SUSE-SA:2006:012

[linux-kernel] 20050826 [PATCH 7/7] [IPV6]: Fix SKB leak in ip6_input_finish()

[linux-kernel] 20050829 Re: Linux 2.6.12.6

18203

18510

18562

19038

19369

19374

DSA-1017

DSA-1018

RHSA-2006:0101

RHSA-2006:0140

16043

oval:org.mitre.oval:def:9396

USN-231-1

The original update lacked recompiled ALSA modules against the new  kernel ABI. Furthermore, kernel-latest-2.4-sparc now correctly  depends on the updated packages. For completeness we're providing the  original problem description :

  Several local and remote vulnerabilities have been discovered in the   Linux kernel that may lead to a denial of service or the execution   of arbitrary code. The Common Vulnerabilities and Exposures project   identifies the following problems :

    - CVE-2004-0887       Martin Schwidefsky discovered that the privileged       instruction SACF (Set Address Space Control Fast) on       the S/390 platform is not handled properly, allowing       for a local user to gain root privileges.

    - CVE-2004-1058       A race condition allows for a local user to read the       environment variables of another process that is still       spawning through /proc/.../cmdline.

    - CVE-2004-2607       A numeric casting discrepancy in sdla_xfer allows       local users to read portions of kernel memory via a       large len argument which is received as an int but       cast to a short, preventing read loop from filling a       buffer.

    - CVE-2005-0449       An error in the skb_checksum_help() function from the       netfilter framework has been discovered that allows       the bypass of packet filter rules or a denial of       service attack.

    - CVE-2005-1761       A vulnerability in the ptrace subsystem of the IA-64       architecture can allow local attackers to overwrite       kernel memory and crash the kernel.

    - CVE-2005-2457       Tim Yamin discovered that insufficient input       validation in the compressed ISO file system (zisofs)       allows a denial of service attack through maliciously       crafted ISO images.

    - CVE-2005-2555       Herbert Xu discovered that the setsockopt() function       was not restricted to users/processes with the       CAP_NET_ADMIN capability. This allows attackers to       manipulate IPSEC policies or initiate a denial of       service attack.

    - CVE-2005-2709       Al Viro discovered a race condition in the /proc       handling of network devices. A (local) attacker could       exploit the stale reference after interface shutdown       to cause a denial of service or possibly execute code       in kernel mode.

    - CVE-2005-2973       Tetsuo Handa discovered that the udp_v6_get_port()       function from the IPv6 code can be forced into an       endless loop, which allows a denial of service attack.

    - CVE-2005-3257       Rudolf Polzer discovered that the kernel improperly       restricts access to the KDSKBSENT ioctl, which can       possibly lead to privilege escalation.

    - CVE-2005-3783       The ptrace code using CLONE_THREAD didn't use the       thread group ID to determine whether the caller is       attaching to itself, which allows a denial of service       attack.

    - CVE-2005-3806       Yen Zheng discovered that the IPv6 flow label code       modified an incorrect variable, which could lead to       memory corruption and denial of service.

    - CVE-2005-3848       Ollie Wild discovered a memory leak in the       icmp_push_reply() function, which allows denial of       service through memory consumption.

    - CVE-2005-3857       Chris Wright discovered that excessive allocation of       broken file lock leases in the VFS layer can exhaust       memory and fill up the system logging, which allows       denial of service.

    - CVE-2005-3858       Patrick McHardy discovered a memory leak in the       ip6_input_finish() function from the IPv6 code, which       allows denial of service.

    - CVE-2005-4618       Yi Ying discovered that sysctl does not properly       enforce the size of a buffer, which allows a denial of       service attack.

Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2004-1017     Multiple overflows exist in the io_edgeport driver which     might be usable as a denial of service attack vector.

  - CVE-2005-0124     Bryan Fulton reported a bounds checking bug in the     coda_pioctl function which may allow local users to     execute arbitrary code or trigger a denial of service     attack.

  - CVE-2005-0449     An error in the skb_checksum_help() function from the     netfilter framework has been discovered that allows the     bypass of packet filter rules or a denial of service     attack.

  - CVE-2005-2457     Tim Yamin discovered that insufficient input validation     in the zisofs driver for compressed ISO file systems     allows a denial of service attack through maliciously     crafted ISO images.

  - CVE-2005-2490     A buffer overflow in the sendmsg() function allows local     users to execute arbitrary code.

  - CVE-2005-2555     Herbert Xu discovered that the setsockopt() function was     not restricted to users/processes with the CAP_NET_ADMIN     capability. This allows attackers to manipulate IPSEC     policies or initiate a denial of service attack. 

  - CVE-2005-2709     Al Viro discovered a race condition in the /proc     handling of network devices. A (local) attacker could     exploit the stale reference after interface shutdown to     cause a denial of service or possibly execute code in     kernel mode.

  - CVE-2005-2800     Jan Blunck discovered that repeated failed reads of     /proc/scsi/sg/devices leak memory, which allows a denial     of service attack.

  - CVE-2005-2973     Tetsuo Handa discovered that the udp_v6_get_port()     function from the IPv6 code can be forced into an     endless loop, which allows a denial of service attack.

  - CVE-2005-3044     Vasiliy Averin discovered that the reference counters     from sockfd_put() and fput() can be forced into     overlapping, which allows a denial of service attack     through a NULL pointer dereference.

  - CVE-2005-3053     Eric Dumazet discovered that the set_mempolicy() system     call accepts a negative value for its first argument,     which triggers a BUG() assert. This allows a denial of     service attack.

  - CVE-2005-3055     Harald Welte discovered that if a process issues a USB     Request Block (URB) to a device and terminates before     the URB completes, a stale pointer would be     dereferenced. This could be used to trigger a denial of     service attack.

  - CVE-2005-3180     Pavel Roskin discovered that the driver for Orinoco     wireless cards clears its buffers insufficiently. This     could leak sensitive information into user space.

  - CVE-2005-3181     Robert Derr discovered that the audit subsystem uses an     incorrect function to free memory, which allows a denial     of service attack.

  - CVE-2005-3257     Rudolf Polzer discovered that the kernel improperly     restricts access to the KDSKBSENT ioctl, which can     possibly lead to privilege escalation.

  - CVE-2005-3356     Doug Chapman discovered that the mq_open syscall can be     tricked into decrementing an internal counter twice,     which allows a denial of service attack through a kernel     panic.

  - CVE-2005-3358     Doug Chapman discovered that passing a zero bitmask to     the set_mempolicy() system call leads to a kernel panic,     which allows a denial of service attack.

  - CVE-2005-3783     The ptrace code using CLONE_THREAD didn't use the thread     group ID to determine whether the caller is attaching to     itself, which allows a denial of service attack.

  - CVE-2005-3784     The auto-reaping of child processes functionality     included ptraced-attached processes, which allows denial     of service through dangling references.

  - CVE-2005-3806     Yen Zheng discovered that the IPv6 flow label code     modified an incorrect variable, which could lead to     memory corruption and denial of service.

  - CVE-2005-3847     It was discovered that a threaded real-time process,     which is currently dumping core can be forced into a     dead-lock situation by sending it a SIGKILL signal,     which allows a denial of service attack. 

  - CVE-2005-3848     Ollie Wild discovered a memory leak in the     icmp_push_reply() function, which allows denial of     service through memory consumption.

  - CVE-2005-3857     Chris Wright discovered that excessive allocation of     broken file lock leases in the VFS layer can exhaust     memory and fill up the system logging, which allows     denial of service.

  - CVE-2005-3858     Patrick McHardy discovered a memory leak in the     ip6_input_finish() function from the IPv6 code, which     allows denial of service.

  - CVE-2005-4605     Karl Janmar discovered that a signedness error in the     procfs code can be exploited to read kernel memory,     which may disclose sensitive information.

  - CVE-2005-4618     Yi Ying discovered that sysctl does not properly enforce     the size of a buffer, which allows a denial of service     attack.

  - CVE-2006-0095     Stefan Rompf discovered that dm_crypt does not clear an     internal struct before freeing it, which might disclose     sensitive information.

  - CVE-2006-0096     It was discovered that the SDLA driver's capability     checks were too lax for firmware upgrades.

  - CVE-2006-0482     Ludovic Courtes discovered that get_compat_timespec()     performs insufficient input sanitizing, which allows a     local denial of service attack.

  - CVE-2006-1066     It was discovered that ptrace() on the ia64 architecture     allows a local denial of service attack, when preemption     is enabled.

Updated kernel packages that fix several security issues in the Red Hat Enterprise Linux 4 kernel are now available.

This security advisory has been rated as having important security impact by the Red Hat Security Response Team.

The Linux kernel handles the basic functions of the operating system.

These new kernel packages contain fixes for the security issues described below :

  - a flaw in network IGMP processing that a allowed a     remote user on the local network to cause a denial of     service (disabling of multicast reports) if the system     is running multicast applications (CVE-2002-2185,     moderate)

  - a flaw which allowed a local user to write to firmware     on read-only opened /dev/cdrom devices (CVE-2004-1190,     moderate)

  - a flaw in gzip/zlib handling internal to the kernel that     may allow a local user to cause a denial of service     (crash) (CVE-2005-2458, low)

  - a flaw in procfs handling during unloading of modules     that allowed a local user to cause a denial of service     or potentially gain privileges (CVE-2005-2709, moderate)

  - a flaw in the SCSI procfs interface that allowed a local     user to cause a denial of service (crash)     (CVE-2005-2800, moderate)

  - a flaw in 32-bit-compat handling of the TIOCGDEV ioctl     that allowed a local user to cause a denial of service     (crash) (CVE-2005-3044, important)

  - a race condition when threads share memory mapping that     allowed local users to cause a denial of service     (deadlock) (CVE-2005-3106, important)

  - a flaw when trying to mount a non-hfsplus filesystem     using hfsplus that allowed local users to cause a denial     of service (crash) (CVE-2005-3109, moderate)

  - a minor info leak with the get_thread_area() syscall     that allowed a local user to view uninitialized kernel     stack data (CVE-2005-3276, low)

  - a flaw in mq_open system call that allowed a local user     to cause a denial of service (crash) (CVE-2005-3356,     important)

  - a flaw in set_mempolicy that allowed a local user on     some 64-bit architectures to cause a denial of service     (crash) (CVE-2005-3358, important)

  - a flaw in the auto-reap of child processes that allowed     a local user to cause a denial of service (crash)     (CVE-2005-3784, important)

  - a flaw in the IPv6 flowlabel code that allowed a local     user to cause a denial of service (crash)     (CVE-2005-3806, important)

  - a flaw in network ICMP processing that allowed a local     user to cause a denial of service (memory exhaustion)     (CVE-2005-3848, important)

  - a flaw in file lease time-out handling that allowed a     local user to cause a denial of service (log file     overflow) (CVE-2005-3857, moderate)

  - a flaw in network IPv6 xfrm handling that allowed a     local user to cause a denial of service (memory     exhaustion) (CVE-2005-3858, important)

  - a flaw in procfs handling that allowed a local user to     read kernel memory (CVE-2005-4605, important)

All Red Hat Enterprise Linux 4 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum.

Updated kernel packages that fix several security issues in the Red Hat Enterprise Linux 3 kernel are now available.

This security advisory has been rated as having important security impact by the Red Hat Security Response Team.

The Linux kernel handles the basic functions of the operating system.

These new kernel packages contain fixes for the security issues described below :

  - a flaw in network IGMP processing that a allowed a     remote user on the local network to cause a denial of     service (disabling of multicast reports) if the system     is running multicast applications (CVE-2002-2185,     moderate)

  - a flaw in remap_page_range() with O_DIRECT writes that     allowed a local user to cause a denial of service     (crash) (CVE-2004-1057, important)

  - a flaw in exec() handling on some 64-bit architectures     that allowed a local user to cause a denial of service     (crash) (CVE-2005-2708, important)

  - a flaw in procfs handling during unloading of modules     that allowed a local user to cause a denial of service     or potentially gain privileges (CVE-2005-2709, moderate)

  - a flaw in IPv6 network UDP port hash table lookups that     allowed a local user to cause a denial of service (hang)     (CVE-2005-2973, important)

  - a flaw in 32-bit-compat handling of the TIOCGDEV ioctl     that allowed a local user to cause a denial of service     (crash) (CVE-2005-3044, important)

  - a network buffer info leak using the orinoco driver that     allowed a remote user to possibly view uninitialized     data (CVE-2005-3180, important)

  - a flaw in IPv4 network TCP and UDP netfilter handling     that allowed a local user to cause a denial of service     (crash) (CVE-2005-3275, important)

  - a flaw in the IPv6 flowlabel code that allowed a local     user to cause a denial of service (crash)     (CVE-2005-3806, important)

  - a flaw in network ICMP processing that allowed a local     user to cause a denial of service (memory exhaustion)     (CVE-2005-3848, important)

  - a flaw in file lease time-out handling that allowed a     local user to cause a denial of service (log file     overflow) (CVE-2005-3857, moderate)

  - a flaw in network IPv6 xfrm handling that allowed a     local user to cause a denial of service (memory     exhaustion) (CVE-2005-3858, important)

All Red Hat Enterprise Linux 3 users are advised to upgrade their kernels to the packages associated with their machine architecture and configurations as listed in this erratum.

Rudolf Polzer reported an abuse of the 'loadkeys' command. By redefining one or more keys and tricking another user (like root) into logging in on a text console and typing something that involves the redefined keys, a local user could cause execution of arbitrary commands with the privileges of the target user. The updated kernel restricts the usage of 'loadkeys' to root. (CVE-2005-3257)

The ptrace() system call did not correctly check whether a process tried to attach to itself. A local attacker could exploit this to cause a kernel crash. (CVE-2005-3783)

A Denial of Service vulnerability was found in the handler that automatically cleans up and terminates child processes that are not correctly handled by their parent process ('auto-reaper'). The check did not correctly handle processes which were currently traced by another process. A local attacker could exploit this to cause a kernel crash. (CVE-2005-3784)

A locking problem was discovered in the POSIX timer cleanup handling on process exit. A local attacker could exploit this to cause the machine to hang (Denial of Service). This flaw only affects multiprocessor (SMP) systems. (CVE-2005-3805)

A Denial of Service vulnerability was discovered in the IPv6 flowlabel handling code. By invoking setsockopt(IPV6_FLOWLABEL_MGR) in a special way, a local attacker could cause memory corruption which eventually led to a kernel crash. (CVE-2005-3806)

A memory leak was discovered in the VFS lease handling. These operations are commonly executed by the Samba server, which led to steady memory exhaustion. By repeatedly triggering the affected operations in quick succession, a local attacker could exploit this to drain all memory, which leads to a Denial of Service. (CVE-2005-3807)

An integer overflow was discovered in the invalidate_inode_pages2_range() function. By issuing 64-bit mmap calls on a 32 bit system, a local user could exploit this to crash the machine, thereby causing Denial of Service. This flaw does not affect the amd64 platform, and does only affect Ubuntu 5.10. (CVE-2005-3808)

Ollie Wild discovered a memory leak in the icmp_push_reply() function.
By sending a large amount of specially crafted packets, a remote attacker could exploit this to drain all memory, which eventually leads to a Denial of Service. (CVE-2005-3848)

Chris Wrigth found a Denial of Service vulnerability in the time_out_leases() function. By allocating a large number of VFS file lock leases and having them timeout at the same time, a large number of 'printk' debugging statements was generated at the same time, which could exhaust kernel memory. (CVE-2005-3857)

Patrick McHardy discovered a memory leak in the ip6_input_finish() function. A remote attacker could exploit this by sending specially crafted IPv6 packets, which would eventually drain all available kernel memory, thus causing a Denial of Service. (CVE-2005-3858).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote CentOS system is missing a security update which has been documented in Red Hat advisory RHSA-2006-0140.

The remote CentOS system is missing a security update which has been documented in Red Hat advisory RHSA-2006-0101.

ID	Name	Product	Family	Severity
22560	Debian DSA-1018-2 : kernel-source-2.4.27 - several vulnerabilities	Nessus	Debian Local Security Checks	high
22559	Debian DSA-1017-1 : kernel-source-2.6.8 - several vulnerabilities	Nessus	Debian Local Security Checks	critical
21977	CentOS 4 : kernel (CESA-2006:0101)	Nessus	CentOS Local Security Checks	high
21881	CentOS 3 : kernel (CESA-2006:0140)	Nessus	CentOS Local Security Checks	high
20775	Ubuntu 4.10 / 5.04 / 5.10 : linux-source-2.6.8.1/-2.6.10/-2.6.12 vulnerabilities (USN-231-1)	Nessus	Ubuntu Local Security Checks	high
20751	RHEL 3 : kernel (RHSA-2006:0140)	Nessus	Red Hat Local Security Checks	high
20732	RHEL 4 : kernel (RHSA-2006:0101)	Nessus	Red Hat Local Security Checks	high
801415	CentOS RHSA-2006-0140 Security Check	Log Correlation Engine	Generic	high
801413	CentOS RHSA-2006-0101 Security Check	Log Correlation Engine	Generic	high

CVE-2005-3858

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Tenable Plugins