path: root/retired/CVE-2004-0077

Candidate: CVE-2004-0077
References: 
 BUGTRAQ:20040218 Second critical mremap() bug found in all Linux kernels
 VULNWATCH:20040218 Second critical mremap() bug found in all Linux kernels
 MISC:http://isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt
 CONECTIVA:CLA-2004:820
 DEBIAN:DSA-438
 DEBIAN:DSA-439
 DEBIAN:DSA-440
 DEBIAN:DSA-441
 DEBIAN:DSA-442
 DEBIAN:DSA-444
 DEBIAN:DSA-450
 DEBIAN:DSA-453
 DEBIAN:DSA-454
 DEBIAN:DSA-456
 DEBIAN:DSA-466
 DEBIAN:DSA-470
 DEBIAN:DSA-514
 DEBIAN:DSA-475
 REDHAT:RHSA-2004:065
 REDHAT:RHSA-2004:066
 REDHAT:RHSA-2004:069
 REDHAT:RHSA-2004:106
 SLACKWARE:SSA:2004-049
 SUSE:SuSE-SA:2004:005
 TRUSTIX:2004-0007
 TRUSTIX:2004-0008
 GENTOO:GLSA-200403-02
 CERT-VN:VU#981222
 XF:linux-mremap-gain-privileges(15244)
 BID:9686
 OSVDB:3986
 OVAL:OVAL825
 OVAL:OVAL837 
Description: 
 The do_mremap function for the mremap system call in Linux 2.2 to 2.2.25, 2.4
 to 2.4.24, and 2.6 to 2.6.2, does not properly check the return value from the
 do_munmap function when the maximum number of VMA descriptors is exceeded,
 which allows local users to gain root privileges, a different vulnerability
 than CAN-2003-0985.
Notes: 
 dannf> we think these are the patches:
  2.6: http://www.kernel.org/git/?p=linux/kernel/git/tglx/history.git;a=commitdiff;h=59287e5eef8d33dcd842852a898b43a81fe0b2c2
  2.4: http://linux.bkbits.net:8080/linux-2.4/cset@40327d9fxQLz7BU9yAATPsFlWiSG0A?nav=index.html|src/|src/mm|related/mm/mremap.c
Bugs: 
upstream: released (2.4.25-rc4, 2.6.3)
linux-2.6: N/A
2.6.8-sarge-security: N/A
2.4.27-sarge-security: N/A
2.4.19-woody-security: released (2.4.19-4.woody1)
2.4.18-woody-security: released (2.4.18-14.2)
2.4.17-woody-security: released (2.4.17-1woody2)
2.4.16-woody-security: released (2.4.16-1woody2)
2.4.17-woody-security-hppa: released (32.3, 62.3)
2.4.17-woody-security-ia64: released (011226.16)
2.4.18-woody-security-hppa: released (62.2)