Problem Description:

Multiple vulnerabilities in the Linux kernel have been discovered and
fixed in this update. The following have been fixed in the 2.4
kernels:

Colin Percival discovered a vulnerability in Intel’s Hyper-Threading
technology could allow a local user to use a malicious thread to create
covert channels, monitor the execution of other threads, and obtain
sensitive information such as cryptographic keys via a timing attack on
memory cache misses. This has been corrected by disabling HT support
in all kernels (CAN-2005-0109).

When forwarding fragmented packets, a hardware assisted checksum could
only be used once which could lead to a Denial of Service attack or
crash by remote users (CAN-2005-0209).

A flaw in the Linux PPP driver was found where on systems allowing
remote users to connect to a server via PPP, a remote client could
cause a crash, resulting in a Denial of Service (CAN-2005-0384).

An information leak in the ext2 filesystem code was found where when a
new directory is created, the ext2 block written to disk is not
initialized (CAN-2005-0400).

A signedness error in the copy_from_read_buf function in n_tty.c
allows local users to read kernel memory via a negative argument
(CAN-2005-0530).

George Guninski discovered a buffer overflow in the ATM driver
where the atm_get_addr() function does not validate its arguments
sufficiently which could allow a local attacker to overwrite large
portions of kernel memory by supplying a negative length argument. This
could potentially lead to the execution of arbitrary code
(CAN-2005-0531).

A flaw when freeing a pointer in load_elf_library was found that could
be abused by a local user to potentially crash the machine causing a
Denial of Service (CAN-2005-0749).

A problem with the Bluetooth kernel stack in kernels 2.4.6 through
2.4.30-rc1 and 2.6 through 2.6.11.5 could be used by a local attacker
to gain root access or crash the machine (CAN-2005-0750).

A race condition in the Radeon DRI driver allows a local user with DRI
privileges to execute arbitrary code as root (CAN-2005-0767).

Paul Starzetz found an integer overflow in the ELF binary format
loader’s code dump function in kernels prior to and including 2.4.31-pre1
and 2.6.12-rc4. By creating and executing a specially
crafted ELF executable, a local attacker could exploit this to
execute arbitrary code with root and kernel privileges
(CAN-2005-1263).

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0109

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0209

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0384

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0400

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0530

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0531

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0749

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0750

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0767

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1263

Updated Packages:

Mandrakelinux 10.0:
6e064c284eee32e9b8aa444d5c8b1f51 10.0/RPMS/kernel-2.4.25.14mdk-1-1mdk.i586.rpm
34b6b9caac88e1ff34788bc9a99eb023 10.0/RPMS/kernel-enterprise-2.4.25.14mdk-1-1mdk.i586.rpm
6464002754031a7fcd663d6df76c0871 10.0/RPMS/kernel-i686-up-4GB-2.4.25.14mdk-1-1mdk.i586.rpm
5d9c42cd422d34521514becb2b99f5ee 10.0/RPMS/kernel-p3-smp-64GB-2.4.25.14mdk-1-1mdk.i586.rpm
da21d692d1c1b4ac76930491cb977355 10.0/RPMS/kernel-smp-2.4.25.14mdk-1-1mdk.i586.rpm
e1680f042ca01793cd3526ca890a6359 10.0/RPMS/kernel-source-2.4.25-14mdk.i586.rpm
49ca54a42f3df341c89deea3cc60752b 10.0/SRPMS/kernel-2.4.25.14mdk-1-1mdk.src.rpm

Mandrakelinux 10.0/AMD64:
b25d2470f809eb14d8ba4c27ffc720b0 amd64/10.0/RPMS/kernel-2.4.25.14mdk-1-1mdk.amd64.rpm
6073c44537913b11d9ce81a506d4f698 amd64/10.0/RPMS/kernel-smp-2.4.25.14mdk-1-1mdk.amd64.rpm
a2fe6dfa98e85ca097aea0c3cd01cac4 amd64/10.0/RPMS/kernel-source-2.4.25-14mdk.amd64.rpm
49ca54a42f3df341c89deea3cc60752b amd64/10.0/SRPMS/kernel-2.4.25.14mdk-1-1mdk.src.rpm

Mandrakelinux 10.1:
2bb1a55a701e1f9bf8d9c004873fbec3 10.1/RPMS/kernel-2.4.28.0.rc1.6mdk-1-1mdk.i586.rpm
e7dc646e68cde7f58de3379ab581c436 10.1/RPMS/kernel-enterprise-2.4.28.0.rc1.6mdk-1-1mdk.i586.rpm
aa252943a193bb218ff6c7b80d40d575 10.1/RPMS/kernel-i586-up-1GB-2.4.28.0.rc1.6mdk-1-1mdk.i586.rpm
f953475453e85586b8878024496708d6 10.1/RPMS/kernel-smp-2.4.28.0.rc1.6mdk-1-1mdk.i586.rpm
9472f72434bcd3152c440d886b8b8d0a 10.1/RPMS/kernel-source-2.4-2.4.28-0.rc1.6mdk.i586.rpm
da09cdd87f8658578a134b35afc3634e 10.1/SRPMS/kernel-2.4.28.0.rc1.6mdk-1-1mdk.src.rpm

Mandrakelinux 10.1/X86_64:
45b22f87c2aca0cd3cb660aee55b309c x86_64/10.1/RPMS/kernel-2.4.28.0.rc1.6mdk-1-1mdk.x86_64.rpm
de98bf86d25660a7d1209391718941cd x86_64/10.1/RPMS/kernel-smp-2.4.28.0.rc1.6mdk-1-1mdk.x86_64.rpm
8037b0d02ff5958009c1ce06fc80ecb7 x86_64/10.1/RPMS/kernel-source-2.4-2.4.28-0.rc1.6mdk.x86_64.rpm
da09cdd87f8658578a134b35afc3634e x86_64/10.1/SRPMS/kernel-2.4.28.0.rc1.6mdk-1-1mdk.src.rpm

Corporate Server 2.1:
3d62f084903092436aa7074a57b8f50a corporate/2.1/RPMS/kernel-2.4.19.49mdk-1-1mdk.i586.rpm
057c35e5704d2cb40db72d6731798c45 corporate/2.1/RPMS/kernel-enterprise-2.4.19.49mdk-1-1mdk.i586.rpm
5c8e475f0f0d3dd14f79e2a3d875596d corporate/2.1/RPMS/kernel-secure-2.4.19.49mdk-1-1mdk.i586.rpm
0bdd8e582fa2c8996853c583581c5a1c corporate/2.1/RPMS/kernel-smp-2.4.19.49mdk-1-1mdk.i586.rpm
cc34893f190d9a2b914b2b133687d483 corporate/2.1/RPMS/kernel-source-2.4.19-49mdk.i586.rpm
9b8252d59a1f75bf80d134ff394e631f corporate/2.1/SRPMS/kernel-2.4.19.49mdk-1-1mdk.src.rpm

Corporate Server 2.1/X86_64:
2bf8630a1b3439a62cd226675afac5fa x86_64/corporate/2.1/RPMS/kernel-2.4.19.49mdk-1-1mdk.x86_64.rpm
81f5f76607480270437d4e176cbc052c x86_64/corporate/2.1/RPMS/kernel-secure-2.4.19.49mdk-1-1mdk.x86_64.rpm
68e934d793f23b77f0072e1d9dfffff8 x86_64/corporate/2.1/RPMS/kernel-smp-2.4.19.49mdk-1-1mdk.x86_64.rpm
76e6aed1997bd297034978fd177e9c6c x86_64/corporate/2.1/RPMS/kernel-source-2.4.19-49mdk.x86_64.rpm
9b8252d59a1f75bf80d134ff394e631f x86_64/corporate/2.1/SRPMS/kernel-2.4.19.49mdk-1-1mdk.src.rpm

Corporate 3.0:
6e064c284eee32e9b8aa444d5c8b1f51 corporate/3.0/RPMS/kernel-2.4.25.14mdk-1-1mdk.i586.rpm
34b6b9caac88e1ff34788bc9a99eb023 corporate/3.0/RPMS/kernel-enterprise-2.4.25.14mdk-1-1mdk.i586.rpm
6464002754031a7fcd663d6df76c0871 corporate/3.0/RPMS/kernel-i686-up-4GB-2.4.25.14mdk-1-1mdk.i586.rpm
5d9c42cd422d34521514becb2b99f5ee corporate/3.0/RPMS/kernel-p3-smp-64GB-2.4.25.14mdk-1-1mdk.i586.rpm
da21d692d1c1b4ac76930491cb977355 corporate/3.0/RPMS/kernel-smp-2.4.25.14mdk-1-1mdk.i586.rpm
e1680f042ca01793cd3526ca890a6359 corporate/3.0/RPMS/kernel-source-2.4.25-14mdk.i586.rpm
49ca54a42f3df341c89deea3cc60752b corporate/3.0/SRPMS/kernel-2.4.25.14mdk-1-1mdk.src.rpm

Corporate 3.0/X86_64:
9f9a2331e209bc05e1f673f6ba4496c3 x86_64/corporate/3.0/RPMS/kernel-2.4.25.14mdk-1-1mdk.x86_64.rpm
cba23e8d414c01245b7bfd9d40fb976d x86_64/corporate/3.0/RPMS/kernel-smp-2.4.25.14mdk-1-1mdk.x86_64.rpm
e1891c175b7544470017aa7979ae2fb9 x86_64/corporate/3.0/RPMS/kernel-source-2.4.25-14mdk.x86_64.rpm
49ca54a42f3df341c89deea3cc60752b x86_64/corporate/3.0/SRPMS/kernel-2.4.25.14mdk-1-1mdk.src.rpm

Multi Network Firewall 8.2:
5c8e475f0f0d3dd14f79e2a3d875596d mnf8.2/RPMS/kernel-secure-2.4.19.49mdk-1-1mdk.i586.rpm
9b8252d59a1f75bf80d134ff394e631f mnf8.2/SRPMS/kernel-2.4.19.49mdk-1-1mdk.src.rpm

To upgrade automatically use MandrakeUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg –recv-keys –keyserver pgp.mit.edu 0×22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com

Problem Description:

A vulnerability was discovered by GulfTech Security in the PHP XML RPC
project. This vulnerability is considered critical and can lead to
remote code execution. The vulnerability also exists in the PEAR
XMLRPC implementation.

Mandriva ships with the PEAR XMLRPC implementation and it has been
patched to correct this problem. It is advised that users examine the
PHP applications they have installed on their servers for any
applications that may come bundled with their own copies of the PEAR
system and either patch RPC.php or use the system PEAR (found in
/usr/share/pear).

Updates have been released for some popular PHP applications such
as WordPress and Serendipity and users are urged to take all
precautions to protect their systems from attack and/or defacement by
upgrading their applications from the authors of the respective
applications.

To upgrade automatically use MandrakeUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg –recv-keys –keyserver pgp.mit.edu 0×22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com

Package name: kernel
Advisory ID: MDKSA-2005:110
Date: June 30th, 2005
Affected versions: 10.0, 10.1, 10.2, Corporate 3.0

Problem Description:

Multiple vulnerabilities in the Linux kernel have been discovered and
fixed in this update. The following CVE names have been fixed in the
LE2005 kernel:

Colin Percival discovered a vulnerability in Intel’s Hyper-Threading
technology could allow a local user to use a malicious thread to create
covert channels, monitor the execution of other threads, and obtain
sensitive information such as cryptographic keys via a timing attack on
memory cache misses. This has been corrected by disabling HT support
in all kernels (CAN-2005-0109).

An information leak in the ext2 filesystem code in kernels prior to
2.6.11.6 was found where when a new directory is created, the ext2
block written to disk is not initialized (CAN-2005-0400).

A flaw when freeing a pointer in load_elf_library was found in kernels
prior to 2.6.11.6 that could be abused by a local user to potentially
crash the machine causing a Denial of Service (CAN-2005-0749).

A problem with the Bluetooth kernel stack in kernels 2.4.6 through
2.4.30-rc1 and 2.6 through 2.6.11.5 could be used by a local attacker
to gain root access or crash the machine (CAN-2005-0750).

Paul Starzetz found an integer overflow in the ELF binary format
loader’s code dump function in kernels prior to and including 2.4.31-pre1
and 2.6.12-rc4. By creating and executing a specially
crafted ELF executable, a local attacker could exploit this to
execute arbitrary code with root and kernel privileges
(CAN-2005-1263).

The drivers for raw devices used the wrong function to pass arguments
to the underlying block device in 2.6.x kernels. This made the kernel
address space accessible to user-space applictions allowing any local
user with at least read access to a device in /dev/raw/* (usually only
root) to execute arbitrary code with kernel privileges (CAN-2005-1264).

The it87 and via686a hardware monitor drivers in kernels prior to
2.6.11.8 and 2.6.12 prior to 2.6.12-rc2 created a sysfs file named
‘alarms’ with write permissions although they are not designed to be
writable. This allowed a local user to crash the kernel by attempting
to write to these files (CAN-2005-1369).

In addition to the above-noted CAN-2005-0109, CAN-2005-0400,
CAN-2005-0749, CAN-2005-0750, and CAN-2005-1369 fixes, the following
CVE names have been fixed in the 10.1 kernel:

The POSIX Capability Linux Security Module (LSM) for 2.6 kernels up to
and including 2.6.8.1 did not properly handle the credentials of a
process that is launched before the module is loaded, which could be
used by local attackers to gain elevated privileges (CAN-2004-1337).

A flaw in the Linux PPP driver in kernel 2.6.8.1 was found where on
systems allowing remote users to connect to a server via PPP, a remote
client could cause a crash, resulting in a Denial of Service
(CAN-2005-0384).

George Guninski discovered a buffer overflow in the ATM driver in
kernels 2.6.10 and 2.6.11 before 2.6.11-rc4 where the atm_get_addr()
function does not validate its arguments sufficiently which could allow
a local attacker to overwrite large portions of kernel memory by
supplying a negative length argument. This could potentially lead to
the execution of arbitrary code (CAN-2005-0531).

The reiserfs_copy_from_user_to_file_region function in reiserfs/file.c
before kernel 2.6.11, when running on 64-bit architectures, could allow
local users to trigger a buffer overflow as a result of casting
discrepancies between size_t and int data types. This could allow an
attacker to overwrite kernel memory, crash the machine, or potentially
obtain root access (CAN-2005-0532).

A race condition in the Radeon DRI driver in kernel 2.6.8.1 allows a
local user with DRI privileges to execute arbitrary code as root
(CAN-2005-0767).

Access was not restricted to the N_MOUSE discipline for a TTY in
kernels prior to 2.6.11. This could allow local attackers to obtain
elevated privileges by injecting mouse or keyboard events into other
user’s sessions (CAN-2005-0839).

Some futex functions in futex.c in 2.6 kernels performed get_user calls
while holding the mmap_sem semaphore, which could allow a local
attacker to cause a deadlock condition in do_page_fault by triggering
get_user faults while another thread is executing mmap or other
functions (CAN-2005-0937).

In addition to the above-noted CAN-2004-1337, CAN-2005-0109,
CAN-2005-0384, CAN-2005-0400, CAN-2005-0531, CAN-2005-0532,
CAN-2005-0749, CAN-2005-0750, CAN-2005-0767, CAN-2005-0839,
CAN-2005-0937, CAN-2005-1263, CAN-2005-1264, and CAN-2005-1369
fixes, the following CVE names have been fixed in the 10.0/
Corporate 3.0 kernels:

A race condition in the setsid function in kernels before 2.6.8.1 could
allow a local attacker to cause a Denial of Service and possibly access
portions of kernel memory related to TTY changes, locking, and
semaphores (CAN-2005-0178).

When forwarding fragmented packets in kernel 2.6.8.1, a hardware
assisted checksum could only be used once which could lead to a Denial
of Service attack or crash by remote users (CAN-2005-0209).

A signedness error in the copy_from_read_buf function in n_tty.c
before kernel 2.6.11 allows local users to read kernel memory via a
negative argument (CAN-2005-0530).

A vulnerability in the fib_seq_start() function allowed a local user
to crash the system by readiung /proc/net/route in a certain way,
causing a Denial of Service (CAN-2005-1041).

A vulnerability in the Direct Rendering Manager (DRM) driver in the
2.6 kernel does not properly check the DMA lock, which could allow
remote attackers or local users to cause a Denial of Service (X Server
crash) and possibly modify the video output (CAN-2004-1056).