National Vulnerability Database (NVD) National Vulnerability Database (CVE-2009-0029)

National Cyber-Alert System

Vulnerability Summary for CVE-2009-0029

Original release date:01/15/2009

Last revised:06/20/2009

Source: US-CERT/NIST

Overview

The ABI in the Linux kernel 2.6.28 and earlier on s390, powerpc, sparc64, and mips 64-bit platforms requires that a 32-bit argument in a 64-bit register was properly sign extended when sent from a user-mode application, but cannot verify this, which allows local users to cause a denial of service (crash) or possibly gain privileges via a crafted system call.

Impact

CVSS Severity (version 2.0):

CVSS v2 Base Score:7.2 (HIGH) (AV:L/AC:L/Au:N/C:C/I:C/A:C) (legend)

Impact Subscore: 10.0

Exploitability Subscore: 3.9

CVSS Version 2 Metrics:

Access Vector: Locally exploitable

Access Complexity: Low

Authentication: Not required to exploit

Impact Type:Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service

Vendor Statments (disclaimer)

Official Statement from Red Hat (06/09/2009): This flaw affects most 64-bit architectures, including IBM S/390 and 64-bit PowerPC, but it does not affect x86_64 or Intel Itanium. The risks associated with fixing this flaw are greater than the security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 3, 4, or 5. Red Hat Enterprise MRG is not affected as it is not supported on 64-bit architectures other than x86_64.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

External Source: FEDORA

Name: FEDORA-2009-0816

Hyperlink:https://www.redhat.com/archives/fedora-package-announce/2009-January/msg01045.html

External Source: CONFIRM

Name: https://bugzilla.redhat.com/show_bug.cgi?id=479969

Hyperlink:https://bugzilla.redhat.com/show_bug.cgi?id=479969

External Source: BID

Name: 33275

Hyperlink:http://www.securityfocus.com/bid/33275

External Source: MANDRIVA

Name: MDVSA-2009:135

Hyperlink:http://www.mandriva.com/security/advisories?name=MDVSA-2009:135

External Source: DEBIAN

Name: DSA-1794

Hyperlink:http://www.debian.org/security/2009/dsa-1794

External Source: DEBIAN

Name: DSA-1787

Hyperlink:http://www.debian.org/security/2009/dsa-1787

External Source: DEBIAN

Name: DSA-1749

Hyperlink:http://www.debian.org/security/2009/dsa-1749

External Source: SECUNIA

Name: 35011

Hyperlink:http://secunia.com/advisories/35011

External Source: SECUNIA

Name: 34981

Hyperlink:http://secunia.com/advisories/34981

External Source: SECUNIA

Name: 34394

Hyperlink:http://secunia.com/advisories/34394

External Source: SECUNIA

Name: 33674

Hyperlink:http://secunia.com/advisories/33674

External Source: SECUNIA

Name: 33477

Type: Advisory

Hyperlink:http://secunia.com/advisories/33477

External Source: MLIST

Name: [linux-kernel] 20090110 Re: [PATCH -v7][RFC]: mutex: implement adaptive spinning

Hyperlink:http://marc.info/?l=linux-kernel&m=123155111608910&w=2

External Source: SUSE

Name: SUSE-SA:2009:010

Hyperlink:http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00003.html

Vulnerable software and versions

Configuration 1

* cpe:/o:linux:kernel:2.6.24.7

* cpe:/o:linux:kernel:2.6.25.15

* cpe:/o:linux:kernel:2.6.23.15

* cpe:/o:linux:kernel:2.6.23.17

* cpe:/o:linux:kernel:2.6.23.16

* cpe:/o:linux:kernel:2.6.23.11

* cpe:/o:linux:kernel:2.6.23.9

* cpe:/o:linux:kernel:2.6.23.13

* cpe:/o:linux:kernel:2.6.25.2

* cpe:/o:linux:kernel:2.6.23.12

* cpe:/o:linux:kernel:2.6.21.5

* cpe:/o:linux:kernel:2.6.20.21

* cpe:/o:linux:kernel:2.6.23.8

* cpe:/o:linux:kernel:2.6.20.18

* cpe:/o:linux:kernel:2.6.20.17

* cpe:/o:linux:kernel:2.6.20.20

* cpe:/o:linux:kernel:2.6.20.19

* cpe:/o:linux:kernel:2.6.19.7

* cpe:/o:linux:kernel:2.6.20.16

* cpe:/o:linux:kernel:2.6.19.5

* cpe:/o:linux:kernel:2.6.19.6

* cpe:/o:linux:kernel:2.6.19.4

* cpe:/o:linux:kernel:2.6.25.5

* cpe:/o:linux:kernel:2.6.23_rc1

* cpe:/o:linux:kernel:2.6.24_rc4

* cpe:/o:linux:kernel:2.6.24_rc5

* cpe:/o:linux:kernel:2.4.36.4

* cpe:/o:linux:kernel:2.4.36.5

* cpe:/o:linux:kernel:2.4.36.1

* cpe:/o:linux:kernel:2.6.22

* cpe:/o:linux:kernel:2.4.36

* cpe:/o:linux:kernel:2.6.18

* cpe:/o:linux:kernel:2.4.36.3

* cpe:/o:linux:kernel:2.6.23

* cpe:/o:linux:kernel:2.4.36.2

* cpe:/o:linux:kernel:2.6.25.16

* cpe:/o:linux:kernel:2.6.25.17

* cpe:/o:linux:kernel:2.6.22_rc7

* cpe:/o:linux:kernel:2.6.21.6

* cpe:/o:linux:kernel:2.6.22_rc1

* cpe:/o:linux:kernel:2.6.23.10

* cpe:/o:linux:kernel:2.6.21.7

* cpe:/o:linux:kernel:2.6.24_rc1

* cpe:/o:linux:kernel:2.6.24.6

* cpe:/o:linux:kernel:2.6.25.4

* cpe:/o:linux:kernel:2.6.25.13

* cpe:/o:linux:kernel:2.6.25.3

* cpe:/o:linux:kernel:2.6.25.14

* cpe:/o:linux:kernel:2.6.24.1

* cpe:/o:linux:kernel:2.6.24

* cpe:/o:linux:kernel:2.6.25.10

* cpe:/o:linux:kernel:2.6.25.11

* cpe:/o:linux:kernel:2.4.36.6

* cpe:/o:linux:kernel:2.6.22.1

* cpe:/o:linux:kernel:2.2.27

* cpe:/o:linux:kernel:2.6.25.12::x86_64

* cpe:/o:linux:kernel:2.6.25.11::x86_64

* cpe:/o:linux:kernel:2.6.25.8::x86_64

* cpe:/o:linux:kernel:2.6.25.6

* cpe:/o:linux:kernel:2.6.25.7::x86_64

* cpe:/o:linux:kernel:2.6.25.7

* cpe:/o:linux:kernel:2.6.25.6::x86_64

* cpe:/o:linux:kernel:2.6.25.5::x86_64

* cpe:/o:linux:kernel:2.6.25.4::x86_64

* cpe:/o:linux:kernel:2.6.25.3::x86_64

* cpe:/o:linux:kernel:2.6.25.2::x86_64

* cpe:/o:linux:kernel:2.6.25.10::x86_64

* cpe:/o:linux:kernel:2.6.25.1::x86_64

* cpe:/o:linux:kernel:2.6.18:rc5

* cpe:/o:linux:kernel:2.6.18:rc6

* cpe:/o:linux:kernel:2.6.18:rc7

* cpe:/o:linux:kernel:2.6.18:rc1

* cpe:/o:linux:kernel:2.6.18:rc2

* cpe:/o:linux:kernel:2.6.25.8

* cpe:/o:linux:kernel:2.6.18:rc3

* cpe:/o:linux:kernel:2.6.18:rc4

* cpe:/o:linux:kernel:2.6.25.1

* cpe:/o:linux:kernel:2.6.25.12

* cpe:/o:linux:kernel:2.6.24.2

* cpe:/o:linux:kernel:2.6.22.22

* cpe:/o:linux:kernel:2.6.22.21

* cpe:/o:linux:kernel:2.6.22.20

* cpe:/o:linux:kernel:2.6.22.19

* cpe:/o:linux:kernel:2.6

* cpe:/o:linux:kernel:2.6.24.3

* cpe:/o:linux:kernel:2.6.24.4

* cpe:/o:linux:kernel:2.6.24.5

* cpe:/o:linux:kernel:2.6.25

* cpe:/o:linux:kernel:2.6.22.2

* cpe:/o:linux:kernel:2.6.22.8

* cpe:/o:linux:kernel:2.6.22.9

* cpe:/o:linux:kernel:2.6.22.14

* cpe:/o:linux:kernel:2.6.22.15

* cpe:/o:linux:kernel:2.6.22.17

* cpe:/o:linux:kernel:2.6.22.18

* cpe:/o:linux:kernel:2.6.22.10

* cpe:/o:linux:kernel:2.6.22.11

* cpe:/o:linux:kernel:2.6.22.12

* cpe:/o:linux:kernel:2.6.22.13

* cpe:/o:linux:kernel:2.6.25.9

* cpe:/o:linux:kernel:2.6.25.9::x86_64

* cpe:/o:linux:kernel:2.6.25::x86_64

* cpe:/o:linux:kernel:2.6.26

* cpe:/o:linux:kernel:2.6.26.1

* cpe:/o:linux:kernel:2.6.26.2

* cpe:/o:linux:kernel:2.6.26.3

* cpe:/o:linux:kernel:2.6.26.4

* cpe:/o:linux:kernel:2.6.26.5

* cpe:/o:linux:kernel:2.6.27

* cpe:/o:linux:kernel:2.6.28 and previous versions

* Denotes Vulnerable Software

Technical Details

Vulnerability Type (View All)

Input Validation (CWE-20)

CVE Standard Vulnerability Entry:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0029