, {"name": "Kernel", "operator": "eq", "version": "2.6.11.12"}, {"name": "Kernel", "operator": "eq", "version": "2.6.8"}, {"name": "Kernel", "operator": "eq", "version": "2.6.4"}, {"name": "Kernel", "operator": "eq", "version": "2.6.12.6"}, {"name": "Kernel", "operator": "eq", "version": "2.6.2"}, {"name": "Kernel", "operator": "eq", "version": "2.6.1"}, {"name": "Kernel", "operator": "eq", "version": "2.6.11.6"}], "references": [], "href": "https://vulners.com/osvdb/OSVDB:19261", "id": "OSVDB:19261", "title": "Linux Kernel raw_sendmsg() Unspecified Memory Manipulation", "history": [], "type": "osvdb", "cvss": {"score": 3.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:PARTIAL/"}, "lastseen": "2017-04-28T13:20:15", "edition": 1, "hash": "bf9be8a40f68442f5c9e779e132bbc92be61376c2c976fa01bdd9185f4e06caa", "objectVersion": "1.2", "reporter": "Al Viro(aviro@redhat.com)", "description": "## Vulnerability Description\nLinux kernel contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered by an error in the \"raw_sendmsg()\" function, which may allow a local unprivileged user to read kernel memory contents to obtain sensitive information or on some architectures cause a denial of service by manipulating hardware state, resulting in a loss of confidentiality and/or availability.\n## Solution Description\nUpgrade to kernel version 2.6.13.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nLinux kernel contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered by an error in the \"raw_sendmsg()\" function, which may allow a local unprivileged user to read kernel memory contents to obtain sensitive information or on some architectures cause a denial of service by manipulating hardware state, resulting in a loss of confidentiality and/or availability.\n## References:\nVendor Specific News/Changelog Entry: http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.13.1\nVendor Specific News/Changelog Entry: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=166830\n[Secunia Advisory ID:17918](https://secuniaresearch.flexerasoftware.com/advisories/17918/)\n[Secunia Advisory ID:16910](https://secuniaresearch.flexerasoftware.com/advisories/16910/)\n[Secunia Advisory ID:17073](https://secuniaresearch.flexerasoftware.com/advisories/17073/)\n[Secunia Advisory ID:16747](https://secuniaresearch.flexerasoftware.com/advisories/16747/)\n[Secunia Advisory ID:16861](https://secuniaresearch.flexerasoftware.com/advisories/16861/)\n[Related OSVDB ID: 19260](https://vulners.com/osvdb/OSVDB:19260)\nRedHat RHSA: RHSA-2005:514\nOther Advisory URL: http://lists.suse.com/archive/suse-security-announce/2005-Dec/0004.html\nISS X-Force ID: 22218\nFrSIRT Advisory: ADV-2005-1701\n[CVE-2005-2492](https://vulners.com/cve/CVE-2005-2492)\nBugtraq ID: 14787\n", "modified": "2005-09-09T17:45:55", "viewCount": 3, "published": "2005-09-09T17:45:55", "cvelist": ["CVE-2005-2492"], "hashmap": [{"key": "affectedSoftware", "hash": "aee8b3e627af548d13cca873fae4c3a5"}, {"key": "bulletinFamily", "hash": "f9fa10ba956cacf91d7878861139efb9"}, {"key": "cvelist", "hash": "0974bd2370fb056c7ad9a575747dbe87"}, {"key": "cvss", "hash": "22b1844b353effdd54e60bb9fe6edec5"}, {"key": "description", "hash": "0e210dfa0d30c7931216a96974326dcc"}, {"key": "href", "hash": "c3f6ce24d9ee9b585564a3e5ba0893bb"}, {"key": "modified", "hash": "df4bc2fcb84cc1e2248071a301c222a6"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "df4bc2fcb84cc1e2248071a301c222a6"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "0aac859663113f2f5b0eaef5afb87f43"}, {"key": "title", "hash": "9946663b2d9f68c2b41034d64d32c1e0"}, {"key": "type", "hash": "1327ac71f7914948578f08c54f772b10"}]}
{"result": {"cve": [{"id": "CVE-2005-2492", "type": "cve", "title": "CVE-2005-2492", "description": "The raw_sendmsg function in the Linux kernel 2.6 before 2.6.13.1 allows local users to cause a denial of service (change hardware state) or read from arbitrary memory via crafted input.", "published": "2005-09-14T15:03:00", "cvss": {"score": 3.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2492", "cvelist": ["CVE-2005-2492"], "lastseen": "2017-10-11T11:06:19"}], "nessus": [{"id": "UBUNTU_USN-178-1.NASL", "type": "nessus", "title": "Ubuntu 4.10 / 5.04 : linux-source-2.6.10, linux-source-2.6.8.1 vulnerabilities (USN-178-1)", "description": "Oleg Nesterov discovered a local Denial of Service vulnerability in the timer handling. When a non group-leader thread called exec() to execute a different program while an itimer was pending, the timer expiry would signal the old group leader task, which did not exist any more. This caused a kernel panic. This vulnerability only affects Ubuntu 5.04. (CAN-2005-1913)\n\nAl Viro discovered that the sendmsg() function did not sufficiently validate its input data. By calling sendmsg() and at the same time modifying the passed message in another thread, he could exploit this to execute arbitrary commands with kernel privileges. This only affects the amd64 bit platform. (CAN-2005-2490)\n\nAl Viro discovered a vulnerability in the raw_sendmsg() function. By calling this function with specially crafted arguments, a local attacker could either read kernel memory contents (leading to information disclosure) or manipulate the hardware state by reading certain IO ports. This vulnerability only affects Ubuntu 5.04.\n(CAN-2005-2492)\n\nJan Blunck discovered a Denial of Service vulnerability in the procfs interface of the SCSI driver. By repeatedly reading /proc/scsi/sg/devices, a local attacker could eventually exhaust kernel memory. (CAN-2005-2800)\n\nA flaw was discovered in the handling of extended attributes on ext2 and ext3 file systems. Under certain condidions, this could prevent the enforcement of Access Control Lists, which eventually could lead to information disclosure, unauthorized program execution, or unauthorized data modification. This does not affect the standard Unix permissions. (CAN-2005-2801)\n\nChad Walstrom discovered a Denial of Service in the ipt_recent module, which can be used in netfilter (Firewall configuration). A remote attacker could exploit this to crash the kernel by sending certain packets (such as an SSH brute-force attack) to a host which uses the 'recent' module. (CAN-2005-2802).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2006-01-15T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=20588", "cvelist": ["CVE-2005-2801", "CVE-2005-2872", "CVE-2005-2490", "CVE-2005-2800", "CVE-2005-2492", "CVE-2005-1913"], "lastseen": "2017-10-29T13:36:34"}, {"id": "MANDRAKE_MDKSA-2005-235.NASL", "type": "nessus", "title": "Mandrake Linux Security Advisory : kernel (MDKSA-2005:235)", "description": "Multiple vulnerabilities in the Linux 2.6 kernel have been discovered and corrected in this update :\n\nA stack-based buffer overflow in the sendmsg function call in versions prior to 2.6.13.1 allow local users to execute arbitrary code by calling sendmsg and modifying the message contents in another thread (CVE-2005-2490).\n\nThe raw_sendmsg function in versions prior to 2.6.13.1 allow local users to cause a DoS (change hardware state) or read from arbitrary memory via crafted input (CVE-2005-2492).\n\nThe ipt_recent module in versions prior to 2.6.12 does not properly perform certain tests when the jiffies value is greater than LONG_MAX, which can cause ipt_recent netfilter rules to block too early (CVE-2005-2873).\n\nMultiple vulnerabilities in versions prior to 2.6.13.2 allow local users to cause a DoS (oops from null dereference) via fput in a 32bit ioctl on 64-bit x86 systems or sockfd_put in the 32-bit routing_ioctl function on 64-bit systems (CVE-2005-3044).\n\nVersions 2.6.8 to 2.6.14-rc2 allow local users to cause a DoS (oops) via a userspace process that issues a USB Request Block (URB) to a USB device and terminates before the URB is finished, which leads to a stale pointer reference (CVE-2005-3055).\n\ndrm.c in version 2.6.13 and earlier creates a debug file in sysfs with world-readable and world-writable permissions, allowing local users to enable DRM debugging and obtain sensitive information (CVE-2005-3179).\n\nThe Orinoco driver in 2.6.13 and earlier does not properly clear memory from a previously used packet whose length is increased, allowing remote attackers to obtain sensitive information (CVE-2005-3180).\n\nKernels 2.6.13 and earlier, when CONFIG_AUDITSYSCALL is enabled, use an incorrect function to free names_cache memory, preventing the memory from being tracked by AUDITSYSCALL code and leading to a memory leak (CVE-2005-3181).\n\nThe VT implementation in version 2.6.12 allows local users to use certain IOCTLs on terminals of other users and gain privileges (CVE-2005-3257).\n\nA race condition in ip_vs_conn_flush in versions prior to 2.6.13, when running on SMP systems, allows local users to cause a DoS (null dereference) by causing a connection timer to expire while the connection table is being flushed before the appropriate lock is acquired (CVE-2005-3274).\n\nThe provided packages are patched to fix these vulnerabilities. All users are encouraged to upgrade to these updated kernels.\n\nTo update your kernel, please follow the directions located at :\n\nhttp://www.mandriva.com/en/security/kernelupdate", "published": "2006-01-15T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=20466", "cvelist": ["CVE-2005-3181", "CVE-2005-2873", "CVE-2005-2490", "CVE-2005-3179", "CVE-2005-3274", "CVE-2005-3044", "CVE-2005-3257", "CVE-2005-3180", "CVE-2005-2492", "CVE-2005-3055"], "lastseen": "2017-10-29T13:43:33"}, {"id": "CENTOS_RHSA-2005-514.NASL", "type": "nessus", "title": "CentOS 4 : kernel (CESA-2005:514)", "description": "Updated kernel packages are now available as part of ongoing support and maintenance of Red Hat Enterprise Linux version 4. This is the second regular update.\n\nThis update has been rated as having important security impact by the Red Hat Security Response Team.\n\nThe Linux kernel handles the basic functions of the operating system.\n\nThis is the second regular kernel update to Red Hat Enterprise Linux 4.\n\nNew features introduced in this update include: - Audit support - systemtap - kprobes, relayfs - Keyring support - iSCSI Initiator - iscsi_sfnet 4:0.1.11-1 - Device mapper multipath support - Intel dual core support - esb2 chipset support - Increased exec-shield coverage - Dirty page tracking for HA systems - Diskdump -- allow partial diskdumps and directing to swap\n\nThere were several bug fixes in various parts of the kernel. The ongoing effort to resolve these problems has resulted in a marked improvement in the reliability and scalability of Red Hat Enterprise Linux 4.\n\nThe following security bugs were fixed in this update, detailed below with corresponding CAN names available from the Common Vulnerabilities and Exposures project (cve.mitre.org) :\n\n - flaws in ptrace() syscall handling on 64-bit systems that allowed a local user to cause a denial of service (crash) (CVE-2005-0756, CVE-2005-1761, CVE-2005-1762, CVE-2005-1763)\n\n - flaws in IPSEC network handling that allowed a local user to cause a denial of service or potentially gain privileges (CVE-2005-2456, CVE-2005-2555)\n\n - a flaw in sendmsg() syscall handling on 64-bit systems that allowed a local user to cause a denial of service or potentially gain privileges (CVE-2005-2490)\n\n - a flaw in sendmsg() syscall handling that allowed a local user to cause a denial of service by altering hardware state (CVE-2005-2492)\n\n - a flaw that prevented the topdown allocator from allocating mmap areas all the way down to address zero (CVE-2005-1265)\n\n - flaws dealing with keyrings that could cause a local denial of service (CVE-2005-2098, CVE-2005-2099)\n\n - a flaw in the 4GB split patch that could allow a local denial of service (CVE-2005-2100)\n\n - a xattr sharing bug in the ext2 and ext3 file systems that could cause default ACLs to disappear (CVE-2005-2801)\n\n - a flaw in the ipt_recent module on 64-bit architectures which could allow a remote denial of service (CVE-2005-2872)\n\nThe following device drivers have been upgraded to new versions :\n\nqla2100 --------- 8.00.00b21-k to 8.01.00b5-rh2 qla2200 --------- 8.00.00b21-k to 8.01.00b5-rh2 qla2300 --------- 8.00.00b21-k to 8.01.00b5-rh2 qla2322 --------- 8.00.00b21-k to 8.01.00b5-rh2 qla2xxx\n--------- 8.00.00b21-k to 8.01.00b5-rh2 qla6312 --------- 8.00.00b21-k to 8.01.00b5-rh2 megaraid_mbox --- 2.20.4.5 to 2.20.4.6 megaraid_mm\n----- 2.20.2.5 to 2.20.2.6 lpfc ------------ 0:8.0.16.6_x2 to 0:8.0.16.17 cciss ----------- 2.6.4 to 2.6.6 ipw2100 --------- 1.0.3 to 1.1.0 tg3 ------------- 3.22-rh to 3.27-rh e100 ------------ 3.3.6-k2-NAPI to 3.4.8-k2-NAPI e1000 ----------- 5.6.10.1-k2-NAPI to 6.0.54-k2-NAPI 3c59x ----------- LK1.1.19 mptbase --------- 3.01.16 to 3.02.18 ixgb ------------ 1.0.66 to 1.0.95-k2-NAPI libata ---------- 1.10 to 1.11 sata_via -------- 1.0 to 1.1 sata_ahci ------- 1.00 to 1.01 sata_qstor ------ 0.04 sata_sil -------- 0.8 to 0.9 sata_svw\n-------- 1.05 to 1.06 s390: crypto ---- 1.31 to 1.57 s390: zfcp ------ s390: CTC-MPC --- s390: dasd ------- s390: cio ------- s390: qeth\n------\n\nAll Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum.", "published": "2006-07-05T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=21943", "cvelist": ["CVE-2005-1763", "CVE-2005-2801", "CVE-2005-2100", "CVE-2005-2872", "CVE-2005-2099", "CVE-2005-2490", "CVE-2005-1762", "CVE-2005-2098", "CVE-2005-3275", "CVE-2005-3274", "CVE-2006-5871", "CVE-2005-1265", "CVE-2005-4886", "CVE-2005-1761", "CVE-2005-2492", "CVE-2005-2456", "CVE-2005-0756", "CVE-2005-3105", "CVE-2005-2555"], "lastseen": "2017-10-29T13:42:56"}, {"id": "REDHAT-RHSA-2005-514.NASL", "type": "nessus", "title": "RHEL 4 : kernel (RHSA-2005:514)", "description": "Updated kernel packages are now available as part of ongoing support and maintenance of Red Hat Enterprise Linux version 4. This is the second regular update.\n\nThis update has been rated as having important security impact by the Red Hat Security Response Team.\n\nThe Linux kernel handles the basic functions of the operating system.\n\nThis is the second regular kernel update to Red Hat Enterprise Linux 4.\n\nNew features introduced in this update include: - Audit support - systemtap - kprobes, relayfs - Keyring support - iSCSI Initiator - iscsi_sfnet 4:0.1.11-1 - Device mapper multipath support - Intel dual core support - esb2 chipset support - Increased exec-shield coverage - Dirty page tracking for HA systems - Diskdump -- allow partial diskdumps and directing to swap\n\nThere were several bug fixes in various parts of the kernel. The ongoing effort to resolve these problems has resulted in a marked improvement in the reliability and scalability of Red Hat Enterprise Linux 4.\n\nThe following security bugs were fixed in this update, detailed below with corresponding CAN names available from the Common Vulnerabilities and Exposures project (cve.mitre.org) :\n\n - flaws in ptrace() syscall handling on 64-bit systems that allowed a local user to cause a denial of service (crash) (CVE-2005-0756, CVE-2005-1761, CVE-2005-1762, CVE-2005-1763)\n\n - flaws in IPSEC network handling that allowed a local user to cause a denial of service or potentially gain privileges (CVE-2005-2456, CVE-2005-2555)\n\n - a flaw in sendmsg() syscall handling on 64-bit systems that allowed a local user to cause a denial of service or potentially gain privileges (CVE-2005-2490)\n\n - a flaw in sendmsg() syscall handling that allowed a local user to cause a denial of service by altering hardware state (CVE-2005-2492)\n\n - a flaw that prevented the topdown allocator from allocating mmap areas all the way down to address zero (CVE-2005-1265)\n\n - flaws dealing with keyrings that could cause a local denial of service (CVE-2005-2098, CVE-2005-2099)\n\n - a flaw in the 4GB split patch that could allow a local denial of service (CVE-2005-2100)\n\n - a xattr sharing bug in the ext2 and ext3 file systems that could cause default ACLs to disappear (CVE-2005-2801)\n\n - a flaw in the ipt_recent module on 64-bit architectures which could allow a remote denial of service (CVE-2005-2872)\n\nThe following device drivers have been upgraded to new versions :\n\nqla2100 --------- 8.00.00b21-k to 8.01.00b5-rh2 qla2200 --------- 8.00.00b21-k to 8.01.00b5-rh2 qla2300 --------- 8.00.00b21-k to 8.01.00b5-rh2 qla2322 --------- 8.00.00b21-k to 8.01.00b5-rh2 qla2xxx\n--------- 8.00.00b21-k to 8.01.00b5-rh2 qla6312 --------- 8.00.00b21-k to 8.01.00b5-rh2 megaraid_mbox --- 2.20.4.5 to 2.20.4.6 megaraid_mm\n----- 2.20.2.5 to 2.20.2.6 lpfc ------------ 0:8.0.16.6_x2 to 0:8.0.16.17 cciss ----------- 2.6.4 to 2.6.6 ipw2100 --------- 1.0.3 to 1.1.0 tg3 ------------- 3.22-rh to 3.27-rh e100 ------------ 3.3.6-k2-NAPI to 3.4.8-k2-NAPI e1000 ----------- 5.6.10.1-k2-NAPI to 6.0.54-k2-NAPI 3c59x ----------- LK1.1.19 mptbase --------- 3.01.16 to 3.02.18 ixgb ------------ 1.0.66 to 1.0.95-k2-NAPI libata ---------- 1.10 to 1.11 sata_via -------- 1.0 to 1.1 sata_ahci ------- 1.00 to 1.01 sata_qstor ------ 0.04 sata_sil -------- 0.8 to 0.9 sata_svw\n-------- 1.05 to 1.06 s390: crypto ---- 1.31 to 1.57 s390: zfcp ------ s390: CTC-MPC --- s390: dasd ------- s390: cio ------- s390: qeth\n------\n\nAll Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum.", "published": "2005-10-11T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=19989", "cvelist": ["CVE-2005-1763", "CVE-2005-2801", "CVE-2005-2100", "CVE-2005-2872", "CVE-2005-2099", "CVE-2005-2490", "CVE-2005-1762", "CVE-2005-2098", "CVE-2005-3275", "CVE-2005-3274", "CVE-2006-5871", "CVE-2005-1265", "CVE-2005-4886", "CVE-2005-1761", "CVE-2005-2492", "CVE-2005-2456", "CVE-2005-0756", "CVE-2005-3105", "CVE-2005-2555"], "lastseen": "2017-10-29T13:37:52"}, {"id": "MANDRAKE_MDKSA-2005-220.NASL", "type": "nessus", "title": "MDKSA-2005:220 : kernel", "description": "Multiple vulnerabilities in the Linux 2.6 kernel have been discovered and corrected in this update:\n\nThe kernel on x86_64 platforms does not use a guard page for the 47-bit address page to protect against an AMD K8 bug which allows a local user to cause a DoS (CVE-2005-1764).\n\nThe KEYCTL_JOIN_SESSION_KEYRING operation in versions prior to 2.6.12.5 contains an error path that does not properly release the session management semaphore, which allows local users or remote attackers to cause a DoS (semaphore hang) via a new session keyring with an empty name string, a long name string, the key quota reached, or ENOMEM (CVE-2005-2098).\n\nKernels prior to 2.6.12.5 do not properly destroy a keyring that is not instantiated properly, allowing a local user or remote attacker to cause a DoS (oops) via a keyring with a payload that is not empty (CVE-2005-2099).\n\nAn array index overflow in the xfrm_sk_policy_insert function in xfrm_user.c allows local users to cause a DoS (oops or deadlock) and possibly execute arbitrary code (CVE-2005-2456).\n\nThe zisofs driver in versions prior to 2.6.12.5 allows local users and remove attackers to cause a DoS (crash) via a crafted compressed ISO filesystem (CVE-2005-2457).\n\ninflate.c in the zlib routines in versions prior to 2.6.12.5 allow remove attackers to cause a DoS (crash) via a compressed file with 'improper tables' (CVE-2005-2458).\n\nThe huft_build function in inflate.c in the zlib routines in versions prior to 2.6.12.5 returns the wrong value, allowing remote attackers to cause a DoS (crash) via a certain compressed file that leads to a NULL pointer dereference (CVE-2005-2459).\n\nA stack-based buffer overflow in the sendmsg function call in versions prior to 2.6.13.1 allow local users to execute arbitrary code by calling sendmsg and modifying the message contents in another thread (CVE-2005-2490).\n\nThe raw_sendmsg function in versions prior to 2.6.13.1 allow local users to cause a DoS (change hardware state) or read from arbitrary memory via crafted input (CVE-2005-2492).\n\nA memory leak in the seq_file implementation in the SCSI procfs interface (sg.c) in 2.6.13 and earlier allows a local user to cause a DoS (memory consumption) via certain repeated reads from /proc/scsi/gs/devices file which is not properly handled when the next() interator returns NULL or an error (CVE-2005-2800).\n\nThe ipt_recent module in versions prior to 2.6.12 when running on 64bit processors allows remote attackers to cause a DoS (kernel panic) via certain attacks such as SSH brute force (CVE-2005-2872).\n\nThe ipt_recent module in versions prior to 2.6.12 does not properly perform certain tests when the jiffies value is greater than LONG_MAX, which can cause ipt_recent netfilter rules to block too early (CVE-2005-2873).\n\nMultiple vulnerabilities in versions prior to 2.6.13.2 allow local users to cause a DoS (oops from NULL dereference) via fput in a 32bit ioctl on 64-bit x86 systems or sockfd_put in the 32-bit routing_ioctl function on 64-bit systems (CVE-2005-3044).\n\nThe sys_set_mempolicy function in mempolicy.c allows local users to cause a DoS via a negative first argument (CVE-2005-3053).\n\nVersions 2.6.8 to 2.6.14-rc2 allow local users to cause a DoS (oops) via a userspace process that issues a USB Request Block (URB) to a USB device and terminates before the URB is finished, which leads to a stale pointer reference (CVE-2005-3055).\n\ndrm.c in version 2.6.13 and earlier creates a debug file in sysfs with world-readable and world-writable permissions, allowing local users to enable DRM debugging and obtain sensitive information (CVE-2005-3179).\n\nThe Orinoco driver in 2.6.13 and earlier does not properly clear memory from a previously used packet whose length is increased, allowing remote attackers to obtain sensitive information (CVE-2005-3180).\n\nKernels 2.6.13 and earlier, when CONFIG_AUDITSYSCALL is enabled, use an incorrect function to free names_cache memory, preventing the memory from being tracked by AUDITSYSCALL code and leading to a memory leak (CVE-2005-3181).\n\nThe VT implementation in version 2.6.12 allows local users to use certain IOCTLs on terminals of other users and gain privileges (CVE-2005-3257).\n\nExec does not properly clear posix-timers in multi-threaded environments, which result in a resource leak and could allow a large number of multiple local users to cause a DoS by using more posix- timers than specified by the quota for a single user (CVE-2005-3271).\n\nThe rose_rt_ioctl function rose_route.c in versions prior to 2.6.12 does not properly verify the ndigis argument for a new route, allowing an attacker to trigger array out-of-bounds errors with a large number of digipeats (CVE-2005-3273).\n\nA race condition in ip_vs_conn_flush in versions prior to 2.6.13, when running on SMP systems, allows local users to cause a DoS (NULL dereference) by causing a connection timer to expire while the connection table is being flushed before the appropriate lock is acquired (CVE-2005-3274).\n\nThe NAT code in versions prior to 2.6.13 incorrectly declares a variable to be static, allowing remote attackers to cause a DoS (memory corruption) by causing two packets for the same protocol to be NATed at the same time (CVE-2005-3275).\n\nThe sys_get_thread_area function in process.c in versions prior to 2.6.12.4 and 2.6.13 does not clear a data structure before copying it to userspace, which may allow a user process to obtain sensitive information (CVE-2005-3276).\n\nThe provided packages are patched to fix these vulnerabilities. All users are encouraged to upgrade to these updated kernels.\n\nTo update your kernel, please follow the directions located at:\n\nhttp://www.mandriva.com/en/security/kernelupdate", "published": "2006-01-15T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=20451", "cvelist": ["CVE-2005-2457", "CVE-2005-3181", "CVE-2005-2872", "CVE-2005-3273", "CVE-2005-2099", "CVE-2005-2873", "CVE-2005-2490", "CVE-2005-2098", "CVE-2005-3179", "CVE-2005-3275", "CVE-2005-3274", "CVE-2005-3053", "CVE-2005-3044", "CVE-2005-3257", "CVE-2005-2800", "CVE-2005-1764", "CVE-2005-3180", "CVE-2005-2492", "CVE-2005-2459", "CVE-2005-2456", "CVE-2005-3055", "CVE-2005-3271", "CVE-2005-2458", "CVE-2005-3276"], "lastseen": "2017-10-29T13:44:45"}], "ubuntu": [{"id": "USN-178-1", "type": "ubuntu", "title": "Linux kernel vulnerabilities", "description": "Oleg Nesterov discovered a local Denial of Service vulnerability in the timer handling. When a non group-leader thread called exec() to execute a different program while an itimer was pending, the timer expiry would signal the old group leader task, which did not exist any more. This caused a kernel panic. This vulnerability only affects Ubuntu 5.04. (CAN-2005-1913)\n\nAl Viro discovered that the sendmsg() function did not sufficiently validate its input data. By calling sendmsg() and at the same time modifying the passed message in another thread, he could exploit this to execute arbitrary commands with kernel privileges. This only affects the amd64 bit platform. (CAN-2005-2490)\n\nAl Viro discovered a vulnerability in the raw_sendmsg() function. By calling this function with specially crafted arguments, a local attacker could either read kernel memory contents (leading to information disclosure) or manipulate the hardware state by reading certain IO ports. This vulnerability only affects Ubuntu 5.04. (CAN-2005-2492)\n\nJan Blunck discovered a Denial of Service vulnerability in the procfs interface of the SCSI driver. By repeatedly reading /proc/scsi/sg/devices, a local attacker could eventually exhaust kernel memory. (CAN-2005-2800)\n\nA flaw was discovered in the handling of extended attributes on ext2 and ext3 file systems. Under certain condidions, this could prevent the enforcement of Access Control Lists, which eventually could lead to information disclosure, unauthorized program execution, or unauthorized data modification. This does not affect the standard Unix permissions. (CAN-2005-2801)\n\nChad Walstrom discovered a Denial of Service in the ipt_recent module, which can be used in netfilter (Firewall configuration). A remote attacker could exploit this to crash the kernel by sending certain packets (such as an SSH brute force attack) to a host which uses the \u201crecent\u201d module. (CAN-2005-2802)", "published": "2005-09-09T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://usn.ubuntu.com/178-1/", "cvelist": ["CVE-2005-2801", "CVE-2005-2490", "CVE-2005-2800", "CVE-2005-2492", "CVE-2005-2802", "CVE-2005-1913"], "lastseen": "2018-03-29T18:17:20"}], "centos": [{"id": "CESA-2005:514", "type": "centos", "title": "kernel security update", "description": "**CentOS Errata and Security Advisory** CESA-2005:514\n\n\nThe Linux kernel handles the basic functions of the operating system.\r\n\r\nThis is the second regular kernel update to Red Hat Enterprise Linux 4.\r\n\r\nNew features introduced in this update include:\r\n- Audit support\r\n- systemtap - kprobes, relayfs\r\n- Keyring support\r\n- iSCSI Initiator - iscsi_sfnet 4:0.1.11-1\r\n- Device mapper multipath support\r\n- Intel dual core support\r\n- esb2 chipset support\r\n- Increased exec-shield coverage\r\n- Dirty page tracking for HA systems\r\n- Diskdump -- allow partial diskdumps and directing to swap\r\n\r\nThere were several bug fixes in various parts of the kernel. The ongoing\r\neffort to resolve these problems has resulted in a marked improvement\r\nin the reliability and scalability of Red Hat Enterprise Linux 4. \r\n\r\nThe following security bugs were fixed in this update, detailed below with\r\ncorresponding CAN names available from the Common Vulnerabilities and\r\nExposures project (cve.mitre.org):\r\n\r\n- flaws in ptrace() syscall handling on 64-bit systems that allowed a local\r\nuser to cause a denial of service (crash) (CAN-2005-0756, CAN-2005-1761,\r\nCAN-2005-1762, CAN-2005-1763)\r\n\r\n- flaws in IPSEC network handling that allowed a local user to cause a\r\ndenial of service or potentially gain privileges (CAN-2005-2456, CAN-2005-2555)\r\n\r\n- a flaw in sendmsg() syscall handling on 64-bit systems that allowed a\r\nlocal user to cause a denial of service or potentially gain privileges\r\n(CAN-2005-2490)\r\n\r\n- a flaw in sendmsg() syscall handling that allowed a local user to cause a\r\ndenial of service by altering hardware state (CAN-2005-2492)\r\n\r\n- a flaw that prevented the topdown allocator from allocating mmap areas\r\nall the way down to address zero (CAN-2005-1265)\r\n\r\n- flaws dealing with keyrings that could cause a local denial of service\r\n(CAN-2005-2098, CAN-2005-2099)\r\n\r\n- a flaw in the 4GB split patch that could allow a local denial of service\r\n(CAN-2005-2100)\r\n\r\n- a xattr sharing bug in the ext2 and ext3 file systems that could cause\r\ndefault ACLs to disappear (CAN-2005-2801)\r\n\r\n- a flaw in the ipt_recent module on 64-bit architectures which could allow\r\na remote denial of service (CAN-2005-2872)\r\n\r\nThe following device drivers have been upgraded to new versions:\r\n\r\nqla2100 --------- 8.00.00b21-k to 8.01.00b5-rh2\r\nqla2200 --------- 8.00.00b21-k to 8.01.00b5-rh2\r\nqla2300 --------- 8.00.00b21-k to 8.01.00b5-rh2\r\nqla2322 --------- 8.00.00b21-k to 8.01.00b5-rh2\r\nqla2xxx --------- 8.00.00b21-k to 8.01.00b5-rh2\r\nqla6312 --------- 8.00.00b21-k to 8.01.00b5-rh2\r\nmegaraid_mbox --- 2.20.4.5 to 2.20.4.6\r\nmegaraid_mm ----- 2.20.2.5 to 2.20.2.6 \r\nlpfc ------------ 0:8.0.16.6_x2 to 0:8.0.16.17\r\ncciss ----------- 2.6.4 to 2.6.6\r\nipw2100 --------- 1.0.3 to 1.1.0\r\ntg3 ------------- 3.22-rh to 3.27-rh\r\ne100 ------------ 3.3.6-k2-NAPI to 3.4.8-k2-NAPI\r\ne1000 ----------- 5.6.10.1-k2-NAPI to 6.0.54-k2-NAPI\r\n3c59x ----------- LK1.1.19\r\nmptbase --------- 3.01.16 to 3.02.18\r\nixgb ------------ 1.0.66 to 1.0.95-k2-NAPI\r\nlibata ---------- 1.10 to 1.11\r\nsata_via -------- 1.0 to 1.1\r\nsata_ahci ------- 1.00 to 1.01\r\nsata_qstor ------ 0.04\r\nsata_sil -------- 0.8 to 0.9\r\nsata_svw -------- 1.05 to 1.06\r\ns390: crypto ---- 1.31 to 1.57\r\ns390: zfcp ------ \r\ns390: CTC-MPC ---\r\ns390: dasd -------\r\ns390: cio -------\r\ns390: qeth ------\r\n\r\nAll Red Hat Enterprise Linux 4 users are advised to upgrade their\r\nkernels to the packages associated with their machine architectures\r\nand configurations as listed in this erratum.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2005-October/012244.html\nhttp://lists.centos.org/pipermail/centos-announce/2005-October/012247.html\n\n**Affected packages:**\nkernel\nkernel-devel\nkernel-doc\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2005-514.html", "published": "2005-10-05T16:21:56", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2005-October/012244.html", "cvelist": ["CVE-2005-1763", "CVE-2005-2801", "CVE-2005-2100", "CVE-2005-2872", "CVE-2005-2099", "CVE-2005-2490", "CVE-2005-1762", "CVE-2005-2098", "CVE-2005-3275", "CVE-2005-3274", "CVE-2006-5871", "CVE-2005-1265", "CVE-2005-4886", "CVE-2005-1761", "CVE-2005-2492", "CVE-2005-2456", "CVE-2005-0756", "CVE-2005-3105", "CVE-2005-2555"], "lastseen": "2017-10-12T14:45:54"}], "redhat": [{"id": "RHSA-2005:514", "type": "redhat", "title": "(RHSA-2005:514) Updated kernel packages available for Red Hat Enterprise Linux 4 Update 2", "description": "The Linux kernel handles the basic functions of the operating system.\r\n\r\nThis is the second regular kernel update to Red Hat Enterprise Linux 4.\r\n\r\nNew features introduced in this update include:\r\n- Audit support\r\n- systemtap - kprobes, relayfs\r\n- Keyring support\r\n- iSCSI Initiator - iscsi_sfnet 4:0.1.11-1\r\n- Device mapper multipath support\r\n- Intel dual core support\r\n- esb2 chipset support\r\n- Increased exec-shield coverage\r\n- Dirty page tracking for HA systems\r\n- Diskdump -- allow partial diskdumps and directing to swap\r\n\r\nThere were several bug fixes in various parts of the kernel. The ongoing\r\neffort to resolve these problems has resulted in a marked improvement\r\nin the reliability and scalability of Red Hat Enterprise Linux 4. \r\n\r\nThe following security bugs were fixed in this update, detailed below with\r\ncorresponding CAN names available from the Common Vulnerabilities and\r\nExposures project (cve.mitre.org):\r\n\r\n- flaws in ptrace() syscall handling on 64-bit systems that allowed a local\r\nuser to cause a denial of service (crash) (CAN-2005-0756, CAN-2005-1761,\r\nCAN-2005-1762, CAN-2005-1763)\r\n\r\n- flaws in IPSEC network handling that allowed a local user to cause a\r\ndenial of service or potentially gain privileges (CAN-2005-2456, CAN-2005-2555)\r\n\r\n- a flaw in sendmsg() syscall handling on 64-bit systems that allowed a\r\nlocal user to cause a denial of service or potentially gain privileges\r\n(CAN-2005-2490)\r\n\r\n- a flaw in sendmsg() syscall handling that allowed a local user to cause a\r\ndenial of service by altering hardware state (CAN-2005-2492)\r\n\r\n- a flaw that prevented the topdown allocator from allocating mmap areas\r\nall the way down to address zero (CAN-2005-1265)\r\n\r\n- flaws dealing with keyrings that could cause a local denial of service\r\n(CAN-2005-2098, CAN-2005-2099)\r\n\r\n- a flaw in the 4GB split patch that could allow a local denial of service\r\n(CAN-2005-2100)\r\n\r\n- a xattr sharing bug in the ext2 and ext3 file systems that could cause\r\ndefault ACLs to disappear (CAN-2005-2801)\r\n\r\n- a flaw in the ipt_recent module on 64-bit architectures which could allow\r\na remote denial of service (CAN-2005-2872)\r\n\r\nThe following device drivers have been upgraded to new versions:\r\n\r\nqla2100 --------- 8.00.00b21-k to 8.01.00b5-rh2\r\nqla2200 --------- 8.00.00b21-k to 8.01.00b5-rh2\r\nqla2300 --------- 8.00.00b21-k to 8.01.00b5-rh2\r\nqla2322 --------- 8.00.00b21-k to 8.01.00b5-rh2\r\nqla2xxx --------- 8.00.00b21-k to 8.01.00b5-rh2\r\nqla6312 --------- 8.00.00b21-k to 8.01.00b5-rh2\r\nmegaraid_mbox --- 2.20.4.5 to 2.20.4.6\r\nmegaraid_mm ----- 2.20.2.5 to 2.20.2.6 \r\nlpfc ------------ 0:8.0.16.6_x2 to 0:8.0.16.17\r\ncciss ----------- 2.6.4 to 2.6.6\r\nipw2100 --------- 1.0.3 to 1.1.0\r\ntg3 ------------- 3.22-rh to 3.27-rh\r\ne100 ------------ 3.3.6-k2-NAPI to 3.4.8-k2-NAPI\r\ne1000 ----------- 5.6.10.1-k2-NAPI to 6.0.54-k2-NAPI\r\n3c59x ----------- LK1.1.19\r\nmptbase --------- 3.01.16 to 3.02.18\r\nixgb ------------ 1.0.66 to 1.0.95-k2-NAPI\r\nlibata ---------- 1.10 to 1.11\r\nsata_via -------- 1.0 to 1.1\r\nsata_ahci ------- 1.00 to 1.01\r\nsata_qstor ------ 0.04\r\nsata_sil -------- 0.8 to 0.9\r\nsata_svw -------- 1.05 to 1.06\r\ns390: crypto ---- 1.31 to 1.57\r\ns390: zfcp ------ \r\ns390: CTC-MPC ---\r\ns390: dasd -------\r\ns390: cio -------\r\ns390: qeth ------\r\n\r\nAll Red Hat Enterprise Linux 4 users are advised to upgrade their\r\nkernels to the packages associated with their machine architectures\r\nand configurations as listed in this erratum.", "published": "2005-10-05T04:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2005:514", "cvelist": ["CVE-2005-0756", "CVE-2005-1265", "CVE-2005-1761", "CVE-2005-1762", "CVE-2005-1763", "CVE-2005-2098", "CVE-2005-2099", "CVE-2005-2100", "CVE-2005-2456", "CVE-2005-2490", "CVE-2005-2492", "CVE-2005-2555", "CVE-2005-2801", "CVE-2005-2872", "CVE-2005-3105", "CVE-2005-3274", "CVE-2005-3275", "CVE-2005-4886", "CVE-2006-5871"], "lastseen": "2017-09-09T07:20:24"}], "suse": [{"id": "SUSE-SA:2005:068", "type": "suse", "title": "denial of service in kernel", "description": "The Linux kernel was updated to fix several security problems and several bugs, listed below:\n#### Solution\nThere is no known workaround, please install the update packages.", "published": "2005-12-14T15:10:59", "cvss": {"score": 6.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2005-12/msg00011.html", "cvelist": ["CVE-2005-3784", "CVE-2005-3783", "CVE-2005-2457", "CVE-2005-2872", "CVE-2005-3805", "CVE-2005-2490", "CVE-2005-1041", "CVE-2005-3275", "CVE-2005-3110", "CVE-2005-3807", "CVE-2005-3527", "CVE-2005-3044", "CVE-2005-3806", "CVE-2005-2800", "CVE-2005-2973", "CVE-2005-3180", "CVE-2005-2492", "CVE-2005-2459", "CVE-2005-3055", "CVE-2005-2458"], "lastseen": "2016-09-04T11:50:28"}]}}
