Ubuntu 1167-1: Linux kernel vulnerabilities

    Date13 Jul 2011
    CategoryUbuntu
    53
    Posted ByLinuxSecurity Advisories
    Multiple kernel flaws have been fixed.
    ==========================================================================
    Ubuntu Security Notice USN-1167-1
    July 13, 2011
    
    linux vulnerabilities
    ==========================================================================
    
    A security issue affects these releases of Ubuntu and its derivatives:
    
    - Ubuntu 11.04
    
    Summary:
    
    Multiple kernel flaws have been fixed.
    
    Software Description:
    - linux: Linux kernel
    
    Details:
    
    Dan Rosenberg discovered that the Linux kernel TIPC implementation
    contained multiple integer signedness errors. A local attacker could
    exploit this to gain root privileges. (CVE-2010-3859)
    
    Dan Rosenberg discovered that the CAN protocol on 64bit systems did not
    correctly calculate the size of certain buffers. A local attacker could
    exploit this to crash the system or possibly execute arbitrary code as the
    root user. (CVE-2010-3874)
    
    Vasiliy Kulikov discovered that the Linux kernel X.25 implementation did
    not correctly clear kernel memory. A local attacker could exploit this to
    read kernel stack memory, leading to a loss of privacy. (CVE-2010-3875)
    
    Vasiliy Kulikov discovered that the Linux kernel sockets implementation did
    not properly initialize certain structures. A local attacker could exploit
    this to read kernel stack memory, leading to a loss of privacy.
    (CVE-2010-3876)
    
    Vasiliy Kulikov discovered that the TIPC interface did not correctly
    initialize certain structures. A local attacker could exploit this to read
    kernel stack memory, leading to a loss of privacy. (CVE-2010-3877)
    
    Nelson Elhage discovered that the Linux kernel IPv4 implementation did not
    properly audit certain bytecodes in netlink messages. A local attacker
    could exploit this to cause the kernel to hang, leading to a denial of
    service. (CVE-2010-3880)
    
    Dan Rosenberg discovered that the socket filters did not correctly
    initialize structure memory. A local attacker could create malicious
    filters to read portions of kernel stack memory, leading to a loss of
    privacy. (CVE-2010-4158)
    
    Dan Rosenberg discovered that certain iovec operations did not calculate
    page counts correctly. A local attacker could exploit this to crash the
    system, leading to a denial of service. (CVE-2010-4162)
    
    Dan Rosenberg discovered that the SCSI subsystem did not correctly validate
    iov segments. A local attacker with access to a SCSI device could send
    specially crafted requests to crash the system, leading to a denial of
    service. (CVE-2010-4163, CVE-2010-4668)
    
    Dan Rosenberg discovered multiple flaws in the X.25 facilities parsing. If
    a system was using X.25, a remote attacker could exploit this to crash the
    system, leading to a denial of service. (CVE-2010-4164)
    
    Steve Chen discovered that setsockopt did not correctly check MSS values. A
    local attacker could make a specially crafted socket call to crash the
    system, leading to a denial of service. (CVE-2010-4165)
    
    Dave Jones discovered that the mprotect system call did not correctly
    handle merged VMAs. A local attacker could exploit this to crash the
    system, leading to a denial of service. (CVE-2010-4169)
    
    Dan Rosenberg discovered that the RDS protocol did not correctly check
    ioctl arguments. A local attacker could exploit this to crash the system,
    leading to a denial of service. (CVE-2010-4175)
    
    Brad Spengler discovered that the kernel did not correctly account for
    userspace memory allocations during exec() calls. A local attacker could
    exploit this to consume all system memory, leading to a denial of service.
    (CVE-2010-4243)
    
    It was discovered that multithreaded exec did not handle CPU timers
    correctly. A local attacker could exploit this to crash the system, leading
    to a denial of service. (CVE-2010-4248)
    
    Vegard Nossum discovered that memory garbage collection was not handled
    correctly for active sockets. A local attacker could exploit this to
    allocate all available kernel memory, leading to a denial of service.
    (CVE-2010-4249)
    
    It was discovered that named pipes did not correctly handle certain fcntl
    calls. A local attacker could exploit this to crash the system, leading to
    a denial of service. (CVE-2010-4256)
    
    Nelson Elhage discovered that the kernel did not correctly handle process
    cleanup after triggering a recoverable kernel bug. If a local attacker were
    able to trigger certain kinds of kernel bugs, they could create a specially
    crafted process to gain root privileges. (CVE-2010-4258)
    
    Nelson Elhage discovered that Econet did not correctly handle AUN packets
    over UDP. A local attacker could send specially crafted traffic to crash
    the system, leading to a denial of service. (CVE-2010-4342)
    
    Tavis Ormandy discovered that the install_special_mapping function could
    bypass the mmap_min_addr restriction. A local attacker could exploit this
    to mmap 4096 bytes below the mmap_min_addr area, possibly improving the
    chances of performing NULL pointer dereference attacks. (CVE-2010-4346)
    
    Dan Rosenberg discovered that the OSS subsystem did not handle name
    termination correctly. A local attacker could exploit this crash the system
    or gain root privileges. (CVE-2010-4527)
    
    Dan Rosenberg discovered that IRDA did not correctly check the size of
    buffers. On non-x86 systems, a local attacker could exploit this to read
    kernel heap memory, leading to a loss of privacy. (CVE-2010-4529)
    
    Dan Rosenburg discovered that the CAN subsystem leaked kernel addresses
    into the /proc filesystem. A local attacker could use this to increase the
    chances of a successful memory corruption exploit. (CVE-2010-4565)
    
    Dan Carpenter discovered that the Infiniband driver did not correctly
    handle certain requests. A local user could exploit this to crash the
    system or potentially gain root privileges. (CVE-2010-4649, CVE-2011-1044)
    
    Goldwyn Rodrigues discovered that the OCFS2 filesystem did not correctly
    clear memory when writing certain file holes. A local attacker could
    exploit this to read uninitialized data from the disk, leading to a loss of
    privacy. (CVE-2011-0463)
    
    Dan Carpenter discovered that the TTPCI DVB driver did not check certain
    values during an ioctl. If the dvb-ttpci module was loaded, a local
    attacker could exploit this to crash the system, leading to a denial of
    service, or possibly gain root privileges. (CVE-2011-0521)
    
    Jens Kuehnel discovered that the InfiniBand driver contained a race
    condition. On systems using InfiniBand, a local attacker could send
    specially crafted requests to crash the system, leading to a denial of
    service. (CVE-2011-0695)
    
    Dan Rosenberg discovered that XFS did not correctly initialize memory. A
    local attacker could make crafted ioctl calls to leak portions of kernel
    stack memory, leading to a loss of privacy. (CVE-2011-0711)
    
    Rafael Dominguez Vega discovered that the caiaq Native Instruments USB
    driver did not correctly validate string lengths. A local attacker with
    physical access could plug in a specially crafted USB device to crash the
    system or potentially gain root privileges. (CVE-2011-0712)
    
    Kees Cook reported that /proc/pid/stat did not correctly filter certain
    memory locations. A local attacker could determine the memory layout of
    processes in an attempt to increase the chances of a successful memory
    corruption exploit. (CVE-2011-0726)
    
    It was discoverd that transparent huge page support did not correctly
    handle temporary stacks. A local attacker could exploit this to crash the
    system, leading to a denial of service. (CVE-2011-0999)
    
    Timo Warns discovered that MAC partition parsing routines did not correctly
    calculate block counts. A local attacker with physical access could plug in
    a specially crafted block device to crash the system or potentially gain
    root privileges. (CVE-2011-1010)
    
    Timo Warns discovered that LDM partition parsing routines did not correctly
    calculate block counts. A local attacker with physical access could plug in
    a specially crafted block device to crash the system, leading to a denial
    of service. (CVE-2011-1012)
    
    Matthiew Herrb discovered that the drm modeset interface did not correctly
    handle a signed comparison. A local attacker could exploit this to crash
    the system or possibly gain root privileges. (CVE-2011-1013)
    
    Marek Olšák discovered that the Radeon GPU drivers did not correctly
    validate certain registers. On systems with specific hardware, a local
    attacker could exploit this to write to arbitrary video memory.
    (CVE-2011-1016)
    
    Timo Warns discovered that the LDM disk partition handling code did not
    correctly handle certain values. By inserting a specially crafted disk
    device, a local attacker could exploit this to gain root privileges.
    (CVE-2011-1017)
    
    Vasiliy Kulikov discovered that the CAP_SYS_MODULE capability was not
    needed to load kernel modules. A local attacker with the CAP_NET_ADMIN
    capability could load existing kernel modules, possibly increasing the
    attack surface available on the system. (CVE-2011-1019)
    
    It was discovered that the key-based DNS resolver did not correctly handle
    certain error states. A local attacker could exploit this to crash the
    system, leading to a denial of service. (CVE-2011-1076)
    
    Nelson Elhage discovered that the epoll subsystem did not correctly handle
    certain structures. A local attacker could create malicious requests that
    would hang the system, leading to a denial of service. (CVE-2011-1082)
    
    Nelson Elhage discovered that the epoll subsystem did not correctly handle
    certain structures. A local attacker could create malicious requests that
    would consume large amounts of CPU, leading to a denial of service.
    (CVE-2011-1083)
    
    Neil Horman discovered that NFSv4 did not correctly handle certain orders
    of operation with ACL data. A remote attacker with access to an NFSv4 mount
    could exploit this to crash the system, leading to a denial of service.
    (CVE-2011-1090)
    
    Timo Warns discovered that OSF partition parsing routines did not correctly
    clear memory. A local attacker with physical access could plug in a
    specially crafted block device to read kernel memory, leading to a loss of
    privacy. (CVE-2011-1163)
    
    Dan Rosenberg discovered that some ALSA drivers did not correctly check the
    adapter index during ioctl calls. If this driver was loaded, a local
    attacker could make a specially crafted ioctl call to gain root privileges.
    (CVE-2011-1169)
    
    Vasiliy Kulikov discovered that the netfilter code did not check certain
    strings copied from userspace. A local attacker with netfilter access could
    exploit this to read kernel memory or crash the system, leading to a denial
    of service. (CVE-2011-1170, CVE-2011-1171, CVE-2011-1172, CVE-2011-2534)
    
    Vasiliy Kulikov discovered that the Acorn Universal Networking driver did
    not correctly initialize memory. A remote attacker could send specially
    crafted traffic to read kernel stack memory, leading to a loss of privacy.
    (CVE-2011-1173)
    
    Julien Tinnes discovered that the kernel did not correctly validate the
    signal structure from tkill(). A local attacker could exploit this to send
    signals to arbitrary threads, possibly bypassing expected restrictions.
    (CVE-2011-1182)
    
    Dan Rosenberg discovered that MPT devices did not correctly validate
    certain values in ioctl calls. If these drivers were loaded, a local
    attacker could exploit this to read arbitrary kernel memory, leading to a
    loss of privacy. (CVE-2011-1494, CVE-2011-1495)
    
    Tavis Ormandy discovered that the pidmap function did not correctly handle
    large requests. A local attacker could exploit this to crash the system,
    leading to a denial of service. (CVE-2011-1593)
    
    Oliver Hartkopp and Dave Jones discovered that the CAN network driver did
    not correctly validate certain socket structures. If this driver was
    loaded, a local attacker could crash the system, leading to a denial of
    service. (CVE-2011-1598, CVE-2011-1748)
    
    Vasiliy Kulikov discovered that the AGP driver did not check certain ioctl
    values. A local attacker with access to the video subsystem could exploit
    this to crash the system, leading to a denial of service, or possibly gain
    root privileges. (CVE-2011-1745, CVE-2011-2022)
    
    Vasiliy Kulikov discovered that the AGP driver did not check the size of
    certain memory allocations. A local attacker with access to the video
    subsystem could exploit this to run the system out of memory, leading to a
    denial of service. (CVE-2011-1746, CVE-2011-1747)
    
    Dan Rosenberg discovered that the DCCP stack did not correctly handle
    certain packet structures. A remote attacker could exploit this to crash
    the system, leading to a denial of service. (CVE-2011-1770)
    
    Update instructions:
    
    The problem can be corrected by updating your system to the following
    package versions:
    
    Ubuntu 11.04:
      linux-image-2.6.38-10-generic   2.6.38-10.46
      linux-image-2.6.38-10-generic-pae  2.6.38-10.46
      linux-image-2.6.38-10-omap      2.6.38-10.46
      linux-image-2.6.38-10-powerpc   2.6.38-10.46
      linux-image-2.6.38-10-powerpc-smp  2.6.38-10.46
      linux-image-2.6.38-10-powerpc64-smp  2.6.38-10.46
      linux-image-2.6.38-10-server    2.6.38-10.46
      linux-image-2.6.38-10-versatile  2.6.38-10.46
      linux-image-2.6.38-10-virtual   2.6.38-10.46
    
    After a standard system update you need to reboot your computer to make
    all the necessary changes.
    
    ATTENTION: Due to an unavoidable ABI change the kernel updates have
    been given a new version number, which requires you to recompile and
    reinstall all third party kernel modules you might have installed. If
    you use linux-restricted-modules, you have to update that package as
    well to get modules which work with the new kernel version. Unless you
    manually uninstalled the standard kernel metapackages (e.g. linux-generic,
    linux-server, linux-powerpc), a standard system upgrade will automatically
    perform this as well.
    
    References:
      http://www.ubuntu.com/usn/usn-1167-1
      CVE-2010-3859, CVE-2010-3874, CVE-2010-3875, CVE-2010-3876,
      CVE-2010-3877, CVE-2010-3880, CVE-2010-4158, CVE-2010-4162,
      CVE-2010-4163, CVE-2010-4164, CVE-2010-4165, CVE-2010-4169,
      CVE-2010-4175, CVE-2010-4243, CVE-2010-4248, CVE-2010-4249,
      CVE-2010-4256, CVE-2010-4258, CVE-2010-4342, CVE-2010-4346,
      CVE-2010-4527, CVE-2010-4529, CVE-2010-4565, CVE-2010-4649,
      CVE-2010-4668, CVE-2011-0463, CVE-2011-0521, CVE-2011-0695,
      CVE-2011-0711, CVE-2011-0712, CVE-2011-0726, CVE-2011-0999,
      CVE-2011-1010, CVE-2011-1012, CVE-2011-1013, CVE-2011-1016,
      CVE-2011-1017, CVE-2011-1019, CVE-2011-1044, CVE-2011-1076,
    
    Package Information:
      https://launchpad.net/ubuntu/+source/linux/2.6.38-10.46
    
    
    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    What do you think of the articles on LinuxSecurity?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/24-what-do-you-think-of-the-quality-of-the-articles-on-linuxsecurity?task=poll.vote&format=json
    24
    radio
    [{"id":"87","title":"Excellent, don't change a thing!","votes":"23","type":"x","order":"1","pct":53.49,"resources":[]},{"id":"88","title":"Should be more technical","votes":"5","type":"x","order":"2","pct":11.63,"resources":[]},{"id":"89","title":"Should include more HOWTOs","votes":"15","type":"x","order":"3","pct":34.88,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.