
A kernel security update is available for Red Hat Enterprise Linux 3

----------------------------------------------------------------------
Red Hat Security Advisory

Synopsis: Important: kernel security update
Advisory ID: RHSA-2005:293-01
Advisory URL: https://rhn.redhat.com/errata/RHSA-2005-293.html
Issue date: 2005-04-22
Updated on: 2005-04-22
Product: Red Hat Enterprise Linux
Keywords: taroon
Obsoletes: RHSA-2005:043
CVE Names: CAN-2004-0075 CAN-2004-0177 CAN-2004-0814 CAN-2004-1058 CAN-2004-1073 CAN-2005-0135 CAN-2005-0137 CAN-2005-0204 CAN-2005-0384 CAN-2005-0403 CAN-2005-0449 CAN-2005-0736 CAN-2005-0749 CAN-2005-0750
----------------------------------------------------------------------

1. Summary:

Updated kernel packages that fix several security issues in the Red Hat Enterprise Linux 3 kernel are now available.

This security advisory has been rated as having important security impact by the Red Hat Security Response Team.

The Linux kernel handles the basic functions of the operating system.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64



3. Problem description:

The following security issues were fixed:

The Vicam USB driver did not use the copy_from_user function to access userspace, crossing security boundaries. (CAN-2004-0075)

The ext3 and jfs code did not properly initialize journal descriptor blocks. A privileged local user could read portions of kernel memory. (CAN-2004-0177)

The terminal layer did not properly lock line discipline changes or pending IO. An unprivileged local user could read portions of kernel memory, or cause a denial of service (system crash). (CAN-2004-0814)

A race condition was discovered. Local users could use this flaw to read the environment variables of another process that is still spawning via /proc/.../cmdline. (CAN-2004-1058)

A flaw in the execve() syscall handling was discovered, allowing a local user to read setuid ELF binaries that should otherwise be protected by standard permissions. (CAN-2004-1073) Red Hat originally reported this as being fixed by RHSA-2004:549, but the associated fix was missing from that update.

Keith Owens reported a flaw in the Itanium unw_unwind_to_user() function. A local user could use this flaw to cause a denial of service (system crash) on the Itanium architecture. (CAN-2005-0135)

A missing Itanium syscall table entry could allow an unprivileged local user to cause a denial of service (system crash) on the Itanium architecture. (CAN-2005-0137)

A flaw affecting the OUTS instruction on the AMD64 and Intel EM64T architectures was discovered. A local user could use this flaw to access privileged IO ports. (CAN-2005-0204)

A flaw was discovered in the Linux PPP driver. On systems allowing remote users to connect to a server using ppp, a remote client could cause a denial of service (system crash). (CAN-2005-0384)

A flaw in the Red Hat backport of NPTL to Red Hat Enterprise Linux 3 was discovered that left a pointer to a freed tty structure. A local user could potentially use this flaw to cause a denial of service (system crash) or possibly gain read or write access to ttys that should normally be prevented. (CAN-2005-0403)

A flaw in fragment queuing was discovered affecting the netfilter subsystem. On systems configured to filter or process network packets (for example those configured to do firewalling), a remote attacker could send a carefully crafted set of fragmented packets to a machine and cause a denial of service (system crash). In order to successfully exploit this flaw, the attacker would need to know (or guess) some aspects of the firewall ruleset in place on the target system to be able to craft the right fragmented packets. (CAN-2005-0449)

Missing validation of an epoll_wait() system call parameter could allow a local user to cause a denial of service (system crash) on the IBM S/390 and zSeries architectures. (CAN-2005-0736)

A flaw when freeing a pointer in load_elf_library was discovered. A local user could potentially use this flaw to cause a denial of service (system crash). (CAN-2005-0749)

A flaw was discovered in the bluetooth driver system. On systems where the bluetooth modules are loaded, a local user could use this flaw to gain elevated (root) privileges. (CAN-2005-0750)

In addition to the security issues listed above, there was an important fix made to the handling of the msync() system call for a particular case in which the call could return without queuing modified mmap()'ed data for file system update. (BZ 147969)

Note: The kernel-unsupported package contains various drivers and modules that are unsupported and therefore might contain security problems that have not been addressed.

Red Hat Enterprise Linux 3 users are advised to upgrade their kernels to the packages associated with their machine architectures/configurations.

Please note that the fix for CAN-2005-0449 required changing the external symbol linkages (kernel module ABI) for the ip_defrag() and ip_ct_gather_frags() functions. Any third-party module using either of these would also need to be fixed.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied. Use Red Hat Network to download and update your packages. To launch the Red Hat Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system:

http://www.redhat.com/docs/manuals/enterprise/
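
A check for whether a host's kernel packages have reached the fixed version-release listed in section 6 (2.4.21-27.0.4.EL), added here as an example and not part of Red Hat's advisory. It assumes inventory lines as produced by `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'`, only looks at the package names in this advisory's RPM list, and uses a simplified rpmvercmp-style comparison; the function names and the sample inventory are constructed for illustration.

```python
import re

FIXED = "2.4.21-27.0.4.EL"  # version-release from this advisory's package list
KERNEL_PKGS = {"kernel", "kernel-smp", "kernel-hugemem", "kernel-BOOT",
               "kernel-unsupported", "kernel-smp-unsupported",
               "kernel-hugemem-unsupported", "kernel-source", "kernel-doc"}

def seg_cmp(a, b):
    """rpmvercmp-style comparison (simplified: no epoch, tilde or caret)."""
    ta = re.findall(r"\d+|[A-Za-z]+", a)
    tb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(ta, tb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)   # numeric segments compare as integers
        elif x.isdigit():
            return 1                # a numeric segment beats an alphabetic one
        elif y.isdigit():
            return -1
        if x != y:
            return 1 if x > y else -1
    return (len(ta) > len(tb)) - (len(ta) < len(tb))  # leftover segments win

def evr_cmp(a, b):
    """Compare 'VERSION-RELEASE' strings: version first, then release."""
    va, ra = a.rsplit("-", 1)
    vb, rb = b.rsplit("-", 1)
    return seg_cmp(va, vb) or seg_cmp(ra, rb)

def audit(inventory):
    """Return (name, version-release, status) for each kernel package line."""
    rows = []
    for line in inventory.strip().splitlines():
        name, evr = line.split()
        if name in KERNEL_PKGS:
            status = "fixed" if evr_cmp(evr, FIXED) >= 0 else "needs-update"
            rows.append((name, evr, status))
    return rows

# Constructed sample inventory, one 'NAME VERSION-RELEASE' per line.
SAMPLE = """
kernel 2.4.21-27.0.4.EL
kernel-smp 2.4.21-27.0.2.EL
kernel-hugemem 2.4.21-9.EL
kernel-source 2.4.21-32.EL
kernel-utils 2.4-8.37
"""

if __name__ == "__main__":
    print("\n".join(" ".join(r) for r in audit(SAMPLE)))
```

An installed fixed package does not mean the fixed kernel is running: the host must be rebooted into it, so compare `uname -r` as well.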

5. Bug IDs fixed (http://bugzilla.redhat.com/):

121032 - CAN-2004-0177 ext3 infoleak
126407 - CAN-2004-0075 Vicam USB user/kernel copying
130774 - oops in drivers/char/tty_io.c:init_dev()
131674 - CAN-2004-0814 potential race condition in RHEL 2.1/3 tty layer
133108 - CAN-2004-0814 input/serio local DOS
133113 - CAN-2004-1058 /proc/<PID>/cmdline information disclosure
144059 - CAN-2005-0403 panic in tty init_dev
144530 - random poolsize sysctl handler integer overflow
148855 - CAN-2005-0204 OUTS instruction does not cause SIGSEGV for all ports
150334 - Kernel panic: Code: Bad EIP value
151086 - kernel locks up tty/psuedo-tty access
151241 - CAN-2005-0384 pppd remote DoS
151805 - CAN-2005-0449 Possible remote Oops/firewall bypass
152178 - CAN-2005-0750 bluetooth security flaw
152411 - CAN-2005-0749 load_elf_library possible DoS
152552 - CAN-2004-1073 looks unfixed in RHEL3
155234 - CAN-2005-0137 ia64 syscall_table DoS

6. RPMs required:

Red Hat Enterprise Linux AS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/kernel-2.4.21-27.0.4.EL.src.rpm
9abc6f839b6f0a520e14f77ebd232695 kernel-2.4.21-27.0.4.EL.src.rpm

i386:
9fbfd848c45689aedc8a8ca6bc695be5 kernel-2.4.21-27.0.4.EL.athlon.rpm
d4f3b5b5cfdef8586756c7a9af24a527 kernel-2.4.21-27.0.4.EL.i686.rpm
9928c02efefef214d1f4f5653875c075 kernel-BOOT-2.4.21-27.0.4.EL.i386.rpm
325a18ac740b0ece6c427d81af1b7ae0 kernel-doc-2.4.21-27.0.4.EL.i386.rpm
27cd78f5d6d17f80d8dbd4eb43a30eec kernel-hugemem-2.4.21-27.0.4.EL.i686.rpm
2aa825007fc1cb852b5c371db44c5909 kernel-hugemem-unsupported-2.4.21-27.0.4.EL.i686.rpm
752dcfb04c02b16b28610f62078d7b96 kernel-smp-2.4.21-27.0.4.EL.athlon.rpm
9b60e080e34efe40ab4a592966dc133b kernel-smp-2.4.21-27.0.4.EL.i686.rpm
a6d5f950e96c3ac929cc906a2eee1413 kernel-smp-unsupported-2.4.21-27.0.4.EL.athlon.rpm
da9f25472ea9bef181d913466fefe191 kernel-smp-unsupported-2.4.21-27.0.4.EL.i686.rpm
a22b277a5971a225df7441932a2fb793 kernel-source-2.4.21-27.0.4.EL.i386.rpm
736f0feedd86a8b226016358fab7adb9 kernel-unsupported-2.4.21-27.0.4.EL.athlon.rpm
2e73792aff62b9e8d3e1b065b0ea7a89 kernel-unsupported-2.4.21-27.0.4.EL.i686.rpm

ia64:
9f1e16737fcf947cda8542a7df6f0f8b kernel-2.4.21-27.0.4.EL.ia64.rpm
fde8cd81a07ff0694ce554b00e7dbc07 kernel-doc-2.4.21-27.0.4.EL.ia64.rpm
b646434a8fa1b9a7eb91afb417c229d1 kernel-source-2.4.21-27.0.4.EL.ia64.rpm
0390c3443876b0de3b193d84d859251d kernel-unsupported-2.4.21-27.0.4.EL.ia64.rpm

ppc:
7741e86ffde8e3b811eaa10b88ff3719 kernel-2.4.21-27.0.4.EL.ppc64iseries.rpm
50ca9beed2cab6c982d7551b9a9da883 kernel-2.4.21-27.0.4.EL.ppc64pseries.rpm
eb5f512c6fe2bdb321dee28461c7ef0c kernel-doc-2.4.21-27.0.4.EL.ppc64.rpm
0e287838ad66535182c633332e183d36 kernel-source-2.4.21-27.0.4.EL.ppc64.rpm
47e6f0f318afb7c96817444606feb815 kernel-unsupported-2.4.21-27.0.4.EL.ppc64iseries.rpm
d43b29927d2bad0a1958f76993609d9b kernel-unsupported-2.4.21-27.0.4.EL.ppc64pseries.rpm

s390:
c9d699236207e0f1e66fd422a1a93096 kernel-2.4.21-27.0.4.EL.s390.rpm
e436e4e5457db03aae0cfc2993463352 kernel-doc-2.4.21-27.0.4.EL.s390.rpm
1e0d2dbfff8e909d634349d0ba8f4e7f kernel-source-2.4.21-27.0.4.EL.s390.rpm
211363ee1e02f3aa10f54fbecd8c1ba1 kernel-unsupported-2.4.21-27.0.4.EL.s390.rpm

s390x:
e3f5671361bfa5ffd86d7b3d90053fcb kernel-2.4.21-27.0.4.EL.s390x.rpm
af836330d8aa58c823e64028445cc307 kernel-doc-2.4.21-27.0.4.EL.s390x.rpm
c7ab3b59c9eae8dc861162a7b57ce8cb kernel-source-2.4.21-27.0.4.EL.s390x.rpm
5950fb528167eba2d3eed49f3a7f5aef kernel-unsupported-2.4.21-27.0.4.EL.s390x.rpm

x86_64:
e2fcabc6dae9c8f9d3748374c120445b kernel-2.4.21-27.0.4.EL.x86_64.rpm
c326f94f327fb593fa19adbcf00efc58 kernel-2.4.21-27.0.4.EL.ia32e.rpm
c125001f1c31be0a290ff2ceb45a3347 kernel-doc-2.4.21-27.0.4.EL.x86_64.rpm
85562e1c0932125b0c7802af36ac9350 kernel-smp-2.4.21-27.0.4.EL.x86_64.rpm
54d374ca58eff6edde5e578665389afe kernel-smp-unsupported-2.4.21-27.0.4.EL.x86_64.rpm
2b61e4879a294cbd2fff6e1e2640ff91 kernel-source-2.4.21-27.0.4.EL.x86_64.rpm
546f618e79c0439a34453fa5957b3545 kernel-unsupported-2.4.21-27.0.4.EL.x86_64.rpm
a9b9faf1b37abfb96c26c8494779e67e kernel-unsupported-2.4.21-27.0.4.EL.ia32e.rpm

Red Hat Desktop version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/kernel-2.4.21-27.0.4.EL.src.rpm
9abc6f839b6f0a520e14f77ebd232695 kernel-2.4.21-27.0.4.EL.src.rpm

i386:
9fbfd848c45689aedc8a8ca6bc695be5 kernel-2.4.21-27.0.4.EL.athlon.rpm
d4f3b5b5cfdef8586756c7a9af24a527 kernel-2.4.21-27.0.4.EL.i686.rpm
9928c02efefef214d1f4f5653875c075 kernel-BOOT-2.4.21-27.0.4.EL.i386.rpm
325a18ac740b0ece6c427d81af1b7ae0 kernel-doc-2.4.21-27.0.4.EL.i386.rpm
27cd78f5d6d17f80d8dbd4eb43a30eec kernel-hugemem-2.4.21-27.0.4.EL.i686.rpm
2aa825007fc1cb852b5c371db44c5909 kernel-hugemem-unsupported-2.4.21-27.0.4.EL.i686.rpm
752dcfb04c02b16b28610f62078d7b96 kernel-smp-2.4.21-27.0.4.EL.athlon.rpm
9b60e080e34efe40ab4a592966dc133b kernel-smp-2.4.21-27.0.4.EL.i686.rpm
a6d5f950e96c3ac929cc906a2eee1413 kernel-smp-unsupported-2.4.21-27.0.4.EL.athlon.rpm
da9f25472ea9bef181d913466fefe191 kernel-smp-unsupported-2.4.21-27.0.4.EL.i686.rpm
a22b277a5971a225df7441932a2fb793 kernel-source-2.4.21-27.0.4.EL.i386.rpm
736f0feedd86a8b226016358fab7adb9 kernel-unsupported-2.4.21-27.0.4.EL.athlon.rpm
2e73792aff62b9e8d3e1b065b0ea7a89 kernel-unsupported-2.4.21-27.0.4.EL.i686.rpm

x86_64:
e2fcabc6dae9c8f9d3748374c120445b kernel-2.4.21-27.0.4.EL.x86_64.rpm
c326f94f327fb593fa19adbcf00efc58 kernel-2.4.21-27.0.4.EL.ia32e.rpm
c125001f1c31be0a290ff2ceb45a3347 kernel-doc-2.4.21-27.0.4.EL.x86_64.rpm
85562e1c0932125b0c7802af36ac9350 kernel-smp-2.4.21-27.0.4.EL.x86_64.rpm
54d374ca58eff6edde5e578665389afe kernel-smp-unsupported-2.4.21-27.0.4.EL.x86_64.rpm
2b61e4879a294cbd2fff6e1e2640ff91 kernel-source-2.4.21-27.0.4.EL.x86_64.rpm
546f618e79c0439a34453fa5957b3545 kernel-unsupported-2.4.21-27.0.4.EL.x86_64.rpm
a9b9faf1b37abfb96c26c8494779e67e kernel-unsupported-2.4.21-27.0.4.EL.ia32e.rpm

Red Hat Enterprise Linux ES version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/kernel-2.4.21-27.0.4.EL.src.rpm
9abc6f839b6f0a520e14f77ebd232695 kernel-2.4.21-27.0.4.EL.src.rpm

i386:
9fbfd848c45689aedc8a8ca6bc695be5 kernel-2.4.21-27.0.4.EL.athlon.rpm
d4f3b5b5cfdef8586756c7a9af24a527 kernel-2.4.21-27.0.4.EL.i686.rpm
9928c02efefef214d1f4f5653875c075 kernel-BOOT-2.4.21-27.0.4.EL.i386.rpm
325a18ac740b0ece6c427d81af1b7ae0 kernel-doc-2.4.21-27.0.4.EL.i386.rpm
27cd78f5d6d17f80d8dbd4eb43a30eec kernel-hugemem-2.4.21-27.0.4.EL.i686.rpm
2aa825007fc1cb852b5c371db44c5909 kernel-hugemem-unsupported-2.4.21-27.0.4.EL.i686.rpm
752dcfb04c02b16b28610f62078d7b96 kernel-smp-2.4.21-27.0.4.EL.athlon.rpm
9b60e080e34efe40ab4a592966dc133b kernel-smp-2.4.21-27.0.4.EL.i686.rpm
a6d5f950e96c3ac929cc906a2eee1413 kernel-smp-unsupported-2.4.21-27.0.4.EL.athlon.rpm
da9f25472ea9bef181d913466fefe191 kernel-smp-unsupported-2.4.21-27.0.4.EL.i686.rpm
a22b277a5971a225df7441932a2fb793 kernel-source-2.4.21-27.0.4.EL.i386.rpm
736f0feedd86a8b226016358fab7adb9 kernel-unsupported-2.4.21-27.0.4.EL.athlon.rpm
2e73792aff62b9e8d3e1b065b0ea7a89 kernel-unsupported-2.4.21-27.0.4.EL.i686.rpm

ia64:
9f1e16737fcf947cda8542a7df6f0f8b kernel-2.4.21-27.0.4.EL.ia64.rpm
fde8cd81a07ff0694ce554b00e7dbc07 kernel-doc-2.4.21-27.0.4.EL.ia64.rpm
b646434a8fa1b9a7eb91afb417c229d1 kernel-source-2.4.21-27.0.4.EL.ia64.rpm
0390c3443876b0de3b193d84d859251d kernel-unsupported-2.4.21-27.0.4.EL.ia64.rpm

x86_64:
e2fcabc6dae9c8f9d3748374c120445b kernel-2.4.21-27.0.4.EL.x86_64.rpm
c326f94f327fb593fa19adbcf00efc58 kernel-2.4.21-27.0.4.EL.ia32e.rpm
c125001f1c31be0a290ff2ceb45a3347 kernel-doc-2.4.21-27.0.4.EL.x86_64.rpm
85562e1c0932125b0c7802af36ac9350 kernel-smp-2.4.21-27.0.4.EL.x86_64.rpm
54d374ca58eff6edde5e578665389afe kernel-smp-unsupported-2.4.21-27.0.4.EL.x86_64.rpm
2b61e4879a294cbd2fff6e1e2640ff91 kernel-source-2.4.21-27.0.4.EL.x86_64.rpm
546f618e79c0439a34453fa5957b3545 kernel-unsupported-2.4.21-27.0.4.EL.x86_64.rpm
a9b9faf1b37abfb96c26c8494779e67e kernel-unsupported-2.4.21-27.0.4.EL.ia32e.rpm

Red Hat Enterprise Linux WS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/kernel-2.4.21-27.0.4.EL.src.rpm
9abc6f839b6f0a520e14f77ebd232695 kernel-2.4.21-27.0.4.EL.src.rpm

i386:
9fbfd848c45689aedc8a8ca6bc695be5 kernel-2.4.21-27.0.4.EL.athlon.rpm
d4f3b5b5cfdef8586756c7a9af24a527 kernel-2.4.21-27.0.4.EL.i686.rpm
9928c02efefef214d1f4f5653875c075 kernel-BOOT-2.4.21-27.0.4.EL.i386.rpm
325a18ac740b0ece6c427d81af1b7ae0 kernel-doc-2.4.21-27.0.4.EL.i386.rpm
27cd78f5d6d17f80d8dbd4eb43a30eec kernel-hugemem-2.4.21-27.0.4.EL.i686.rpm
2aa825007fc1cb852b5c371db44c5909 kernel-hugemem-unsupported-2.4.21-27.0.4.EL.i686.rpm
752dcfb04c02b16b28610f62078d7b96 kernel-smp-2.4.21-27.0.4.EL.athlon.rpm
9b60e080e34efe40ab4a592966dc133b kernel-smp-2.4.21-27.0.4.EL.i686.rpm
a6d5f950e96c3ac929cc906a2eee1413 kernel-smp-unsupported-2.4.21-27.0.4.EL.athlon.rpm
da9f25472ea9bef181d913466fefe191 kernel-smp-unsupported-2.4.21-27.0.4.EL.i686.rpm
a22b277a5971a225df7441932a2fb793 kernel-source-2.4.21-27.0.4.EL.i386.rpm
736f0feedd86a8b226016358fab7adb9 kernel-unsupported-2.4.21-27.0.4.EL.athlon.rpm
2e73792aff62b9e8d3e1b065b0ea7a89 kernel-unsupported-2.4.21-27.0.4.EL.i686.rpm

ia64:
9f1e16737fcf947cda8542a7df6f0f8b kernel-2.4.21-27.0.4.EL.ia64.rpm
fde8cd81a07ff0694ce554b00e7dbc07 kernel-doc-2.4.21-27.0.4.EL.ia64.rpm
b646434a8fa1b9a7eb91afb417c229d1 kernel-source-2.4.21-27.0.4.EL.ia64.rpm
0390c3443876b0de3b193d84d859251d kernel-unsupported-2.4.21-27.0.4.EL.ia64.rpm

x86_64:
e2fcabc6dae9c8f9d3748374c120445b kernel-2.4.21-27.0.4.EL.x86_64.rpm
c326f94f327fb593fa19adbcf00efc58 kernel-2.4.21-27.0.4.EL.ia32e.rpm
c125001f1c31be0a290ff2ceb45a3347 kernel-doc-2.4.21-27.0.4.EL.x86_64.rpm
85562e1c0932125b0c7802af36ac9350 kernel-smp-2.4.21-27.0.4.EL.x86_64.rpm
54d374ca58eff6edde5e578665389afe kernel-smp-unsupported-2.4.21-27.0.4.EL.x86_64.rpm
2b61e4879a294cbd2fff6e1e2640ff91 kernel-source-2.4.21-27.0.4.EL.x86_64.rpm
546f618e79c0439a34453fa5957b3545 kernel-unsupported-2.4.21-27.0.4.EL.x86_64.rpm
a9b9faf1b37abfb96c26c8494779e67e kernel-unsupported-2.4.21-27.0.4.EL.ia32e.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0075
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0177
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0814
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1058
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1073
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0135
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0137
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0204
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0384
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0403
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0449
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0736
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0749
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0750

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at https://www.redhat.com/security/team/contact/

Copyright 2005 Red Hat, Inc.