Debian DSA-2264-1 : linux-2.6 - privilege escalation/denial of service/information leak

This script is Copyright (C) 2011-2014 Tenable Network Security, Inc.


Synopsis :

The remote Debian host is missing a security-related update.

Description :

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leak. The Common Vulnerabilities and Exposures project identifies the
following problems :

- CVE-2010-2524
David Howells reported an issue in the Common Internet
File System (CIFS). Local users could cause arbitrary
CIFS shares to be mounted by introducing malicious
redirects.

- CVE-2010-3875
Vasiliy Kulikov discovered an issue in the Linux
implementation of the Amateur Radio AX.25 Level 2
protocol. Local users may obtain access to sensitive
kernel memory.

- CVE-2010-4075
Dan Rosenberg reported an issue in the tty layer that
may allow local users to obtain access to sensitive
kernel memory.

- CVE-2010-4655
Kees Cook discovered several issues in the ethtool
interface which may allow local users with the
CAP_NET_ADMIN capability to obtain access to sensitive
kernel memory.

- CVE-2011-0695
Jens Kuehnel reported an issue in the InfiniBand stack.
Remote attackers can exploit a race condition to cause a
denial of service (kernel panic).

- CVE-2011-0710
Al Viro reported an issue in the /proc/<pid>/status
interface on the s390 architecture. Local users could
gain access to sensitive memory in processes they do not
own via the task_show_regs entry.

- CVE-2011-0711
Dan Rosenberg reported an issue in the XFS filesystem.
Local users may obtain access to sensitive kernel
memory.

- CVE-2011-0726
Kees Cook reported an issue in the /proc/<pid>/stat
implementation. Local users could learn the text
location of a process, defeating protections provided by
address space layout randomization (ASLR).

- CVE-2011-1010
Timo Warns reported an issue in the Linux support for
Mac partition tables. Local users with physical access
could cause a denial of service (panic) by adding a
storage device with a malicious map_count value.

- CVE-2011-1012
Timo Warns reported an issue in the Linux support for
LDM partition tables. Local users with physical access
could cause a denial of service (Oops) by adding a
storage device with an invalid VBLK value in the VMDB
structure.

- CVE-2011-1017
Timo Warns reported an issue in the Linux support for
LDM partition tables. Users with physical access can
gain access to sensitive kernel memory or gain elevated
privileges by adding a storage device with a specially
crafted LDM partition.

- CVE-2011-1078
Vasiliy Kulikov discovered an issue in the Bluetooth
subsystem. Local users can obtain access to sensitive
kernel memory.

- CVE-2011-1079
Vasiliy Kulikov discovered an issue in the Bluetooth
subsystem. Local users with the CAP_NET_ADMIN capability
can cause a denial of service (kernel Oops).

- CVE-2011-1080
Vasiliy Kulikov discovered an issue in the Netfilter
subsystem. Local users can obtain access to sensitive
kernel memory.

- CVE-2011-1090
Neil Horman discovered a memory leak in the setacl()
call on NFSv4 filesystems. Local users can exploit this
to cause a denial of service (Oops).

- CVE-2011-1093
Johan Hovold reported an issue in the Datagram
Congestion Control Protocol (DCCP) implementation.
Remote users could cause a denial of service by sending
data after closing a socket.

- CVE-2011-1160
Peter Huewe reported an issue in the Linux kernel's
support for TPM security chips. Local users with
permission to open the device can gain access to
sensitive kernel memory.

- CVE-2011-1163
Timo Warns reported an issue in the kernel support for
Alpha OSF format disk partitions. Users with physical
access can gain access to sensitive kernel memory by
adding a storage device with a specially crafted OSF
partition.

- CVE-2011-1170
Vasiliy Kulikov reported an issue in the Netfilter arp
table implementation. Local users with the CAP_NET_ADMIN
capability can gain access to sensitive kernel memory.

- CVE-2011-1171
Vasiliy Kulikov reported an issue in the Netfilter IP
table implementation. Local users with the CAP_NET_ADMIN
capability can gain access to sensitive kernel memory.

- CVE-2011-1172
Vasiliy Kulikov reported an issue in the Netfilter IP6
table implementation. Local users with the CAP_NET_ADMIN
capability can gain access to sensitive kernel memory.

- CVE-2011-1173
Vasiliy Kulikov reported an issue in the Acorn Econet
protocol implementation. Local users can obtain access
to sensitive kernel memory on systems that use this rare
hardware.

- CVE-2011-1180
Dan Rosenberg reported a buffer overflow in the
Information Access Service of the IrDA protocol, used
for Infrared devices. Remote attackers within IR device
range can cause a denial of service or possibly gain
elevated privileges.

- CVE-2011-1182
Julien Tinnes reported an issue in the rt_sigqueueinfo
interface. Local users can generate signals with
falsified source pid and uid information.

- CVE-2011-1477
Dan Rosenberg reported issues in the Open Sound System
driver for cards that include a Yamaha FM synthesizer
chip. Local users can cause memory corruption resulting
in a denial of service. This issue does not affect
official Debian Linux image packages as they no longer
provide support for OSS. However, custom kernels built
from Debians linux-source-2.6.26 may have enabled this
configuration and would therefore be vulnerable.

- CVE-2011-1493
Dan Rosenburg reported two issues in the Linux
implementation of the Amateur Radio X.25 PLP (Rose)
protocol. A remote user can cause a denial of service by
providing specially crafted facilities fields.

- CVE-2011-1577
Timo Warns reported an issue in the Linux support for
GPT partition tables. Local users with physical access
could cause a denial of service (Oops) by adding a
storage device with a malicious partition table header.

- CVE-2011-1593
Robert Swiecki reported a signednes issue in the
next_pidmap() function, which can be exploited my local
users to cause a denial of service.

- CVE-2011-1598
Dave Jones reported an issue in the Broadcast Manager
Controller Area Network (CAN/BCM) protocol that may
allow local users to cause a NULL pointer dereference,
resulting in a denial of service.

- CVE-2011-1745
Vasiliy Kulikov reported an issue in the Linux support
for AGP devices. Local users can obtain elevated
privileges or cause a denial of service due to missing
bounds checking in the AGPIOC_BIND ioctl. On default
Debian installations, this is exploitable only by users
in the video group.

- CVE-2011-1746
Vasiliy Kulikov reported an issue in the Linux support
for AGP devices. Local users can obtain elevated
privileges or cause a denial of service due to missing
bounds checking in the agp_allocate_memory and
agp_create_user_memory. On default Debian installations,
this is exploitable only by users in the video group.

- CVE-2011-1748
Oliver Kartkopp reported an issue in the Controller Area
Network (CAN) raw socket implementation which permits
ocal users to cause a NULL pointer dereference,
resulting in a denial of service.

- CVE-2011-1759
Dan Rosenberg reported an issue in the support for
executing 'old ABI' binaries on ARM processors. Local
users can obtain elevated privileges due to insufficient
bounds checking in the semtimedop system call.

- CVE-2011-1767
Alexecy Dobriyan reported an issue in the GRE over IP
implementation. Remote users can cause a denial of
service by sending a packet during module
initialization.

- CVE-2011-1768
Alexecy Dobriyan reported an issue in the IP tunnels
implementation. Remote users can cause a denial of
service by sending a packet during module
initialization.

- CVE-2011-1776
Timo Warns reported an issue in the Linux implementation
for GUID partitions. Users with physical access can gain
access to sensitive kernel memory by adding a storage
device with a specially crafted corrupted invalid
partition table.

- CVE-2011-2022
Vasiliy Kulikov reported an issue in the Linux support
for AGP devices. Local users can obtain elevated
privileges or cause a denial of service due to missing
bounds checking in the AGPIOC_UNBIND ioctl. On default
Debian installations, this is exploitable only by users
in the video group.

- CVE-2011-2182
Ben Hutchings reported an issue with the fix for
CVE-2011-1017 (see above) that made it insufficient to
resolve the issue.

See also :

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=618485
https://security-tracker.debian.org/tracker/CVE-2010-2524
https://security-tracker.debian.org/tracker/CVE-2010-3875
https://security-tracker.debian.org/tracker/CVE-2010-4075
https://security-tracker.debian.org/tracker/CVE-2010-4655
https://security-tracker.debian.org/tracker/CVE-2011-0695
https://security-tracker.debian.org/tracker/CVE-2011-0710
https://security-tracker.debian.org/tracker/CVE-2011-0711
https://security-tracker.debian.org/tracker/CVE-2011-0726
https://security-tracker.debian.org/tracker/CVE-2011-1010
https://security-tracker.debian.org/tracker/CVE-2011-1012
https://security-tracker.debian.org/tracker/CVE-2011-1017
https://security-tracker.debian.org/tracker/CVE-2011-1078
https://security-tracker.debian.org/tracker/CVE-2011-1079
https://security-tracker.debian.org/tracker/CVE-2011-1080
https://security-tracker.debian.org/tracker/CVE-2011-1090
https://security-tracker.debian.org/tracker/CVE-2011-1093
https://security-tracker.debian.org/tracker/CVE-2011-1160
https://security-tracker.debian.org/tracker/CVE-2011-1163
https://security-tracker.debian.org/tracker/CVE-2011-1170
https://security-tracker.debian.org/tracker/CVE-2011-1171
https://security-tracker.debian.org/tracker/CVE-2011-1172
https://security-tracker.debian.org/tracker/CVE-2011-1173
https://security-tracker.debian.org/tracker/CVE-2011-1180
https://security-tracker.debian.org/tracker/CVE-2011-1182
https://security-tracker.debian.org/tracker/CVE-2011-1477
https://security-tracker.debian.org/tracker/CVE-2011-1493
https://security-tracker.debian.org/tracker/CVE-2011-1577
https://security-tracker.debian.org/tracker/CVE-2011-1593
https://security-tracker.debian.org/tracker/CVE-2011-1598
https://security-tracker.debian.org/tracker/CVE-2011-1745
https://security-tracker.debian.org/tracker/CVE-2011-1746
https://security-tracker.debian.org/tracker/CVE-2011-1748
https://security-tracker.debian.org/tracker/CVE-2011-1759
https://security-tracker.debian.org/tracker/CVE-2011-1767
https://security-tracker.debian.org/tracker/CVE-2011-1768
https://security-tracker.debian.org/tracker/CVE-2011-1776
https://security-tracker.debian.org/tracker/CVE-2011-2022
https://security-tracker.debian.org/tracker/CVE-2011-2182
https://security-tracker.debian.org/tracker/CVE-2011-1017
http://www.debian.org/security/2011/dsa-2264

Solution :

Upgrade the linux-2.6 and user-mode-linux packages. These updates will
not become active until after the system is rebooted.

For the oldstable distribution (lenny), this problem has been fixed in
version 2.6.26-26lenny3. Updates for arm and hppa are not yet
available, but will be released as soon as possible.

The following matrix lists additional source packages that were
rebuilt for compatibility with or to take advantage of this update :

  Debian 5.0 (lenny)
user-mode-linux 2.6.26-1um-2+26lenny3
Note: Debian carefully tracks all known security issues across every
Linux kernel package in all releases under active security support.
However, given the high frequency at which low-severity security
issues are discovered in the kernel and the resource requirements of
doing an update, updates for lower priority issues will normally not
be released for all kernels at the same time. Rather, they will be
released in a staggered or 'leap-frog' fashion.

Risk factor :

High / CVSS Base Score : 7.8
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C)
CVSS Temporal Score : 6.8
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false