[Secure-testing-team] Re: Three more security problems in the 2.6 kernel
Horms
horms at debian.org
Wed Oct 12 06:13:34 UTC 2005
On Tue, Oct 11, 2005 at 10:30:42PM +0200, Moritz Muehlenhoff wrote:
> Horms wrote:
> > > I found three more security related reports/patches on linux-kernel.
> >
> > As mentioned elsewhere, the first (request_key_auth memleak) is CAN-2005-3119.
> > Can we get CAN numbers for the other two?
>
> Here they are:
Thanks, I'll get them into svn and my patch_notes space ASAP.
> > > From: Dave Jones <davej at redhat.com>
> > >
> > > Please consider for next 2.6.13, it is a minor security issue allowing
> > > users to turn on drm debugging when they shouldn't...
>
> ======================================================
> Candidate: CAN-2005-3179
> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3179
> Reference: CONFIRM:http://www.kernel.org/hg/linux-2.6/?cmd=changeset;node=d7067d7d1f92cba14963a430cfbd53098cbbc8fd
> Reference: CONFIRM:http://bugs.gentoo.org/show_bug.cgi?id=107893
>
> drm.c in Linux kernel 2.6.13 and earlier creates a debug file in sysfs
> with world-readable and world-writable permissions, which allows local
> users to enable DRM debugging and obtain sensitive information.
>
>
> > > From: Pavel Roskin <proski at gnu.org>
> > >
> > > The orinoco driver can send uninitialized data exposing random pieces of
> > > the system memory. This happens because data is not padded with zeroes
> > > when its length needs to be increased.
>
> ======================================================
> Candidate: CAN-2005-3180
> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3180
> Reference: CONFIRM:http://www.kernel.org/hg/linux-2.6/?cmd=changeset;node=feecb2ffde28639e60ede769c6f817dc536c677b
>
> The Orinoco driver (orinoco.c) in Linux kernel 2.6.13 and earlier does
> not properly clear memory from a previously used packet whose length
> is increased, which allows remote attackers to obtain sensitive
> information.
--
Horms