CVE-2009-3001 – Linux Kernel 2.6.31-rc7 - 'AF_LLC getsockname' 5-Byte Stack Disclosure
https://notcve.org/view.php?id=CVE-2009-3001
The llc_ui_getname function in net/llc/af_llc.c in the Linux kernel 2.6.31-rc7 and earlier does not initialize a certain data structure, which allows local users to read the contents of some kernel memory locations by calling getsockname on an AF_LLC socket. La función llc_ui_getname en net/llc/af_llc.c del kernel de Linux v2.6.31-rc7 y anteriores no inicializa cierta estructura de datos, lo que permite leer a los usuarios locales el contenido de algunas celdas de memoria del núcleo llamando a la función getsockname a través de un socket AF_LLC. • https://www.exploit-db.com/exploits/9513 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=28e9fc592cb8c7a43e4d3147b38be6032a0e81bc http://jon.oberheide.org/files/llc-getsockname-leak.c http://secunia.com/advisories/37105 http://www.exploit-db.com/exploits/9513 http://www.openwall.com/lists/oss-security/2009/08/26/1 http://www.securityfocus.com/bid/36126 http://www.ubuntu.com/usn/USN-852-1 https://bugzilla.redhat.com/show_bug.cgi?id=519 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2009-3002 – Linux Kernel 2.6.30 - 'atalk_getname()' 8-bytes Stack Disclosure
https://notcve.org/view.php?id=CVE-2009-3002
The Linux kernel before 2.6.31-rc7 does not initialize certain data structures within getname functions, which allows local users to read the contents of some kernel memory locations by calling getsockname on (1) an AF_APPLETALK socket, related to the atalk_getname function in net/appletalk/ddp.c; (2) an AF_IRDA socket, related to the irda_getname function in net/irda/af_irda.c; (3) an AF_ECONET socket, related to the econet_getname function in net/econet/af_econet.c; (4) an AF_NETROM socket, related to the nr_getname function in net/netrom/af_netrom.c; (5) an AF_ROSE socket, related to the rose_getname function in net/rose/af_rose.c; or (6) a raw CAN socket, related to the raw_getname function in net/can/raw.c. El kernel de Linux antes de v2.6.31-rc7 no inicializa ciertas estructuras de datos dentro de las funciones getname, lo que permite a usuarios locales leer el contenido de algunas celdas de memoria del núcleo llamando a getsockname en (1) un socket AF_APPLETALK, relacionado con la función atalk_getname en net/appletalk/ddp.c; (2) un socket AF_IRDA, relacionado con la función irda_getname en net/irda/af_irda.c; (3) un socket AF_ECONET, relacionado con la función econet_getname en net/econet/af_econet.c; (4) un socket AF_NETROM, relacionado con la función nr_getname en net/netrom/af_netrom.c; (5) un socket AF_ROSE, relacionado con la función rose_getname en net/rose/af_rose.c, o (6) un raw socket CAN , relacionado con la función raw_getname en net/can/raw.c. • https://www.exploit-db.com/exploits/9521 https://www.exploit-db.com/exploits/9543 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=09384dfc76e526c3993c09c42e016372dc9dd22c http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=17ac2e9c58b69a1e25460a568eae1b0dc0188c25 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=3d392475c873c10c10d6d96b94d092a34ebd4791 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2009-2695 – kernel: SELinux and mmap_min_addr
https://notcve.org/view.php?id=CVE-2009-2695
The Linux kernel before 2.6.31-rc7 does not properly prevent mmap operations that target page zero and other low memory addresses, which allows local users to gain privileges by exploiting NULL pointer dereference vulnerabilities, related to (1) the default configuration of the allow_unconfined_mmap_low boolean in SELinux on Red Hat Enterprise Linux (RHEL) 5, (2) an error that causes allow_unconfined_mmap_low to be ignored in the unconfined_t domain, (3) lack of a requirement for the CAP_SYS_RAWIO capability for these mmap operations, and (4) interaction between the mmap_min_addr protection mechanism and certain application programs. El kernel de Linux antes de v2.6.31-rc7 no previene debidamente las operaciones nmap que apuntan a una pagina cero y otras direcciones de memoria bajas, lo que permite a usuarios locales obtener privilegios mediante la explotación de vulnerabilidades de desreferencia a puntero NULL, relacionados con (1) la configuración por defecto del boolano allow_unconfined_mmap_low en SELinux en Red Hat Enterprise Linux (RHEL) 5, (2) un error que provoca allow_unconfined_mmap_low para ser ignorado en el dominio unconfined_t, (3) la falta de un requisito de la capacidad CAP_SYS_RAWIO para estas nmap operaciones, y (4) la interacción entre el mecanismo de protección mmap_min_addr y algunos programas de aplicación. • http://danwalsh.livejournal.com/30084.html http://eparis.livejournal.com/606.html http://git.kernel.org/?p=linux/kernel/git/jmorris/security-testing-2.6.git%3Ba=commit%3Bh=47d439e9fb8a81a90022cfa785bf1c36c4e2aff6 http://git.kernel.org/?p=linux/kernel/git/jmorris/security-testing-2.6.git%3Ba=commit%3Bh=7c73875e7dda627040b12c19b01db634fa7f0fd1 http://git.kernel.org/?p=linux/kernel/git/jmorris/security-testing-2.6.git%3Ba=commit%3Bh=84336d1a77ccd2c06a730ddd38e695c2324a7386 http://git.kernel.org/?p=linux/kernel/ • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVE-2009-2698 – Linux Kernel < 2.6.19 (Debian 4) - 'udp_sendmsg' Local Privilege Escalation
https://notcve.org/view.php?id=CVE-2009-2698
The udp_sendmsg function in the UDP implementation in (1) net/ipv4/udp.c and (2) net/ipv6/udp.c in the Linux kernel before 2.6.19 allows local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via vectors involving the MSG_MORE flag and a UDP socket. La función udp_sendmsg en la implementación UDP en los archivos (1) net/ipv4/udp.c y (2) net/ipv6/udp.c en el kernel de Linux anterior a versión 2.6.19, permite a los usuarios locales obtener privilegios o causar una denegación de servicio (Desreferencia de puntero NULL y bloqueo de sistema) por medio de vectores que involucran el flag MSG_MORE y un socket UDP. • https://www.exploit-db.com/exploits/9575 https://www.exploit-db.com/exploits/9574 https://www.exploit-db.com/exploits/9542 https://github.com/xiaoxiaoleo/CVE-2009-2698 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=1e0c14f49d6b393179f423abbac47f85618d3d46 http://lists.opensuse.org/opensuse-security-announce/2009-08/msg00008.html http://rhn.redhat.com/errata/RHSA-2009-1222.html http://rhn.redhat.com/errata/RHSA-2009-1223.html http://secunia.com • CWE-476: NULL Pointer Dereference •
CVE-2009-2849 – kernel: md: NULL pointer deref when accessing suspend_* sysfs attributes
https://notcve.org/view.php?id=CVE-2009-2849
The md driver (drivers/md/md.c) in the Linux kernel before 2.6.30.2 might allow local users to cause a denial of service (NULL pointer dereference) via vectors related to "suspend_* sysfs attributes" and the (1) suspend_lo_store or (2) suspend_hi_store functions. NOTE: this is only a vulnerability when sysfs is writable by an attacker. El driver md (drivers/md/md.c) en el kernel de Linux anteriores a 2.6.30.2 podría permitir a usuarios locales producir una denegación de servicio (referencia a un puntero nulo) a través de vectores relacionados con los " atributos suspend*sysfs" a la funciones (1) suspend_lo_store o (2) suspend_hi_store. NOTA: Esto se trata de una vulnerabilidad cuando sysfs puede ser escrito por un atacante. • http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.30.y.git%3Ba=commit%3Bh=3c92900d9a4afb176d3de335dc0da0198660a244 http://lists.vmware.com/pipermail/security-announce/2010/000082.html http://secunia.com/advisories/36501 http://secunia.com/advisories/37105 http://secunia.com/advisories/38794 http://secunia.com/advisories/38834 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.30.2 http://www.openwall.com/lists/oss-security/2009/07/24/1 http://www.openwal • CWE-476: NULL Pointer Dereference •