kernel
- Author: Miklos Vajna
- Vulnerable: 2.6.28-5
- Unaffected: 2.6.28-6anacreon1
- The exit_notify function in kernel/exit.c does not restrict exit signals when the CAP_KILL capability is held, which allows local users to send an arbitrary signal to a process by running a program that modifies the exit_signal field and then uses an exec system call to launch a setuid application.
- drivers/char/agp/generic.c in the agp subsystem does not zero out pages that may later be available to a user-space process, which allows local users to obtain sensitive information by reading these pages.
- Integer overflow in rose_sendmsg (sys/net/af_rose.c) might allow remote attackers to obtain sensitive information via a large length value, which causes “garbage” memory to be sent (DoS from local network).
- The ecryptfs_write_metadata_to_contents function in the eCryptfs functionality uses an incorrect size when writing kernel memory to an eCryptfs file header, which triggers an out-of-bounds read and allows local users to obtain portions of kernel memory.
- The sock_getsockopt function in net/core/sock.c does not initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel memory via an SO_BSDCOMPAT getsockopt request (local privilege escalation).
- Bug Tracker URL: http://bugs.frugalware.org/task/3767
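
The sock_getsockopt item above describes a common bug class: a result structure is copied back to the caller on a code path that never assigned it. The following is an added user-space model of that pattern with its usual hardening (zeroing the structure before any option is handled); it is not kernel code and not part of the original advisory, and every name in it (`OPT_*`, `fill_option`, `model_getsockopt`, `bsdcompat_result`) is hypothetical.

```c
/* Added illustration: user-space model, not kernel source. */
#include <stdint.h>
#include <string.h>

/* Constructed option ids; only the BSDCOMPAT name echoes the advisory. */
enum { OPT_KEEPALIVE = 1, OPT_BSDCOMPAT = 2 };

/* Result scratch space shared by every option, as in a getsockopt handler. */
union optval { int32_t val; struct { int32_t onoff, linger; } ling; };

/* Fills *v for the requested option; returns 0 on success, -1 if unknown. */
static int fill_option(union optval *v, int opt, int keepalive)
{
    switch (opt) {
    case OPT_KEEPALIVE:
        v->val = keepalive;
        return 0;
    case OPT_BSDCOMPAT:
        /* Obsolete option: the handler only warns and never assigns v->val. */
        return 0;
    default:
        return -1;
    }
}

/* 'slot' stands in for the stack slot, still holding a previous call's data.
   zero_first selects the hardened behaviour. Returns bytes copied or -1. */
int model_getsockopt(union optval *slot, int opt, int keepalive,
                     void *out, size_t len, int zero_first)
{
    if (zero_first)
        memset(slot, 0, sizeof *slot);   /* hardening: no case can leak stale bytes */
    if (fill_option(slot, opt, keepalive) != 0)
        return -1;
    if (len > sizeof slot->val)
        len = sizeof slot->val;
    memcpy(out, slot, len);              /* models the copy back to user space */
    return (int)len;
}

/* Runs one OPT_BSDCOMPAT request over a slot pre-filled with 'stale' and
   returns the value the caller receives. */
int32_t bsdcompat_result(int32_t stale, int zero_first)
{
    union optval slot;
    int32_t out = -1;
    memset(&slot, 0, sizeof slot);
    slot.val = stale;
    model_getsockopt(&slot, OPT_BSDCOMPAT, 1, &out, sizeof out, zero_first);
    return out;
}
```

Without zeroing, the caller receives whatever the slot held before the call; with zeroing, the unassigned path returns 0 and assigned paths are unaffected.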