Candidate: CVE-2004-0077
References:
 BUGTRAQ:20040218 Second critical mremap() bug found in all Linux kernels
 VULNWATCH:20040218 Second critical mremap() bug found in all Linux kernels
 MISC:http://isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt
 CONECTIVA:CLA-2004:820
 DEBIAN:DSA-438
 DEBIAN:DSA-439
 DEBIAN:DSA-440
 DEBIAN:DSA-441
 DEBIAN:DSA-442
 DEBIAN:DSA-444
 DEBIAN:DSA-450
 DEBIAN:DSA-453
 DEBIAN:DSA-454
 DEBIAN:DSA-456
 DEBIAN:DSA-466
 DEBIAN:DSA-470
 DEBIAN:DSA-514
 DEBIAN:DSA-475
 REDHAT:RHSA-2004:065
 REDHAT:RHSA-2004:066
 REDHAT:RHSA-2004:069
 REDHAT:RHSA-2004:106
 SLACKWARE:SSA:2004-049
 SUSE:SuSE-SA:2004:005
 TRUSTIX:2004-0007
 TRUSTIX:2004-0008
 GENTOO:GLSA-200403-02
 CERT-VN:VU#981222
 XF:linux-mremap-gain-privileges(15244)
 BID:9686
 OSVDB:3986
 OVAL:OVAL825
 OVAL:OVAL837
Description:
 The do_mremap function for the mremap system call in Linux 2.2 to 2.2.25, 2.4
 to 2.4.24, and 2.6 to 2.6.2, does not properly check the return value from the
 do_munmap function when the maximum number of VMA descriptors is exceeded,
 which allows local users to gain root privileges, a different vulnerability
 than CAN-2003-0985.
Notes:
 dannf> we think these are the patches:
  2.6: http://www.kernel.org/git/?p=linux/kernel/git/tglx/history.git;a=commitdiff;h=59287e5eef8d33dcd842852a898b43a81fe0b2c2
  2.4: http://linux.bkbits.net:8080/linux-2.4/cset@40327d9fxQLz7BU9yAATPsFlWiSG0A?nav=index.html|src/|src/mm|related/mm/mremap.c
Bugs:
upstream: released (2.4.25-rc4, 2.6.3)
linux-2.6: N/A
2.6.8-sarge-security: N/A
2.4.27-sarge-security: N/A
2.4.19-woody-security: released (2.4.19-4.woody1)
2.4.18-woody-security: released (2.4.18-14.2)
2.4.17-woody-security: released (2.4.17-1woody2)
2.4.16-woody-security: released (2.4.16-1woody2)
2.4.17-woody-security-hppa: released (32.3, 62.3)
2.4.17-woody-security-ia64: released (011226.16)
2.4.18-woody-security-hppa: released (62.2)