Your message dated Sat, 26 Mar 2005 01:47:47 -0500 with message-id <[EMAIL PROTECTED]> and subject line Bug#296700: fixed in kernel-source-2.4.27 2.4.27-9 has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Content-Type: multipart/mixed; boundary="===============1195735746=="
MIME-Version: 1.0
From: Micah Anderson <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: [CAN-2005-0204]: AMD64, allows local users to write to privileged IO ports via OUTS instruction
X-Mailer: reportbug 3.8
Date: Thu, 24 Feb 2005 00:29:27 -0600
Message-Id: <[EMAIL PROTECTED]>

This is a multi-part MIME message sent by reportbug.

--===============1195735746==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Package: kernel-source-2.6.8
Version: 2.6.8-13
Severity: normal
Tags: security patch

Hello,

CAN-2005-0204 reads:

Linux kernel before 2.6.9, when running on the AMD64 and Intel EM64T architectures, allows local users to write to privileged IO ports via the OUTS instruction.

Although this says "before 2.6.9" this *includes* both 2.6.8 and 2.6.9.

REDHAT:RHSA-2005:092
URL:http://www.redhat.com/support/errata/RHSA-2005-092.html

The RedHat bug associated with this is located at:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=148855

A patch to fix the problem is attached to this bugreport, it is located here (also linked to the RedHat bug):
https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=110424&action=view

This apparently only affects AMD64 and EM64T, and applies to 2.6.8 as well as 2.6.9. Kernel 2.4.27 appears to have a similar vulnerability, although this patch would not apply cleanly to that tree, but looks relatively trivial to modify appropriately.

Please include this CAN number in changelog entries about this problem.
Thanks,
Micah

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (990, 'testing'), (300, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.10
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages kernel-source-2.6.8 depends on:
ii  binutils                 2.15-5    The GNU assembler, linker and bina
ii  bzip2                    1.0.2-1   A high-quality block-sorting file
ii  coreutils [fileutils]    5.2.1-2   The GNU core utilities
ii  fileutils                5.2.1-2   The GNU file management utilities

-- no debconf information

--===============1195735746==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="can-2005-0204"

--- linux-2.6.9/include/asm-x86_64/desc.h~ 2005-01-30 20:08:12.799247944 -0800 +++ linux-2.6.9/include/asm-x86_64/desc.h 2005-01-30 20:08:12.799247944 -0800 @@ -128,7 +128,7 @@ { set_tssldt_descriptor(&cpu_gdt_table[cpu][GDT_ENTRY_TSS], (unsigned long)addr, DESC_TSS, - sizeof(struct tss_struct) - 1); + IO_BITMAP_OFFSET + IO_BITMAP_BYTES + 7); } static inline void set_ldt_desc(unsigned cpu, void *addr, int size)
--===============1195735746==--

---------------------------------------
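Review bot: the new limit passed to set_tssldt_descriptor() for GDT_ENTRY_TSS in the can-2005-0204 hunk, `IO_BITMAP_OFFSET + IO_BITMAP_BYTES + 7`, carries a bare `+ 7` and no comment saying why the TSS limit has to stop there instead of at `sizeof(struct tss_struct) - 1`. Because the limit is now decoupled from the structure size, a short comment above the call (or a named constant for the trailing bytes) stating what those extra bytes cover, and that they must stay inside struct tss_struct, would keep a later layout change from silently widening the limit again. The patch also has no description or CAN reference of its own; adding one would match the reporter's request that changelog entries cite CAN-2005-0204.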
From: Simon Horman <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.55 $
Subject: Bug#296700: fixed in kernel-source-2.4.27 2.4.27-9
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Sat, 26 Mar 2005 01:47:47 -0500

Source: kernel-source-2.4.27
Source-Version: 2.4.27-9

We believe that the bug you reported is fixed in the latest version of kernel-source-2.4.27, which is due to be installed in the Debian FTP archive:

kernel-doc-2.4.27_2.4.27-9_all.deb
  to pool/main/k/kernel-source-2.4.27/kernel-doc-2.4.27_2.4.27-9_all.deb
kernel-patch-debian-2.4.27_2.4.27-9_all.deb
  to pool/main/k/kernel-source-2.4.27/kernel-patch-debian-2.4.27_2.4.27-9_all.deb
kernel-source-2.4.27_2.4.27-9.diff.gz
  to pool/main/k/kernel-source-2.4.27/kernel-source-2.4.27_2.4.27-9.diff.gz
kernel-source-2.4.27_2.4.27-9.dsc
  to pool/main/k/kernel-source-2.4.27/kernel-source-2.4.27_2.4.27-9.dsc
kernel-source-2.4.27_2.4.27-9_all.deb
  to pool/main/k/kernel-source-2.4.27/kernel-source-2.4.27_2.4.27-9_all.deb
kernel-tree-2.4.27_2.4.27-9_all.deb
  to pool/main/k/kernel-source-2.4.27/kernel-tree-2.4.27_2.4.27-9_all.deb

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon Horman <[EMAIL PROTECTED]> (supplier of updated kernel-source-2.4.27 package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 25 Mar 2005 10:42:50 +0900
Source: kernel-source-2.4.27
Binary: kernel-tree-2.4.27 kernel-source-2.4.27 kernel-patch-debian-2.4.27 kernel-doc-2.4.27
Architecture: source all
Version: 2.4.27-9
Distribution: unstable
Urgency: low
Maintainer: Debian Kernel Team <debian-kernel@lists.debian.org>
Changed-By: Simon Horman <[EMAIL PROTECTED]>
Description:
 kernel-doc-2.4.27 - Linux kernel specific documentation for version 2.4.27
 kernel-patch-debian-2.4.27 - Debian patches to Linux 2.4.27
 kernel-source-2.4.27 - Linux kernel source for version 2.4.27 with Debian patches
 kernel-tree-2.4.27 - Linux kernel source tree for building Debian kernel images
Closes: 291536 296639 296700 296905
Changes:
 kernel-source-2.4.27 (2.4.27-9) unstable; urgency=low
 .
   * There was a stray file in 2.4.27-8. Don't include it this time.
     (Simon Horman) (closes: Bug#291536)
 .
   * Updated kernel-tree description from Martin F Krafft
     (Simon Horman)
 .
   * Updated apply script so it can handle point versions
     (Simon Horman)
 .
   * 134_skb_reset_ip_summed.diff:
     [CAN-2005-0209] resolve checksumming exploit in fragmented packet forwarding
     (Joshua Kwan)
 .
   * 135_fix_ip_options_leak.diff:
     [CAN-2004-1335] fix leak of IP options data.
     (Joshua Kwan)
 .
   * 136_vc_resizing_overflow.diff:
     [CAN-2004-1333] make sure VC resizing fits in 16 bits.
     (Joshua Kwan)
 .
   * 137_io_edgeport_overflow.diff:
     [CAN-2004-1017] fix buffer overflow (underflow, really) that opens multiple attack vectors.
     (Joshua Kwan)
 .
   * 138_amd64_syscall_vuln.diff:
     [CAN-2004-1144] fix the "int 0x80 hole" that allowed overflow of the system call table.
     (Joshua Kwan)
 .
   * 139_sparc_context_switch.diff:
     fix FPU context switching dirtiness on sparc32 SMP.
     (Joshua Kwan)
 .
   * 140_VM_IO.diff:
     [CAN-2004-1057] fix possible DoS from accessing freed kernel pages by flagging VM_IO where necessary.
 .
   * 141_acpi_noirq.patch:
     [ACPI] Enhanced PCI probe, CONFIG_HPET_TIMER build warning fix
     (Simon Horman)
 .
   * 142_acpi_skip_timer_override-1.diff, 142_acpi_skip_timer_override-2.diff,
     142_acpi_skip_timer_override-3.diff, 142_acpi_skip_timer_override-4.diff:
     [ACPI] skip_timer_override including early PCI bridge detection.
     (closes: #296639) (Simon Horman)
 .
   * 121_drm-locking-checks-3.diff:
     LOCK_TEST_WITH_RETURN build cleanup
     (Simon Horman)
 .
   * 143_outs.diff:
     [SECURITY]: AMD64, allows local users to write to privileged IO ports via OUTS instruction (CAN-2005-0204)
     (Simon Horman) (closes: #296700)
 .
   * 144_sparc64-sb1500-clock-2.4.diff by David Miller:
     enable recognition of the clock chip on SunBlade 1500, it won't boot otherwise.
     (Jurij Smakov).
 .
   * 145_insert_vm_struct-no-BUG.patch:
     [SECURITY] make insert_vm_struct return an error rather than BUG().
     See CAN-2005-0003. (dann frazier)
 .
   * 146_ip6_copy_metadata_leak.diff 147_ip_copy_metadata_leak.diff:
     [SECURITY] Do not leak dst entries in ip_copy_metadata()
     See CAN-2005-0210. (Simon Horman)
 .
   * 148_ip_evitor_smp_loop.diff:
     Fix theoretical loop on SMP in ip_evictor().
     (Simon Horman, Andres Salomon)
 .
   * 149_fragment_queue_flush.diff:
     Flush fragment queue on conntrack unload.
     (Simon Horman, Andres Salomon)
 .
   * *** ABI Change! Notify D-I team or delay for future release
     *** Omitted from release
     *** 150_private_fragment_queues-1.diff, 150_private_fragment_queues-2.diff:
     *** Keep fragment queues private to each user. See CAN-2005-0449 and
     *** http://oss.sgi.com/archives/netdev/2005-01/msg01048.html
     *** (Simon Horman, Andres Salomon)
 .
   * 151_atm_get_addr_signedness_fix.diff:
     [SECURITY] Fix ATM copy-to-user usage. See: CAN-2005-0531.
     See: http://www.guninski.com/where_do_you_want_billg_to_go_today_3.html
     (closes: #296905) (Simon Horman)
 .
   * 153_ppp_async_dos.diff:
     [SECURITY] remote Linux DoS on ppp servers.
     See: CAN-2005-0384 (Simon Horman)
 .
   * 111-smb-client-overflow-fix-2.diff, 111-smb-client-overflow-fix-1.diff:
     [SECURITY] The above patches, included in 2.4.27-6 resolve:
     local information leak caused by race in SMP systems with more than 4GB of memory.
     remote information leak caused by handling of TRANS2 packets handling in smbfs.
     See CAN-2004-1191. (see: #300163) (Simon Horman)
 .
   * 154_cmsg_compat_signedness_fix.diff:
     Fix CMSG32_OK macros.
     (Dann Frazier, Simon Horman)
Files:
 c1b495a855629746033b7672ca5a9415 886 devel optional kernel-source-2.4.27_2.4.27-9.dsc
 9cc9dbdfe3f53e4c45c331ea303de95d 678025 devel optional kernel-source-2.4.27_2.4.27-9.diff.gz
 d258368f37be562ec6f373c7a7a1f767 614256 devel optional kernel-patch-debian-2.4.27_2.4.27-9_all.deb
 5ab1e1bf82d64c245283466f81731701 3575462 doc optional kernel-doc-2.4.27_2.4.27-9_all.deb
 88a703faebb4e68fef18da39865dd42b 31019488 devel optional kernel-source-2.4.27_2.4.27-9_all.deb
 d282f3ac6f6d5b98a74415bc355b82e6 22754 devel optional kernel-tree-2.4.27_2.4.27-9_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCQ3fvdu+M6Iexz7URAqDlAJ9wbMFNFWUJi+Wh0RLR1RecI3MmQACgu/XD
R+PXjmy/ZXFfp3lZ61QsURM=
=vIso
-----END PGP SIGNATURE-----