The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Linux kernel: denial of service of tty_fasync

Synthesis of the vulnerability 

A local attacker can trigger a deadlock in tty_fasync(), in order to hang the system.
Vulnerable systems: Debian, Linux.
Severity of this threat: 1/4.
Creation date: 15/06/2010.
References of this weakness: BID-40867, CVE-2009-4895, DSA-2094-1, VIGILANCE-VUL-9710.

Description of the vulnerability 

The f_modown() function of the fs/fcntl.c file changes the owner of a file.

The tty_fasync() function of the drivers/char/tty_io.c file manages asynchronous access to a TTY. It uses __f_setown() to change the owner of a file.

However, when both functions are called simultaneously, two locks are used, and a deadlock occurs.

A local attacker can therefore trigger a deadlock in tty_fasync(), in order to hang the system.

This security threat impacts software or systems such as Debian, Linux.

Our Vigil@nce team determined that the severity of this weakness is low.

The trust level is "confirmed by the editor", and the attack origin is a user shell.

An attacker with expert ability can exploit this vulnerability.

Solutions for this threat 

Linux kernel: version 2.6.32.9.
Version 2.6.32.9 is corrected:
  http://www.kernel.org/pub/linux/kernel/v2.6/

Linux kernel: version 2.6.31.13.
Version 2.6.31.13 is corrected:
  http://www.kernel.org/pub/linux/kernel/v2.6/

Linux kernel: version 2.6.27.46.
Version 2.6.27.46 is corrected:
  http://www.kernel.org/pub/linux/kernel/v2.6/

Linux kernel: patch for tty_fasync.
A patch is available in information sources.

Debian: new linux-2.6 packages.
New packages are available:
  linux-2.6_2.6.26-24lenny1
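
To apply the fixed-version list above to a host, the following added example (not part of the Vigil@nce bulletin) classifies a kernel release string against the three corrected stable releases. The function names and result labels are assumptions of this example: a release below the corrected one in its branch is reported as `older-than-fix`, and anything the bulletin does not cover, including distribution kernels such as Debian's, is reported as `unknown`.

```shell
#!/bin/sh
# Added example: compare a kernel release string (as printed by `uname -r`)
# with the corrected versions listed in this bulletin.
# Prints one of: fixed, older-than-fix, unknown.

# Corrected stable patch level per branch, taken from the bulletin.
fixed_patch_for_branch() {
    case "$1" in
        2.6.32) echo 9 ;;
        2.6.31) echo 13 ;;
        2.6.27) echo 46 ;;
        *) return 1 ;;   # branch not listed in the bulletin
    esac
}

check_tty_fasync_fix() {
    release=$1
    base=${release%%[-+]*}            # drop suffixes such as "-5-amd64"
    case "$base" in
        2.6.*) ;;
        *) echo unknown; return 0 ;;
    esac
    rest=${base#2.6.}                 # "32.9" or "32"
    minor=${rest%%.*}
    case "$minor" in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    case "$rest" in
        *.*) patch=${rest#*.}; patch=${patch%%.*} ;;
        *)   patch="" ;;
    esac
    if [ -z "$patch" ]; then
        # A suffixed release without a stable patch level is a distribution
        # kernel: fixes are backported and tracked by package version
        # (for Debian lenny: linux-2.6_2.6.26-24lenny1), not by uname.
        [ "$release" != "$base" ] && { echo unknown; return 0; }
        patch=0
    fi
    case "$patch" in *[!0-9]*) echo unknown; return 0 ;; esac
    fixed=$(fixed_patch_for_branch "2.6.$minor") || { echo unknown; return 0; }
    if [ "$patch" -ge "$fixed" ]; then
        echo fixed
    else
        echo older-than-fix
    fi
}

# Classify the release given as first argument, or the running kernel.
check_tty_fasync_fix "${1:-$(uname -r)}"
```

An `unknown` result means the bulletin gives no upstream version to compare against, so the distribution's package version or changelog has to be checked instead.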
