Date:         Wed, 17 Dec 2008 14:41:11 -0600
Reply-To:     Troy Dawson 
Sender:       Security Errata for Scientific Linux
              
From:         Troy Dawson 
Subject:      Security ERRATA for kernel on SL5.x i386/x86_64
Comments: To: "scientific-linux-errata@fnal.gov"
          

Synopsis: Important: kernel security and bug fix update
Issue date: 2008-12-16
CVE Names: CVE-2008-3831 CVE-2008-4554 CVE-2008-4576

* Olaf Kirch reported a flaw in the i915 kernel driver that only affects
the Intel G33 series and newer. This flaw could, potentially, lead to local
privilege escalation. (CVE-2008-3831, Important)

* Miklos Szeredi reported a missing check for files opened with O_APPEND in
the sys_splice(). This could allow a local, unprivileged user to bypass the
append-only file restrictions. (CVE-2008-4554, Important)

* a deficiency was found in the Linux kernel Stream Control Transmission
Protocol (SCTP) implementation. This could lead to a possible denial of
service if one end of a SCTP connection did not support the AUTH extension.
(CVE-2008-4576, Important)

In addition, these updated packages fix the following bugs:

* on Itanium=AE systems, when a multithreaded program was traced using the
command "strace -f", messages similar to the following ones were displayed,
after which the trace would stop:

        PANIC: attached pid 10740 exited
        PANIC: handle_group_exit: 10740 leader 10721
        PANIC: attached pid 10739 exited
        PANIC: handle_group_exit: 10739 leader 10721
        ...

In these updated packages, tracing a multithreaded program using the
"strace -f" command no longer results in these error messages, and strace
terminates normally after tracing all threads.

* on big-endian systems such as PowerPC, the getsockopt() function
incorrectly returned 0 depending on the parameters passed to it when the
time to live (TTL) value equaled 255.

* when using an NFSv4 file system, accessing the same file with two
separate processes simultaneously resulted in the NFS client process
becoming unresponsive.

* on AMD64 and Intel=AE 64 hypervisor-enabled systems, in cases in which a
syscall correctly returned '-1' in code compiled on Red Hat Enterprise
Linux 5, the same code, when run with the strace utility, would incorrectly
return an invalid return value. This has been fixed so that on AMD64 and
Intel=AE 64 hypervisor-enabled systems, syscalls in compiled code return the
same, correct values as syscalls do when run with strace.

* on the Itanium=AE architecture, fully-virtualized guest domains which were
created using more than 64 GB of memory caused other guest domains not to
receive interrupts, which caused a soft lockup on other guests. All guest
domains are now able to receive interrupts regardless of their allotted memory.

* when user-space used SIGIO notification, which wasn't disabled before
closing a file descriptor, and was then re-enabled in a different process,
an attempt by the kernel to dereference a stale pointer led to a kernel
crash. With this fix, such a situation no longer causes a kernel crash.

* modifications to certain pages made through a memory-mapped region could
have been lost in cases when the NFS client needed to invalidate the page
cache for that particular memory-mapped file.

* fully-virtualized Windows guests became unresponsive due to the vIOSAPIC
component being multiprocessor-unsafe. With this fix, vIOSAPIC is
multiprocessor-safe and Windows guests do not become unresponsive.

* on certain systems, keyboard controllers were not able to withstand a
continuous flow of requests to switch keyboard LEDs on or off, which
resulted in some or all key presses not being registered by the system.

* on the Itanium=AE architecture, setting the "vm.nr_hugepages" sysctl
parameter caused a kernel stack overflow resulting in a kernel panic, and
possibly stack corruption. With this fix, setting vm.nr_hugepages works
correctly.

* hugepages allow the Linux kernel to utilize the multiple page size
capabilities of modern hardware architectures. In certain configurations,
systems with large amounts of memory could fail to allocate most of memory
for hugepages even if it was free, which could have resulted, for example,
in database restart failures.

SL 5.x

    SRPMS:
kernel-2.6.18-92.1.22.el5.src.rpm
    i386:
kernel-2.6.18-92.1.22.el5.i686.rpm
kernel-debug-2.6.18-92.1.22.el5.i686.rpm
kernel-debug-devel-2.6.18-92.1.22.el5.i686.rpm
kernel-devel-2.6.18-92.1.22.el5.i686.rpm
kernel-doc-2.6.18-92.1.22.el5.noarch.rpm
kernel-headers-2.6.18-92.1.22.el5.i386.rpm
kernel-PAE-2.6.18-92.1.22.el5.i686.rpm
kernel-PAE-devel-2.6.18-92.1.22.el5.i686.rpm
kernel-xen-2.6.18-92.1.22.el5.i686.rpm
kernel-xen-devel-2.6.18-92.1.22.el5.i686.rpm
   Dependancies:
kernel-module-fuse-2.6.18-92.1.22.el5-2.6.3-1.sl5.i686.rpm
kernel-module-fuse-2.6.18-92.1.22.el5PAE-2.6.3-1.sl5.i686.rpm
kernel-module-fuse-2.6.18-92.1.22.el5xen-2.6.3-1.sl5.i686.rpm
kernel-module-ipw3945-2.6.18-92.1.22.el5-1.2.0-2.sl5.i686.rpm
kernel-module-ipw3945-2.6.18-92.1.22.el5PAE-1.2.0-2.sl5.i686.rpm
kernel-module-ipw3945-2.6.18-92.1.22.el5xen-1.2.0-2.sl5.i686.rpm
kernel-module-madwifi-2.6.18-92.1.22.el5-0.9.4-15.sl5.i686.rpm
kernel-module-madwifi-2.6.18-92.1.22.el5PAE-0.9.4-15.sl5.i686.rpm
kernel-module-madwifi-2.6.18-92.1.22.el5xen-0.9.4-15.sl5.i686.rpm
kernel-module-madwifi-hal-2.6.18-92.1.22.el5-0.9.4-15.sl5.i686.rpm
kernel-module-madwifi-hal-2.6.18-92.1.22.el5PAE-0.9.4-15.sl5.i686.rpm
kernel-module-madwifi-hal-2.6.18-92.1.22.el5xen-0.9.4-15.sl5.i686.rpm
kernel-module-ndiswrapper-2.6.18-92.1.22.el5-1.53-1.SL.i686.rpm
kernel-module-ndiswrapper-2.6.18-92.1.22.el5PAE-1.53-1.SL.i686.rpm
kernel-module-ndiswrapper-2.6.18-92.1.22.el5xen-1.53-1.SL.i686.rpm
kernel-module-openafs-2.6.18-92.1.22.el5-1.4.7-68.SL5.i686.rpm
kernel-module-openafs-2.6.18-92.1.22.el5PAE-1.4.7-68.SL5.i686.rpm
kernel-module-openafs-2.6.18-92.1.22.el5xen-1.4.7-68.SL5.i686.rpm
kernel-module-xfs-2.6.18-92.1.22.el5-0.4-1.sl5.i686.rpm
kernel-module-xfs-2.6.18-92.1.22.el5PAE-0.4-1.sl5.i686.rpm
kernel-module-xfs-2.6.18-92.1.22.el5xen-0.4-1.sl5.i686.rpm
    x86_64:
kernel-2.6.18-92.1.22.el5.x86_64.rpm
kernel-debug-2.6.18-92.1.22.el5.x86_64.rpm
kernel-debug-devel-2.6.18-92.1.22.el5.x86_64.rpm
kernel-devel-2.6.18-92.1.22.el5.x86_64.rpm
kernel-doc-2.6.18-92.1.22.el5.noarch.rpm
kernel-headers-2.6.18-92.1.22.el5.x86_64.rpm
kernel-xen-2.6.18-92.1.22.el5.x86_64.rpm
kernel-xen-devel-2.6.18-92.1.22.el5.x86_64.rpm
   Dependancies:
kernel-module-fuse-2.6.18-92.1.22.el5-2.6.3-1.sl5.x86_64.rpm
kernel-module-fuse-2.6.18-92.1.22.el5xen-2.6.3-1.sl5.x86_64.rpm
kernel-module-ipw3945-2.6.18-92.1.22.el5-1.2.0-2.sl5.x86_64.rpm
kernel-module-ipw3945-2.6.18-92.1.22.el5xen-1.2.0-2.sl5.x86_64.rpm
kernel-module-madwifi-2.6.18-92.1.22.el5-0.9.4-15.sl5.x86_64.rpm
kernel-module-madwifi-2.6.18-92.1.22.el5xen-0.9.4-15.sl5.x86_64.rpm
kernel-module-madwifi-hal-2.6.18-92.1.22.el5-0.9.4-15.sl5.x86_64.rpm
kernel-module-madwifi-hal-2.6.18-92.1.22.el5xen-0.9.4-15.sl5.x86_64.rpm
kernel-module-ndiswrapper-2.6.18-92.1.22.el5-1.53-1.SL.x86_64.rpm
kernel-module-ndiswrapper-2.6.18-92.1.22.el5xen-1.53-1.SL.x86_64.rpm
kernel-module-openafs-2.6.18-92.1.22.el5-1.4.7-68.SL5.x86_64.rpm
kernel-module-openafs-2.6.18-92.1.22.el5xen-1.4.7-68.SL5.x86_64.rpm
kernel-module-xfs-2.6.18-92.1.22.el5-0.4-1.sl5.x86_64.rpm
kernel-module-xfs-2.6.18-92.1.22.el5xen-0.4-1.sl5.x86_64.rpm

-Connie Sieh
-Troy Dawson

SciLinux: CVE-2008-3831 kernel SL5.x i386/x86_64

Important: kernel security and bug fix update

Summary

Date:         Wed, 17 Dec 2008 14:41:11 -0600Reply-To:     Troy Dawson Sender:       Security Errata for Scientific Linux              From:         Troy Dawson Subject:      Security ERRATA for kernel on SL5.x i386/x86_64Comments: To: "scientific-linux-errata@fnal.gov"          Synopsis: Important: kernel security and bug fix updateIssue date: 2008-12-16CVE Names: CVE-2008-3831 CVE-2008-4554 CVE-2008-4576* Olaf Kirch reported a flaw in the i915 kernel driver that only affectsthe Intel G33 series and newer. This flaw could, potentially, lead to localprivilege escalation. (CVE-2008-3831, Important)* Miklos Szeredi reported a missing check for files opened with O_APPEND inthe sys_splice(). This could allow a local, unprivileged user to bypass theappend-only file restrictions. (CVE-2008-4554, Important)* a deficiency was found in the Linux kernel Stream Control TransmissionProtocol (SCTP) implementation. This could lead to a possible denial ofservice if one end of a SCTP connection did not support the AUTH extension.(CVE-2008-4576, Important)In addition, these updated packages fix the following bugs:* on Itanium=AE systems, when a multithreaded program was traced using thecommand "strace -f", messages similar to the following ones were displayed,after which the trace would stop:        PANIC: attached pid 10740 exited        PANIC: handle_group_exit: 10740 leader 10721        PANIC: attached pid 10739 exited        PANIC: handle_group_exit: 10739 leader 10721        ...In these updated packages, tracing a multithreaded program using the"strace -f" command no longer results in these error messages, and straceterminates normally after tracing all threads.* on big-endian systems such as PowerPC, the getsockopt() functionincorrectly returned 0 depending on the parameters passed to it when thetime to live (TTL) value equaled 255.* when using an NFSv4 file system, accessing the same file with twoseparate processes simultaneously resulted in the NFS client processbecoming unresponsive.* on AMD64 and Intel=AE 64 hypervisor-enabled systems, in cases in which asyscall correctly returned '-1' in code compiled on Red Hat EnterpriseLinux 5, the same code, when run with the strace utility, would incorrectlyreturn an invalid return value. This has been fixed so that on AMD64 andIntel=AE 64 hypervisor-enabled systems, syscalls in compiled code return thesame, correct values as syscalls do when run with strace.* on the Itanium=AE architecture, fully-virtualized guest domains which werecreated using more than 64 GB of memory caused other guest domains not toreceive interrupts, which caused a soft lockup on other guests. All guestdomains are now able to receive interrupts regardless of their allotted memory.* when user-space used SIGIO notification, which wasn't disabled beforeclosing a file descriptor, and was then re-enabled in a different process,an attempt by the kernel to dereference a stale pointer led to a kernelcrash. With this fix, such a situation no longer causes a kernel crash.* modifications to certain pages made through a memory-mapped region couldhave been lost in cases when the NFS client needed to invalidate the pagecache for that particular memory-mapped file.* fully-virtualized Windows guests became unresponsive due to the vIOSAPICcomponent being multiprocessor-unsafe. With this fix, vIOSAPIC ismultiprocessor-safe and Windows guests do not become unresponsive.* on certain systems, keyboard controllers were not able to withstand acontinuous flow of requests to switch keyboard LEDs on or off, whichresulted in some or all key presses not being registered by the system.* on the Itanium=AE architecture, setting the "vm.nr_hugepages" sysctlparameter caused a kernel stack overflow resulting in a kernel panic, andpossibly stack corruption. With this fix, setting vm.nr_hugepages workscorrectly.* hugepages allow the Linux kernel to utilize the multiple page sizecapabilities of modern hardware architectures. In certain configurations,systems with large amounts of memory could fail to allocate most of memoryfor hugepages even if it was free, which could have resulted, for example,in database restart failures.SL 5.x    SRPMS:kernel-2.6.18-92.1.22.el5.src.rpm    i386:kernel-2.6.18-92.1.22.el5.i686.rpmkernel-debug-2.6.18-92.1.22.el5.i686.rpmkernel-debug-devel-2.6.18-92.1.22.el5.i686.rpmkernel-devel-2.6.18-92.1.22.el5.i686.rpmkernel-doc-2.6.18-92.1.22.el5.noarch.rpmkernel-headers-2.6.18-92.1.22.el5.i386.rpmkernel-PAE-2.6.18-92.1.22.el5.i686.rpmkernel-PAE-devel-2.6.18-92.1.22.el5.i686.rpmkernel-xen-2.6.18-92.1.22.el5.i686.rpmkernel-xen-devel-2.6.18-92.1.22.el5.i686.rpm   Dependancies:kernel-module-fuse-2.6.18-92.1.22.el5-2.6.3-1.sl5.i686.rpmkernel-module-fuse-2.6.18-92.1.22.el5PAE-2.6.3-1.sl5.i686.rpmkernel-module-fuse-2.6.18-92.1.22.el5xen-2.6.3-1.sl5.i686.rpmkernel-module-ipw3945-2.6.18-92.1.22.el5-1.2.0-2.sl5.i686.rpmkernel-module-ipw3945-2.6.18-92.1.22.el5PAE-1.2.0-2.sl5.i686.rpmkernel-module-ipw3945-2.6.18-92.1.22.el5xen-1.2.0-2.sl5.i686.rpmkernel-module-madwifi-2.6.18-92.1.22.el5-0.9.4-15.sl5.i686.rpmkernel-module-madwifi-2.6.18-92.1.22.el5PAE-0.9.4-15.sl5.i686.rpmkernel-module-madwifi-2.6.18-92.1.22.el5xen-0.9.4-15.sl5.i686.rpmkernel-module-madwifi-hal-2.6.18-92.1.22.el5-0.9.4-15.sl5.i686.rpmkernel-module-madwifi-hal-2.6.18-92.1.22.el5PAE-0.9.4-15.sl5.i686.rpmkernel-module-madwifi-hal-2.6.18-92.1.22.el5xen-0.9.4-15.sl5.i686.rpmkernel-module-ndiswrapper-2.6.18-92.1.22.el5-1.53-1.SL.i686.rpmkernel-module-ndiswrapper-2.6.18-92.1.22.el5PAE-1.53-1.SL.i686.rpmkernel-module-ndiswrapper-2.6.18-92.1.22.el5xen-1.53-1.SL.i686.rpmkernel-module-openafs-2.6.18-92.1.22.el5-1.4.7-68.SL5.i686.rpmkernel-module-openafs-2.6.18-92.1.22.el5PAE-1.4.7-68.SL5.i686.rpmkernel-module-openafs-2.6.18-92.1.22.el5xen-1.4.7-68.SL5.i686.rpmkernel-module-xfs-2.6.18-92.1.22.el5-0.4-1.sl5.i686.rpmkernel-module-xfs-2.6.18-92.1.22.el5PAE-0.4-1.sl5.i686.rpmkernel-module-xfs-2.6.18-92.1.22.el5xen-0.4-1.sl5.i686.rpm    x86_64:kernel-2.6.18-92.1.22.el5.x86_64.rpmkernel-debug-2.6.18-92.1.22.el5.x86_64.rpmkernel-debug-devel-2.6.18-92.1.22.el5.x86_64.rpmkernel-devel-2.6.18-92.1.22.el5.x86_64.rpmkernel-doc-2.6.18-92.1.22.el5.noarch.rpmkernel-headers-2.6.18-92.1.22.el5.x86_64.rpmkernel-xen-2.6.18-92.1.22.el5.x86_64.rpmkernel-xen-devel-2.6.18-92.1.22.el5.x86_64.rpm   Dependancies:kernel-module-fuse-2.6.18-92.1.22.el5-2.6.3-1.sl5.x86_64.rpmkernel-module-fuse-2.6.18-92.1.22.el5xen-2.6.3-1.sl5.x86_64.rpmkernel-module-ipw3945-2.6.18-92.1.22.el5-1.2.0-2.sl5.x86_64.rpmkernel-module-ipw3945-2.6.18-92.1.22.el5xen-1.2.0-2.sl5.x86_64.rpmkernel-module-madwifi-2.6.18-92.1.22.el5-0.9.4-15.sl5.x86_64.rpmkernel-module-madwifi-2.6.18-92.1.22.el5xen-0.9.4-15.sl5.x86_64.rpmkernel-module-madwifi-hal-2.6.18-92.1.22.el5-0.9.4-15.sl5.x86_64.rpmkernel-module-madwifi-hal-2.6.18-92.1.22.el5xen-0.9.4-15.sl5.x86_64.rpmkernel-module-ndiswrapper-2.6.18-92.1.22.el5-1.53-1.SL.x86_64.rpmkernel-module-ndiswrapper-2.6.18-92.1.22.el5xen-1.53-1.SL.x86_64.rpmkernel-module-openafs-2.6.18-92.1.22.el5-1.4.7-68.SL5.x86_64.rpmkernel-module-openafs-2.6.18-92.1.22.el5xen-1.4.7-68.SL5.x86_64.rpmkernel-module-xfs-2.6.18-92.1.22.el5-0.4-1.sl5.x86_64.rpmkernel-module-xfs-2.6.18-92.1.22.el5xen-0.4-1.sl5.x86_64.rpm-Connie Sieh-Troy Dawson



Security Fixes

Severity

Related News