LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 24, 2012

A uTouch architecture introduction

LWN.net Weekly Edition for May 17, 2012

Tasting the Ice Cream Sandwich

Highlights from the PostgreSQL 9.2 beta

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

kernel: several vulnerabilities

Package(s):kernel CVE #(s):CVE-2007-3851 CVE-2007-3848 CVE-2007-3105
Created:August 17, 2007 Updated:January 8, 2009
Description: The drm/i915 component in the Linux kernel before 2.6.22.2, when used with i965G and later chipsets, allows local users with access to an X11 session and Direct Rendering Manager (DRM) to write to arbitrary memory locations and gain privileges via a crafted batchbuffer. (CVE-2007-3851)

Linux kernel 2.4.35 and other versions allows local users to send arbitrary signals to a child process that is running at higher privileges by causing a setuid-root parent process to die, which delivers an attacker-controlled parent process death signal (PR_SET_PDEATHSIG). (CVE-2007-3848)

Stack-based buffer overflow in the random number generator (RNG) implementation in the Linux kernel before 2.6.22 might allow local root users to cause a denial of service or gain privileges by setting the default wakeup threshold to a value greater than the output pool size, which triggers writing random numbers to the stack by the pool transfer function involving "bound check ordering". NOTE: this issue might only cross privilege boundaries in environments that have granular assignment of privileges for root. (CVE-2007-3105)

Alerts:
Red Hat RHSA-2008:0787-01 2009-01-05
Red Hat RHSA-2009:0001-01 2009-01-08
Mandriva MDVSA-2008:105 2007-05-21
SuSE SUSE-SA:2008:017 2008-03-28
Debian DSA-1504 2008-02-22
Debian DSA-1503-2 2008-03-06
Debian DSA-1503 2008-02-22
SuSE SUSE-SA:2008:006 2008-02-07
Red Hat RHSA-2007:1049-01 2007-12-03
SuSE SUSE-SA:2007:053 2007-10-12
Debian DSA-1356-1 2007-08-15
Mandriva MDKSA-2007:216 2007-11-13
Red Hat RHSA-2007:0939-01 2007-11-01
Red Hat RHSA-2007:0940-01 2007-10-22
Red Hat RHSA-2007:0705-01 2007-09-13
SuSE SUSE-SA:2007:051 2007-09-06
Fedora FEDORA-2007-679 2007-09-04
Ubuntu USN-510-1 2007-08-31
Debian DSA-1363-1 2007-08-31
Ubuntu USN-508-1 2007-08-31
Ubuntu USN-509-1 2007-08-31
Fedora FEDORA-2007-1785 2007-08-23
rPath rPSA-2007-0164-1 2007-08-16
(Log in to post comments)

kernel: several vulnerabilities

Posted Aug 23, 2007 11:57 UTC (Thu) by nix (subscriber, #2304) [Link]

No: 2.4.35 and kernels before 2.6.22.3 allow local users to send such signals by causing a *non-privileged*, attacker-controlled parent process to die: before dying it forks, sets the parent process death signal and kicks off a setuid child.

Now when it dies it hits the setuid *child* with whatever signal it chose.

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds