CVE-2009-3001 – Linux Kernel 2.6.31-rc7 - 'AF_LLC getsockname' 5-Byte Stack Disclosure
https://notcve.org/view.php?id=CVE-2009-3001
The llc_ui_getname function in net/llc/af_llc.c in the Linux kernel 2.6.31-rc7 and earlier does not initialize a certain data structure, which allows local users to read the contents of some kernel memory locations by calling getsockname on an AF_LLC socket. La función llc_ui_getname en net/llc/af_llc.c del kernel de Linux v2.6.31-rc7 y anteriores no inicializa cierta estructura de datos, lo que permite leer a los usuarios locales el contenido de algunas celdas de memoria del núcleo llamando a la función getsockname a través de un socket AF_LLC. • https://www.exploit-db.com/exploits/9513 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=28e9fc592cb8c7a43e4d3147b38be6032a0e81bc http://jon.oberheide.org/files/llc-getsockname-leak.c http://secunia.com/advisories/37105 http://www.exploit-db.com/exploits/9513 http://www.openwall.com/lists/oss-security/2009/08/26/1 http://www.securityfocus.com/bid/36126 http://www.ubuntu.com/usn/USN-852-1 https://bugzilla.redhat.com/show_bug.cgi?id=519 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2009-3002 – Linux Kernel 2.6.30 - 'atalk_getname()' 8-bytes Stack Disclosure
https://notcve.org/view.php?id=CVE-2009-3002
The Linux kernel before 2.6.31-rc7 does not initialize certain data structures within getname functions, which allows local users to read the contents of some kernel memory locations by calling getsockname on (1) an AF_APPLETALK socket, related to the atalk_getname function in net/appletalk/ddp.c; (2) an AF_IRDA socket, related to the irda_getname function in net/irda/af_irda.c; (3) an AF_ECONET socket, related to the econet_getname function in net/econet/af_econet.c; (4) an AF_NETROM socket, related to the nr_getname function in net/netrom/af_netrom.c; (5) an AF_ROSE socket, related to the rose_getname function in net/rose/af_rose.c; or (6) a raw CAN socket, related to the raw_getname function in net/can/raw.c. El kernel de Linux antes de v2.6.31-rc7 no inicializa ciertas estructuras de datos dentro de las funciones getname, lo que permite a usuarios locales leer el contenido de algunas celdas de memoria del núcleo llamando a getsockname en (1) un socket AF_APPLETALK, relacionado con la función atalk_getname en net/appletalk/ddp.c; (2) un socket AF_IRDA, relacionado con la función irda_getname en net/irda/af_irda.c; (3) un socket AF_ECONET, relacionado con la función econet_getname en net/econet/af_econet.c; (4) un socket AF_NETROM, relacionado con la función nr_getname en net/netrom/af_netrom.c; (5) un socket AF_ROSE, relacionado con la función rose_getname en net/rose/af_rose.c, o (6) un raw socket CAN , relacionado con la función raw_getname en net/can/raw.c. • https://www.exploit-db.com/exploits/9521 https://www.exploit-db.com/exploits/9543 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=09384dfc76e526c3993c09c42e016372dc9dd22c http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=17ac2e9c58b69a1e25460a568eae1b0dc0188c25 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=3d392475c873c10c10d6d96b94d092a34ebd4791 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2009-2698 – Linux Kernel < 2.6.19 (Debian 4) - 'udp_sendmsg' Local Privilege Escalation
https://notcve.org/view.php?id=CVE-2009-2698
The udp_sendmsg function in the UDP implementation in (1) net/ipv4/udp.c and (2) net/ipv6/udp.c in the Linux kernel before 2.6.19 allows local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via vectors involving the MSG_MORE flag and a UDP socket. La función udp_sendmsg en la implementación UDP en los archivos (1) net/ipv4/udp.c y (2) net/ipv6/udp.c en el kernel de Linux anterior a versión 2.6.19, permite a los usuarios locales obtener privilegios o causar una denegación de servicio (Desreferencia de puntero NULL y bloqueo de sistema) por medio de vectores que involucran el flag MSG_MORE y un socket UDP. • https://www.exploit-db.com/exploits/9575 https://www.exploit-db.com/exploits/9574 https://www.exploit-db.com/exploits/9542 https://github.com/xiaoxiaoleo/CVE-2009-2698 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=1e0c14f49d6b393179f423abbac47f85618d3d46 http://lists.opensuse.org/opensuse-security-announce/2009-08/msg00008.html http://rhn.redhat.com/errata/RHSA-2009-1222.html http://rhn.redhat.com/errata/RHSA-2009-1223.html http://secunia.com • CWE-476: NULL Pointer Dereference •
CVE-2009-2474 – neon: Improper verification of x509v3 certificate with NULL (zero) byte in certain fields
https://notcve.org/view.php?id=CVE-2009-2474
neon before 0.28.6, when OpenSSL or GnuTLS is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. neon, en versiones anteriores a la 0.28.6, cuando OpenSSL está habilitado, no maneja adecuadamente un caracter '\0' en un nombre de dominio, en el campo Common Name (CN) del asunto de un certificado X.509, lo cual permite a atacacantes hombre-en-el-medio (man-in-the-middle) suplantar servidores SSL a su elección a través de certificados manipulados expedidos por una Autoridad de Certificación (CA) legítima, una cuestión relacionada con CVE-2009-2408. • http://lists.apple.com/archives/security-announce/2010//Nov/msg00000.html http://lists.manyfish.co.uk/pipermail/neon/2009-August/001044.html http://lists.manyfish.co.uk/pipermail/neon/2009-August/001046.html http://secunia.com/advisories/36371 http://secunia.com/advisories/36799 http://support.apple.com/kb/HT4435 http://www.mandriva.com/security/advisories?name=MDVSA-2009:221 http://www.securityfocus.com/bid/36079 http://www.ubuntu.com/usn/usn-835-1 http://www.vupen • CWE-326: Inadequate Encryption Strength •
CVE-2009-2848 – kernel: execve: must clear current->clear_child_tid
https://notcve.org/view.php?id=CVE-2009-2848
The execve function in the Linux kernel, possibly 2.6.30-rc6 and earlier, does not properly clear the current->clear_child_tid pointer, which allows local users to cause a denial of service (memory corruption) or possibly gain privileges via a clone system call with CLONE_CHILD_SETTID or CLONE_CHILD_CLEARTID enabled, which is not properly handled during thread creation and exit. Una función execve en el kernel de Linux, posiblemente versión 2.6.30-rc6 y anteriores, no borra apropiadamente el puntero de current-)clear_child_tid, lo que permite a los usuarios locales causar una denegación de servicio (corrupción de memoria) o posiblemente alcanzar privilegios por medio de un sistema de clonación que llama con CLONE_CHILD_SETTID o CLONE_CHILD_CLEARTID habilitadas, que no son manejados apropiadamente durante la creación y salida de hilos (subprocesos). • http://article.gmane.org/gmane.linux.kernel/871942 http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00005.html http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00007.html http://lists.opensuse.org/opensuse-security-announce/2010-02/msg00005.html http://rhn.redhat.com/errata/RHSA-2009-1243.html http://secunia.com/advisories/35983 http://secunia.com/advisories/36501 http://secunia.com/advisories/36562 http://secunia.com/advisories/36759 http://secunia.com • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-269: Improper Privilege Management •