Date: 27 September 2007
References: ESB-2007.0732 ESB-2007.0733 ESB-2007.0744
AA-2007.0082 AUSCERT Advisory
Multiple Linux kernel vulnerabilities
27 September 2007
AusCERT Advisory Summary
Operating System: Linux variants
Impact: Increased Privileges
Read-only Data Access
Denial of Service
Access: Existing Account
CVE Names: CVE-2007-0997 CVE-2007-4571 CVE-2007-4573
Member content until: Thursday, October 25 2007
There have been recent announcements of several vulnerabilities in
the Linux kernel. The most serious of the vulnerabilities may result
in local privilege escalation.
The National Vulnerability Database gives the following
information regarding these vulnerabilities:
o CVE-2007-0997: "Race condition in the tee (sys_tee) system call
in the Linux kernel 2.6.17 through 22.214.171.124 might allow local
users to cause a denial of service (system crash), obtain
sensitive information (kernel memory contents), or gain privileges
via unspecified vectors related to a potentially dropped ipipe
lock during a race between two pipe readers."
o CVE-2007-4571: "The snd_mem_proc_read function in
sound/core/memalloc.c in the Advanced Linux Sound Architecture
(ALSA) in the Linux kernel before 126.96.36.199 does not return the
correct write size, which allows local users to obtain sensitive
information (kernel memory contents) via a small count argument,
as demonstrated by multiple reads of /proc/driver/snd-page-alloc."
iDefense have also published an advisory regarding this vulnerability.
o CVE-2007-4573: "The IA32 system call emulation functionality in
Linux kernel 2.4.x and 2.6.x before 188.8.131.52, when running on the
x86_64 architecture, does not zero extend the eax register after
the 32bit entry path to ptrace is used, which might allow local
users to gain privileges by triggering an out-of-bounds access to
the system call table using the %RAX register."
o CVE-2007-5087: "The ATM module in the Linux kernel before 184.108.40.206,
when CLIP support is enabled, allows local users to cause a denial
of service (kernel panic) by reading /proc/net/atm/arp before the
CLIP module has been loaded."
Upgrade to the current stable kernel versions: 220.127.116.11 and 18.104.22.168.
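As an added example (not part of this AusCERT advisory), a POSIX shell triage script for the four issues listed above. It assumes the operator passes the fixed kernel version as its argument, since the version numbers are garbled in this copy of the advisory, and assumes the kernel config is at /proc/config.gz or /boot/config-<release>; it only tests for the existence of the affected /proc files and never reads them.

```shell
#!/bin/sh
# Exposure triage for the four kernel issues in this advisory. Constructed
# example, not AusCERT's script. FIXED (first argument) is supplied by the
# operator, since the fixed version numbers are garbled in this copy.
# The affected /proc files are never read: per CVE-2007-5087, reading
# /proc/net/atm/arp with the clip module absent can panic the kernel.

# version_lt A B: true (0) when dotted version A is older than B.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax=${a%%.*}; bx=${b%%.*}
        [ "$a" = "$ax" ] && a='' || a=${a#*.}
        [ "$b" = "$bx" ] && b='' || b=${b#*.}
        ax=${ax:-0}; bx=${bx:-0}
        [ "$ax" -lt "$bx" ] && return 0
        [ "$ax" -gt "$bx" ] && return 1
    done
    return 1
}
# kernel_status RELEASE FIXED: drop the distro suffix from a uname -r string
# ("2.6.22.6-smp" -> "2.6.22.6") and compare it with the fixed version.
kernel_status() {
    rel=$(printf '%s\n' "$1" | sed 's/[^0-9.].*//')
    if version_lt "$rel" "$2"; then echo OLDER-THAN-FIXED; else echo FIXED-OR-NEWER; fi
}
# ia32_emulation_enabled: CVE-2007-4573 needs x86_64 with the IA32 syscall
# emulation path built in. Assumes the config lives in the usual places.
ia32_emulation_enabled() {
    [ "$(uname -m)" = x86_64 ] || return 1
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz | grep -q '^CONFIG_IA32_EMULATION=y'
    else
        grep -qs '^CONFIG_IA32_EMULATION=y' "/boot/config-$(uname -r)"
    fi
}
# module_loaded NAME: true when NAME is listed in /proc/modules.
module_loaded() { grep -qs "^$1 " /proc/modules; }

# report FIXED: existence checks only; contents of the /proc files are never read.
report() {
    echo "kernel $(uname -r): $(kernel_status "$(uname -r)" "$1")"
    ia32_emulation_enabled && echo "CVE-2007-4573: IA32 emulation enabled on x86_64"
    [ -e /proc/driver/snd-page-alloc ] && echo "CVE-2007-4571: ALSA proc file present"
    [ -e /proc/net/atm/arp ] && ! module_loaded clip && echo "CVE-2007-5087: atm arp present, clip not loaded"
    return 0
}

if [ $# -ge 1 ]; then report "$1"; fi
```

Run it as root with the fixed version your vendor names, e.g. `sh triage.sh <fixed-version>`; a kernel older than that version on x86_64 with IA32 emulation enabled is exposed to the privilege escalation.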
 National Vulnerability Database
 National Vulnerability Database (CVE-2007-0997)
 National Vulnerability Database (CVE-2007-4571)
 Linux Kernel ALSA snd_mem_proc_read Information Disclosure
 National Vulnerability Database (CVE-2007-4573)
 National Vulnerability Database (CVE-2007-5087)
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: firstname.lastname@example.org
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.