Updated 2.6 kernel packages fix multiple vulnerabilities

July 2, 2005

Mandriva Linux Security Update Advisory

Package name: kernel
Advisory ID: MDKSA-2005:110
Date: June 30th, 2005
Affected versions: 10.0, 10.1, 10.2, Corporate 3.0

Problem Description:

Multiple vulnerabilities in the Linux kernel have been discovered and
fixed in this update. The following CVE names have been fixed in the
LE2005 kernel:

Colin Percival discovered a vulnerability in Intel’s Hyper-Threading
technology could allow a local user to use a malicious thread to create
covert channels, monitor the execution of other threads, and obtain
sensitive information such as cryptographic keys via a timing attack on
memory cache misses. This has been corrected by disabling HT support
in all kernels (CAN-2005-0109).

An information leak in the ext2 filesystem code in kernels prior to
2.6.11.6 was found where when a new directory is created, the ext2
block written to disk is not initialized (CAN-2005-0400).

A flaw when freeing a pointer in load_elf_library was found in kernels
prior to 2.6.11.6 that could be abused by a local user to potentially
crash the machine causing a Denial of Service (CAN-2005-0749).

A problem with the Bluetooth kernel stack in kernels 2.4.6 through
2.4.30-rc1 and 2.6 through 2.6.11.5 could be used by a local attacker
to gain root access or crash the machine (CAN-2005-0750).

Paul Starzetz found an integer overflow in the ELF binary format
loader’s code dump function in kernels prior to and including 2.4.31-pre1
and 2.6.12-rc4. By creating and executing a specially
crafted ELF executable, a local attacker could exploit this to
execute arbitrary code with root and kernel privileges
(CAN-2005-1263).

The drivers for raw devices used the wrong function to pass arguments
to the underlying block device in 2.6.x kernels. This made the kernel
address space accessible to user-space applictions allowing any local
user with at least read access to a device in /dev/raw/* (usually only
root) to execute arbitrary code with kernel privileges (CAN-2005-1264).

The it87 and via686a hardware monitor drivers in kernels prior to
2.6.11.8 and 2.6.12 prior to 2.6.12-rc2 created a sysfs file named
‘alarms’ with write permissions although they are not designed to be
writable. This allowed a local user to crash the kernel by attempting
to write to these files (CAN-2005-1369).

In addition to the above-noted CAN-2005-0109, CAN-2005-0400,
CAN-2005-0749, CAN-2005-0750, and CAN-2005-1369 fixes, the following
CVE names have been fixed in the 10.1 kernel:

The POSIX Capability Linux Security Module (LSM) for 2.6 kernels up to
and including 2.6.8.1 did not properly handle the credentials of a
process that is launched before the module is loaded, which could be
used by local attackers to gain elevated privileges (CAN-2004-1337).

A flaw in the Linux PPP driver in kernel 2.6.8.1 was found where on
systems allowing remote users to connect to a server via PPP, a remote
client could cause a crash, resulting in a Denial of Service
(CAN-2005-0384).

George Guninski discovered a buffer overflow in the ATM driver in
kernels 2.6.10 and 2.6.11 before 2.6.11-rc4 where the atm_get_addr()
function does not validate its arguments sufficiently which could allow
a local attacker to overwrite large portions of kernel memory by
supplying a negative length argument. This could potentially lead to
the execution of arbitrary code (CAN-2005-0531).

The reiserfs_copy_from_user_to_file_region function in reiserfs/file.c
before kernel 2.6.11, when running on 64-bit architectures, could allow
local users to trigger a buffer overflow as a result of casting
discrepancies between size_t and int data types. This could allow an
attacker to overwrite kernel memory, crash the machine, or potentially
obtain root access (CAN-2005-0532).

A race condition in the Radeon DRI driver in kernel 2.6.8.1 allows a
local user with DRI privileges to execute arbitrary code as root
(CAN-2005-0767).

Access was not restricted to the N_MOUSE discipline for a TTY in
kernels prior to 2.6.11. This could allow local attackers to obtain
elevated privileges by injecting mouse or keyboard events into other
user’s sessions (CAN-2005-0839).

Some futex functions in futex.c in 2.6 kernels performed get_user calls
while holding the mmap_sem semaphore, which could allow a local
attacker to cause a deadlock condition in do_page_fault by triggering
get_user faults while another thread is executing mmap or other
functions (CAN-2005-0937).

In addition to the above-noted CAN-2004-1337, CAN-2005-0109,
CAN-2005-0384, CAN-2005-0400, CAN-2005-0531, CAN-2005-0532,
CAN-2005-0749, CAN-2005-0750, CAN-2005-0767, CAN-2005-0839,
CAN-2005-0937, CAN-2005-1263, CAN-2005-1264, and CAN-2005-1369
fixes, the following CVE names have been fixed in the 10.0/
Corporate 3.0 kernels:

A race condition in the setsid function in kernels before 2.6.8.1 could
allow a local attacker to cause a Denial of Service and possibly access
portions of kernel memory related to TTY changes, locking, and
semaphores (CAN-2005-0178).

When forwarding fragmented packets in kernel 2.6.8.1, a hardware
assisted checksum could only be used once which could lead to a Denial
of Service attack or crash by remote users (CAN-2005-0209).

A signedness error in the copy_from_read_buf function in n_tty.c
before kernel 2.6.11 allows local users to read kernel memory via a
negative argument (CAN-2005-0530).

A vulnerability in the fib_seq_start() function allowed a local user
to crash the system by readiung /proc/net/route in a certain way,
causing a Denial of Service (CAN-2005-1041).

A vulnerability in the Direct Rendering Manager (DRM) driver in the
2.6 kernel does not properly check the DMA lock, which could allow
remote attackers or local users to cause a Denial of Service (X Server
crash) and possibly modify the video output (CAN-2004-1056).

Posted in Linux