http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169130

SUSE-SA:2006:012

RHSA-2006:0101

18510

18527

18788

19038

19374

DSA-1017

http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=7c7dce9209161eb260cdf9e9172f72c3a02379e6

MDKSA-2006:040

SUSE-SA:2006:006

FLSA:157459-3

FLSA:157459-4

16283

linux-double-decrement-dos(25302)

oval:org.mitre.oval:def:10731

USN-244-1

Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2004-1017     Multiple overflows exist in the io_edgeport driver which     might be usable as a denial of service attack vector.

  - CVE-2005-0124     Bryan Fulton reported a bounds checking bug in the     coda_pioctl function which may allow local users to     execute arbitrary code or trigger a denial of service     attack.

  - CVE-2005-0449     An error in the skb_checksum_help() function from the     netfilter framework has been discovered that allows the     bypass of packet filter rules or a denial of service     attack.

  - CVE-2005-2457     Tim Yamin discovered that insufficient input validation     in the zisofs driver for compressed ISO file systems     allows a denial of service attack through maliciously     crafted ISO images.

  - CVE-2005-2490     A buffer overflow in the sendmsg() function allows local     users to execute arbitrary code.

  - CVE-2005-2555     Herbert Xu discovered that the setsockopt() function was     not restricted to users/processes with the CAP_NET_ADMIN     capability. This allows attackers to manipulate IPSEC     policies or initiate a denial of service attack. 

  - CVE-2005-2709     Al Viro discovered a race condition in the /proc     handling of network devices. A (local) attacker could     exploit the stale reference after interface shutdown to     cause a denial of service or possibly execute code in     kernel mode.

  - CVE-2005-2800     Jan Blunck discovered that repeated failed reads of     /proc/scsi/sg/devices leak memory, which allows a denial     of service attack.

  - CVE-2005-2973     Tetsuo Handa discovered that the udp_v6_get_port()     function from the IPv6 code can be forced into an     endless loop, which allows a denial of service attack.

  - CVE-2005-3044     Vasiliy Averin discovered that the reference counters     from sockfd_put() and fput() can be forced into     overlapping, which allows a denial of service attack     through a NULL pointer dereference.

  - CVE-2005-3053     Eric Dumazet discovered that the set_mempolicy() system     call accepts a negative value for its first argument,     which triggers a BUG() assert. This allows a denial of     service attack.

  - CVE-2005-3055     Harald Welte discovered that if a process issues a USB     Request Block (URB) to a device and terminates before     the URB completes, a stale pointer would be     dereferenced. This could be used to trigger a denial of     service attack.

  - CVE-2005-3180     Pavel Roskin discovered that the driver for Orinoco     wireless cards clears its buffers insufficiently. This     could leak sensitive information into user space.

  - CVE-2005-3181     Robert Derr discovered that the audit subsystem uses an     incorrect function to free memory, which allows a denial     of service attack.

  - CVE-2005-3257     Rudolf Polzer discovered that the kernel improperly     restricts access to the KDSKBSENT ioctl, which can     possibly lead to privilege escalation.

  - CVE-2005-3356     Doug Chapman discovered that the mq_open syscall can be     tricked into decrementing an internal counter twice,     which allows a denial of service attack through a kernel     panic.

  - CVE-2005-3358     Doug Chapman discovered that passing a zero bitmask to     the set_mempolicy() system call leads to a kernel panic,     which allows a denial of service attack.

  - CVE-2005-3783     The ptrace code using CLONE_THREAD didn't use the thread     group ID to determine whether the caller is attaching to     itself, which allows a denial of service attack.

  - CVE-2005-3784     The auto-reaping of child processes functionality     included ptraced-attached processes, which allows denial     of service through dangling references.

  - CVE-2005-3806     Yen Zheng discovered that the IPv6 flow label code     modified an incorrect variable, which could lead to     memory corruption and denial of service.

  - CVE-2005-3847     It was discovered that a threaded real-time process,     which is currently dumping core can be forced into a     dead-lock situation by sending it a SIGKILL signal,     which allows a denial of service attack. 

  - CVE-2005-3848     Ollie Wild discovered a memory leak in the     icmp_push_reply() function, which allows denial of     service through memory consumption.

  - CVE-2005-3857     Chris Wright discovered that excessive allocation of     broken file lock leases in the VFS layer can exhaust     memory and fill up the system logging, which allows     denial of service.

  - CVE-2005-3858     Patrick McHardy discovered a memory leak in the     ip6_input_finish() function from the IPv6 code, which     allows denial of service.

  - CVE-2005-4605     Karl Janmar discovered that a signedness error in the     procfs code can be exploited to read kernel memory,     which may disclose sensitive information.

  - CVE-2005-4618     Yi Ying discovered that sysctl does not properly enforce     the size of a buffer, which allows a denial of service     attack.

  - CVE-2006-0095     Stefan Rompf discovered that dm_crypt does not clear an     internal struct before freeing it, which might disclose     sensitive information.

  - CVE-2006-0096     It was discovered that the SDLA driver's capability     checks were too lax for firmware upgrades.

  - CVE-2006-0482     Ludovic Courtes discovered that get_compat_timespec()     performs insufficient input sanitizing, which allows a     local denial of service attack.

  - CVE-2006-1066     It was discovered that ptrace() on the ia64 architecture     allows a local denial of service attack, when preemption     is enabled.

Updated kernel packages that fix several security issues in the Red Hat Enterprise Linux 4 kernel are now available.

This security advisory has been rated as having important security impact by the Red Hat Security Response Team.

The Linux kernel handles the basic functions of the operating system.

These new kernel packages contain fixes for the security issues described below :

  - a flaw in network IGMP processing that a allowed a     remote user on the local network to cause a denial of     service (disabling of multicast reports) if the system     is running multicast applications (CVE-2002-2185,     moderate)

  - a flaw which allowed a local user to write to firmware     on read-only opened /dev/cdrom devices (CVE-2004-1190,     moderate)

  - a flaw in gzip/zlib handling internal to the kernel that     may allow a local user to cause a denial of service     (crash) (CVE-2005-2458, low)

  - a flaw in procfs handling during unloading of modules     that allowed a local user to cause a denial of service     or potentially gain privileges (CVE-2005-2709, moderate)

  - a flaw in the SCSI procfs interface that allowed a local     user to cause a denial of service (crash)     (CVE-2005-2800, moderate)

  - a flaw in 32-bit-compat handling of the TIOCGDEV ioctl     that allowed a local user to cause a denial of service     (crash) (CVE-2005-3044, important)

  - a race condition when threads share memory mapping that     allowed local users to cause a denial of service     (deadlock) (CVE-2005-3106, important)

  - a flaw when trying to mount a non-hfsplus filesystem     using hfsplus that allowed local users to cause a denial     of service (crash) (CVE-2005-3109, moderate)

  - a minor info leak with the get_thread_area() syscall     that allowed a local user to view uninitialized kernel     stack data (CVE-2005-3276, low)

  - a flaw in mq_open system call that allowed a local user     to cause a denial of service (crash) (CVE-2005-3356,     important)

  - a flaw in set_mempolicy that allowed a local user on     some 64-bit architectures to cause a denial of service     (crash) (CVE-2005-3358, important)

  - a flaw in the auto-reap of child processes that allowed     a local user to cause a denial of service (crash)     (CVE-2005-3784, important)

  - a flaw in the IPv6 flowlabel code that allowed a local     user to cause a denial of service (crash)     (CVE-2005-3806, important)

  - a flaw in network ICMP processing that allowed a local     user to cause a denial of service (memory exhaustion)     (CVE-2005-3848, important)

  - a flaw in file lease time-out handling that allowed a     local user to cause a denial of service (log file     overflow) (CVE-2005-3857, moderate)

  - a flaw in network IPv6 xfrm handling that allowed a     local user to cause a denial of service (memory     exhaustion) (CVE-2005-3858, important)

  - a flaw in procfs handling that allowed a local user to     read kernel memory (CVE-2005-4605, important)

All Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum.

A number of vulnerabilities were discovered and corrected in the Linux 2.6 kernel :

The udp_v6_get_port function in udp.c, when running IPv6, allows local users to cause a Denial of Service (infinite loop and crash) (CVE-2005-2973).

The mq_open system call in certain situations can decrement a counter twice as a result of multiple calls to the mntput function when the dentry_open function call fails, allowing a local user to cause a DoS (panic) via unspecified attack vectors (CVE-2005-3356).

The procfs code allows attackers to read sensitive kernel memory via unspecified vectors in which a signed value is added to an unsigned value (CVE-2005-4605).

A buffer overflow in sysctl allows local users to cause a DoS and possibly execute arbitrary code via a long string, which causes sysctl to write a zero byte outside the buffer (CVE-2005-4618).

A buffer overflow in the CA-driver for TwinHan DST Frontend/Card allows local users to cause a DoS (crash) and possibly execute arbitrary code by reading more than eight bytes into an eight byte long array (CVE-2005-4639).

dm-crypt does not clear a structure before it is freed, which leads to a memory disclosure that could allow local users to obtain sensitive information about a cryptographic key (CVE-2006-0095).

Remote attackers can cause a DoS via unknown attack vectors related to an 'extra dst release when ip_options_echo fails' in icmp.c (CVE-2006-0454).

In addition to these security fixes, other fixes have been included such as :

  - support for mptsas

    - fix for IPv6 with sis190

    - a problem with the time progressing twice as fast

    - a fix for Audigy 2 ZS Video Editor sample rates

    - a fix for a supermount crash when accessing a       supermount-ed CD/DVD drive

  - a fix for improperly unloading sbp2 module

The provided packages are patched to fix these vulnerabilities. All users are encouraged to upgrade to these updated kernels.

To update your kernel, please follow the directions located at :

http://www.mandriva.com/en/security/kernelupdate

Doug Chapman discovered a flaw in the reference counting in the sys_mq_open() function. By calling this function in a special way, a local attacker could exploit this to cause a kernel crash.
(CVE-2005-3356)

Karl Janmar discovered that the /proc file system module used signed data types in a wrong way. A local attacker could exploit this to read random kernel memory, which could possibly contain sensitive data like passwords or private keys. (CVE-2005-4605)

Yi Yang discovered an off-by-one buffer overflow in the sysctl() system call. By calling sysctl with a specially crafted long string, a local attacker could exploit this to crash the kernel or possibly even execute arbitrary code with full kernel privileges. (CVE-2005-4618)

Perceval Anichini found a buffer overflow in the TwinHan DST Frontend/Card DVB driver. A local user could exploit this to crash the kernel or possibly execute arbitrary code with full kernel privileges.
This only affects Ubuntu 5.10. (CVE-2005-4639)

Stefan Rompf discovered that the dm-crypt module did not clear memory structures before releasing the memory allocation of it. This could lead to the disclosure of encryption keys. (CVE-2006-0095)

The SDLA WAN driver did not restrict firmware upgrades to processes that have the CAP_SYS_RAWIO kernel capability, it just required the CAP_NET_ADMIN privilege. This could allow processes with the latter privilege to update the SDLA firmware. Please note that this does not affect a standard Ubuntu installation, and this cannot be exploited by a normal (unprivileged) user. At most, this flaw might be relevant for installations that use a fine-grained capability granting system like RSBAC, cap_over, or grsecurity. This only affects Ubuntu 4.10.
(CVE-2006-0096).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote CentOS system is missing a security update which has been documented in Red Hat advisory RHSA-2006-0101.

ID	Name	Product	Family	Severity
22559	Debian DSA-1017-1 : kernel-source-2.6.8 - several vulnerabilities	Nessus	Debian Local Security Checks	critical
21977	CentOS 4 : kernel (CESA-2006:0101)	Nessus	CentOS Local Security Checks	high
20939	Mandrake Linux Security Advisory : kernel (MDKSA-2006:040)	Nessus	Mandriva Local Security Checks	medium
20791	Ubuntu 4.10 / 5.04 / 5.10 : linux-source-2.6.8.1/-2.6.10/-2.6.12 vulnerabilities (USN-244-1)	Nessus	Ubuntu Local Security Checks	high
20732	RHEL 4 : kernel (RHSA-2006:0101)	Nessus	Red Hat Local Security Checks	high
801413	CentOS RHSA-2006-0101 Security Check	Log Correlation Engine	Generic	high

CVE-2005-3356

LOW

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Tenable Plugins

critical

high

medium

high

high

high