Secunia CSI7
Create Profile
Our Commitment
Advisories by Product
Advisories by Vendor
Report Vulnerability
Insecure Library Loading
Moderately critical

Linux Kernel Multiple Vulnerabilities


Release Date:  2005-02-16    Last Update:  2005-12-01    Views:  33,737

Secunia Advisory SA14295


From remote


Unknown, Hijacking, Security Bypass, Exposure of sensitive information, Privilege escalation, DoS

Solution Status:

Partial Fix

CVE Reference(s):


Some vulnerabilities have been reported in the Linux kernel. These can be exploited by malicious, local users to gain knowledge of potentially sensitive information, cause a DoS (Denial of Service), or gain escalated privileges, or by malicious people to cause a DoS or bypass certain security restrictions.

1) Insufficient permission checking in the "shmctl()" function allows any process to lock/unlock arbitrary System V shared memory segments that fall within the RLIMIT_MEMLOCK limit.

This can be exploited to unlock locked memory of other processes, which may result in sensitive information being written to swap space.

2) A race condition exists in the terminal handling of the "setsid()" function used for starting new process sessions.

3) An error within the handling of the OUTS instruction on 64-bit platforms can be exploited by malicious, local users to write to privileged IO ports.

4) Table sizes in "nls_ascii.c" are incorrectly set to 128 instead of 256, which may be exploited to cause buffer overflows and crash the kernel.

5) A design error in the netfilter/iptables module can be exploited to crash the kernel or bypass firewall rules via specially crafted packets.

6) An error in the netfilter/iptables module can be exploited to crash the kernel via specially crafted IP packet fragments.

7) A memory leak in the netfilter/iptables module when handling locally generated packet fragments can be exploited to consume all available kernel memory resources.

8) Missing restrictions on the N_MOUSE line discipline makes it possible for any user to inject mouse movements and keyboard events into the input subsystem and thereby hijack another user's session.

9) An error in the futex handling can be exploited to cause a deadlock condition.

10) A signedness error in sysfs when writing to a sysfs file can be exploited to overwrite kernel memory. This may crash the system or allow execution of arbitrary code with escalated privileges.

11) An unspecified error in the "unw_unwind_to_user()" function can be exploited by malicious, local users to crash 64-bit systems.

12) An unspecified error in the NFS client O_DIRECT error case handling can be exploited by malicious, local users to crash the system.

13) An error in the auditing code can be exploited by malicious, local users on Itanium systems to crash the kernel.

14) A error in the handling of extended attributes on ext2 and ext3 file systems can cause incorrect enforcement of Access Control Lists and may allow unauthorized access to files.

15) A boundary error in the "coda_pioctl()" function in the coda module (pioctl.c) may be exploited to crash the kernel or execute arbitrary code via negative "vi.in_size" or "vi.out_size" values.

16) A race condition in "/fs/exec.c" when threads are sharing memory mapping via CLONE_VM e.g. linuxthreads and vfork, may be exploited by local users to cause a DoS (deadlock) by triggering a core dump while waiting for a thread that has just performed an exec.

17) An error in handling the situation when one thread is tracing another thread that shares the same memory map, may be exploited by local users to cause a DoS (deadlock) by forcing a core dump when the traced thread is in the TASK_TRACED state.

18) Some signedness errors in "drivers/block/scsi_ioctl.c" may be exploited by malicious users to read and write kernel memory, potentially causing a crash.

The vulnerabilities have been reported in the 2.6 kernel. Vulnerability #3 also affects the 2.4 kernel.

1-2) Secunia is currently not aware of an updated kernel version addressing the vulnerabilities. Grant only trusted users access to affected systems.

Further details available to Secunia VIM customers

Provided and/or discovered by:
1) Michael Kerrisk
4) Ogawa Hirofumi
5) David Coulson
6) Herbert Xu
9) Olof Johansson
10) Alexander Nyberg
11) Keith Owens
13) Stephane Eranian
15) Brian Fulton and Ted Unangst, Coverity Inc.
18) Brad Spengler

Original Advisory:;a=commit;h=d53393237d7c6a04976a235420304b9b0a5063e0

Deep Links:
Links available to Secunia VIM customers

Do you have additional information related to this advisory?

Please provide information about patches, mitigating factors, new versions, exploits, faulty patches, links, and other relevant data by posting comments to this Advisory. You can also send this information to

Subject: Linux Kernel Multiple Vulnerabilities

No posts yet


You must be logged in to post a comment.

 Products Solutions Customers Partner Resources Company
Vulnerability Intelligence Manager (VIM)
Corporate Software Inspector (CSI)
Personal Software Inspector (PSI)
Online Software Inspector (OSI)
Technology Partners
 About us

© 2002-2014 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144
Terms & Conditions and Copyright - Privacy - Report Vulnerability