
Fedora 8: 2008-8980 Moderate: Kernel Splice Function Threat

October 23, 2008

Summary

The kernel package contains the Linux kernel (vmlinuz), the core of any Linux operating system. The kernel handles the basic functions of the operating system: memory allocation, process allocation, device input and output, etc.

Update kernel from version 2.6.26.5 to 2.6.26.6:

CVE-2008-3831: An IOCTL in the i915 driver was not properly restricted to users with the proper capabilities to use it.

CVE-2008-4410: The vmi_write_ldt_entry function in arch/x86/kernel/vmi_32.c in the Virtual Machine Interface (VMI) in the Linux kernel 2.6.26.5 invokes write_idt_entry where write_ldt_entry was intended, which allows local users to cause a denial of service (persistent application failure) via crafted function calls, related to the Java Runtime Environment (JRE) experiencing improper LDT selector state, a different vulnerability than CVE-2008-3247.

CVE-2008-3525: The sbni_ioctl function in drivers/net/wan/sbni.c in the wan subsystem in the Linux kernel 2.6.26.3 does not check for the CAP_NET_ADMIN capability before processing a (1) SIOCDEVRESINSTATS, (2) SIOCDEVSHWSTATE, (3) SIOCDEVENSLAVE, or (4) SIOCDEVEMANSIPATE ioctl request, which allows local users to bypass intended capability restrictions.

CVE-2008-4554: The do_splice_from function in fs/splice.c in the Linux kernel before 2.6.27 does not reject file descriptors that have the O_APPEND flag set, which allows local users to bypass append mode and make arbitrary changes to other locations in the file.

CVE-2008-4576: sctp in Linux kernel before 2.6.25.18 allows remote attackers to cause a denial of service (OOPS) via an INIT-ACK that states the peer does not support AUTH, which causes the sctp_process_init function to clean up active transports and triggers the OOPS when the T1-Init timer expires.

Also fixes these bugs reported against Fedora 9:

465873 - kernel build-id note corruption
466303 - IPSec kernel lockup.
464613 - 11143 unconditional linker option arch/powerpc/lib/crtsavres.o causes external module build failure
463034 - [sata_nv swncq] kernel 2.6.26.3-29 raid errors: "md: super_written gets error=-5, uptodate=0"
460550 - Insert key does not work on console since 2.6.26
438606 - at76 stops working with port to mac80211
466511 - Kernel crash when using openswan
462919 - kernel 2.6.26.3-19.fc9.x86_64 TT-budget C-1500 DVB card is not longer working
462178 - PCMCIA CF adaptor causes kernel hang at "Starting UDEV:"

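A post-update check for the CVE-2008-4554 fix described above, as an added example that is not part of the advisory or of the kernel source: it creates a scratch file, reopens it with O_APPEND, attempts a splice() from a pipe into it, and reports whether the kernel refused the call and whether the existing bytes survived. The function name, struct, scratch path and sample content are constructed for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Outcome of the check: was splice() refused, with which errno, and is the old data intact? */
struct append_check { int rejected; int err; int intact; };

/* Returns 0 and fills *res, or -1 if the scratch file or pipe could not be set up. */
int check_splice_append(struct append_check *res)
{
    static const char orig[] = "ORIGINAL";           /* constructed sample content */
    char path[] = "/tmp/splice-append-XXXXXX", buf[sizeof orig] = {0};
    int p[2] = {-1, -1}, fd = mkstemp(path), rc = -1;
    long n;

    if (fd < 0) return -1;
    if (write(fd, orig, sizeof orig - 1) != (ssize_t)(sizeof orig - 1)) goto out;
    close(fd);
    fd = open(path, O_WRONLY | O_APPEND);            /* append-mode writer, position 0 */
    if (fd < 0 || pipe(p) < 0 || write(p[1], "XX", 2) != 2) goto out;
    /* Raw syscall, so the block does not depend on the libc splice() prototype. */
    n = syscall(SYS_splice, p[0], NULL, fd, NULL, (size_t)2, 0u);
    res->rejected = (n < 0);
    res->err = (n < 0) ? errno : 0;
    close(fd);
    fd = open(path, O_RDONLY);                       /* re-read the original prefix */
    if (fd < 0 || read(fd, buf, sizeof orig - 1) != (ssize_t)(sizeof orig - 1)) goto out;
    res->intact = (memcmp(buf, orig, sizeof orig - 1) == 0);
    rc = 0;
out:
    if (fd >= 0) close(fd);
    if (p[0] >= 0) { close(p[0]); close(p[1]); }
    unlink(path);
    return rc;
}

int main(void)
{
    struct append_check r;
    if (check_splice_append(&r) != 0) { perror("setup"); return 2; }
    printf("splice to O_APPEND fd: %s (errno %d), original bytes %s\n",
           r.rejected ? "rejected" : "accepted", r.err, r.intact ? "intact" : "MODIFIED");
    return (r.rejected && r.err == EINVAL) ? 0 : 1;  /* fixed kernels return EINVAL */
}
```

A kernel carrying the fix refuses the call with EINVAL, so the program exits 0; any other exit status means the running kernel should be checked against the fixed package listed in this advisory.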
Change Log

* Fri Oct 17 2008 Chuck Ebbert 2.6.26.6-49

- Two security patches from F9:

Fix IOCTL permission checking in sbni WAN adapter (CVE-2008-3525).

DRM: fix ioctl security issue (CVE-2008-3831).

* Thu Oct 16 2008 Chuck Ebbert 2.6.26.6-48

- Fix RTC on systems that don't describe it in PnP (F9#451188)

* Wed Oct 15 2008 Chuck Ebbert 2.6.26.6-47

- Copy utrace updates from F-9.

* Tue Oct 14 2008 Chuck Ebbert 2.6.26.6-46

- Fix pci mmap range checking to work without the WARN() macro.

* Tue Oct 14 2008 Chuck Ebbert 2.6.26.6-45

- Two x86 fixes from F9:

x86, early_ioremap: fix fencepost error

x86: SB450: skip IRQ0 override if it is not routed to INT2 of IOAPIC

* Tue Oct 14 2008 Chuck Ebbert 2.6.26.6-44

- Three libata fixes from F9:

libata: always do follow-up SRST if hardreset returned -EAGAIN

libata: fix EH action overwriting in ata_eh_reset()

libata: sata_nv: SWNCQ should be disabled by default (#463034)

* Mon Oct 13 2008 Chuck Ebbert 2.6.26.6-43

- x86: Reserve FIRST_DEVICE_VECTOR in used_vectors bitmap.

* Mon Oct 13 2008 Chuck Ebbert 2.6.26.6-42

- libata: pata_marvell: use the upstream patch for playing nice with ahci

* Fri Oct 10 2008 Chuck Ebbert 2.6.26.6-41

- pci: check range on sysfs mmapped resources

* Fri Oct 10 2008 Chuck Ebbert 2.6.26.6-40

- Don't allow splice to files opened with O_APPEND.

* Fri Oct 10 2008 Chuck Ebbert 2.6.26.6-39

- Fix buffer overflow in uvcvideo driver.

* Fri Oct 10 2008 Chuck Ebbert 2.6.26.6-38

- Fix possible oops in get_wchan()

* Thu Oct 9 2008 Kyle McMartin 2.6.26.6-37

- add e1000e: write protect nvram to prevent corruption patch from upstream

* Thu Oct 9 2008 Chuck Ebbert 2.6.26.6-36

- x86: switch to UP mode when only one CPU is present at boot time

* Thu Oct 9 2008 Chuck Ebbert 2.6.26.6-35

- 2.6.26.6

Dropped patches:

linux-2.6-sched-fix-process-time-monotonicity.patch

linux-2.6-x86-64-fix-overlap-of-modules-and-fixmap-areas.patch

linux-2.6-x86-fdiv-bug-detection-fix.patch

linux-2.6-x86-fix-oprofile-and-hibernation-issues.patch

linux-2.6-x86-32-amd-c1e-force-timer-broadcast-late.patch

linux-2.6-x86-pat-proper-tracking-of-set_memory_uc.patch

linux-2.6-x86-hpet-01-fix-moronic-32-64-bit-thinko.patch

linux-2.6-x86-hpet-02-read-back-compare-register.patch

linux-2.6-x86-hpet-03-make-minimum-reprogramming-delta-useful.patch

linux-2.6-x86-fix-memmap-exactmap-boot-argument.patch

linux-2.6-usb-fix-hcd-interrupt-disabling.patch

linux-2.6-acpi-processor-use-signed-int.patch

linux-2.6-mm-dirty-page-tracking-race-fix.patch

linux-2.6-mm-mark-correct-zone-full-when-scanning-zonelists.patch

linux-2.6-block-submit_bh-discards-barrier-flag.patch

linux-2.6-pcmcia-fix-broken-abuse-of-dev-driver_data.patch

Reverted from upstream:

rt2x00-use-ieee80211_hw-workqueue-again.patch

* Wed Oct 8 2008 Chuck Ebbert 2.6.26.5-34

- Disable the snd-aw2 module: it conflicts with video drivers. (F9#462919)

* Wed Oct 8 2008 Chuck Ebbert 2.6.26.5-33

- Copy dwmw2's build fixes from rawhide:

Include arch/$ARCH/include/ directories in kernel-devel (F10#465486)

Include arch/powerpc/lib/crtsavres.[So] too (F9#464613)

* Wed Oct 8 2008 Chuck Ebbert 2.6.26.5-32

- Fix build ID fiddling magic. (F9#465873)

- Move build-nonintconfig patch so it gets included in -vanilla.

* Mon Oct 6 2008 John W. Linville 2.6.26.5-31

- Re-revert at76_usb to version from before attempted mac80211 port

* Mon Sep 22 2008 Chuck Ebbert 2.6.26.5-30

- pcmcia: Fix broken abuse of dev->driver_data (F9#462178)

* Mon Sep 22 2008 Chuck Ebbert 2.6.26.5-29

- Copy forgotten libata patch from F9.

References

[ 1 ] Bug #464502 - CVE-2008-3831 kernel: i915 kernel drm driver arbitrary ioremap
https://bugzilla.redhat.com/show_bug.cgi?id=464502

[ 2 ] Bug #460401 - CVE-2008-3525 kernel: missing capability checks in sbni_ioctl()
https://bugzilla.redhat.com/show_bug.cgi?id=460401

[ 3 ] Bug #466707 - CVE-2008-4554 kernel: don't allow splice() to files opened with O_APPEND
https://bugzilla.redhat.com/show_bug.cgi?id=466707

[ 4 ] Bug #466079 - CVE-2008-4576 kernel: sctp: Fix oops when INIT-ACK indicates that peer doesn't support AUTH
https://bugzilla.redhat.com/show_bug.cgi?id=466079

Update Instructions

This update can be installed with the "yum" update program. Use su -c 'yum update kernel' at the command line. For more information, refer to "Managing Software with yum", available at .

All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/

Fedora-package-announce mailing list
Fedora-package-announce@redhat.com
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/


Severity: important

Product: Fedora 8
Version: 2.6.26.6
Release: 49.fc8
Summary: The Linux kernel
