CVE-2009-2692

EUVD-2009-2685
The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, does not initialize all function pointers for socket operations in proto_ops structures, which allows local users to trigger a NULL pointer dereference and gain privileges by using mmap to map page zero, placing arbitrary code on this page, and then invoking an unavailable operation, as demonstrated by the sendpage operation (sock_sendpage function) on a PF_PPPOX socket.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.8 HIGH
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 94%
Affected Products (NVD)
VendorProductVersion
linuxlinux_kernel
2.4.4 ≤
𝑥
< 2.4.37.5
linuxlinux_kernel
2.6.0 ≤
𝑥
< 2.6.30.5
debiandebian_linux
4.0
redhatenterprise_linux_desktop
4.0
redhatenterprise_linux_desktop
5.0
redhatenterprise_linux_eus
4.8
redhatenterprise_linux_eus
5.3
redhatenterprise_linux_server
4.0
redhatenterprise_linux_server
5.0
redhatenterprise_linux_server_aus
5.3
redhatenterprise_linux_workstation
4.0
redhatenterprise_linux_workstation
5.0
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
linux
dapper
dne
hardy
Fixed 2.6.24-24.59
released
intrepid
Fixed 2.6.27-14.39
released
jaunty
Fixed 2.6.28-15.49
released
linux-source-2.6.15
dapper
Fixed 2.6.15-54.79
released
hardy
dne
intrepid
dne
jaunty
dne
Common Weakness Enumeration
References
http://archives.neohapsis.com/archives/fulldisclosure/2009-08/0174.html
http://blog.cr0.org/2009/08/linux-null-pointer-dereference-due-to.html
http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.4.37.y.git%3Ba=commit%3Bh=c18d0fe535a73b219f960d1af3d0c264555a12e3
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=e694958388c50148389b0e9b9e9e8945cf0f1b98
http://grsecurity.net/~spender/wunderbar_emporium.tgz
http://lists.opensuse.org/opensuse-security-announce/2009-09/msg00001.html
http://rhn.redhat.com/errata/RHSA-2009-1222.html
http://rhn.redhat.com/errata/RHSA-2009-1223.html
http://secunia.com/advisories/36278
http://secunia.com/advisories/36289
http://secunia.com/advisories/36327
http://secunia.com/advisories/36430
http://secunia.com/advisories/37298
http://secunia.com/advisories/37471
http://support.avaya.com/css/P8/documents/100067254
http://wiki.rpath.com/wiki/Advisories:rPSA-2009-0121
http://www.debian.org/security/2009/dsa-1865
http://www.exploit-db.com/exploits/19933
http://www.exploit-db.com/exploits/9477
http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.37.5
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.30.5
http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.31-rc6
http://www.mandriva.com/security/advisories?name=MDVSA-2009:233
http://www.openwall.com/lists/oss-security/2009/08/14/1
http://www.redhat.com/support/errata/RHSA-2009-1233.html
http://www.securityfocus.com/archive/1/505751/100/0/threaded
http://www.securityfocus.com/archive/1/505912/100/0/threaded
http://www.securityfocus.com/archive/1/507985/100/0/threaded
http://www.securityfocus.com/archive/1/512019/100/0/threaded
http://www.securityfocus.com/bid/36038
http://www.vmware.com/security/advisories/VMSA-2009-0016.html
http://www.vupen.com/english/advisories/2009/2272
http://www.vupen.com/english/advisories/2009/3316
http://zenthought.org/content/file/android-root-2009-08-16-source
https://bugzilla.redhat.com/show_bug.cgi?id=516949
https://issues.rpath.com/browse/RPL-3103
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11526
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11591
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8657
http://archives.neohapsis.com/archives/fulldisclosure/2009-08/0174.html
http://blog.cr0.org/2009/08/linux-null-pointer-dereference-due-to.html
http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.4.37.y.git%3Ba=commit%3Bh=c18d0fe535a73b219f960d1af3d0c264555a12e3
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=e694958388c50148389b0e9b9e9e8945cf0f1b98
http://grsecurity.net/~spender/wunderbar_emporium.tgz
http://lists.opensuse.org/opensuse-security-announce/2009-09/msg00001.html
http://rhn.redhat.com/errata/RHSA-2009-1222.html
http://rhn.redhat.com/errata/RHSA-2009-1223.html
http://secunia.com/advisories/36278
http://secunia.com/advisories/36289
http://secunia.com/advisories/36327
http://secunia.com/advisories/36430
http://secunia.com/advisories/37298
http://secunia.com/advisories/37471
http://support.avaya.com/css/P8/documents/100067254
http://wiki.rpath.com/wiki/Advisories:rPSA-2009-0121
http://www.debian.org/security/2009/dsa-1865
http://www.exploit-db.com/exploits/19933
http://www.exploit-db.com/exploits/9477
http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.37.5
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.30.5
http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.31-rc6
http://www.mandriva.com/security/advisories?name=MDVSA-2009:233
http://www.openwall.com/lists/oss-security/2009/08/14/1
http://www.redhat.com/support/errata/RHSA-2009-1233.html
http://www.securityfocus.com/archive/1/505751/100/0/threaded
http://www.securityfocus.com/archive/1/505912/100/0/threaded
http://www.securityfocus.com/archive/1/507985/100/0/threaded
http://www.securityfocus.com/archive/1/512019/100/0/threaded
http://www.securityfocus.com/bid/36038
http://www.vmware.com/security/advisories/VMSA-2009-0016.html
http://www.vupen.com/english/advisories/2009/2272
http://www.vupen.com/english/advisories/2009/3316
http://zenthought.org/content/file/android-root-2009-08-16-source
https://bugzilla.redhat.com/show_bug.cgi?id=516949
https://issues.rpath.com/browse/RPL-3103
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11526
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11591
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8657