Candidate: CVE-2004-2536
References:
 http://www.ussg.iu.edu/hypermail/linux/kernel/0405.0/1242.html
 http://www.ussg.iu.edu/hypermail/linux/kernel/0405.0/1265.html
 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.6
Description:
 The exit_thread function (process.c) in Linux kernel 2.6 through 2.6.5 does
 not invalidate the per-TSS io_bitmap pointers if a process obtains IO access
 permissions from the ioperm function but does not drop those permissions when
 it exits, which allows other processes to access the per-TSS pointers, access
 restricted memory locations, and possibly gain privileges.
Notes:
 Horms> Tested against kernel-image-2.4.27-2-686 2.4.27-11, which does not
 seem to exhibit the problem, although the code suggests it might.
 I guess it's just a 2.6 problem. I marked 2.4.27 and the woody kernels N/A.
Bugs:
upstream: released (2.6.6)
linux-2.6: N/A
2.6.8-sarge-security: N/A
2.4.27-sarge-security: N/A
2.4.19-woody-security: N/A
2.4.18-woody-security: N/A
2.4.17-woody-security: N/A
2.4.16-woody-security: N/A
2.4.17-woody-security-hppa: N/A
2.4.17-woody-security-ia64: N/A
2.4.18-woody-security-hppa: N/A