----- Original Message -----
From: "Sebastian Krahmer" <krahmer@suse.de>
To: <bugtraq@securityfocus.com>
Sent: Tuesday, August 12, 2003 8:57 AM
Subject: SuSE Security Announcement: kernel (SuSE-SA:2003:034)

> -----BEGIN PGP SIGNED MESSAGE-----
>
> ______________________________________________________________________________
>
>                         SuSE Security Announcement
>
>         Package:                kernel
>         Announcement-ID:        SuSE-SA:2003:034
>         Date:                   Tue Aug 12 18:15:00 CEST 2003
>         Affected products:      7.2, 7.3, 8.0, 8.1, 8.2
>                                 SuSE Linux Database Server,
>                                 SuSE eMail Server III, 3.1
>                                 SuSE Linux Enterprise Server 7, 8
>                                 SuSE Linux Firewall on CD/Admin host
>                                 SuSE Linux Connectivity Server
>                                 SuSE Linux Office Server
>                                 SuSE Linux Openexchange Server
>                                 SuSE Linux Desktop 1.0
>                                 United Linux 1.0
>         Vulnerability Type:     local privilege escalation,
>                                 remote Denial of Service (DoS)
>         Severity (1-10):        7
>         SuSE default package:   yes
>         Cross References:       CAN-2003-0476
>                                 CAN-2003-0501
>                                 CAN-2003-0464
>
>     Content of this advisory:
>         1) security vulnerability resolved: a race condition in the ELF loader,
>            a minor information leakage problem in the proc-fs,
>            re-binding problem of UDP port 2049 sockets,
>            DoS in netfilter and NFSv3 code
>         2) pending vulnerabilities, solutions, workarounds:
>             - xfstt
>             - heartbeat
>             - KDE config files
>             - several minor bug fixes
>         3) standard appendix (further information)
>
> ______________________________________________________________________________
>
> 1) problem description, brief discussion, solution, upgrade information
>
>     During the last weeks a couple of security relevant fixes have been
>     accumulated for the kernel. These fix local vulnerabilities and
>     remote DoS conditions.
>     The list of the fixed vulnerabilities is
>     as follows:
>
>     - fix for a possible denial of service attack (DoS) in the routing code
>     - fix for a possible attack of an unprivileged user via ioport
>     - fix for a re-binding problem of UDP port 2049 (NFS) sockets
>     - fix for a kernel panic with pptpd when mss > mtu
>     - fix for console redirect bug
>     - fix for the execve() file read race vulnerability
>     - fix for several race conditions in procfs
>     - fix for possible DoS in netfilter code
>     - fix for possible DoS in NFSv3 code
>
>     Not all kernel-versions are affected by all of these vulnerabilities.
>     However, since there is no easy workaround for all of the vulnerabilities,
>     we recommend an update of the kernel package.
>
>     Please follow the steps in the "SPECIAL INSTALL INSTRUCTIONS" section to
>     update your system.
>
>     Note: Managing the necessary patches, building and mostly testing
>     kernel update packages is an extremely worksome and therefore also
>     time-consuming process. SuSE wishes to provide the same quality and
>     reliability in update packages as customers are used to from the
>     shipped original products. Even though our kernel updates are
>     thoroughly tested, the numerous possible hardware configurations for the
>     x86 platform give a certain probability for a functional failure of
>     parts of the kernel after the update has been performed. Some of the
>     possible failures cannot be handled by SuSE by definition. These
>     include (and are not limited to) possible problems with NVIDIA chipset
>     graphics boards that make use of hardware 3D acceleration.
>     SuSE cannot deliver the binary only driver for the NVIDIA graphics
>     boards in the kernel RPM. It is known that the NVIDIA hardware acceleration
>     will not continue to work after a reboot, resulting in a failure to start
>     the X-server.
>     Hardware acceleration support for NVIDIA graphics chipsets on
>     SuSE Linux 8.1 and 8.2 will be automatically disabled if the kernel update
>     is performed by YOU (Yast Online Update). If you are committing the update
>     by hand (necessary for SuSE Linux 8.0 and older), you should either turn
>     off hardware acceleration support for your X Server configuration, or you
>     may want to link the acceleration driver with binaries directly from
>     nvidia's ftp server yourself, using the provided kernel-source RPM package.
>
>     The kernel of a Linux system is the most critical component with respect
>     to stability, reliability and security. By consequence, an update of that
>     component requires some care and full attention to succeed.
>
>     SPECIAL INSTALL INSTRUCTIONS:
>     ==============================
>     The following paragraphs will guide you through the installation
>     process in a step-by-step fashion. The character sequence "****"
>     marks the beginning of a new paragraph. In some cases, you decide
>     if the paragraph is needed for you or not. Please read through all
>     of the steps down to the end. All of the commands that need to be
>     executed are required to be run as the superuser (root). Each step
>     relies on the steps before to complete successfully.
>
>
>   **** Step 1: Determine the needed kernel type
>
>     Please use the following command to find the kernel type that is
>     installed on your system:
>
>       rpm -qf /boot/vmlinuz
>
>     The following options are possible (disregarding the version and build
>     number following the name, separated by the "-" character):
>
>       k_deflt   # default kernel, good for most systems.
>       k_i386    # kernel for older processors and chipsets
>       k_athlon  # kernel made specifically for AMD Athlon(tm) family processors
>       k_psmp    # kernel for Pentium-I dual processor systems
>       k_smp     # kernel for SMP systems (Pentium-II and above)
>
>   **** Step 2: Download the package for your system
>
>     Please download the kernel RPM package for your distribution with the
>     name starting as indicated by Step 1. The list of all kernel rpm
>     packages is appended below. Note: The kernel-source package does not
>     contain any binary kernel in bootable form. Instead, it contains the
>     sources that the binary kernel rpm packages are made from. It can be
>     used by administrators who have decided to build their own kernel.
>     Since the kernel-source.rpm is an installable (compiled) package that
>     contains sources for the linux kernel, it is not the source RPM for
>     the kernel RPM binary packages.
>
>     The kernel RPM binary packages for the distributions can be found at these
>     locations under ftp://ftp.suse.com/pub/suse/i386/update/ :
>
>       7.2/kernel/2.4.18-20030812
>       7.3/kernel/2.4.18-20030812
>       8.0/kernel/2.4.18-20030812
>       8.1/rpm/i586
>       8.2/rpm/i586
>
>     After downloading the kernel RPM package for your system, you should
>     verify the authenticity of the kernel rpm package using the methods as
>     listed in section 3) of each SuSE Security Announcement.
>
>
>   **** Step 3: Installing your kernel rpm package
>
>     Install the rpm package that you have downloaded in Steps 3 or 4 with
>     the command
>         rpm -Uhv --nodeps --force <K_FILE.RPM>
>     where <K_FILE.RPM> is the name of the rpm package that you downloaded.
>
>     Warning: After performing this step, your system will likely not be
>              able to boot if the following steps have not been fully
>              applied.
>
>
>     If you run SuSE Linux 8.1 and use the freeswan package, you also need
>     to update the freeswan rpm as a dependency as offered by YOU (Yast
>     Online Update).
>     The package can be downloaded from
>     ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/
>
>   **** Step 4: configuring and creating the initrd
>
>     The initrd is a ramdisk that is being loaded into the memory of your
>     system together with the kernel boot image by the bootloader. The
>     kernel uses the content of this ramdisk to execute commands that must
>     be run before the kernel can mount its actual root filesystem. It is
>     usually used to initialize scsi drivers or NIC drivers for diskless
>     operation.
>
>     The variable INITRD_MODULES (set in the files /etc/rc.config up to
>     7.3) or /etc/sysconfig/kernel (after and including 8.0)) determines
>     which kernel modules will be loaded in the initrd before the kernel
>     has mounted its actual root filesystem. The variable should contain
>     your scsi adapter (if any) or filesystem driver modules.
>
>     With the installation of the new kernel, the initrd has to be
>     re-packed with the update kernel modules. Please run the command
>
>       mk_initrd
>
>     as root to create a new init ramdisk (initrd) for your system.
>
>
>   **** Step 5: bootloader
>
>     If you have a 7.x system, you must now run the command
>
>       lilo
>
>     as root to initialize the lilo bootloader for your system. Then
>     proceed to the next step.
>
>     If you run a SuSE Linux 8.x or a SLES8 system, there are two options:
>     Depending on your software configuration, you have the lilo bootloader
>     or the grub bootloader installed and initialized on your system.
>     The grub bootloader does not require any further actions to be
>     performed after the new kernel images have been moved in place by the
>     rpm Update command.
>     If you have a lilo bootloader installed and initialized, then the lilo
>     program must be run as root. Use the command
>
>       grep LOADER_TYPE /etc/sysconfig/bootloader
>
>     to find out which boot loader is configured. If it is lilo, then you
>     must run the lilo command as root. If grub is listed, then your system
>     does not require any bootloader initialization.
>
>     Warning: An improperly installed bootloader may render your system
>              unbootable.
>
>   **** Step 6: reboot
>
>     If all of the steps above have been successfully applied to your
>     system, then the new kernel including the kernel modules and the
>     initrd should be ready to boot. The system needs to be rebooted for
>     the changes to become active. Please make sure that all steps are
>     complete, then reboot using the command
>         shutdown -r now
>     or
>         init 6
>
>     Your system should now shut down and reboot with the new kernel.
>
>
>     Download sources for all kernel RPM packages:
>     Our maintenance customers are being notified individually. The packages
>     are being offered to install from the maintenance web.
>
>     Due to the large amount of package-names you will not find the usual
>     list of package-names with the corresponding MD5 sums here. However the
>     integrity of the packages is ensured and can be verified as described in
>     section 3.2.
>
> ______________________________________________________________________________
>
> 2) Pending vulnerabilities in SuSE Distributions and Workarounds:
>
>     - xfstt
>       The X truetype font-server can be crashed by sending
>       malicious packets over the network. It may even be
>       possible to execute arbitrary commands with the
>       privileges of the xfstt server.
>       Update packages are available on our FTP servers now.
>
>     - heartbeat
>       New heartbeat packages which fix an overflow are available on our
>       ftp servers.
>
>     - KDE config files
>       Due to a mistake some files in /etc/opt/kde3/share/config/
>       of SuSE Linux 8.2 are world-writeable. Under certain
>       circumstances these files can be used to gain higher
>       privileges. Please add an entry for each file in your
>       /etc/permissions.local file. Example:
>       /etc/opt/kde3/share/config/kmailrc root.root 0644
>
>       This bug was reported by nordi <nordi@addcom.de>.
>
>     - several minor bug fixes
>       There are a lot more minor security updates in the queue.
>       YOU (Yast
>       Online Update) will inform you when they appear. Alternatively you
>       may want to monitor the following website:
>       http://www.suse.de/de/private/download/updates/index.html
>       or:
>       http://www.suse.de/en/private/download/updates/index.html
>
> ______________________________________________________________________________
>
> 3) standard appendix: authenticity verification, additional information
>
>   - Package authenticity verification:
>
>     SuSE update packages are available on many mirror ftp servers all over
>     the world. While this service is being considered valuable and important
>     to the free and open source software community, many users wish to be
>     sure about the origin of the package and its content before installing
>     the package. There are two verification methods that can be used
>     independently from each other to prove the authenticity of a downloaded
>     file or rpm package:
>     1) md5sums as provided in the (cryptographically signed) announcement.
>     2) using the internal gpg signatures of the rpm package.
>
>     1) execute the command
>         md5sum <name-of-the-file.rpm>
>        after you downloaded the file from a SuSE ftp server or its mirrors.
>        Then, compare the resulting md5sum with the one that is listed in the
>        announcement. Since the announcement containing the checksums is
>        cryptographically signed (usually using the key security@suse.de),
>        the checksums show proof of the authenticity of the package.
>        We disrecommend to subscribe to security lists which cause the
>        email message containing the announcement to be modified so that
>        the signature does not match after transport through the mailing
>        list software.
>        Downsides: You must be able to verify the authenticity of the
>        announcement in the first place. If RPM packages are being rebuilt
>        and a new version of a package is published on the ftp server, all
>        md5 sums for the files are useless.
>
>     2) rpm package signatures provide an easy way to verify the authenticity
>        of an rpm package.
>        Use the command
>         rpm -v --checksig <file.rpm>
>        to verify the signature of the package, where <file.rpm> is the
>        filename of the rpm package that you have downloaded. Of course,
>        package authenticity verification can only target an un-installed rpm
>        package file.
>        Prerequisites:
>         a) gpg is installed
>         b) The package is signed using a certain key. The public part of this
>            key must be installed by the gpg program in the directory
>            ~/.gnupg/ under the user's home directory who performs the
>            signature verification (usually root). You can import the key
>            that is used by SuSE in rpm packages for SuSE Linux by saving
>            this announcement to a file ("announcement.txt") and
>            running the command (do "su -" to be root):
>             gpg --batch; gpg < announcement.txt | gpg --import
>            SuSE Linux distributions version 7.1 and thereafter install the
>            key "build@suse.de" upon installation or upgrade, provided that
>            the package gpg is installed. The file containing the public key
>            is placed at the top-level directory of the first CD (pubring.gpg)
>            and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .
>
>
>   - SuSE runs two security mailing lists to which any interested party may
>     subscribe:
>
>     suse-security@suse.com
>         -   general/linux/SuSE security discussion.
>             All SuSE security announcements are sent to this list.
>             To subscribe, send an email to
>                 <suse-security-subscribe@suse.com>.
>
>     suse-security-announce@suse.com
>         -   SuSE's announce-only mailing list.
>             Only SuSE's security announcements are sent to this list.
>             To subscribe, send an email to
>                 <suse-security-announce-subscribe@suse.com>.
>
>     For general information or the frequently asked questions (faq)
>     send mail to:
>         <suse-security-info@suse.com> or
>         <suse-security-faq@suse.com> respectively.
>
>     =====================================================================
>     SuSE's security contact is <security@suse.com> or <security@suse.de>.
>     The <security@suse.de> public key is listed below.
>     =====================================================================
> ______________________________________________________________________________
>
>     The information in this advisory may be distributed or reproduced,
>     provided that the advisory is not modified in any way. In particular,
>     it is desired that the clear-text signature shows proof of the
>     authenticity of the text.
>     SuSE Linux AG makes no warranties of any kind whatsoever with respect
>     to the information contained in this security advisory.
>
> Type Bits/KeyID     Date       User ID
> pub  2048R/3D25D3D9 1999-03-06 SuSE Security Team <security@suse.de>
> pub  1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de>
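
The branch points in Steps 1, 4 and 5 of the quoted advisory (kernel package type, where INITRD_MODULES lives, whether lilo has to be re-run) can be scripted as a pre-reboot checklist. This is an added example, not part of the original message and not SuSE tooling: the function names, the release argument format and the sample file are assumptions; the package names, paths and commands are the ones the advisory gives.

```shell
#!/bin/sh
# Added example (not SuSE tooling): decision logic of Steps 1, 4 and 5.
# Function names are hypothetical; package names, paths and commands are the advisory's.

# Step 1: reduce `rpm -qf /boot/vmlinuz` output to the kernel package type by
# dropping the version and build number that follow the first "-".
kernel_type() {
    name=${1%%-*}
    case $name in
        k_deflt|k_i386|k_athlon|k_psmp|k_smp) printf '%s\n' "$name" ;;
        *) return 1 ;;   # not one of the types the advisory lists
    esac
}

# Step 4: file that holds INITRD_MODULES for a given release (assumed "7.x"/"8.x" form).
initrd_modules_file() {
    case $1 in
        7.*) printf '%s\n' /etc/rc.config ;;
        8.*) printf '%s\n' /etc/sysconfig/kernel ;;
        *) return 1 ;;
    esac
}

# Step 5: read LOADER_TYPE from a sysconfig-style file. Unlike a plain grep,
# this ignores comment lines that merely mention the variable name.
loader_type() {
    sed -n 's/^[[:space:]]*LOADER_TYPE=//p' "$1" | tail -n 1 | tr -d "\"'"
}

# Print, one per line, the commands still to run after `rpm -Uhv` (Steps 4 to 6).
# $1 = release (e.g. 7.3, 8.1), $2 = bootloader config file (read for 8.x only).
post_install_commands() {
    case $1 in
        7.*) run_lilo=yes ;;
        8.*) case $(loader_type "$2") in
                 lilo) run_lilo=yes ;;
                 grub) run_lilo=no ;;      # grub needs no further action
                 *) return 2 ;;            # missing or unknown: check by hand
             esac ;;
        *) return 1 ;;
    esac
    echo mk_initrd
    if [ "$run_lilo" = yes ]; then echo lilo; fi
    echo "shutdown -r now"
}

# Constructed demo input; on a real system pass /etc/sysconfig/bootloader.
demo=$(mktemp) && printf '# LOADER_TYPE: lilo or grub\nLOADER_TYPE="grub"\n' > "$demo"
kernel_type "k_athlon-2.4.18-0"      # constructed version string
post_install_commands 8.1 "$demo"
rm -f "$demo"
```

A return status of 2 from `post_install_commands` means the bootloader type could not be determined, which is the case the advisory's "improperly installed bootloader" warning is about; nothing is printed so the reboot step cannot be copied by accident.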