Ubuntu 1074-1: Linux kernel vulnerabilities

    Date25 Feb 2011
    CategoryUbuntu
    34
    Posted ByLinuxSecurity Advisories
    Al Viro discovered a race condition in the TTY driver. A local attackercould exploit this to crash the system, leading to a denial of service.(CVE-2009-4895)
    ===========================================================
    Ubuntu Security Notice USN-1074-1         February 25, 2011
    linux-fsl-imx51 vulnerabilities
    CVE-2009-4895, CVE-2010-2066, CVE-2010-2226, CVE-2010-2240,
    CVE-2010-2248, CVE-2010-2478, CVE-2010-2495, CVE-2010-2521,
    CVE-2010-2524, CVE-2010-2538, CVE-2010-2798, CVE-2010-2803,
    CVE-2010-2942, CVE-2010-2943, CVE-2010-2946, CVE-2010-2954,
    CVE-2010-2955, CVE-2010-2959, CVE-2010-2962, CVE-2010-2963,
    CVE-2010-3015, CVE-2010-3067, CVE-2010-3078, CVE-2010-3079,
    CVE-2010-3080, CVE-2010-3081, CVE-2010-3084, CVE-2010-3296,
    CVE-2010-3297, CVE-2010-3298, CVE-2010-3301, CVE-2010-3310,
    CVE-2010-3432, CVE-2010-3437, CVE-2010-3442, CVE-2010-3448,
    CVE-2010-3477, CVE-2010-3698, CVE-2010-3705, CVE-2010-3848,
    ===========================================================
    
    A security issue affects the following Ubuntu releases:
    
    Ubuntu 9.10
    
    This advisory also applies to the corresponding versions of
    Kubuntu, Edubuntu, and Xubuntu.
    
    The problem can be corrected by upgrading your system to the
    following package versions:
    
    Ubuntu 9.10:
      linux-image-2.6.31-112-imx51    2.6.31-112.30
    
    After a standard system update you need to reboot your computer to make
    all the necessary changes.
    
    Details follow:
    
    Al Viro discovered a race condition in the TTY driver. A local attacker
    could exploit this to crash the system, leading to a denial of service.
    (CVE-2009-4895)
    
    Dan Rosenberg discovered that the MOVE_EXT ext4 ioctl did not correctly
    check file permissions. A local attacker could overwrite append-only files,
    leading to potential data loss. (CVE-2010-2066)
    
    Dan Rosenberg discovered that the swapexit xfs ioctl did not correctly
    check file permissions. A local attacker could exploit this to read from
    write-only files, leading to a loss of privacy. (CVE-2010-2226)
    
    Gael Delalleu, Rafal Wojtczuk, and Brad Spengler discovered that the memory
    manager did not properly handle when applications grow stacks into adjacent
    memory regions. A local attacker could exploit this to gain control of
    certain applications, potentially leading to privilege escalation, as
    demonstrated in attacks against the X server. (CVE-2010-2240)
    
    Suresh Jayaraman discovered that CIFS did not correctly validate certain
    response packats. A remote attacker could send specially crafted traffic
    that would crash the system, leading to a denial of service.
    (CVE-2010-2248)
    
    Ben Hutchings discovered that the ethtool interface did not correctly check
    certain sizes. A local attacker could perform malicious ioctl calls that
    could crash the system, leading to a denial of service. (CVE-2010-2478,
    CVE-2010-3084)
    
    James Chapman discovered that L2TP did not correctly evaluate checksum
    capabilities. If an attacker could make malicious routing changes, they
    could crash the system, leading to a denial of service. (CVE-2010-2495)
    
    Neil Brown discovered that NFSv4 did not correctly check certain write
    requests. A remote attacker could send specially crafted traffic that could
    crash the system or possibly gain root privileges. (CVE-2010-2521)
    
    David Howells discovered that DNS resolution in CIFS could be spoofed. A
    local attacker could exploit this to control DNS replies, leading to a loss
    of privacy and possible privilege escalation. (CVE-2010-2524)
    
    Dan Rosenberg discovered that the btrfs filesystem did not correctly
    validate permissions when using the clone function. A local attacker could
    overwrite the contents of file handles that were opened for append-only, or
    potentially read arbitrary contents, leading to a loss of privacy. Only
    Ubuntu 9.10 was affected. (CVE-2010-2538)
    
    Bob Peterson discovered that GFS2 rename operations did not correctly
    validate certain sizes. A local attacker could exploit this to crash the
    system, leading to a denial of service. (CVE-2010-2798)
    
    Kees Cook discovered that under certain situations the ioctl subsystem for
    DRM did not properly sanitize its arguments. A local attacker could exploit
    this to read previously freed kernel memory, leading to a loss of privacy.
    (CVE-2010-2803)
    
    Eric Dumazet discovered that many network functions could leak kernel stack
    contents. A local attacker could exploit this to read portions of kernel
    memory, leading to a loss of privacy. (CVE-2010-2942, CVE-2010-3477)
    
    Dave Chinner discovered that the XFS filesystem did not correctly order
    inode lookups when exported by NFS. A remote attacker could exploit this to
    read or write disk blocks that had changed file assignment or had become
    unlinked, leading to a loss of privacy. (CVE-2010-2943)
    
    Sergey Vlasov discovered that JFS did not correctly handle certain extended
    attributes. A local attacker could bypass namespace access rules, leading
    to a loss of privacy. (CVE-2010-2946)
    
    Tavis Ormandy discovered that the IRDA subsystem did not correctly shut
    down. A local attacker could exploit this to cause the system to crash or
    possibly gain root privileges. (CVE-2010-2954)
    
    Brad Spengler discovered that the wireless extensions did not correctly
    validate certain request sizes. A local attacker could exploit this to read
    portions of kernel memory, leading to a loss of privacy. (CVE-2010-2955)
    
    Ben Hawkes discovered an integer overflow in the Controller Area Network
    (CVE-2010-2959)
    
    Kees Cook discovered that the Intel i915 graphics driver did not correctly
    validate memory regions. A local attacker with access to the video card
    could read and write arbitrary kernel memory to gain root privileges.
    Ubuntu 10.10 was not affected. (CVE-2010-2962)
    
    Kees Cook discovered that the V4L1 32bit compat interface did not correctly
    validate certain parameters. A local attacker on a 64bit system with access
    to a video device could exploit this to gain root privileges.
    (CVE-2010-2963)
    
    Toshiyuki Okajima discovered that ext4 did not correctly check certain
    parameters. A local attacker could exploit this to crash the system or
    overwrite the last block of large files. (CVE-2010-3015)
    
    Tavis Ormandy discovered that the AIO subsystem did not correctly validate
    certain parameters. A local attacker could exploit this to crash the system
    or possibly gain root privileges. (CVE-2010-3067)
    
    Dan Rosenberg discovered that certain XFS ioctls leaked kernel stack
    contents. A local attacker could exploit this to read portions of kernel
    memory, leading to a loss of privacy. (CVE-2010-3078)
    
    Robert Swiecki discovered that ftrace did not correctly handle mutexes. A
    local attacker could exploit this to crash the kernel, leading to a denial
    of service. (CVE-2010-3079)
    
    Tavis Ormandy discovered that the OSS sequencer device did not correctly
    shut down. A local attacker could exploit this to crash the system or
    possibly gain root privileges. (CVE-2010-3080)
    
    Ben Hawkes discovered that the Linux kernel did not correctly validate
    memory ranges on 64bit kernels when allocating memory on behalf of 32bit
    system calls. On a 64bit system, a local attacker could perform malicious
    multicast getsockopt calls to gain root privileges. (CVE-2010-3081)
    
    Dan Rosenberg discovered that several network ioctls did not clear kernel
    memory correctly. A local user could exploit this to read kernel stack
    memory, leading to a loss of privacy. (CVE-2010-3296, CVE-2010-3297,
    CVE-2010-3298)
    
    Ben Hawkes discovered that the Linux kernel did not correctly filter
    registers on 64bit kernels when performing 32bit system calls. On a 64bit
    system, a local attacker could manipulate 32bit system calls to gain root
    privileges. (CVE-2010-3301)
    
    Dan Rosenberg discovered that the ROSE driver did not correctly check
    parameters. A local attacker with access to a ROSE network device could
    exploit this to crash the system or possibly gain root privileges.
    (CVE-2010-3310)
    
    Thomas Dreibholz discovered that SCTP did not correctly handle appending
    packet chunks. A remote attacker could send specially crafted traffic to
    crash the system, leading to a denial of service. (CVE-2010-3432)
    
    Dan Rosenberg discovered that the CD driver did not correctly check
    parameters. A local attacker could exploit this to read arbitrary kernel
    memory, leading to a loss of privacy. (CVE-2010-3437)
    
    Dan Rosenberg discovered that the Sound subsystem did not correctly
    validate parameters. A local attacker could exploit this to crash the
    system, leading to a denial of service. (CVE-2010-3442)
    
    Dan Jacobson discovered that ThinkPad video output was not correctly access
    controlled. A local attacker could exploit this to hang the system, leading
    to a denial of service. (CVE-2010-3448)
    
    It was discovered that KVM did not correctly initialize certain CPU
    registers. A local attacker could exploit this to crash the system, leading
    to a denial of service. (CVE-2010-3698)
    
    Dan Rosenberg discovered that SCTP did not correctly handle HMAC
    calculations. A remote attacker could send specially crafted traffic that
    would crash the system, leading to a denial of service. (CVE-2010-3705)
    
    Nelson Elhage discovered several problems with the Acorn Econet protocol
    driver. A local user could cause a denial of service via a NULL pointer
    dereference, escalate privileges by overflowing the kernel stack, and
    assign Econet addresses to arbitrary interfaces. (CVE-2010-3848,
    CVE-2010-3849, CVE-2010-3850)
    
    Brad Spengler discovered that stack memory for new a process was not
    correctly calculated. A local attacker could exploit this to crash the
    system, leading to a denial of service. (CVE-2010-3858)
    
    Kees Cook discovered that the ethtool interface did not correctly clear
    kernel memory. A local attacker could read kernel heap memory, leading to a
    loss of privacy. (CVE-2010-3861)
    
    Dan Rosenberg discovered that the RDS network protocol did not correctly
    check certain parameters. A local attacker could exploit this gain root
    privileges. (CVE-2010-3904)
    
    Kees Cook and Vasiliy Kulikov discovered that the shm interface did not
    clear kernel memory correctly. A local attacker could exploit this to read
    kernel stack memory, leading to a loss of privacy. (CVE-2010-4072)
    
    Dan Rosenberg discovered that the USB subsystem did not correctly
    initialize certian structures. A local attacker could exploit this to read
    kernel stack memory, leading to a loss of privacy. (CVE-2010-4074)
    
    Dan Rosenberg discovered that the SiS video driver did not correctly clear
    kernel memory. A local attacker could exploit this to read kernel stack
    memory, leading to a loss of privacy. (CVE-2010-4078)
    
    Dan Rosenberg discovered that the ivtv V4L driver did not correctly
    initialize certian structures. A local attacker could exploit this to read
    kernel stack memory, leading to a loss of privacy. (CVE-2010-4079)
    
    Steve Chen discovered that setsockopt did not correctly check MSS values. A
    local attacker could make a specially crafted socket call to crash the
    system, leading to a denial of service. (CVE-2010-4165)
    
    Dave Jones discovered that the mprotect system call did not correctly
    handle merged VMAs. A local attacker could exploit this to crash the
    system, leading to a denial of service. (CVE-2010-4169)
    
    Vegard Nossum discovered that memory garbage collection was not handled
    correctly for active sockets. A local attacker could exploit this to
    allocate all available kernel memory, leading to a denial of service.
    (CVE-2010-4249)
    
    
    Updated packages for Ubuntu 9.10:
    
      Source archives:
    
        http://security.ubuntu.com/ubuntu/pool/main/l/linux-fsl-imx51/linux-fsl-imx51_2.6.31-112.30.diff.gz
          Size/MD5:  5689311 eb5f6fe8ea1ba1541908b6635b6eb070
        http://security.ubuntu.com/ubuntu/pool/main/l/linux-fsl-imx51/linux-fsl-imx51_2.6.31-112.30.dsc
          Size/MD5:     1389 9f183ebaeae4bc5f042e011c01a2d06b
        http://security.ubuntu.com/ubuntu/pool/main/l/linux-fsl-imx51/linux-fsl-imx51_2.6.31.orig.tar.gz
          Size/MD5: 78278595 16c0355d3612806ef87addf7c9f8c9f9
    
      armel architecture (ARM Architecture):
    
        http://ports.ubuntu.com/pool/main/l/linux-fsl-imx51/block-modules-2.6.31-112-imx51-di_2.6.31-112.30_armel.udeb
          Size/MD5:    97392 be63ef29022f71ef81f0c5c0f7e5dff2
        http://ports.ubuntu.com/pool/main/l/linux-fsl-imx51/crypto-modules-2.6.31-112-imx51-di_2.6.31-112.30_armel.udeb
          Size/MD5:    62012 808419d720380dacfc7aa71eb8447553
        http://ports.ubuntu.com/pool/main/l/linux-fsl-imx51/fat-modules-2.6.31-112-imx51-di_2.6.31-112.30_armel.udeb
          Size/MD5:     4542 2c5d3a96da5f45c531bb20b423279fe7
        http://ports.ubuntu.com/pool/main/l/linux-fsl-imx51/fs-core-modules-2.6.31-112-imx51-di_2.6.31-112.30_armel.udeb
          Size/MD5:   548480 a0b16b84ff81a28d19d0ce5afc919083
        http://ports.ubuntu.com/pool/main/l/linux-fsl-imx51/fs-secondary-modules-2.6.31-112-imx51-di_2.6.31-112.30_armel.udeb
          Size/MD5:   138382 a0fb096a86472328492a20ee846da9ab
        http://ports.ubuntu.com/pool/main/l/linux-fsl-imx51/input-modules-2.6.31-112-imx51-di_2.6.31-112.30_armel.udeb
          Size/MD5:    50136 37a00bbbcc9b929ad363ea7db629e405
        http://ports.ubuntu.com/pool/main/l/linux-fsl-imx51/irda-modules-2.6.31-112-imx51-di_2.6.31-112.30_armel.udeb
          Size/MD5:   212326 7c76d661cb4f11fb53d61b795e8277f1
        http://ports.ubuntu.com/pool/main/l/linux-fsl-imx51/kernel-image-2.6.31-112-imx51-di_2.6.31-112.30_armel.udeb
          Size/MD5:  3417494 1e25b9c4dd46cbbd61d0e2a2f7647f3e
        http://ports.ubuntu.com/pool/main/l/linux-fsl-imx51/linux-headers-2.6.31-112-imx51_2.6.31-112.30_armel.deb
          Size/MD5:   673916 3602a6a08467cff3f063fa7d9acf4343
        http://ports.ubuntu.com/pool/main/l/linux-fsl-imx51/linux-headers-2.6.31-112_2.6.31-112.30_armel.deb
          Size/MD5:  9856034 69b7bc23b6a0ccd5911b8fe4279c89cb
        http://ports.ubuntu.com/pool/main/l/linux-fsl-imx51/linux-image-2.6.31-112-imx51_2.6.31-112.30_armel.deb
          Size/MD5: 14566916 593a2caa4da514cdd0e8663a5aa19f64
        http://ports.ubuntu.com/pool/main/l/linux-fsl-imx51/md-modules-2.6.31-112-imx51-di_2.6.31-112.30_armel.udeb
          Size/MD5:   163272 ad8a5437eeb796073116c0c60254e17c
        http://ports.ubuntu.com/pool/main/l/linux-fsl-imx51/mouse-modules-2.6.31-112-imx51-di_2.6.31-112.30_armel.udeb
          Size/MD5:    24552 c30bdc42f9f1b087dd62b912ae0fc002
        http://ports.ubuntu.com/pool/main/l/linux-fsl-imx51/nfs-modules-2.6.31-112-imx51-di_2.6.31-112.30_armel.udeb
          Size/MD5:   294586 8052e549fae8a4f8189a0f853c4825fe
        http://ports.ubuntu.com/pool/main/l/linux-fsl-imx51/nic-modules-2.6.31-112-imx51-di_2.6.31-112.30_armel.udeb
          Size/MD5:   236166 0df28001acd3f1cf5aa96dba8756022a
        http://ports.ubuntu.com/pool/main/l/linux-fsl-imx51/nic-shared-modules-2.6.31-112-imx51-di_2.6.31-112.30_armel.udeb
          Size/MD5:   184568 50564e0525ab647761b1011e145399a9
        http://ports.ubuntu.com/pool/main/l/linux-fsl-imx51/nic-usb-modules-2.6.31-112-imx51-di_2.6.31-112.30_armel.udeb
          Size/MD5:   112192 a66999a29ab17a23f464b124957e51f0
        http://ports.ubuntu.com/pool/main/l/linux-fsl-imx51/parport-modules-2.6.31-112-imx51-di_2.6.31-112.30_armel.udeb
          Size/MD5:    28190 546362055ae18b5c08f90e2eaf00b192
        http://ports.ubuntu.com/pool/main/l/linux-fsl-imx51/plip-modules-2.6.31-112-imx51-di_2.6.31-112.30_armel.udeb
          Size/MD5:     8218 a46998bb3c8a1f786aa840c4949e4c95
        http://ports.ubuntu.com/pool/main/l/linux-fsl-imx51/ppp-modules-2.6.31-112-imx51-di_2.6.31-112.30_armel.udeb
          Size/MD5:    36380 657ccd6145488ad41b788472cb5137ae
        http://ports.ubuntu.com/pool/main/l/linux-fsl-imx51/sata-modules-2.6.31-112-imx51-di_2.6.31-112.30_armel.udeb
          Size/MD5:    15622 56616f349c347568528cb7737e1863bb
        http://ports.ubuntu.com/pool/main/l/linux-fsl-imx51/scsi-modules-2.6.31-112-imx51-di_2.6.31-112.30_armel.udeb
          Size/MD5:   191494 53d973ce8597fa35e948f633296f512b
        http://ports.ubuntu.com/pool/main/l/linux-fsl-imx51/serial-modules-2.6.31-112-imx51-di_2.6.31-112.30_armel.udeb
          Size/MD5:    93934 85515ab49064d8eab991be7b32d28551
        http://ports.ubuntu.com/pool/main/l/linux-fsl-imx51/storage-core-modules-2.6.31-112-imx51-di_2.6.31-112.30_armel.udeb
          Size/MD5:    21332 cbe570516cc3851629929202ad80a4f3
        http://ports.ubuntu.com/pool/main/l/linux-fsl-imx51/usb-modules-2.6.31-112-imx51-di_2.6.31-112.30_armel.udeb
          Size/MD5:   114184 67f6388b95d37d032147638daf363e22
    
    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    What do you think of the articles on LinuxSecurity?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/24-what-do-you-think-of-the-quality-of-the-articles-on-linuxsecurity?task=poll.vote&format=json
    24
    radio
    [{"id":"87","title":"Excellent, don't change a thing!","votes":"25","type":"x","order":"1","pct":55.56,"resources":[]},{"id":"88","title":"Should be more technical","votes":"5","type":"x","order":"2","pct":11.11,"resources":[]},{"id":"89","title":"Should include more HOWTOs","votes":"15","type":"x","order":"3","pct":33.33,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.