http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=658fdbef66e5e9be79b457edc2cbbb3add840aa9

http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=658fdbef66e5e9be79b457edc2cbbb3add840aa9

24098

25691

26620

26994

32485

DSA-1381

http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.18

http://www.kernel.org/pub/linux/kernel/v2.6/snapshots/patch-2.6.18-git13.log

MDKSA-2007:171

RHSA-2008:0957

20070615 rPSA-2007-0124-1 kernel xen

26060

USN-416-1

oval:org.mitre.oval:def:9554

From Red Hat Security Advisory 2008:0957 :

Updated kernel packages that resolve several security issues and fix various bugs are now available for Red Hat Enterprise Linux 5.

This update has been rated as having important security impact by the Red Hat Security Response Team.

[Updated 12th November 2008] The original packages distributed with this errata had a bug which prevented the Xen kernel booting on older hardware. We have updated the packages to correct this bug.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

* the Xen implementation did not prevent applications running in a para-virtualized guest from modifying CR4 TSC. This could cause a local denial of service. (CVE-2007-5907, Important)

* Tavis Ormandy reported missing boundary checks in the Virtual Dynamic Shared Objects (vDSO) implementation. This could allow a local unprivileged user to cause a denial of service or escalate privileges.
(CVE-2008-3527, Important)

* the do_truncate() and generic_file_splice_write() functions did not clear the setuid and setgid bits. This could allow a local unprivileged user to obtain access to privileged information.
(CVE-2008-4210, CVE-2008-3833, Important)

* a flaw was found in the Linux kernel splice implementation. This could cause a local denial of service when there is a certain failure in the add_to_page_cache_lru() function. (CVE-2008-4302, Important)

* a flaw was found in the Linux kernel when running on AMD64 systems.
During a context switch, EFLAGS were being neither saved nor restored.
This could allow a local unprivileged user to cause a denial of service. (CVE-2006-5755, Low)

* a flaw was found in the Linux kernel virtual memory implementation.
This could allow a local unprivileged user to cause a denial of service. (CVE-2008-2372, Low)

* an integer overflow was discovered in the Linux kernel Datagram Congestion Control Protocol (DCCP) implementation. This could allow a remote attacker to cause a denial of service. By default, remote DCCP is blocked by SELinux. (CVE-2008-3276, Low)

In addition, these updated packages fix the following bugs :

* random32() seeding has been improved.

* in a multi-core environment, a race between the QP async event-handler and the destro_qp() function could occur. This led to unpredictable results during invalid memory access, which could lead to a kernel crash.

* a format string was omitted in the call to the request_module() function.

* a stack overflow caused by an infinite recursion bug in the binfmt_misc kernel module was corrected.

* the ata_scsi_rbuf_get() and ata_scsi_rbuf_put() functions now check for scatterlist usage before calling kmap_atomic().

* a sentinel NUL byte was added to the device_write() function to ensure that lspace.name is NUL-terminated.

* in the character device driver, a range_is_allowed() check was added to the read_mem() and write_mem() functions. It was possible for an illegitimate application to bypass these checks, and access /dev/mem beyond the 1M limit by calling mmap_mem() instead. Also, the parameters of range_is_allowed() were changed to cleanly handle greater than 32-bits of physical address on 32-bit architectures.

* some of the newer Nehalem-based systems declare their CPU DSDT entries as type 'Alias'. During boot, this caused an 'Error attaching device data' message to be logged.

* the evtchn event channel device lacked locks and memory barriers.
This has led to xenstore becoming unresponsive on the Itanium(r) architecture.

* sending of gratuitous ARP packets in the Xen frontend network driver is now delayed until the backend signals that its carrier status has been processed by the stack.

* on forcedeth devices, whenever setting ethtool parameters for link speed, the device could stop receiving interrupts.

* the CIFS 'forcedirectio' option did not allow text to be appended to files.

* the gettimeofday() function returned a backwards time on Intel(r) 64.

* residual-count corrections during UNDERRUN handling were added to the qla2xxx driver.

* the fix for a small quirk was removed for certain Adaptec controllers for which it caused problems.

* the 'xm trigger init' command caused a domain panic if a userland application was running on a guest on the Intel(r) 64 architecture.

Users of kernel should upgrade to these updated packages, which contain backported patches to correct these issues.

- the Xen implementation did not prevent applications     running in a para-virtualized guest from modifying CR4     TSC. This could cause a local denial of service.
    (CVE-2007-5907, Important)

  - Tavis Ormandy reported missing boundary checks in the     Virtual Dynamic Shared Objects (vDSO) implementation.
    This could allow a local unprivileged user to cause a     denial of service or escalate privileges.
    (CVE-2008-3527, Important)

  - the do_truncate() and generic_file_splice_write()     functions did not clear the setuid and setgid bits. This     could allow a local unprivileged user to obtain access     to privileged information. (CVE-2008-4210,     CVE-2008-3833, Important)

  - a flaw was found in the Linux kernel splice     implementation. This could cause a local denial of     service when there is a certain failure in the     add_to_page_cache_lru() function. (CVE-2008-4302,     Important)

  - a flaw was found in the Linux kernel when running on     AMD64 systems. During a context switch, EFLAGS were     being neither saved nor restored. This could allow a     local unprivileged user to cause a denial of service.
    (CVE-2006-5755, Low)

  - a flaw was found in the Linux kernel virtual memory     implementation. This could allow a local unprivileged     user to cause a denial of service. (CVE-2008-2372, Low)

  - an integer overflow was discovered in the Linux kernel     Datagram Congestion Control Protocol (DCCP)     implementation. This could allow a remote attacker to     cause a denial of service. By default, remote DCCP is     blocked by SELinux. (CVE-2008-3276, Low)

In addition, these updated packages fix the following bugs :

  - random32() seeding has been improved.

  - in a multi-core environment, a race between the QP async     event-handler and the destro_qp() function could occur.
    This led to unpredictable results during invalid memory     access, which could lead to a kernel crash.

  - a format string was omitted in the call to the     request_module() function.

  - a stack overflow caused by an infinite recursion bug in     the binfmt_misc kernel module was corrected.

  - the ata_scsi_rbuf_get() and ata_scsi_rbuf_put()     functions now check for scatterlist usage before calling     kmap_atomic().

  - a sentinel NUL byte was added to the device_write()     function to ensure that lspace.name is NUL-terminated.

  - in the character device driver, a range_is_allowed()     check was added to the read_mem() and write_mem()     functions. It was possible for an illegitimate     application to bypass these checks, and access /dev/mem     beyond the 1M limit by calling mmap_mem() instead. Also,     the parameters of range_is_allowed() were changed to     cleanly handle greater than 32-bits of physical address     on 32-bit architectures.

  - some of the newer Nehalem-based systems declare their     CPU DSDT entries as type 'Alias'. During boot, this     caused an 'Error attaching device data' message to be     logged.

  - the evtchn event channel device lacked locks and memory     barriers. This has led to xenstore becoming unresponsive     on the Itanium&reg; architecture.

  - sending of gratuitous ARP packets in the Xen frontend     network driver is now delayed until the backend signals     that its carrier status has been processed by the stack.

  - on forcedeth devices, whenever setting ethtool     parameters for link speed, the device could stop     receiving interrupts.

  - the CIFS 'forcedirectio' option did not allow text to be     appended to files.

  - the gettimeofday() function returned a backwards time on     Intel&reg; 64.

  - residual-count corrections during UNDERRUN handling were     added to the qla2xxx driver.

  - the fix for a small quirk was removed for certain     Adaptec controllers for which it caused problems.

  - the 'xm trigger init' command caused a domain panic if a     userland application was running on a guest on the     Intel&reg; 64 architecture.

Updated kernel packages that resolve several security issues and fix various bugs are now available for Red Hat Enterprise Linux 5.

This update has been rated as having important security impact by the Red Hat Security Response Team.

[Updated 12th November 2008] The original packages distributed with this errata had a bug which prevented the Xen kernel booting on older hardware. We have updated the packages to correct this bug.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

* the Xen implementation did not prevent applications running in a para-virtualized guest from modifying CR4 TSC. This could cause a local denial of service. (CVE-2007-5907, Important)

* Tavis Ormandy reported missing boundary checks in the Virtual Dynamic Shared Objects (vDSO) implementation. This could allow a local unprivileged user to cause a denial of service or escalate privileges.
(CVE-2008-3527, Important)

* the do_truncate() and generic_file_splice_write() functions did not clear the setuid and setgid bits. This could allow a local unprivileged user to obtain access to privileged information.
(CVE-2008-4210, CVE-2008-3833, Important)

* a flaw was found in the Linux kernel splice implementation. This could cause a local denial of service when there is a certain failure in the add_to_page_cache_lru() function. (CVE-2008-4302, Important)

* a flaw was found in the Linux kernel when running on AMD64 systems.
During a context switch, EFLAGS were being neither saved nor restored.
This could allow a local unprivileged user to cause a denial of service. (CVE-2006-5755, Low)

* a flaw was found in the Linux kernel virtual memory implementation.
This could allow a local unprivileged user to cause a denial of service. (CVE-2008-2372, Low)

* an integer overflow was discovered in the Linux kernel Datagram Congestion Control Protocol (DCCP) implementation. This could allow a remote attacker to cause a denial of service. By default, remote DCCP is blocked by SELinux. (CVE-2008-3276, Low)

In addition, these updated packages fix the following bugs :

* random32() seeding has been improved.

* in a multi-core environment, a race between the QP async event-handler and the destro_qp() function could occur. This led to unpredictable results during invalid memory access, which could lead to a kernel crash.

* a format string was omitted in the call to the request_module() function.

* a stack overflow caused by an infinite recursion bug in the binfmt_misc kernel module was corrected.

* the ata_scsi_rbuf_get() and ata_scsi_rbuf_put() functions now check for scatterlist usage before calling kmap_atomic().

* a sentinel NUL byte was added to the device_write() function to ensure that lspace.name is NUL-terminated.

* in the character device driver, a range_is_allowed() check was added to the read_mem() and write_mem() functions. It was possible for an illegitimate application to bypass these checks, and access /dev/mem beyond the 1M limit by calling mmap_mem() instead. Also, the parameters of range_is_allowed() were changed to cleanly handle greater than 32-bits of physical address on 32-bit architectures.

* some of the newer Nehalem-based systems declare their CPU DSDT entries as type 'Alias'. During boot, this caused an 'Error attaching device data' message to be logged.

* the evtchn event channel device lacked locks and memory barriers.
This has led to xenstore becoming unresponsive on the Itanium(r) architecture.

* sending of gratuitous ARP packets in the Xen frontend network driver is now delayed until the backend signals that its carrier status has been processed by the stack.

* on forcedeth devices, whenever setting ethtool parameters for link speed, the device could stop receiving interrupts.

* the CIFS 'forcedirectio' option did not allow text to be appended to files.

* the gettimeofday() function returned a backwards time on Intel(r) 64.

* residual-count corrections during UNDERRUN handling were added to the qla2xxx driver.

* the fix for a small quirk was removed for certain Adaptec controllers for which it caused problems.

* the 'xm trigger init' command caused a domain panic if a userland application was running on a guest on the Intel(r) 64 architecture.

Users of kernel should upgrade to these updated packages, which contain backported patches to correct these issues.

Mark Dowd discovered that the netfilter iptables module did not correcly handle fragmented IPv6 packets. By sending specially crafted packets, a remote attacker could exploit this to bypass firewall rules. This has has already been fixed for Ubuntu 6.10 in USN-395-1;
this is the corresponding fix for Ubuntu 6.06.(CVE-2006-4572)

Doug Chapman discovered an improper lock handling in the mincore() function. A local attacker could exploit this to cause an eternal hang in the kernel, rendering the machine unusable. (CVE-2006-4814)

Al Viro reported that the ISDN PPP module did not initialize the reset state timer. By sending specially crafted ISDN packets, a remote attacker could exploit this to crash the kernel. (CVE-2006-5749)

Various syscalls (like listxattr()) misinterpreted the return value of return_EIO() when encountering bad inodes. By issuing particular system calls on a malformed file system, a local attacker could exploit this to crash the kernel. (CVE-2006-5753)

The task switching code did not save and restore EFLAGS of processes.
By starting a specially crafted executable, a local attacker could exploit this to eventually crash many other running processes. This only affects the amd64 platform. (CVE-2006-5755)

A race condition was found in the grow_buffers() function. By mounting a specially crafted ISO9660 or NTFS file system, a local attacker could exploit this to trigger an infinite loop in the kernel, rendering the machine unusable. (CVE-2006-5757)

A buffer overread was found in the zlib_inflate() function. By tricking an user into mounting a specially crafted file system which uses zlib compression (such as cramfs), this could be exploited to crash the kernel. (CVE-2006-5823)

The ext3 file system driver did not properly handle corrupted data structures. By mounting a specially crafted ext3 file system, a local attacker could exploit this to crash the kernel. (CVE-2006-6053)

The ext2 file system driver did not properly handle corrupted data structures. By mounting a specially crafted ext2 file system, a local attacker could exploit this to crash the kernel. (CVE-2006-6054)

The hfs file system driver did not properly handle corrupted data structures. By mounting a specially crafted hfs file system, a local attacker could exploit this to crash the kernel. This only affects systems which enable SELinux (Ubuntu disables SELinux by default).
(CVE-2006-6056)

Several vulnerabilities have been found in the GFS2 file system driver. Since this driver has never actually worked in Ubuntu 6.10, it has been disabled. This only affects Ubuntu 6.10. (CVE-2006-6057)

Marcel Holtman discovered several buffer overflows in the Bluetooth driver. By sending Bluetooth packets with specially crafted CAPI messages, a remote attacker could exploit these to crash the kernel.
(CVE-2006-6106).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Mark Dowd discovered that the netfilter iptables module did not correcly handle fragmented packets. By sending specially crafted packets, a remote attacker could exploit this to bypass firewall rules. This has only be fixed for Ubuntu 6.10; the corresponding fix for Ubuntu 5.10 and 6.06 will follow soon. (CVE-2006-4572)

Dmitriy Monakhov discovered an information leak in the
__block_prepare_write() function. During error recovery, this function did not properly clear memory buffers which could allow local users to read portions of unlinked files. This only affects Ubuntu 5.10.
(CVE-2006-4813)

ADLab Venustech Info Ltd discovered that the ATM network driver referenced an already released pointer in some circumstances. By sending specially crafted packets to a host over ATM, a remote attacker could exploit this to crash that host. This does not affect Ubuntu 6.10. (CVE-2006-4997)

Matthias Andree discovered that the NFS locking management daemon (lockd) did not correctly handle mixing of 'lock' and 'nolock' option mounts on the same client. A remote attacker could exploit this to crash lockd and thus rendering the NFS imports inaccessible. This only affects Ubuntu 5.10. (CVE-2006-5158)

The task switching code did not save and restore EFLAGS of processes.
By starting a specially crafted executable, a local attacker could exploit this to eventually crash many other running processes. This does not affect Ubuntu 6.10. (CVE-2006-5173)

James Morris discovered that the ip6fl_get_n() function incorrectly handled flow labels. A local attacker could exploit this to crash the kernel. (CVE-2006-5619)

Fabio Massimo Di Nitto discovered that the sys_get_robust_list and sys_set_robust_list system calls lacked proper lock handling on the powerpc platform. A local attacker could exploit this to create unkillable processes, drain all available CPU/memory, and render the machine unrebootable. This only affects Ubuntu 6.10. (CVE-2006-5648)

Fabio Massimo Di Nitto discovered a flaw in the alignment check exception handling on the powerpc platform. A local attacker could exploit this to cause a kernel panic and crash the machine.
(CVE-2006-5649)

Certain corrupted squashfs file system images caused a memory allocation to be freed twice. By mounting a specially crafted squashfs file system, a local attacker could exploit this to crash the kernel.
This does not affect Ubuntu 5.10. (CVE-2006-5701)

An integer overflow was found in the get_fdb_entries() function of the network bridging code. By executing a specially crafted ioctl, a local attacker could exploit this to execute arbitrary code with root privileges. (CVE-2006-5751).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several local vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2006-5755     The NT bit maybe leaked into the next task which can     make it possible for local attackers to cause a Denial     of Service (crash) on systems which run the amd64     flavour kernel. The stable distribution ('etch') was not     believed to be vulnerable to this issue at the time of     release, however Bastian Blank discovered that this     issue still applied to the xen-amd64 and     xen-vserver-amd64 flavours, and is resolved by this DSA.

  - CVE-2007-4133     Hugh Dickins discovered a potential local DoS (panic) in     hugetlbfs. A misconversion of hugetlb_vmtruncate_list to     prio_tree may allow local users to trigger a BUG_ON()     call in exit_mmap.

  - CVE-2007-4573     Wojciech Purczynski discovered a vulnerability that can     be exploited by a local user to obtain superuser     privileges on x86_64 systems. This resulted from     improper clearing of the high bits of registers during     ia32 system call emulation. This vulnerability is     relevant to the Debian amd64 port as well as users of     the i386 port who run the amd64 linux-image flavour.

      DSA-1378 resolved this problem for the amd64 flavour kernels,       but Tim Wickberg and Ralf Hemmenstadt reported an outstanding       issue with the xen-amd64 and xen-vserver-amd64 flavours that is       resolved by this DSA.

  - CVE-2007-5093     Alex Smith discovered an issue with the pwc driver for     certain webcam devices. If the device is removed while a     userspace application has it open, the driver will wait     for userspace to close the device, resulting in a     blocked USB subsystem. This issue is of low security     impact as it requires the attacker to either have     physical access to the system or to convince users with     local access to remove the device on their behalf.

These problems have been fixed in the stable distribution in version 2.6.18.dfsg.1-13etch4.

This is an update to DSA-1381-1 which included only amd64 binaries for linux-2.6. Builds for all other architectures are now available, as well as rebuilds of ancillary packages that make use of the included linux source.

The following matrix lists additional packages that were rebuilt for compatibility with or to take advantage of this update :

                           Debian 4.0 (etch)           fai-kernels               1.17+etch.13etch4           kernel-patch-openvz       028.18.1etch5               user-mode-linux           2.6.18-1um-2etch.13etch4

Some vulnerabilities were discovered and corrected in the Linux 2.6 kernel :

The Linux kernel did not properly save or restore EFLAGS during a context switch, or reset the flags when creating new threads, which allowed local users to cause a denial of service (process crash) (CVE-2006-5755).

The compat_sys_mount function in fs/compat.c allowed local users to cause a denial of service (NULL pointer dereference and oops) by mounting a smbfs file system in compatibility mode (CVE-2006-7203).

The nfnetlink_log function in netfilter allowed an attacker to cause a denial of service (crash) via unspecified vectors which would trigger a NULL pointer dereference (CVE-2007-1496).

The nf_conntrack function in netfilter did not set nfctinfo during reassembly of fragmented packets, which left the default value as IP_CT_ESTABLISHED and could allow remote attackers to bypass certain rulesets using IPv6 fragments (CVE-2007-1497).

The netlink functionality did not properly handle NETLINK_FIB_LOOKUP replies, which allowed a remote attacker to cause a denial of service (resource consumption) via unspecified vectors, probably related to infinite recursion (CVE-2007-1861).

A typo in the Linux kernel caused RTA_MAX to be used as an array size instead of RTN_MAX, which lead to an out of bounds access by certain functions (CVE-2007-2172).

The IPv6 protocol allowed remote attackers to cause a denial of service via crafted IPv6 type 0 route headers that create network amplification between two routers (CVE-2007-2242).

The random number feature did not properly seed pools when there was no entropy, or used an incorrect cast when extracting entropy, which could cause the random number generator to provide the same values after reboots on systems without an entropy source (CVE-2007-2453).

A memory leak in the PPPoE socket implementation allowed local users to cause a denial of service (memory consumption) by creating a socket using connect, and releasing it before the PPPIOCGCHAN ioctl is initialized (CVE-2007-2525).

An integer underflow in the cpuset_tasks_read function, when the cpuset filesystem is mounted, allowed local users to obtain kernel memory contents by using a large offset when reading the /dev/cpuset/tasks file (CVE-2007-2875).

The sctp_new function in netfilter allowed remote attackers to cause a denial of service by causing certain invalid states that triggered a NULL pointer dereference (CVE-2007-2876).

In addition to these security fixes, other fixes have been included such as :

  - Fix crash on netfilter when nfnetlink_log is used on     certain hooks on packets forwarded to or from a bridge

  - Fixed busy sleep on IPVS which caused high load averages

    - Fixed possible race condition on ext[34]_link

    - Fixed missing braces in condition block that led to       wrong behaviour in NFS

  - Fixed XFS lock deallocation that resulted in oops when     unmounting

To update your kernel, please follow the directions located at :

http://www.mandriva.com/en/security/kernelupdate

The remote CentOS system is missing a security update which has been documented in Red Hat advisory RHSA-2008-0957.

ID	Name	Product	Family	Severity
67758	Oracle Linux 5 : kernel (ELSA-2008-0957)	Nessus	Oracle Linux Local Security Checks	high
60488	Scientific Linux Security Update : kernel on SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	high
43713	CentOS 5 : kernel (CESA-2008:0957)	Nessus	CentOS Local Security Checks	high
34690	RHEL 5 : kernel (RHSA-2008:0957)	Nessus	Red Hat Local Security Checks	high
28005	Ubuntu 5.10 / 6.06 LTS / 6.10 : linux-source-2.6.12/2.6.15/2.6.17 vulnerabilities (USN-416-1)	Nessus	Ubuntu Local Security Checks	high
27981	Ubuntu 5.10 / 6.06 LTS / 6.10 : linux-source-2.6.12/-2.6.15/-2.6.17 vulnerabilities (USN-395-1)	Nessus	Ubuntu Local Security Checks	high
26211	Debian DSA-1381-2 : linux-2.6 - several vulnerabilities	Nessus	Debian Local Security Checks	high
25968	Mandrake Linux Security Advisory : kernel (MDKSA-2007:171)	Nessus	Mandriva Local Security Checks	high
801458	CentOS RHSA-2008-0957 Security Check	Log Correlation Engine	Generic	high

CVE-2006-5755

MEDIUM

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Tenable Plugins

high

high

high

high

high

high

high

high

high